The AWS cli is a very useful and powerful tool. It gives you direct access to the AWS api: you can list and look at resources, create, update and delete them. As such it should be clear why it is important to be careful with your credentials!

Risk = really quite possible though not immediately likely * selling your house and living in debt for the rest of your days = worth the trouble of using 2FA

Now then, how do we make sure our IAM users (being your colleagues) use 2FA? We set up a policy for that! IAM lets us create users or roles, and attach policies to them which describe exactly:

- What the relevant resources are for that action.
- Which version of the language syntax rules.

There are more options, such as conditions to make even more fine grained rules for your users. Specifying Sid can help you document and make for easier understanding. All of this is just plain json structure, so for most of us reading this, and even remotely interested in setting this up, quite readable.

## The policy to deny everything if no MFA is present

If you find it hard, there is always the option to specify it in the AWS Console. (In fact in that case I would recommend selecting json, then copy paste this document, click on Policy Summary.)

```json
"Sid": "AllowChangeOwnPasswordsOnFirstLogin",
```

This is an ARN or Amazon Resource Name, a way to identify, well, Amazon resources. It is made up of several components, usually something like arn:aws. In this case it is simply within service iam, for any (*) account you have access to, the current user. In short you can do all this, as long as it is about your current user.

Then the following blocks are somewhat similar: we allow the user to change their password on first login, after setting up MFA, and of course we allow the user to set up MFA and use it. If you understood the structure of the first block these blocks are sort of self-evident.

Now the spice in the salsa here is found in the last block, DenyAllExceptListedIfNoMFA. Contrary to the other statements this one has effect Deny. Then it has another negation: NotAction, which means that we deny not the following actions, or we deny all but the following actions, or in even more plain English: we allow ONLY the following actions. Then we list those actions: all basic actions that will allow our user to do nothing important except set up their MFA. The last part to point your attention to is the Condition block. It basically says: "All the above is only valid under this condition: 'If the user has no MFA present'".

Pretty neat, right? If you want to play along: just create a user in IAM, and attach this policy to them. Then either log in to the console, or make sure you create access keys and log in on the cli. You will find it nice and boring! Nothing to do, except set up your MFA! But once you do, well… then who knows? Meaning: you should also specify more policies for the user. Normally we would do this in a separate document, because you can attach multiple policies to a user. This way you can reuse this policy for all your users, or those in certain groups. And at the same time, specify specific access to users based on what they need to be doing in AWS.

Running a simple command such as aws ec2 describe-instances will be successful only if you can be authenticated (you are who you say you are) and you have sufficient authorization (you are allowed to do what you want to do).

- Provide your credentials in the command line with the command every time.
- Make use of the environment or shell variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and, if using MFA, AWS_SESSION_TOKEN.
- Use the credentials stored in the default credential file: ~/.aws/credentials.

This is also the order in which the possibilities are evaluated. The last option is easiest to set up using the aws configure command. If you open it in your favorite editor you should see something like:

```
An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.
```

Note: This assumes you have your credentials set up in the credentials file. Otherwise you will not even be authenticated! This tells us we were in fact authenticated, but we were not allowed to perform this operation. Makes sense, we explicitly denied all that!

But maybe you were smart and actually set up MFA. For instance using your phone and an authenticator app. Not to worry, this is how: From the above options we ignore option 1. Options 2 and 3 are somewhat more doable. To login we normally need our username, password and MFA token. That temporary token you get from your authenticator app. To login using the cli we use the access_key, the secret_access_key and the session_token.

And we can get the session_token using the command aws sts get-session-token.
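For reference, here is a policy of the shape the explanation above walks through, added as an example: it is not the author's original document (which did not survive in this copy) but is modelled on the MFA self-service example in the AWS IAM documentation. The Sids AllowChangeOwnPasswordsOnFirstLogin and DenyAllExceptListedIfNoMFA are the ones named on the page; the other Sids and the exact action lists are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
      "Resource": "*"
    },
    {
      "Sid": "AllowChangeOwnPasswordsOnFirstLogin",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword", "iam:GetUser"],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice"],
      "Resource": "arn:aws:iam::*:mfa/*"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } }
    }
  ]
}
```

BoolIfExists rather than Bool is what makes the Deny also apply when the aws:MultiFactorAuthPresent key is absent from the request entirely, which is the case for calls signed with long-lived access keys such as the aws ec2 describe-instances attempt above. sts:GetSessionToken is kept in the NotAction list so the explicit Deny does not block aws sts get-session-token before an MFA session exists.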