added 2021-12-04-aws-iam-setup-user-via-cli

networkandcode · networkandcode · commit eb487c701830 · 2021-12-05T11:02:00.000Z
diff --git a/_posts/aws/2021-12-05-aws-iam-create-user-via-cli.md b/_posts/aws/2021-12-05-aws-iam-create-user-via-cli.md
@@ -0,0 +1,185 @@
+---
+title: aws iam > create user via cli
+categories: aws
+---
+
+Hey all, :wave: we shall see the following in this post: :scroll:
+- Create a group
+- Attach a policy :writing_hand: to the group
+- Create user
+- Add the user to the group
+- Generate access key for the user
+
+## AWS CLI
+Ensure you have installed the [aws cli](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). Once installed, set up the credentials and configuration similar to the ones below.
+
+Credentials.
+```
+$ cat ~/.aws/credentials 
+[default]
+aws_access_key_id=<aws_access_key_id>
+aws_secret_access_key=<aws_secret_access_key>
+```
+
+Configuration.
+```
+$ cat ~/.aws/config 
+[default]
+region = us-east-2
+```
+
+## Create group
+Let's create a group with the name developers-group.
+```
+$ aws iam create-group --group-name developers-group
+{
+    "Group": {
+        "Path": "/", 
+        "CreateDate": "2021-12-05T09:40:24Z", 
+        "GroupId": "<GroupId>", 
+        "Arn": "arn:aws:iam::<AccountId>:group/developers-group", 
+        "GroupName": "developers-group"
+    }
+}
+```
+
+## List polices
+There are several built in policies in AWS, that avoids the need of creating custom polcies in most cases, let's try to retrieve policies associated with EC2. Note that I have used [jq](https://stedolan.github.io/jq/download/) for parsing JSON.
+
+```
+$ aws iam list-policies | jq '.Policies[] | select(.PolicyName | contains ("EC2")) | .Arn'                                                                              
+"arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
+"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeploy"
+"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
+"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+"arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"
+"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
+"arn:aws:iam::aws:policy/aws-service-role/AWSEC2SpotFleetServiceRolePolicy"
+"arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetAutoscaleRole"
+"arn:aws:iam::aws:policy/CloudWatchActionsEC2Access"
+"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
+"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole"
+"arn:aws:iam::aws:policy/aws-service-role/AWSAutoScalingPlansEC2AutoScalingPolicy"
+"arn:aws:iam::aws:policy/aws-service-role/AWSEC2SpotServiceRolePolicy"
+"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforDataPipelineRole"
+"arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole"
+"arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForEC2ScheduledInstances"
+"arn:aws:iam::aws:policy/aws-service-role/AWSEC2FleetServiceRolePolicy"
+"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+"arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingEC2SpotFleetRequestPolicy"
+"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"
+"arn:aws:iam::aws:policy/AWSElasticBeanstalkCustomPlatformforEC2Role"
+"arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds"
+"arn:aws:iam::aws:policy/AmazonEC2RolePolicyForLaunchWizard"
+"arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder"
+"arn:aws:iam::aws:policy/aws-service-role/AWSEC2CapacityReservationFleetRolePolicy"
+"arn:aws:iam::aws:policy/aws-service-role/EC2FleetTimeShiftableServiceRolePolicy"
+"arn:aws:iam::aws:policy/AWSOpsWorksRegisterCLI_EC2"
+"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeployLimited"
+"arn:aws:iam::aws:policy/AWSApplicationMigrationEC2Access"
+"arn:aws:iam::aws:policy/EC2InstanceConnect"
+```
+
+Now let's try to find policies related to S3. :bucket:
+```
+$ aws iam list-policies | jq '.Policies[] | select(.PolicyName | contains ("S3")) | .Arn'
+"arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role"
+"arn:aws:iam::aws:policy/AmazonS3FullAccess"
+"arn:aws:iam::aws:policy/service-role/QuickSightAccessForS3StorageManagementAnalyticsReadOnly"
+"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+"arn:aws:iam::aws:policy/AmazonS3OutpostsFullAccess"
+"arn:aws:iam::aws:policy/aws-service-role/S3StorageLensServiceRolePolicy"
+"arn:aws:iam::aws:policy/aws-service-role/IVSRecordToS3"
+"arn:aws:iam::aws:policy/service-role/AmazonS3ObjectLambdaExecutionRolePolicy"
+"arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess"
+```
+
+## Attach policy
+Attach a relevant EC2 policy to the group.
+```
+$ aws iam attach-group-policy --group-name developers-group --policy-arn "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
+```
+
+Now let's add a second policy to the group, this time related to S3.
+```
+$ aws iam attach-group-policy --group-name developers-group --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+```
+
+So, the group now has read only access to EC2 and full access to S3.
+
+## Create user
+Create a user with the name developer1.
+```
+$ aws iam create-user --user-name developer1
+{
+    "User": {
+        "Path": "/",
+        "UserName": "developer1",
+        "UserId": "<UserId>",
+        "Arn": "arn:aws:iam::<AccountId>:user/developer1",
+        "CreateDate": "2021-12-05T10:02:02+00:00"
+    }
+}
+```
+
+## Add user
+Add the developer1 user to developers-group, so that the user inherits the policies attached to the group.
+```
+$ aws iam add-user-to-group --group-name developers-group --user-name developer1 
+```
+
+Nice they are asking for group name and user name here, unlike ARNs in cases where the names are not unique.
+
+## Access key
+Generate access key for the user, and share it with the user, so that they can setup the credentials for AWS CLI, just like you did.
+```
+$ aws iam create-access-key --user-name developer1
+{
+    "AccessKey": {
+        "UserName": "developer1",
+        "AccessKeyId": "<AccessKeyId>",
+        "Status": "Active",
+        "SecretAccessKey": "<SecretAccessKey>",
+        "CreateDate": "2021-12-05T10:14:20+00:00"
+    }
+}
+```
+
+## Verify
+List the groups, the user belongs to.
+```
+$ aws iam list-groups-for-user --user-name developer1  
+{
+    "Groups": [
+        {
+            "Path": "/",
+            "GroupName": "developers-group",
+            "GroupId": "<GroupId>",
+            "Arn": "arn:aws:iam::<AccountId>:group/developers-group",
+            "CreateDate": "2021-12-05T09:40:24+00:00"
+        }
+    ]
+}
+```
+
+List the polices, the group is attached to.
+```
+{
+    "AttachedPolicies": [
+        {
+            "PolicyName": "AmazonS3FullAccess",
+            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+        },
+        {
+            "PolicyName": "AmazonEC2ReadOnlyAccess",
+            "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
+        }
+    ]
+}
+```
+
+This way you can create different groups as required, attach relevant policies to the group, and add appropriate users to each group. And finally don't forget to generate the access key for each user, and share it with them, with out which they will not be able to login via the AWS CLI. Thank you !!! :thumbsup:
+
+--end-of-post--
diff --git a/_posts/kubernetes/2021-11-29-kubernetes-prerequisites-for-kubeadm-cluster-in-aws.md b/_posts/kubernetes/2021-11-29-kubernetes-prerequisites-for-kubeadm-cluster-in-aws.md
@@ -1,9 +1,9 @@
 ---
 categories: kubernetes
-title: kubernetes set prerequisites for kubeadm based cluster in aws with cli
+title: kubernetes > prerequisites for kubeadm cluster in aws
 ---
 
-[kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/) is one of the popular tools used for bootstrapping kubernetes, here we would be setting up the [prerequisites][prerequisites](https://theithollow.com/2020/01/13/deploy-kubernetes-on-aws/) on AWS that are essential before launching the cluster.
+[kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/) is one of the popular tools used for bootstrapping kubernetes, here we would be setting up the [prerequisites](https://theithollow.com/2020/01/13/deploy-kubernetes-on-aws/) on AWS that are essential before launching the cluster.
 
 This is a continuation to this [blog](https://networkandcode.github.io/aws/ec2/2021/11/14/aws-ec2-launch-instances-the-hard-way-with-cli.html) where we have launched the instances via CLI, if you followed that, you should have a file k8s-node-ips.txt with the list of instance IPs.
 
@@ -27,7 +27,7 @@ ip-10-0-0-6
 ip-10-0-0-4
 ```
 
-And the check the private DNS.
+And then check the private DNS.
 ```
 $ for ip in $ips; do ssh -i ~/.ssh/kubeadmKeyPair.pem ubuntu@$ip "curl http://169.254.169.254/latest/meta-data/local-hostname --silent; echo"; done                                                          
 ip-10-0-0-9.us-east-2.compute.internal
@@ -38,17 +38,18 @@ Note that the AWS region in this blog is different from the one in the instances
 
 Ok, so we need to set the hostname to match with the private dns, so that the region and compute.internal domain get appended to the hostname.
 ```
-$ for ip in $ips; do ssh -i ~/.ssh/kubeadmKeyPair.pem ubuntu@$ip "sudo hostnamectl set-hostname $(curl http://169.254.169.254/latest/meta-data/local-hostname --silent)"; done
+$ for ip in $ips; do ssh -i ~/.ssh/kubeadmKeyPair.pem ubuntu@$ip "curl http://169.254.169.254/latest/meta-data/local-hostname --silent | xargs sudo hostnamectl set-hostname"; done
 ```
 
 Let's verify.
 ```
-$ for ip in $ips; do ssh -i ~/.ssh/kubeadmKeyPair.pem ubuntu@$ip hostname; done                                                                        ip-172-31-13-141.us-east-2.compute.internal
-ip-172-31-13-141.us-east-2.compute.internal
-ip-172-31-13-141.us-east-2.compute.internal
+$ for ip in $ips; do ssh -i ~/.ssh/kubeadmKeyPair.pem ubuntu@$ip hostname; done
+ip-10-0-0-9.us-east-2.compute.internal
+ip-10-0-0-6.us-east-2.compute.internal
+ip-10-0-0-4.us-east-2.compute.internal
 ```
 
-So hostname is now as expected, note that you could also enable DNS hostname at the VPC level.
+So hostname is now as expected, note that you could also enable DNS hostnames at the VPC level.
 ```
 $ aws ec2 modify-vpc-attribute --vpc-id $KUBEADM_VPC_ID --enable-dns-hostname
 ```
@@ -229,7 +230,7 @@ $ aws iam add-role-to-instance-profile --role-name k8s-worker-nodes-role --insta
 ```
 
 ## Tags
-We have to add [tags](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-tags.html) to the AWS resources with the format owned: kubernetes.io/cluster/<cluster-name>: owned, if we keep kubernetes as the cluster name also, then it would be kubernetes.io/cluster/kubernetes: owned.
+We have to add [tags](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-tags.html) to the AWS resources with the format kubernetes.io/cluster/<cluster-name>: owned, if we keep kubernetes as the cluster name also, then it would be kubernetes.io/cluster/kubernetes: owned.
 
 Add tags to VPC, Subnet, Internet gateway and Route table.
 ```
diff --git a/_posts/kubernetes/2021-12-04-kubernetes-bootstrap-cluster-with-kubeadm.md b/_posts/kubernetes/2021-12-04-kubernetes-bootstrap-cluster-with-kubeadm.md
