Transcript from the "Creating an IAM User" Lesson
>> Steve Kinney: The next one that we care about is creating individual IAM users. This is what we talked about before. We've secured our root account, but we also need to do step two of not using it. So, we'll go ahead and, we can click Manage users. I'll give you a hint, it's the same as clicking that link up there, whichever one personally makes you feel better, go for it.
[00:00:21] And I get this new page. And I have no IAM users, which again makes sense, cuz it's a brand new account. So we go to Add user. And the hardest part, obviously, is naming things. So we need to give this user some kind of name. I'm gonna call it Administrator.
[00:00:41] Seems good. And so here we have Programmatic access, which is API access. And AWS Management Console access. So we're gonna give this user both. If it was something like when we set up Travis CI later, well, that Travis CI user should never be logging into the console and changing stuff.
[00:00:57] So we might uncheck that box in that case. I'll give you a hint. We will uncheck that box in that case. But for this account, this is gonna be kind of like a daily driver, this'll be the account that we use, so we'll keep that. Autogenerated password or custom password.
[00:01:12] Autogenerated password is useful if you're creating the account for somebody else. But I can do an autogenerated password and then require a password reset, and you know what I'm gonna do? The same thing as if I had just typed in whatever password I want right here.
>> Steve Kinney: Cool, so we're in the process of creating a user, but what can this user do?
[00:01:37] So we'll go ahead and we'll say, Attach existing policies directly. We're gonna talk a little bit more about groups, and roles, and policies, as we go along. They're basically three different ways to do stuff, right? You can have a policy which is what is whatever allowed to do.
[00:01:52] And you can apply it to a group, and you can put users in the group. You can have role and apply that role to the user. It's kind of like a many to many situation. We're not gonna worry about that just yet, cuz like I said, when you're doing a large scale like, hey, 400 people are all gonna use the same Amazon resources, that's when you need to get really granular.
[00:02:10] Especially for compliance reasons, like I shouldn't be able to deploy the mail pipeline at work. That would be bad. So you kinda limit people to what they should be able to do. We're gonna go ahead and Attach existing policies directly to this user. And the one I care about is AdministratorAccess.
[00:02:28] And so you can actually see all the stuff it does. And a giant JSON file, if you want. This is pretty much everything. We'll talk about actions and resources in a little bit. What this one will not have access to, is billing, out of the box. The AdministratorAccess does not have that.
[00:02:44] But you can see, otherwise, it is allowed to about a 144 services. Yeah, that number keeps growing too, it's really stressful. Cool, so now we have a permission summary. We've got this user, and we'll go ahead and we will create it. All right, this page is important. This is your Access key, right, which is kind of like your username.
[00:03:10] And this is your Secret access key, which is kinda like your password. You might think that this is useful. It just tells them that they have an account that was created. It doesn't actually send that information to their email. So go ahead and click it, but it's not gonna be that much fun.
[00:03:28] What's important is, I'm not gonna click this, cuz that's not good. But once you leave this page, you will never see this again. You can make a new Secret access key, so it's not like you're locked out of the account. But you can't, and this is just for APIs, you can still log in with that password you made in the previous page.
[00:03:47] But for any API integration, if you lose this key, you can reset it but you can never see it again. There's a caveat, which is if you hit this download CSV button, you will download a CSV that has both the Access key and the Secret key. So, I recommend downloading that CSV no matter what, because otherwise you will not remember this.
[00:04:13] You will paste it in the first time we use it, and then it'll be gone forever. And you will have to create another one, which is a rite of passage. Everyone has to do that at some point. I had to do it several times yesterday. But I'm telling you right now.
[00:04:24] Download that CSV, you will be happier. Cool, and then we can hit close. And I can see my fresh new Administrator user. So I'm gonna go back to the Dashboard here. And you can say, all right, I've got this Create individual IAM users. I'm not probably gonna do these two right now.
[00:04:44] I'll eventually have made a group. But a password policy for what people need to set their password for right now. I'm the only user and I trust me. But you can set that up as an exercise for the reader. One thing I want to change is, this is the sign in link for all of, effectively have that one root account.
[00:05:03] And it's like an organization. This one's called FEM Live. And so if people want to log in to our company, our new company that we just started right now, that console, they need to go to this lovely URL. My recommendation is you hit this Customize button, and give it a better name, cool.
[00:05:29] So with that, we're now able to go ahead and we have an account, we have an Administrator account, we have a nice URL. One more thing that we want to do, is if we go back to our users, and we click Administrator. I'm gonna leave this to you during a quick break.
[00:05:49] But we're also gonna set up two-factor auth on that Administrator user. Cuz the Administrator user has almost all the powers of the root user. You probably want to secure it the same way. So I'll let you all do that for a second. And then when we meet back, we will log out of our root account, and that is the last we're gonna touch our root account for the day.
[00:06:07] And then we're going to get settled into our Administrator account and we'll begin getting started. So I basically set up some multi-factor authentication on my Administrator account, so that that is secure as well. And go back to the Dashboard, and this is my last moments inside my root account, and that's the last we're gonna touch it.
[00:06:30] And that is how it should be. I'm gonna grab this link real quick. Think I could actually hit this Copy button. And then I will go and I will sign out.
>> Steve Kinney: And then I will go, and I will sign in.
>> Steve Kinney: I'll actually paste that link in there so I get the one that I'm looking for.
[00:06:52] You see this one is a little bit different. It's not their root account. IAM username, we'll say Administrator.
>> Steve Kinney: And in we go, you don't need to remember this. And I'll quickly put in my multi-factor authentication code.
>> Steve Kinney: It's tedious, but it's secure.
>> Steve Kinney: I have to change my password, apparently.
>> Speaker 2: Yeah, you left it checked.
>> Steve Kinney: I left it checked.
>> Speaker 2: Talked about unchecking, but.
>> Steve Kinney: I talked about unchecking it, then I didn't? That's great.
>> Steve Kinney: Is that gonna be one of those annotations? [LAUGH] Steve forgot to hit this check box.
>> Speaker 2: Yeah.
>> Steve Kinney: He will pay for it later.
[00:07:45] [LAUGH] Cool, and I'm back in, and now I am in under my Administrator account, cool. And this is gonna be the account that we predominantly use the console in. We've made the root account, we secured it, we made this Administrator account and now we're not gonna touch the root account anymore.
[00:08:02] This is effectively, think of this as your actual, main account at this point. So, so far we have set up accounts which is really riveting and exciting. I know everyone is on the edge of their seat. We're gonna talk a little bit about where we're gonna put our client-side assets.
[00:08:21] We're gonna put them in S3, so we'll talk a little bit about S3. Then we're gonna change gears for a second and register a domain name, which will be totally optional, but that takes a little bit of time. And then once that happens, and there's a reason we're doing it before we set up the S3 bucket, which is they have to have the same name, but we'll get to that in a second.
[00:08:37] We'll go ahead and then start deploying a very simple version of our application. And we'll take that real React application that we have and deploy it from the command line.