Check out a free preview of the full AWS for Front-End Engineers (ft. S3, Cloudfront & Route 53) course:
The "Creating Another IAM User and Policy" Lesson is part of the full, AWS for Front-End Engineers (ft. S3, Cloudfront & Route 53) course featured in this preview video. Here's what you'd learn in this lesson:

Steve creates another create another IAM user with restricted permissions to keep from sharing administrator credentials with Travis CI.

Get Unlimited Access Now

Transcript from the "Creating Another IAM User and Policy" Lesson

[00:00:00]
>> Steve Kinney: We wanna create a user for Travis, and we want it to have a limited set of functionality that only our CI, CD deployment bot, robot, if you will, should have, right? So we don't wanna use our administrator account, because that's got a lot of power. Also we're using that for administratoring.

[00:00:20] So this is what I was talking about before which is that principle of least access. So what we want to do is create an account that can do exactly what it needs to do and ideally no more. So we're gonna create a user that can do two things right.

[00:00:33] What are the two things that Travis needs to do? It needs to push a new buildup to S3, and it needs to invalidate the CloudFront cache. So we're gonna allow it to write to S3. And we'll go ahead and allow it to invalidate CloudFront caches. Those are the two things that we will let it do, and we will use that user and will set those environment variables there.

[00:00:52] So then Travis will then use that new Travis user that we're creating with it's policies and abilities. And if something happens, it's at least a limited scope of damage. You're still gonna get paged if that key gets loose somehow, but it's definitely not as bad. So we'll start by going into policies.

[00:01:10] Before we attached a policy directly to a user. We're gonna make effectively a custom policy at this point doing the two things that we want Travis to do, write to a particular S3 bucket and invalidate CloudFront caches. So we can go ahead and hit create policy. We start by hitting Choose a service.

[00:01:28] And we'll say S3. We'll say it can write, and then what we're going to say, it can't just write to any bucket. It can only write to the super important website. Or in your case, whatever your bucket name is.
>> Steve Kinney: All right, so we're going for this superimportantwebsite.com bucket, and like I said, since we're generating fingerprinted assets, it will be like you can put whatever ones you want in there, but only this bucket.

[00:02:02] Let's also say add, and we'll say CloudFront. And what this gonna do is you can say Write. We can also get very specific. You can create an invalidation and that's it, right. Cuz maybe this isn't great. [LAUGH] That seems problematic, cool. And, we'll review this policy. We'll name it CIdeploy.

[00:02:32] And, we'll have limited write access to the CloudFront. And it will be able to write to our S3 bucket. Create that policy, all right. Cool and now we need to create a user with that policy. So we'll add a user, we'll call it Travis, we'll give it programmatic access.

[00:02:51] Travis CI does not need to be going to the console and playing with anything. And we'll attach an existing policy directly and we'll find that CIDeploy policy.
>> Steve Kinney: We'll go ahead, we'll review it, we'll create the user, and we will download that CSV. Now, we're going to take a quick break and what we're going to do is we're going to go to the settings.

[00:03:19]
>> Steve Kinney: And I have some values in here from earlier. This is my S3 bucket. This is my CloudFront ID. These are what I need to change with this new user. This is going to be the user, the csv I just downloaded. So we'll wipe these two out. All right, we're gonna make sure that this is set to off, so that we don't see the new keys that we add.

[00:03:41] And I'm just gonna quickly pop in that AWS access ID. And that AWS secret key so that Travis can now use the new Travis user that we just created. All right we're back. I have my new AWS access key and secret access key. Right, you might've just added it for the first time.

[00:03:59] I replace some existing ones. So what I'm gonna do now is I'm going to make a change to the page, and I am going to go ahead and push it up. So if I go back to Visual Studio Code, I did previously change this to a bright green color on top of that kind of like neon pink header that we had before.

[00:04:19] And changed the title. Let's change one additional thing. Let's find something nice and obnoxious. Let's take whatever the active one is. Let's pick a nice new color. Anyone have color preferences? You know this site has a certain aesthetic feel to it.
>> Speaker 2: Salmon.
>> Steve Kinney: Salmon, let's just do it.

[00:04:43] I think that's a CSS, yeah, salmon. There we go. So we'll go ahead and we'll say Moar SALMON and we'll push that up.