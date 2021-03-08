- [Instructor] Hello everyone. In this video, we are going to create the IAM role for our employee directory application and we will also look at how to create users, and look at the different AWS access keys, which are used for programmatic access to AWS APIs. So to start off, let's create the role for our application by selecting Roles in the left-hand navigation of the IAM dashboard, and then we will click Create role. On this page we need to select what the trusted entity type is to assume this role. We know that roles allow you to get access to temporary credentials that are used to make calls to AWS API calls. You wanna make sure that you're restricting who can assume this role. Not anyone can assume this role, right? So under the Trusted entity type we have the AWS service. An AWS service, that would be something like an EC2 instance, a Lambda function, other services that are assuming a role to make AWS API calls. You could have an AWS account, this would allow you to allow cross-account access to permissions for resources in your account. You also could select a web identity, which would allow for federated users to assume a role. You have a SAML 2.0 federation, so if you have a corporate directory that is on premises that would be using SAML, you could use this as your trusted entity type or you could create a Custom Trusts policy. We are going to select AWS service for this and then we are going to select EC2, since our employee directory application will be running on EC2. Next, we can select the Next button and then we're brought to the page to Add permissions. This lists out the different permissions policies that are in IAM, and right now it's pulling back the AWS managed policies that exist in this account by default. And what a managed policy is, is it is a policy that is created and managed by AWS, and so what I mean by that is, let's go ahead and look at the a policy for S3. so if I type in S3 in the search bar and then hit Enter, I'm going to expand this Amazon S3 full access policy and we can see the JSON, which is the permissions for this policy. We can see we have the effect is Allow, that's either gonna be Allow or Deny. There's no other option besides Allow or Deny, and then there's the action, which is going to define what AWS API calls are allowed to be made. So we can see that we have S3:* and S3-object-lambda:*. That's a wild card to determine all API calls are allowed against this service, and then we also have the resource here, which is also set to *. So this would be all S3 resources. This is a very permissive policy. In the real world, you would likely want to change this to allow just the API calls that your application needs, nothing more, and just the resources that you intend to have this policy be related to. So to do that, you would have to create a custom policy. So if I scroll up, you could click on this Custom policy button, which would take you to a new page where you could then create your custom policy. For now, we're going to use the AWSs managed policies and I'm gonna select the checkbox for AmazonS3FullAccess. And then I'm also going to type in DynamoDB, and exit out of the S3 filter, and then select the AmazonDynamoDBFullAccess policy here as well. Because later in the course, we are going to be using DynamoDB as the database for this application. So to prepare the role, I've selected both the S3FullAccess and DynamoDBFullAccess. Now we'll click Next. Then we can give this a name. I'm gonna name this EmployeeWebApp, and then I'm going to scroll down. We can view the trusted entities here, so this is our trust policy. We're allowing the API call STS AssumeRole, and who's allowed to assume this role? ec2.amazonaws.com. So an EC2 instance is going to be allowed to assume this role only. All right, so now I can scroll down and then click Create role. Once your role is created, you can then click on the role, which will bring you to the page where you can see the information about this role, such as the ARN, the Amazon Resource Name, and you can also scroll down, you can view the permissions attached, you could add new permissions if you want to. You can simulate the permissions, you can view the trust relationships, you can also view any tags associated with this, which are key value pairs. So, this is where you can get all of the information about your role and then where you can manage your role. So, next what I wanna do is create a user. So I'm gonna click on users in the left-hand navigation, then I'm going to click Add users, and let's give this user a name. Let's say it's EC2Admin, and then I want to click the checkbox for Enabling console access. So what that means is I want to allow this user to be able to sign in to the AWS management console. So note, by default, this was unchecked, meaning that just because you create a user doesn't mean they have access to the console. I'm gonna go ahead and check this, and then I'm gonna allow an auto-generated password to be created, and then I want to leave the checkbox checked for users to create a password at the next sign-in. So this will allow them to change their password once they log in for the first time. Now we'll click Next, and next what I want to do, is I'm going to add the users to a group. We currently don't have any groups, so I'm gonna go ahead and click Create group, and then what I wanna do is add a group name. Let's say this is EC2Admins, and then I want to attach a policy to this group, because we know that it's a best practice to attach policies to groups, not to users directly. So I'm gonna select the AmazonEC2FullAccess policy, and then I'm gonna scroll down and click Create user group, and now I can select this user group to add this user into, and then I can click next, and then we can scroll down. We can see the permissions that this one user currently has. It will be inheriting the permissions from the EC2Admins group, and then it also has directly attached to it the IAMUserChangePassword permission, which will allow these user to change their password. So now we can click Create user, and now we can go ahead and click Return to users list. We didn't download the password for this, that's fine. I don't intend to actually use this user. It's just for demonstration purposes, so we'll click Continue, and now if I click on this user, what I wanna do next is click on the Security Credentials tab, and if we scroll down, you can see that we have this panel here called Access keys. Access keys are going to allow your users to make programmatic calls to AWS using things like the AWS command line, the AWS software development kits, where maybe they're developing locally on their laptop, and they need their code to be able to reach out to AWS, so I'm gonna go ahead and create an access key here, and then I wanna use this for the command line, and then I'm gonna go ahead and click the checkbox for "I understand the above recommendation." What this is saying is it's saying, "Hey, there's another service in the browser that you could use to use the AWS CLI called AWS CloudShell." We're gonna go ahead and create the access keys anyways. I'm gonna select this checkbox and then click Next, and then I'm gonna click Next again, and click the Create access key. All right, so here you can see, we have our access key here, and then we have our secret access key, which is not being shown currently on this page, but you could click show and then copy it, and you would use this access key and secret access key to be able to configure your command line locally. Now I'll click Done and then click Continue. So now for a little bit of cleanup, I'm gonna select Actions and then I'm gonna click Deactivate and then Deactivate, and then I will click Actions and then Delete, and then we can copy and paste the access key ID here, and then click Delete. All right, that's it for this video. Hopefully you know a little bit more about roles and users.