Video 10 How To Create A Non-Admin User Account In IAM
In a previous video we created an Admin level user account in IAM. In this video we will create a Non-Admin level user account. In this demo, the user account is created for a vendor that will have restricted access to just one bucket.
Running time is 5:54
Lesson Ten Read
In previous lessons, we’ve looked at creating additional user access, specifically admin level access, in case we have employees or anyone for that matter, that requires admin level access to certain parts of our AWS account, as well as connecting that admin level access to the third party tool called Cloudberry S3 Explorer. In this video we’re going to create an account for an imaginary vendor that we’ve hired to do something in only one of our buckets, like for example download all the videos in that bucket, rebrand those videos and then upload them back into that bucket or whatever, optimize the images, whatever. The point is we do not want this particular imaginary vendor, who we’ll call Jane, poking around in any other bucket except the one that we want them in. Then in the next video we’re going to connect Jane’s access to another third party tool called Cyberduck.
Cyberduck is similar to Cloudberry S3 Explorer in that it allows the management of files by acting as kind of like a bridge or FTP client between the S3 account and the computer. Basically it’s an FTP account on steroids. Not only does it connect your computer with your web server but also other cloud-based services like Amazon S3. But the kicker here though is that unlike Cloudberry S3 Explorer, Cyberduck works perfectly with Macintosh as well as Windows, but that’s in the next video.
For now, let’s go ahead and log in to our AWS console and right over here about the middle of the page click on the IAM icon. I want to go and create that user access. Then come over here to users and then click on the blue button at the top that says ‘create new users’ and we’re going to give this user a name, as I mentioned, the name Jane. Let’s go ahead and type in here JANE or whatever name you want and again in this example it’s for a vendor. It could be for a co-worker, a family member or even a customer or a client who, as part of the product that they purchased from you, also has access to the bucket that their purchased items are in, or whatever the case.
Anyway, we want to make sure this box here is checked so that we can generate the access key because that’s what we’re going to be using to connect Jane to Cyberduck and click on create and then click on download credentials. I’m going to go ahead and click on okay and then name this one Jane just so that I can keep it separate from all the other credentials that I’ve downloaded or should have downloaded. And then click on close.
Now select Jane and then scroll down into the permission section and click on attach user policy. To my knowledge, what we’re going to be doing is not available in any of the policy templates, so we would go into the policy generator. However, along with this particular video I’m also going to be including a copy and paste document of the policy that I’ll be creating here. All you’d have to do then is click on custom policy, click on select, give it a policy name, just make sure that there are no spaces or funky characters, just use dashes or underscores to separate the words, like in this example it would be Jane-limit-access or something like that, and then just paste that policy in here and I’ll show you here in a second what you have to edit.
Let’s go ahead and click on cancel, come on back here and go into policy generator. Click on select. Make sure that allow is selected and under AWS services we want S3, so scroll on down to S3. Under actions we want list all buckets.
We’re going to do two of these by the way, but this one here is going to say ‘list all my buckets’. Click outside of the box. The ARN has to be entered in a certain format and I’ve got it in a text document here that I’m just going to copy and paste in this little box here, but that format is arn:aws:s3::: followed by a * to allow access to everything within S3 (arn:aws:s3:::*). Then click on add statement and we’re going to do another one: again in the dropdown here scroll on down to S3 and under actions this time we want to select all actions, click outside the box, and in this instance we want to name the bucket itself, but we still have to use this same ARN format.
Then we want to put in the bucket name and that’s just going to get Jane access to the bucket, which isn’t going to do a whole lot of good for us because we want her to have access to the objects within that bucket as well, so put a comma and we want to copy all this and paste it in there again, only this time with the forward slash and the *, granting access to everything within that bucket thusly, then click on add statement, then click on next step and there it is.
This is very similar to the policy that I’m including in the copy and paste, but all you’d have to do is, like I said, enter the name up here and it can be whatever you want, just describing that particular policy, in this case I would even put Jane-bucket-limitedaccess or something like that. Just make sure that you don’t have any spaces and if you do mess something up in this box, you’ll get the error message off to the side here telling you what needs to be fixed, so not a big deal, but down here what you’ll need to change is that in the copy and paste document I’m going to give you, it’s going to say bucket name right here and bucket name right here.
Just replace that with your actual bucket name and then click on apply policy after you’ve made the edits and that’s it. If at any time in the future you need to make another edit to that, you can just come in here and click on manage policy or if you want to get rid of it and start from scratch, click on remove policy.
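The two-statement policy the generator builds above, written out as an added example (this is not the course’s copy and paste document) together with a small check that every statement other than the bucket listing stays pinned to the one bucket; BUCKET_NAME is a placeholder you replace with your real bucket name.

```python
import json
import re

# Placeholder: replace with the actual bucket name (the "bucket name" spots in the video).
BUCKET_NAME = "your-bucket-name"

# An S3 ARN pinned to one bucket: arn:aws:s3:::bucket or arn:aws:s3:::bucket/anything
ARN_RE = re.compile(r"^arn:aws:s3:::([^/*]+)(/.*)?$")


def limited_bucket_policy(bucket_name: str) -> dict:
    """Statement 1: list bucket names account-wide. Statement 2: all S3 actions on one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListAllMyBuckets",
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "arn:aws:s3:::*",
            },
            {
                "Sid": "AllActionsOnOneBucket",
                "Effect": "Allow",
                "Action": "s3:*",
                # The bare bucket ARN only covers the bucket; the /* form covers the objects in it.
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}",
                    f"arn:aws:s3:::{bucket_name}/*",
                ],
            },
        ],
    }


def buckets_touched(policy: dict) -> set:
    """Bucket names granted by every Allow statement except ListAllMyBuckets.

    Any resource not pinned to a single bucket is reported as '*', which flags a
    policy that accidentally opens every bucket in the account."""
    names = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") == "s3:ListAllMyBuckets":
            continue
        resources = stmt["Resource"]
        for arn in [resources] if isinstance(resources, str) else resources:
            match = ARN_RE.match(arn)
            names.add(match.group(1) if match else "*")
    return names


if __name__ == "__main__":
    policy = limited_bucket_policy(BUCKET_NAME)
    print(json.dumps(policy, indent=2))  # paste this into the custom policy box
    assert buckets_touched(policy) == {BUCKET_NAME}
```

Note that s3:* on the bucket ARN also permits bucket-level changes such as s3:DeleteBucket and s3:PutBucketPolicy; if the vendor only needs to download and upload files, listing s3:ListBucket, s3:GetObject, s3:PutObject and s3:DeleteObject instead keeps the grant to the objects themselves.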
That’s how you can create an additional user with limited access to just one particular bucket that you spell out in that user policy. That’s going to bring us to the end of this video. Thanks for watching and you have a great day.