The Best Way To Access Your AWS Accounts
Adam ElmoreAdam ElmoreI don't want to make you feel bad, but if you still have AWS credentials living on your development machine, it's time to move to IAM Identity Center. It was actually time like five years ago. It's really time now. The good news is it's super simple. To get started, find Identity Center in the console.
And click enable. Now this is a brand new AWS account. If your account also doesn't belong to an AWS organization you've got to create one first. It'll create it for you, which I'm gonna do right here, And then it'll enable Identity Center. Step one is your identity source.
By default, it's just going to be Identity Center as an identity source. That's a lot of words, a lot of identities. Ultimately, if you have a third-party IDP that you do single sign-on within your organization, like Google or Microsoft, even Okta, then you can use that as your identity source and authenticate against that and then get access into your AWS accounts through Identity Center. For our purposes, we're going to stick with the default. And it's just going to create users here within Identity Center.
And on that note, the next thing I need to do is create a user. I'm going to go and create one for myself. You do the same. I'm not going to show this part because my email address. All right, my user's created.
I've got my one-time password here and the access portal URL, which I'm going to open. And this is where we'll log in to Identity Center to access our AWS accounts. All right, so I logged in, it had me set a new password and it showed it on the screen, so I had to cut that part out. It's a lot of cutting. But you can see here I've landed on the page and I don't have any applications because we haven't set up access for this user.
Now that we have a user, let's go into AWS accounts. And this is gonna show you a top-down view of your whole organization. In this case, I've just got a single account in this organization. And once again, there's something visible on the screen that I can't show my email address. So we're going to have to block that out.
I'm going to select this account and go Assign Users or Groups. And in this case, it's a user, which is me. Next, we need to create a permission set. Permission sets are like the role that you're going to assign to the user to give it specific access into your AWS accounts. I'm going to create a permission set here.
There are some predefined permission sets defined by AWS, and I'm just going to choose the system administrator. I'm going to leave the permission set name as the default system administrator. I am going to extend the session duration because it's really annoying to keep logging in every hour. And then after we've created the permission set we can actually assign that to our users. I'm going to refresh here.
And we're going to give the user Adam system administrator access into the only account within this organization. And it's going to configure. And it's done. So now if I refresh this page, should have access into that account. And we do.
So now we can see Adam's account is available to this user in Identity Center. And we can log in with system administrator permissions. Now, if you had multiple permission sets assigned, they'd be listed here, and you can choose which you'd like to use. And this just gives us a link to jump into the console as that user in that account. Super convenient, especially if you have a big list of accounts.
But what's more powerful here for our case, as a developer, we want to make sure we don't have long-lived credentials sitting on our machine that are ready to be leaked to the world. Instead, we want to have short-term credentials vended from Identity Center so that we can perform operations within our AWS account from our development machine. So we're going to configure our CLI to use Identity Center to fetch those short-term credentials. And to do that, I'm going to do AWS configure SSO. And this is assuming you have the AWS CLI already installed.
And if you're following along this far, you probably do, because you have the long-term credentials and you don't want to have those anymore. That was the whole point of this video. Okay, session name I'm just gonna say is default. The start URL is this right here. The region, in my case, is US East 1.
I'm going to leave the registration scopes as default. And then it's going to try and log in through the browser. It's going to open this URL here. I have to confirm that the codes match, which I always do. And then it's going to ask me if I want to allow it to access this account.
I do. Using the role system administrator, it's going to the default region. That's fine. Output format, I'm just going to say JSON. And then the profile name, I'm going to name it system admin, just because that name looks bad.
Okay. So now I have a profile called SystemAdmin. So now I could do like AWS STS, let's do this, AWS STS getCallerIdentity. It's just going to give me the credentials that are used in this session. And the profile is going to be system admin.
And there you go. That's the account number. This is my system administrator permission set that we assigned, the role that's created for that. And now I have access into my AWS account from my development machine, but I don't have any credentials living on my machine. When I try to perform an AWS operation, if the session has expired, it's just going to open a browser tab and make me authenticate again.
There you go. You just improved your security by a whole lot. Thank you.
Adam ElmoreTo access your AWS accounts more securely, use IAM Identity Center instead of storing AWS credentials on your development machine. Start by enabling Identity Center in your AWS account, creating a user, and setting up an Identity source. For better integration, link Identity Center with third-party IDPs like Google or Microsoft if available.
After creating a user, assign them to an AWS account and select appropriate permission sets. Finally, configure your CLI to use Identity Center for short-term credentials, ensuring you authenticate through the browser for each session.