
AWS Basics - Setup

Rajiv Seelam

As soon as you sign up for a new AWS account, there are a few best practices that you might otherwise learn much later. We cover them in this article so that you can use AWS efficiently from Day 1. Learn about creating your first user, setting up your command line, and organizations.

Create your first user

One of the best practices is to safely tuck away the root credentials and create a user.

The email address you used to sign up is called the "root" user. Unless there is some crucial operation that even an administrator can't perform, you won't need to log in as root. That's why the next immediate step is to create a user with administrator access.

  • Search for "IAM" from the top and go to IAM
  • Go to "Users"
    • Click "Add an User"
      • Give any username (Ex: admin)
    • Select both "programmatic" access and "console" access
    • Select "Attach existing policies" and select "Administrator Access" policy
    • Continue to the final screen and click "Create User"

Takeaway 1 - Note down the following things in a secure place:

  • URL to Login
  • Username and Autogenerated Password
  • Access key ID and Secret access key

We will get to the above concepts in the very next articles.

Setup your command line

Before we delve into the world of AWS, let's make sure our system is fit and ready for development.

Do you have AWS CLI installed?

AWS CLI is a command-line tool that lets you access AWS resources with commands; it will help you immensely with programmatic access.

  • AWS CLI (check: aws --version)
    • If you don't have aws installed, Go Here

Is AWS Configured?

We copied the access key and secret key in the steps above; now we need to use them.

  • Run aws configure. It will take you through a few steps; provide the access and secret keys where prompted.
  • To test whether our installation is working, let's list the users with the command:
    • aws iam list-users --output table
    • It should show list of users.

If the above command worked, you have successfully configured your AWS account.

We can configure multiple AWS Accounts too (Optional step)

  • Run: aws configure --profile <profile_name>
  • Export it using: export AWS_PROFILE=<profile_name>

Where are AWS credentials stored in my system? (Optional Knowledge)

  • Go to your home directory: cd ~
  • Go to aws directory: cd .aws
  • You should see two files: config and credentials
  • If you check contents of these files, they both should have [default] configured.
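
The credentials file holds the secret access key in plain text, so it is worth checking who can read it and which profiles carry long-lived keys. The script below is an added example, not part of the original article; the function names and sample values are constructed, and it runs against a scratch copy rather than your real ~/.aws/credentials.

```shell
#!/bin/sh
# Added example: audit an AWS CLI credentials file (sample data is constructed).

# list_profiles FILE: print every [section] name
list_profiles() {
    sed -n 's/^\[\([^]]*\)].*/\1/p' "$1"
}

# long_lived_profiles FILE: profiles holding an access key with no session
# token, i.e. static keys that stay valid until someone rotates or deletes them
long_lived_profiles() {
    awk '
        function emit() { if (name != "" && key && !token) print name }
        /^\[/ { emit(); name = $0; sub(/^\[/, "", name); sub(/\].*$/, "", name)
                key = 0; token = 0; next }
        /^[ \t]*aws_access_key_id[ \t]*=/ { key = 1 }
        /^[ \t]*aws_session_token[ \t]*=/ { token = 1 }
        END { emit() }
    ' "$1"
}

# is_private FILE: succeed only when group and others have no permissions
# (GNU stat first, BSD/macOS stat as fallback)
is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Constructed sample standing in for ~/.aws/credentials
sample=$(mktemp)
cat > "$sample" <<'EOF'
[default]
aws_access_key_id = CONSTRUCTED_KEY_ID_1
aws_secret_access_key = CONSTRUCTED_SECRET_1
[company_dev]
aws_access_key_id = CONSTRUCTED_KEY_ID_2
aws_secret_access_key = CONSTRUCTED_SECRET_2
[temp_session]
aws_access_key_id = CONSTRUCTED_KEY_ID_3
aws_secret_access_key = CONSTRUCTED_SECRET_3
aws_session_token = CONSTRUCTED_TOKEN
EOF
chmod 644 "$sample"   # deliberately too open, to trigger the warning
echo "profiles:    $(list_profiles "$sample" | tr '\n' ' ')"
echo "static keys: $(long_lived_profiles "$sample" | tr '\n' ' ')"
is_private "$sample" || echo "WARNING: readable by other users, run chmod 600"
rm -f "$sample"
```

To audit your own setup, call the three functions on ~/.aws/credentials instead of the scratch file.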

Organizations

Before you proceed, sign out of the AWS account and log back in as the user you created. In the Takeaway 1 section you noted the URL, username and password; log in with those.

You have created an AWS account and configured the AWS CLI to work on your development machine. Though you can get around AWS without learning about Organizations, sooner or later you end up realizing that the resources in your account are not segregated properly.

Imagine you are going to host an application's backend and frontend in AWS. That would mean you have Staging, Production and maybe Dev environments too. Using multiple AWS accounts to manage these environments has a lot of advantages. That's where the concept of an Organization comes in.

The official guide here: https://aws.amazon.com/organizations/getting-started/ can help you get more understanding.

Let's assume we want to create an AWS Account for Dev

  • Go to "Organization" from top right navigation
  • Create an Organization
  • To create a new AWS account you need a unique email address. I usually use Gmail for email addresses, so, assuming I signed up with myaws@gmail.com, I just append +something to get a new email address. In this case we will go with myaws+dev@gmail.com as the unique email address.
  • Click on "Add an AWS Account" and select "Create an AWS account"
  • Submit the form and your account is created

Takeaway 2:

  • Note down the Account ID which is newly created

Troubleshooting:

If AWS complains that you cannot create an AWS account because of a limit, you need to write to AWS Support to increase the limit.

How do we access this account?

This is going to be a bit tricky. Here we end up using the AWS concept of a "Role". At this point you are logged in as the admin user you created. You stay logged in with the same account, but "switch role" to the "OrganizationAccountAccessRole", which is created along with the new account.

To re-iterate:

  • You are logged in with "admin" user
  • You created another AWS account which has a role OrganizationAccountAccessRole
  • You would need to "switch" to that role to access it.

You can "Switch Role" from Top right navigation:

  • Account: The account id from Takeaway 2
  • Role: OrganizationAccountAccessRole
  • Display Name: Anything which helps you recognize the account (Ex: Company-Dev)

Once you submit this form, you will be sent to a brand new account. I would suggest you again go to "IAM" and follow "Create your first user" for this new account as well. This way you can access your new account via the CLI too.

This time, when you add another profile to your command line, you can use aws configure --profile <name> to add the Secret Key. If you don't want to export AWS_PROFILE, you can simply prepend it to every command. Example:

  • aws configure --profile company_dev
  • AWS_PROFILE=company_dev aws iam list-users --output table
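
An alternative to storing a second access key for the new account, shown as an added example that is not part of the original article: a CLI profile that assumes OrganizationAccountAccessRole using the admin user's existing keys. role_arn and source_profile are standard AWS CLI config settings; the account ID 123456789012 and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: CLI profile that assumes OrganizationAccountAccessRole
# instead of storing a second long-lived access key.

ROLE_NAME="OrganizationAccountAccessRole"   # role name from the article

# role_arn ACCOUNT_ID: build the role ARN, rejecting anything but 12 digits
role_arn() {
    case "$1" in
        ""|*[!0-9]*) echo "account id must be 12 digits" >&2; return 1 ;;
    esac
    [ "${#1}" -eq 12 ] || { echo "account id must be 12 digits" >&2; return 1; }
    printf 'arn:aws:iam::%s:role/%s\n' "$1" "$ROLE_NAME"
}

# add_role_profile CONFIG PROFILE ACCOUNT_ID [SOURCE_PROFILE]
# Appends a role-based profile to CONFIG; returns 2 if the profile exists.
add_role_profile() {
    config=$1
    profile=$2
    src=${4:-default}
    arn=$(role_arn "$3") || return 1
    if [ -f "$config" ] && grep -qF "[profile $profile]" "$config"; then
        echo "profile $profile already exists in $config" >&2
        return 2
    fi
    printf '\n[profile %s]\nrole_arn = %s\nsource_profile = %s\n' \
        "$profile" "$arn" "$src" >> "$config"
}

# Demo on a scratch file (constructed account ID, not a real account).
demo=$(mktemp)
add_role_profile "$demo" company_dev 123456789012 default
cat "$demo"
rm -f "$demo"

# Against the real file, using the account ID from Takeaway 2:
#   add_role_profile ~/.aws/config company_dev <account_id>
# Then confirm which identity the profile resolves to:
#   aws sts get-caller-identity --profile company_dev
```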