AWS Developer Tools Blog

Using IAM Users (Access Key Management for .NET Applications – Part 2)

In the previous post about access key management, we covered the different methods to provide AWS access keys to your .NET applications. We also talked about a few best practices, one of which is to use IAM users to access AWS instead of the root access keys of your AWS account. In this post, we’ll see how to create IAM users and set up different options for them, using the AWS SDK for .NET.

The root access keys associated with your AWS account should be safely guarded, as they have full privileges over AWS resources belonging to your account and access to your billing information. Therefore, instead of using the root access keys in applications or providing them to your team/organization, you should create IAM users for individuals or applications. IAM users can make API calls, use the AWS Management Console, and have their access limited by IAM policies. Let’s see the steps involved to start using IAM users.

Create an IAM user

For this example, we are going to use the following policy, which gives access to a specific bucket. You’ll need to replace BUCKET_NAME with the name of the bucket you want to use.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket","s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject","s3:GetObject","s3:DeleteObject"],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    }
  ]
}

In cases where you are creating a policy on the fly or you want a strongly typed mechanism to create policies, you can use the Policy class found in the Amazon.Auth.AccessControlPolicy namespace to construct a policy. For more details, check Creating Access Policies in Code.
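As an added example (not code from the original post), here is the same three-statement bucket policy built with the strongly typed Policy, Statement, ActionIdentifier and Resource classes from Amazon.Auth.AccessControlPolicy, rendered to the JSON document that PutUserPolicy and PutGroupPolicy accept. The class name PolicyBuilder and the bucketName parameter are this example's own; the action names and ARN patterns are the ones from the policy above.

```csharp
// Added example: build the S3 bucket-access policy with the SDK's Policy classes
// instead of a hand-written JSON string. PolicyBuilder is a hypothetical helper name.
using System;
using Amazon.Auth.AccessControlPolicy;

static class PolicyBuilder
{
    public static string BuildS3BucketAccessPolicy(string bucketName)
    {
        var policy = new Policy()
            .WithStatements(
                // Statement 1: list all buckets (needed by bucket browsers and the console).
                new Statement(Statement.StatementEffect.Allow)
                    .WithActions(new ActionIdentifier("s3:ListAllMyBuckets"))
                    .WithResources(new Resource("arn:aws:s3:::*")),
                // Statement 2: bucket-level operations, scoped to this one bucket.
                new Statement(Statement.StatementEffect.Allow)
                    .WithActions(new ActionIdentifier("s3:ListBucket"),
                                 new ActionIdentifier("s3:GetBucketLocation"))
                    .WithResources(new Resource("arn:aws:s3:::" + bucketName)),
                // Statement 3: object-level operations, scoped to objects inside the bucket.
                new Statement(Statement.StatementEffect.Allow)
                    .WithActions(new ActionIdentifier("s3:PutObject"),
                                 new ActionIdentifier("s3:GetObject"),
                                 new ActionIdentifier("s3:DeleteObject"))
                    .WithResources(new Resource("arn:aws:s3:::" + bucketName + "/*")));

        // ToJson() produces the policy document string used as PolicyDocument below.
        return policy.ToJson();
    }
}
```

Usage: `var s3AccessPolicy = PolicyBuilder.BuildS3BucketAccessPolicy("BUCKET_NAME");`. Keeping the bucket and object statements separate, with `arn:aws:s3:::BUCKET_NAME` and `arn:aws:s3:::BUCKET_NAME/*` as distinct resources, is what keeps the user from listing or touching any other bucket.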

using System.IO;
using Amazon;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

var iamClient = new AmazonIdentityManagementServiceClient(ACCESS_KEY, SECRET_KEY, RegionEndpoint.USWest2);

// Name and document of the inline policy: the JSON policy shown above with
// BUCKET_NAME replaced, read here from a file (file name is just an example).
var allowS3BucketAccess = "AllowS3BucketAccess";
var s3AccessPolicy = File.ReadAllText("s3-access-policy.json");

// Create an IAM user
var userName = "Alice";
iamClient.CreateUser(new CreateUserRequest
{
  UserName = userName,
  Path = "/developers/"
});

// Attach the policy to the user as an inline user policy
iamClient.PutUserPolicy(new PutUserPolicyRequest
{
  UserName = userName,
  PolicyName = allowS3BucketAccess,
  PolicyDocument = s3AccessPolicy
});

The Path parameter in the CreateUser call is optional and assigns a path to the user. For the user created above, the Amazon Resource Name (ARN) will be arn:aws:iam::account-number-without-hyphens:user/developers/Alice. Because the path is part of the ARN, it is a simple but powerful mechanism to organize users and to write policies that apply only to a subset of them.
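To show the path being used as an organizing key, the following added example (not from the original post) lists every user created under a path prefix such as /developers/, following the paginated ListUsers API. It assumes an IAmazonIdentityManagementService client like the iamClient created above; the class name UserPaths is this example's own.

```csharp
// Added example: enumerate the users that share a path prefix. UserPaths is a
// hypothetical helper name; iamClient is the client created earlier in the post.
using System.Collections.Generic;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

static class UserPaths
{
    public static List<User> ListUsersUnderPath(IAmazonIdentityManagementService iamClient, string pathPrefix)
    {
        var users = new List<User>();
        var request = new ListUsersRequest { PathPrefix = pathPrefix }; // e.g. "/developers/"
        ListUsersResponse response;
        do
        {
            response = iamClient.ListUsers(request);
            users.AddRange(response.Users);   // each User carries UserName, Path and Arn
            // ListUsers is paginated: pass the returned Marker back while IsTruncated is set.
            request.Marker = response.Marker;
        } while (response.IsTruncated);
        return users;
    }
}
```

The same prefix works in policy resources: a statement whose Resource is arn:aws:iam::account-number-without-hyphens:user/developers/* applies to every user under that path, so a team lead can be allowed to manage only those users without being granted permissions on the rest of the account.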

Use IAM groups

Instead of assigning permissions to an IAM user, we can create an IAM group with the relevant permissions and then add the user to the group. The group’s permissions are then applicable to all users belonging to it. With this approach, we don’t have to manage permissions for each user.

// Create an IAM group
var groupName = "DevGroup";
iamClient.CreateGroup(new CreateGroupRequest
{
  GroupName = groupName
});

// Add a policy to the group
iamClient.PutGroupPolicy(new PutGroupPolicyRequest
{
  GroupName = groupName,
  PolicyName = allowS3BucketAccess,
  PolicyDocument = s3AccessPolicy
});

// Add the user to the group
iamClient.AddUserToGroup(new AddUserToGroupRequest
{
  UserName = userName,
  GroupName = groupName
});

The preceding code creates an IAM group, assigns a policy to it, and then adds a user to the group. If you are wondering how the permissions are evaluated when a group has multiple policies or a user belongs to multiple groups, IAM Policy Evaluation Logic explains this in detail.

Generate access key for an IAM user

To access AWS using the API or command line interface (CLI), the IAM user needs an access key that consists of the access key ID and secret access key.

// Create an access key for the IAM user
AccessKey accessKey = iamClient.CreateAccessKey(new CreateAccessKeyRequest
{
  UserName = userName
}).AccessKey;

The CreateAccessKey method returns an instance of the AccessKey class that contains the access key ID [AccessKey.AccessKeyId] and the secret access key [AccessKey.SecretAccessKey]. You must save the secret key or securely distribute it to the user at this point, because it cannot be retrieved again. If the secret is lost, you can always create a new access key and delete the old one (using the DeleteAccessKey method).
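The replace-if-lost procedure described above, as an added example that is not part of the original post: the old key is confirmed to belong to the user via ListAccessKeys, deleted with DeleteAccessKey, and a fresh key is created. It assumes the iamClient from the earlier code; the helper name AccessKeyAdmin and the lostAccessKeyId parameter are this example's own.

```csharp
// Added example: retire a lost access key and issue a replacement for the same user.
// AccessKeyAdmin is a hypothetical helper name; iamClient is the client created earlier.
using System;
using System.Linq;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

static class AccessKeyAdmin
{
    public static AccessKey ReplaceAccessKey(IAmazonIdentityManagementService iamClient, string userName, string lostAccessKeyId)
    {
        // Confirm the key really belongs to this user before deleting anything.
        var existing = iamClient.ListAccessKeys(new ListAccessKeysRequest { UserName = userName }).AccessKeyMetadata;
        if (!existing.Any(k => k.AccessKeyId == lostAccessKeyId))
            throw new ArgumentException("Access key " + lostAccessKeyId + " does not belong to user " + userName);

        // An IAM user can hold at most two access keys, so remove the lost one first.
        iamClient.DeleteAccessKey(new DeleteAccessKeyRequest
        {
            UserName = userName,
            AccessKeyId = lostAccessKeyId
        });

        // The SecretAccessKey in this response is the only copy you will ever get;
        // deliver it to the user securely (or store it in a credentials profile) now.
        return iamClient.CreateAccessKey(new CreateAccessKeyRequest { UserName = userName }).AccessKey;
    }
}
```

Deleting before creating matters because of the two-key limit per user; when both slots are already in use, CreateAccessKey fails until one key is removed.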

Enable access to the AWS Management Console

IAM users can access the AWS Management Console to administer the resources to which they have permissions. To enable access to the AWS Management Console, you need to create a login profile for the user and then provide them with the URL of your account’s sign-in page.

// Allow the IAM user to access AWS Console
iamClient.CreateLoginProfile(new CreateLoginProfileRequest
{
  UserName = userName,
  Password = "" // Put the user's console password here.
});
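As an added example (not code from the original post), the following helper creates the login profile with a temporary password that the user must change at first sign-in, then derives the account's sign-in URL to hand to them. It assumes the iamClient from earlier, that your SDK version exposes PasswordResetRequired on CreateLoginProfileRequest, and that the temporary password is generated and delivered out of band; ConsoleAccess is this example's own class name.

```csharp
// Added example: enable console access with a forced password reset and return the
// sign-in URL. ConsoleAccess is a hypothetical helper name; iamClient is the client
// created earlier in the post.
using System;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

static class ConsoleAccess
{
    public static string EnableConsoleAccess(IAmazonIdentityManagementService iamClient, string userName, string temporaryPassword)
    {
        iamClient.CreateLoginProfile(new CreateLoginProfileRequest
        {
            UserName = userName,
            Password = temporaryPassword,
            PasswordResetRequired = true   // user must pick a new password on first login
        });

        // A user ARN has the form arn:aws:iam::ACCOUNT_ID:user/PATH/NAME, so the account
        // ID is the fifth colon-separated field. It forms the account's sign-in URL.
        var userArn = iamClient.GetUser(new GetUserRequest { UserName = userName }).User.Arn;
        var accountId = userArn.Split(':')[4];
        return "https://" + accountId + ".signin.aws.amazon.com/console";
    }
}
```

Forcing a reset means the temporary password you transmitted never remains the user's long-term credential, which limits the damage if the hand-off channel was observed.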

In this post we saw how to use IAM users for accessing AWS instead of the root access keys of your AWS account. In the next post in this series, we’ll talk about rotating credentials.