Team setup for AWS Cloud9

This topic explains how to use AWS IAM Identity Center to enable multiple users within a single AWS account to use AWS Cloud9. To set up to use AWS Cloud9 for any other usage pattern, see Setting up AWS Cloud9 for the correct instructions.

These instructions assume that you have or will have administrative access to a single AWS account. For more information, see The AWS account root user and Creating your first administrator and group in the IAM User Guide. If you already have an AWS account but you don't have administrative access to the account, see your AWS account administrator.

Warning

To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as AWS IAM Identity Center.

Note

You can use IAM Identity Center instead of IAM to enable multiple users within a single AWS account to use AWS Cloud9. In this usage pattern, the single AWS account serves as the management account for an organization in AWS Organizations. Moreover, that organization has no member accounts. To use IAM Identity Center, skip this topic and follow the instructions in Enterprise Setup instead. For related information, see the following resources:

• What is AWS Organizations in the AWS Organizations User Guide (IAM Identity Center requires the use of AWS Organizations)

• What is AWS IAM Identity Center in the AWS IAM Identity Center User Guide

• The 4-minute video AWS Knowledge Center Videos: How do I get started with AWS Organizations on YouTube

• The 7-minute video Manage user access to multiple AWS accounts using IAM Identity Center on YouTube

• The 9-minute video How to set up IAM Identity Center for your on-premise Active Directory users on YouTube

To enable multiple users in a single AWS account to start using AWS Cloud9, start steps that are for the AWS resources you have.

Do you have an AWS account?	Do you have at least one IAM group and user in that account?	Start with this step
No	—	Step 1: Sign up for an AWS account
Yes	No	Step 2: Create an IAM group and user, and add the user to the group
Yes	Yes	Step 3: Add AWS Cloud9 access permissions to the group

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account

1. Open https://portal.aws.amazon.com/billing/signup.

2. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to an administrative user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create an administrative user

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user

1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.

2. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create an administrative user

1. Enable IAM Identity Center.

   For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

2. In IAM Identity Center, grant administrative access to an administrative user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.

Sign in as the administrative user

• To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Step 2: Create an IAM group and user, and add the user to the group

In this step, you create a group and a user in AWS Identity and Access Management (IAM), add the user to the group, and then use the user to access AWS Cloud9. This is an AWS security best practice. For more information, see IAM Best Practices in the IAM User Guide.

If you already have all of the IAM groups and users that you need, skip ahead to Step 3: Add AWS Cloud9 access permissions to the group.

Note

Your organization might already have an IAM group and user set up for you. If your organization has an AWS account administrator, check with that person before starting the following procedures.

You can complete these tasks using the AWS Management Console or the AWS Command Line Interface (AWS CLI).

To watch a 9-minute video related to the following console procedures, see How do I set up an IAM user and sign in to the AWS Management Console using IAM credentials on YouTube.

Step 2.1: Create an IAM group with the console

1. Sign in to the AWS Management Console, if you aren't already signed in, at https://console.aws.amazon.com/codecommit.

   Note

   You can sign in to the AWS Management Console with the email address and password that was provided when the AWS account was created. This is called signing in as root user). However, this isn't an AWS security best practice. In the future, we recommend you sign in using credentials for an administrator user in the AWS account. An administrator user has similar AWS access permissions to an AWS account root user and avoids some of the associated security risks. If you cannot sign in as an administrator user, check with your AWS account administrator. For more information, see Creating your first IAM user and group in the IAM User Guide.

2. Open the IAM console. To do this, in the AWS navigation bar, choose Services. Then choose IAM.

3. In the IAM console's navigation pane, choose Groups.

4. Choose Create New Group.

5. On the Set Group Name page, for Group Name, enter a name for the new group.

6. Choose Next Step.

7. On the Attach Policy page, choose Next Step without attaching any policies. You will attach a policy in Step 3: Add AWS Cloud9 access permissions to the group.

8. Choose Create Group.

   Note

   We recommend that you repeat this procedure to create at least two groups: one group for AWS Cloud9 users, and another group for AWS Cloud9 administrators. This AWS security best practice can help you better control, track, and troubleshoot issues with AWS resource access.

Skip ahead to Step 2.2: Create an IAM user and add the user to the group with the console.

Step 2.1: Create an IAM group with the AWS CLI

Note

If you're using AWS managed temporary credentials, you can't use a terminal session in the AWS Cloud9 IDE to run some or all of the commands in this section. To address AWS security best practices, AWS managed temporary credentials don’t allow some commands to be run. Instead, you can run those commands from a separate installation of the AWS Command Line Interface (AWS CLI).

1. Install and configure the AWS CLI on your computer, if you haven't done so already. To do this, see the following in the AWS Command Line Interface User Guide:

   • Installing the AWS Command Line Interface

   • Quick configuration

   Note

   You can configure the AWS CLI using the credentials that are associated with the email address and password that was provided when the AWS account was created. This is called signing in as root user. However, this isn't an AWS security best practice. Instead, we recommend you configure the AWS CLI using credentials for an IAM administrator user in the AWS account. An IAM administrator user has similar AWS access permissions to an AWS account root user and avoids some of the associated security risks. If you cannot configure the AWS CLI as an IAM administrator user, check with your AWS account administrator. For more information, see Creating your first IAM admin user and group in the IAM User Guide.

2. Run the IAM create-group command, specifying the new group's name (for example, MyCloud9Group).

   aws iam create-group --group-name MyCloud9Group

   Note

   We recommend that you repeat this procedure to create at least two groups: one group for AWS Cloud9 users, and another group for AWS Cloud9 administrators. This AWS security best practice can help you better control, track, and troubleshoot issues with AWS resource access.

Skip ahead to Step 2.2: Create an IAM user and add the user to the group with the AWS CLI.

Step 2.2: Create an IAM user and add the user to the group with the console

1. With the IAM console open from the previous procedure, in the navigation pane, choose Users.

2. Choose Add user.

3. For User name, enter a name for the new user.

   Note

   You can create multiple users at the same time by choosing Add another user. The other settings in this procedure apply to each of these new users.

4. Select the Programmatic access and AWS Management Console access check boxes. This allows the new user to use various AWS developer tools and service consoles.

5. Leave the default choice of Autogenerated password. This creates a random password for the new user to sign in to the console. Or, choose Custom password and enter a specific password for the new user.

6. Leave the default choice of Require password reset. This prompts the new user to change their password after they sign in to the console for the first time.

7. Choose Next: Permissions.

8. Leave the default choice of Add user to group (or Add users to group for multiple users).

9. In the list of groups, select the check box (not the name) next to the group you want to add the user to.

10. Choose Next: Review.

11. Choose Create user. Or, Create users for multiple users.

12. On the last page of the wizard, do one of the following:

    • Next to each new user, choose Send email, and follow the on-screen directions to email the new user their console sign-in URL and user name. Then, communicate to each new user their console sign-in password, AWS access key ID, and AWS secret access key separately.

    • Choose Download .csv. Then, communicate to each new user their console sign-in URL, console sign-in password, AWS access key ID, and AWS secret access key that's in the downloaded file.

    • Next to each new user, choose Show for both Secret access key and Password. Then communicate to each new user their console sign-in URL, console sign-in password, AWS access key ID, and AWS secret access key.

    Note

    If you don't choose Download .csv, this is the only time you can view the new user's AWS secret access key and console sign-in password. To generate a new AWS secret access key or console sign-in password for the new user, see the following in the IAM User Guide.

    • Creating, modifying, and viewing access keys (console)

    • Creating, changing, or deleting an IAM user password (console)

13. Repeat this procedure for each additional IAM user that you want to create, and then skip ahead to Step 3: Add AWS Cloud9 access permissions to the group.

Step 2.2: Create an IAM user and add the user to the group with the AWS CLI

Note

If you're using AWS managed temporary credentials, you can't use a terminal session in the AWS Cloud9 IDE to run some or all of the commands in this section. To address AWS security best practices, AWS managed temporary credentials don’t allow some commands to be run. Instead, you can run those commands from a separate installation of the AWS Command Line Interface (AWS CLI).

1. Run the IAM create-user command to create the user, specifying the new user's name (for example, MyCloud9User).

   aws iam create-user --user-name MyCloud9User

2. Run the IAM create-login-profile command to create a new console sign-in password for the user, specifying the user's name and initial sign-in password (for example, MyC10ud9Us3r!). After the user signs in, AWS asks the user to change their sign-in password.

   aws iam create-login-profile --user-name MyCloud9User --password MyC10ud9Us3r! --password-reset-required

   If you need to generate a replacement console signin password for the user later, see Creating, changing, or deleting an IAM user password (API, CLI, PowerShell) in the IAM User Guide.

3. Run the IAM create-access-key command to create a new AWS access key and corresponding AWS secret access key for the user.

   aws iam create-access-key --user-name MyCloud9User

   Make a note of the AccessKeyId and SecretAccessKey values that are displayed. After you run the IAM create-access-key command, this is the only time you can view the user's AWS secret access key. If you need to generate a new AWS secret access key for the user later, see Creating, modifying, and viewing access keys (API, CLI, PowerShell) in the IAM User Guide.

4. Run the IAM add-user-to-group command to add the user to the group, specifying the group's and user's names.

   aws iam add-user-to-group --group-name MyCloud9Group --user-name MyCloud9User

5. Communicate to the user their console sign-in URL, initial console sign-in password, AWS access key ID, and AWS secret access key.

6. Repeat this procedure for each additional IAM user that you want to create.

Step 3: Add AWS Cloud9 access permissions to the group

By default, most IAM groups and users don't have access to any AWS services, including AWS Cloud9, (an exception is IAM administrator groups and IAM administrator users, which have access to all AWS services in their AWS account by default). In this step, you use IAM to add AWS Cloud9 access permissions directly to an IAM group that one or more users belong to. This way, you can ensure that those users can access AWS Cloud9.

Note

Your organization might already have a group set up for you with the appropriate access permissions. If your organization has an AWS account administrator, check with that person before starting the following procedure.

You can complete this task using the AWS Management Console or the AWS CLI.

Add AWS Cloud9 access permissions to the group with the console

1. Sign in to the AWS Management Console, if you aren't already signed in, at https://console.aws.amazon.com/codecommit.

   Note

   You can sign in to the AWS Management Console with the email address and password that was provided when the AWS account was created. This is called signing in as root user. However, this isn't an AWS security best practice. In the future, we recommend you sign in using credentials for an IAM administrator user in the AWS account. An administrator user has similar AWS access permissions to an AWS account root user and avoids some of the associated security risks. If you cannot sign in as an administrator user, check with your AWS account administrator. For more information, see Creating your first IAM admin user and group in the IAM User Guide.

2. Open the IAM console. To do this, in the AWS navigation bar, choose Services. Then, choose IAM.

3. Choose Groups.

4. Choose the group's name.

5. Decide whether you want to add AWS Cloud9 user or AWS Cloud9 administrator access permissions to the group. These permissions apply to each user in the group.

   AWS Cloud9 user access permissions allow each user in the group to do the following things within their AWS account:

   • Create their own AWS Cloud9 development environments.

   • Get information about their own environments.

   • Change the settings for their own environments.

   AWS Cloud9 administrator access permissions allow each user in the group to do additional things within their AWS account:

   • Create environments for themselves or others.

   • Get information about environments for themselves or others.

   • Delete environments for themselves or others.

   • Change the settings of environments for themselves or others.

   Note

   We recommend that you add only a limited number of users to the AWS Cloud9 administrators group. This AWS security best practice can help you better control, track, and troubleshoot issues with AWS resource access.

6. On the Permissions tab, for Managed Policies, choose Attach Policy.

7. In the list of policy names, choose the box next to AWSCloud9User for AWS Cloud9 user access permissions or AWSCloud9Administrator for AWS Cloud9 administrator access permissions. If you don't see either of these policy names in the list, enter the policy name in the Filter box to display it.

8. Choose Attach Policy.

   Note

   If you have more than one group you want to add AWS Cloud9 access permissions to, repeat this procedure for each of those groups.

To see the list of access permissions that these AWS managed policies give to a group, see AWS managed (predefined) policies.

To learn about AWS access permissions that you can add to a group in addition to access permissions that are required by AWS Cloud9, see Managed policies and inline policies and Understanding permissions granted by a policy in the IAM User Guide.

Skip ahead to Step 4: Sign in to the AWS Cloud9 console.

Add AWS Cloud9 access permissions to the group with the AWS CLI

Note

If you're using AWS managed temporary credentials, you can't use a terminal session in the AWS Cloud9 IDE to run some or all of the commands in this section. To address AWS security best practices, AWS managed temporary credentials don’t allow some commands to be run. Instead, you can run those commands from a separate installation of the AWS Command Line Interface (AWS CLI).

1. Install and configure the AWS CLI on your computer, if you haven't done so already. To do this, see the following in the AWS Command Line Interface User Guide:

   • Installing the AWS Command Line Interface

   • Quick Configuration

   Note

   You can configure the AWS CLI using the credentials that are associated with the email address and password that was provided when the AWS account was created. This is called signing in as root user. However, this isn't an AWS security best practice. Instead, we recommend you configure the AWS CLI using credentials for an IAM administrator user in the AWS account. An IAM administrator user has similar AWS access permissions to an AWS account root user and avoids some of the associated security risks. If you cannot configure the AWS CLI as an administrator user, check with your AWS account administrator. For more information, see Creating Your First IAM Admin User and Group in the IAM User Guide.

2. Decide whether to add AWS Cloud9 user or AWS Cloud9 administrator access permissions to the group. These permissions apply to each user in the group.

   AWS Cloud9 user access permissions allow each user in the group to do the following things within their AWS account:

   • Create their own AWS Cloud9 development environments.

   • Get information about their own environments.

   • Change the settings for their own environments.

   AWS Cloud9 administrator access permissions allow each user in the group to do additional things within their AWS account:

   • Create environments for themselves or others.

   • Get information about environments for themselves or others.

   • Delete environments for themselves or others.

   • Change the settings of environments for themselves or others.

   Note

   We recommend that you add only a limited number of users to the AWS Cloud9 administrators group. This AWS security best practice can help you better control, track, and troubleshoot issues with AWS resource access.

3. Run the IAM attach-group-policy command, specifying the group's name and the Amazon Resource Name (ARN) for the AWS Cloud9 access permissions policy to add.

   For AWS Cloud9 user access permissions, specify the following ARN.

   aws iam attach-group-policy --group-name MyCloud9Group --policy-arn arn:aws:iam::aws:policy/AWSCloud9User

   For AWS Cloud9 administrator access permissions, specify the following ARN.

   aws iam attach-group-policy --group-name MyCloud9Group --policy-arn arn:aws:iam::aws:policy/AWSCloud9Administrator

   Note

   If you have more than one group you want to add AWS Cloud9 access permissions to, repeat this procedure for each of those groups.

To see the list of access permissions that these AWS managed policies give to a group, see AWS Managed (Predefined) Policies.

To learn about AWS access permissions that you can add to a group in addition to access permissions that are required by AWS Cloud9, see Managed Policies and Inline Policies and Understanding Permissions Granted by a Policy in the IAM User Guide.

Step 4: Sign in to the AWS Cloud9 console

After you complete the previous steps in this topic, you and your users are ready to sign in to the AWS Cloud9 console.

1. If you are already signed in to the AWS Management Console as an AWS account root user, sign out of the console.

2. Open the AWS Cloud9 console, at https://console.aws.amazon.com/cloud9/.

3. Enter the AWS account number for the IAM user you created or identified earlier, and then choose Next.

   Note

   If you don't see an option for entering the AWS account number, choose Sign in to a different account. Enter the AWS account number on the next page, and then choose Next.

4. Enter the sign-in credentials of the IAM user you created or identified earlier, and then choose Sign In.

5. If prompted, follow the on-screen directions to change your user's initial sign-in password. Save your new sign-in password in a secure location.

The AWS Cloud9 console is displayed, and you can begin using AWS Cloud9.

Next steps

Task	See this topic
Restrict AWS Cloud9 usage for others in your AWS account, to control costs.	Additional setup options
Create an AWS Cloud9 development environment, and then use the AWS Cloud9 IDE to work with code in your new environment.	Creating an environment
Learn how to use the AWS Cloud9 IDE.	Getting started: basic tutorials and Working with the IDE
Invite others to use your new environment along with you in real time and with text chat support.	Working with shared environments