AWS for DevOps
Getting Started Guide

Step 1.2: Create IAM Resources

In this step, you will complete the following tasks:

  • Create an IAM group and an IAM user specifically for use with this walkthrough.

  • Attach participating AWS service access permissions to the new group.

  • Add the new user to the new group.

  • Sign in to the AWS Management Console with the new user's credentials.

Why should you create an IAM user? As an AWS security best practice, we do not recommend that you complete the tasks in this walkthrough while signed in as either an AWS root account or an administrative IAM user in the account. Instead, you should complete those tasks while signed in as an individual user associated with an IAM group.

Why should you create an IAM group? Groups are convenient: you can manage access permissions for groups, and you associate IAM users with groups instead of managing access permissions for individual users.

The following procedure uses an AWS CloudFormation template to complete this step's tasks more quickly. (To view the contents of the AWS CloudFormation template, see IAMSetup.template.) To learn how to accomplish these tasks in other ways, such as with the AWS Management Console or the AWS Command Line Interface (AWS CLI), see the following topics in the IAM User Guide:

To create the IAM resources

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.

  2. In the AWS region selector, choose US East (N. Virginia). (This walkthrough uses AWS services and resources in this AWS region.)

  3. Choose Create Stack.

  4. On the Select Template page, for Specify an Amazon S3 template URL, type the URL to the AWS CloudFormation template for this step: https://s3.amazonaws.com/aws-for-devops/cfn-templates/IAMSetup.template. Choose Next.

  5. On the Specify Details page, for Stack name, type a stack name (for example, DevOpsIAMSetup). If you choose a different name, substitute it for DevOpsIAMSetup throughout this walkthrough.

  6. The settings in the Parameters area are used to:

    • Create an IAM group and an IAM user and then add the new user to the new group.

    • Attach to the new group a default set of access permissions for AWS CloudFormation, AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, Elastic Beanstalk, and AWS OpsWorks.

    To accept these default settings, for NewUserPassword, type a password for the new user, and then skip to step 7 of this procedure.

    Alternatively, you can run this template more than once with different settings to create or adjust IAM resources for this walkthrough. For example, you may later want to attach access permissions to a newly created IAM group, or you may not want to attach AWS OpsWorks access permissions to a group (or user) now but change your mind later.

    The following table shows which settings to choose in the Parameters area.

    I want to create an IAM group and IAM user in my AWS account specifically for use with this walkthrough.

    Leave CreateGroupAndUser set to the default value of Yes. For NewUserPassword, type a password for the new user to use to sign in to the AWS Management Console. (The user will be asked to change this password after initial sign-in.)

    Note

    If you have an existing group (or user) you want to use for this walkthrough, set CreateGroupAndUser to No.

    I want to use an existing IAM group in my account for this walkthrough, and I already have at least one IAM user added to the group.

    Set ExistingGroup to Yes. For GroupName, type the name of the group.

    I want to use an existing IAM user in my account for this walkthrough.

    Set ExistingUser to Yes. For UserName, type the name of the user.

    I want to attach AWS CloudFormation administrative access permissions to the IAM groups (or users).

    Leave CloudFormation set to the default value of Yes.

    Note

    Set CloudFormation to No only if the existing group (or user) you want to use for this walkthrough already has AWS CloudFormation administrative access permissions attached. For more information, see Controlling Access with AWS Identity and Access Management in the AWS CloudFormation User Guide.

    I want to attach AWS CodeCommit full access permissions to the IAM groups (or users) I specified earlier.

    Leave CodeCommit set to the default value of Yes.

    Note

    Set CodeCommit to No only if the existing group (or user) you want to use for this walkthrough already has AWS CodeCommit full access permissions attached. For more information, see the AWS CodeCommit User Access Permissions Reference in the AWS CodeCommit User Guide.

    I want to attach AWS CodeDeploy default access permissions to the IAM groups (or users).

    Leave CodeDeploy set to the default value of Yes.

    Note

    Set CodeDeploy to No only if the existing group (or user) you want to use for this walkthrough already has AWS CodeDeploy default access permissions attached, or if you do not want to deploy to AWS CodeDeploy deployment targets. For more information, see Step 1: Provision an IAM User in the AWS CodeDeploy User Guide.

    I want to attach AWS CodePipeline full access permissions to the IAM groups (or users).

    Leave CodePipeline set to the default value of Yes.

    Note

    Set CodePipeline to No only if the existing group (or user) you want to use for this walkthrough already has AWS CodePipeline full access permissions attached. For more information, see the AWS CodePipeline Access Permissions Reference in the AWS CodePipeline User Guide.

    I want to attach Elastic Beanstalk full access permissions to the IAM groups (or users).

    Leave ElasticBeanstalk set to the default value of Yes.

    Note

    Set ElasticBeanstalk to No only if the existing group (or user) you want to use for this walkthrough already has Elastic Beanstalk full access permissions attached, or if you do not want to deploy to Elastic Beanstalk deployment targets. For more information, see Controlling Access to Elastic Beanstalk in the AWS Elastic Beanstalk Developer Guide.

    I want to attach AWS OpsWorks administrative access permissions to the IAM groups (or users).

    Leave OpsWorks set to the default value of Yes.

    Note

    Set OpsWorks to No only if the existing group (or user) you want to use for this walkthrough already has AWS OpsWorks administrative access permissions attached, or if you do not want to deploy to AWS OpsWorks deployment targets. For more information, see Example Policies in the AWS OpsWorks User Guide.

    Note

    This walkthrough attaches very permissive access permissions to groups (or users). In production scenarios, as an AWS security best practice, you should limit these access permissions to only the AWS service actions and resources you need.

  7. Choose Next.

  8. On the Options page, choose Next. (You do not need to change anything on this page.)

  9. On the Review page, select I acknowledge that this template might cause AWS CloudFormation to create IAM resources, and then choose Create.

    Note

    The steps in this walkthrough that instruct you to create AWS CloudFormation templates are very similar. If you forget how to create a template, use this topic as a refresher.

  10. In the list of stacks, wait until CREATE_COMPLETE is displayed under Status for DevOpsIAMSetup.

    If you created a group and user, you can get information about them by choosing the corresponding Physical ID links on the Resources tab for the stack.

  11. Sign out of the console, sign back in with the new or existing user's credentials, and then go to Step 2: AWS CodeCommit Setup.
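The note in step 6 warns that the template attaches very permissive access permissions and that production setups should limit them. The following added example (not the walkthrough's IAMSetup.template, whose contents are not reproduced here) shows a check you can run over a CloudFormation template before creating a stack: it flags managed policies that grant full or administrative access and inline statements that allow wildcard actions or resources. The template in the block is constructed for illustration, and the policy names in it are illustrative.

```python
import json

# Constructed stand-in for an IAM setup template (not the walkthrough's
# IAMSetup.template): one group with managed policies, an inline policy, and a user.
TEMPLATE = json.dumps({"Resources": {
    "DevOpsGroup": {
        "Type": "AWS::IAM::Group",
        "Properties": {
            "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess",
                "arn:aws:iam::aws:policy/AWSCodePipelineFullAccess",
            ],
            "Policies": [{
                "PolicyName": "CfnAdmin",
                "PolicyDocument": {"Statement": [
                    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
                    {"Effect": "Allow", "Action": ["s3:GetObject"],
                     "Resource": "arn:aws:s3:::example-bucket/*"},
                ]},
            }],
        },
    },
    "DevOpsUser": {"Type": "AWS::IAM::User",
                   "Properties": {"Groups": [{"Ref": "DevOpsGroup"}]}},
}})

def as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def broad_permissions(template_json):
    """Return (resource, policy, detail) findings for full/admin managed policies
    and for Allow statements whose action or resource is a wildcard."""
    findings = []
    for name, res in json.loads(template_json)["Resources"].items():
        if not res["Type"].startswith("AWS::IAM::"):
            continue
        props = res.get("Properties", {})
        for arn in props.get("ManagedPolicyArns", []):
            if arn.endswith(("FullAccess", "AdministratorAccess")):
                findings.append((name, "managed", arn))
        for pol in props.get("Policies", []):
            for stmt in pol["PolicyDocument"]["Statement"]:
                actions = as_list(stmt.get("Action", []))
                resources = as_list(stmt.get("Resource", []))
                wild = any(a == "*" or a.endswith(":*") for a in actions)
                if stmt.get("Effect") == "Allow" and (wild or "*" in resources):
                    findings.append((name, pol["PolicyName"], actions))
    return findings
```

Run it against your own template before step 9; each finding is a permission to narrow to the specific actions and resources the walkthrough needs.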