Create users and roles - AWS SDK for .NET

Create users and roles

As a result of creating an AWS account, you have (at least) two user accounts:

  • Your root user account, which was created for you and has full access to everything.

  • An AWS IAM Identity Center (successor to AWS Single Sign-On) user that has been assigned a permission set with AdministratorAccess permissions. This user and permission set have full access to almost everything.

Neither of these user accounts is appropriate for doing .NET development on AWS or for running .NET applications on AWS. As such, you need to create users, permission sets, and service roles that are appropriate for these tasks.

The specific users, permission sets, and service roles that you create, and the way in which you use them, will depend on the requirements of your applications. The following are some of the simplest types and some information about why they might be used and how to create them.

Users and permission sets

Although you can use an IAM user account with long-term credentials (an access key ID and secret access key) to access AWS services through your application, this isn't a best practice and is only appropriate in certain circumstances: long-term keys never expire on their own, must be rotated by hand, and are easily leaked through source control, build logs, or a developer's machine. Even during development, it is a best practice to create users and permission sets in IAM Identity Center and to sign in through it to obtain temporary credentials, which expire automatically and are never stored in your code.

For development, you can use the user that you have already created for administrative access, but provide a different permission set with least privilege. Alternatively, you can create new users specifically for development, providing a similar permission set with least privilege. The course of action you choose will depend on your circumstances.

For more information about these users and permissions sets and how to create them, see Authentication and access in the AWS SDKs and Tools Reference Guide and Getting started in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.
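The following is an added example (it is not code from the AWS documentation or the SDK) showing how a .NET application picks up the temporary credentials of an IAM Identity Center profile and how to verify which identity it is actually running as before doing any work. It assumes a profile named dev exists in the shared AWS config file (created, for example, with aws configure sso and refreshed with aws sso login --profile dev), and it needs the AWSSDK.Core and AWSSDK.SecurityToken NuGet packages. The profile name, client name, and Region are assumptions for the example.

```csharp
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// Added example (not from the AWS documentation): load credentials from an
// IAM Identity Center profile and verify the identity the SDK will use.
public static class WhoAmI
{
    // Assumed profile name; replace with the profile you created in ~/.aws/config.
    private const string ProfileName = "dev";

    public static async Task Main()
    {
        // The shared config and credentials files are searched for the profile.
        var chain = new CredentialProfileStoreChain();
        if (!chain.TryGetAWSCredentials(ProfileName, out AWSCredentials credentials))
        {
            Console.Error.WriteLine($"Profile '{ProfileName}' not found; run `aws configure sso` first.");
            return;
        }

        // An SSO profile yields SSOAWSCredentials: short-lived credentials obtained
        // from the IAM Identity Center sign-in, never a long-term access key.
        if (credentials is SSOAWSCredentials sso)
        {
            // Let the SDK start a new sign-in if the cached token has expired.
            sso.Options.ClientName = "dotnet-dev-whoami"; // assumed client name
            sso.Options.SsoVerificationCallback = args =>
            {
                Console.WriteLine($"Open {args.VerificationUriComplete} to authorize this session.");
            };
        }
        else
        {
            Console.WriteLine("Warning: this profile does not use IAM Identity Center; check it for long-term keys.");
        }

        // STS GetCallerIdentity works with any valid credentials and needs no extra permissions.
        using var sts = new AmazonSecurityTokenServiceClient(credentials, RegionEndpoint.USEast1);
        GetCallerIdentityResponse id = await sts.GetCallerIdentityAsync(new GetCallerIdentityRequest());
        Console.WriteLine($"Account: {id.Account}");
        Console.WriteLine($"ARN:     {id.Arn}");

        // Under an Identity Center permission set the ARN is an assumed role, e.g.
        // arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_<PermissionSet>_<hash>/<user>.
        // A root ARN or an IAM user ARN means the app is not using the least-privilege
        // identity described above.
        if (id.Arn.EndsWith(":root") || id.Arn.Contains(":user/"))
            Console.WriteLine("Not running under a permission set; fix the profile before continuing.");
    }
}
```

The check at the end is the one worth keeping in a development tool: the SDK's credential chain also reads environment variables and the default profile, so a stray AWS_ACCESS_KEY_ID on the machine can silently override the Identity Center profile you meant to use.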

Service roles

You can set up an AWS service role that an AWS service assumes in order to call other AWS services on behalf of your application. This type of access is appropriate when the application runs on AWS rather than on a developer's machine; for example, when multiple people run your application remotely on an Amazon EC2 instance that you have created for this purpose. The instance obtains short-lived credentials for the role through its instance profile, and the AWS SDK for .NET picks them up automatically, so no access keys need to be placed on the instance or in the application.

The process for creating a service role varies depending on the situation, but is essentially the following.

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Roles, and then choose Create role.

  3. Choose AWS service, select the service that will assume the role (for example, EC2), and then choose its use case (for example, EC2).

  4. Choose Next: Permissions, and select the appropriate policies for the AWS services that your application will use.

    Warning

    Do NOT choose the AdministratorAccess policy because that policy enables read and write permissions to almost everything in your account. Every process on the instance, including a compromised one, inherits the role's permissions, so grant only the actions and resources the application needs.

  5. Choose Next: Tags and enter any tags you want.

    You can find information about tags in Control access using AWS resource tags in the IAM User Guide.

  6. Choose Next: Review and provide a Role name and Role description. Then choose Create role.

You can find high-level information about IAM roles in Identities (users, groups, and roles) in the IAM User Guide. Find detailed information about roles in that guide's IAM roles topic.
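The same procedure can be carried out with the AWS SDK for .NET instead of the console, which is useful when roles are created as part of a repeatable deployment. The following is an added example (not code from the AWS documentation or the SDK) that performs steps 3 through 6 above with the AWSSDK.IdentityManagement package. The role name, tag, and the choice of AmazonS3ReadOnlyAccess as the scoped permissions policy are assumptions for illustration; the trust policy and the AWS managed policy ARNs are standard.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

// Added example (not from the AWS documentation): create an EC2 service role
// with a least-privilege policy, matching the console steps in this topic.
public static class CreateEc2ServiceRole
{
    // Step 3: the trust policy. Only the EC2 service may assume this role.
    private const string Ec2TrustPolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [{
    ""Effect"": ""Allow"",
    ""Principal"": { ""Service"": ""ec2.amazonaws.com"" },
    ""Action"": ""sts:AssumeRole""
  }]
}";

    // Step 4: the permissions the application actually needs.
    // The S3 read-only choice is an assumption for this example.
    private static readonly string[] PermissionPolicyArns =
    {
        "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    };

    // Guard for the warning in step 4: never attach a full-access policy to a service role.
    private static readonly HashSet<string> ForbiddenPolicyArns = new HashSet<string>
    {
        "arn:aws:iam::aws:policy/AdministratorAccess",
        "arn:aws:iam::aws:policy/PowerUserAccess",
    };

    public static async Task Main()
    {
        const string roleName = "MyDotnetAppEc2Role"; // assumed name

        var forbidden = PermissionPolicyArns.Where(ForbiddenPolicyArns.Contains).ToList();
        if (forbidden.Count > 0)
            throw new InvalidOperationException("Refusing to attach broad policy: " + string.Join(", ", forbidden));

        // Credentials come from the SDK's default chain (for example an IAM Identity
        // Center profile whose permission set allows iam:CreateRole), not from keys in code.
        using var iam = new AmazonIdentityManagementServiceClient();

        // Steps 3, 5 and 6: create the role with its trust policy, tags, and description.
        var created = await iam.CreateRoleAsync(new CreateRoleRequest
        {
            RoleName = roleName,
            Description = "Least-privilege role for the .NET app running on EC2",
            AssumeRolePolicyDocument = Ec2TrustPolicy,
            Tags = new List<Tag> { new Tag { Key = "app", Value = "my-dotnet-app" } },
        });
        Console.WriteLine($"Created role {created.Role.Arn}");

        // Step 4: attach the scoped permissions policies.
        foreach (var arn in PermissionPolicyArns)
        {
            await iam.AttachRolePolicyAsync(new AttachRolePolicyRequest
            {
                RoleName = roleName,
                PolicyArn = arn,
            });
        }

        // The console creates an instance profile automatically for the EC2 use case;
        // in code it must be created and the role added to it before an instance can use it.
        await iam.CreateInstanceProfileAsync(new CreateInstanceProfileRequest { InstanceProfileName = roleName });
        await iam.AddRoleToInstanceProfileAsync(new AddRoleToInstanceProfileRequest
        {
            InstanceProfileName = roleName,
            RoleName = roleName,
        });
        Console.WriteLine($"Instance profile {roleName} ready; attach it when launching the EC2 instance.");
    }
}
```

Two points to note when adapting this: the trust policy, not the permissions policy, is what decides who can assume the role, so keep its Principal limited to the one service that needs it; and the identity running this program needs iam:PassRole and the IAM write actions used here, which is another reason to run it under an administrative permission set rather than from the application's own role.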