Automating user creation with AWS Identity and Access Management (IAM) resources
Automatically Provisioning AWS User Accounts
Introduction
In this article, I will demonstrate a simple automated user group and user account creation process to help you avoid the repetitive manual tasks in provisioning AWS accounts.
Note: AWS-specific account information will be redacted in all images and sample outputs. If you follow the steps in this article and change any object or file names, please ensure you modify the commands given herein with the names you used.
Use Case
Let’s assume you need to migrate 100+ users. Each user must have Multi-factor Authentication (MFA) enabled, and each user must be assigned to a specific user group so that they hold only the minimal privileges their role requires. Since we are not federating user accounts, we must also give the users the ability to change their own passwords.
Solution Architecture
MFA Policy
Our MFA policy must:
- Allow the logged-in user to view their own user profile.
- Allow the user to list MFA devices.
- Allow the user to manage their own MFA device.
- Deny access to all other services until MFA has been set up.
Download the policy JSON file here.
Important note: By scoping the Resource in the policy to the caller's own username, a user can only create an MFA device whose name matches their username. Example:
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
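As an added example (not the article's downloadable policy file, which is not reproduced here), the shell snippet below writes an enforce_mfapolicy.json that implements the four rules above, following the pattern AWS documents for letting IAM users manage their own MFA device, and then checks the two details that matter most before you upload it. The statement IDs, the function names, and the inclusion of iam:ChangePassword and iam:GetAccountPasswordPolicy in the no-MFA exemption list (assumed to be needed so a user can complete the forced first-login password change before enrolling MFA) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's policy file: write and sanity-check an
# MFA-enforcement policy document for `aws iam create-policy`.
set -eu

# The heredoc delimiter is quoted ('EOF') so the shell does not try to expand
# ${aws:username}: it is an IAM policy variable resolved by IAM per request,
# and an unquoted heredoc would fail with "bad substitution".
write_mfa_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewOwnUserProfile",
      "Effect": "Allow",
      "Action": "iam:GetUser",
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowListMFADevices",
      "Effect": "Allow",
      "Action": ["iam:ListMFADevices", "iam:ListVirtualMFADevices"],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::*:mfa/${aws:username}",
        "arn:aws:iam::*:user/${aws:username}"
      ]
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "iam:ChangePassword",
        "iam:GetAccountPasswordPolicy",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
EOF
}

# Checks worth running before uploading:
#  1. the MFA resource is scoped to ${aws:username}, never mfa/*, so a user can
#     only create or enable a device under their own name;
#  2. the Deny uses BoolIfExists: with plain Bool, a request that carries no
#     aws:MultiFactorAuthPresent key at all (e.g. one signed with a long-term
#     access key) would not match the Deny and would bypass the enforcement.
# Note that Deactivate/DeleteVirtualMFADevice are deliberately NOT exempted,
# so removing a device always requires an MFA-authenticated session.
check_mfa_policy() {
  f=$1
  if ! grep -Fq 'mfa/${aws:username}' "$f"; then
    echo "FAIL: MFA resource is not scoped to the caller's username" >&2; return 1
  fi
  if grep -Fq 'mfa/*' "$f"; then
    echo "FAIL: policy grants MFA actions on every device (mfa/*)" >&2; return 1
  fi
  if ! grep -Fq '"BoolIfExists"' "$f"; then
    echo "FAIL: Deny statement must use BoolIfExists" >&2; return 1
  fi
  # Syntax check when python3 is present (it is in CloudShell).
  if command -v python3 >/dev/null 2>&1; then
    python3 -m json.tool "$f" >/dev/null
  fi
  echo "OK: $f"
}

POLICY_FILE=${POLICY_FILE:-enforce_mfapolicy.json}
write_mfa_policy "$POLICY_FILE"
check_mfa_policy "$POLICY_FILE"
# Then, as in the article:
#   aws iam create-policy --policy-document file://enforce_mfapolicy.json --policy-name EnforceMFAPolicy
```

Run it in CloudShell before the create-policy step; if you later edit the JSON by hand, re-run check_mfa_policy so an accidental mfa/* or a Bool-for-BoolIfExists swap does not reach the account.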
To implement the MFA policy in your AWS environment:
1. Log in to your AWS console.
2. Open the CloudShell.
3. Upload the MFA policy JSON file.
4. Execute the following command:
aws iam create-policy --policy-document file://enforce_mfapolicy.json --policy-name EnforceMFAPolicy
The output from the command will look something like this:
{
    "Policy": {
        "PolicyName": "EnforceMFAPolicy",
        "PolicyId": "XXXXXXXXXXXXX",
        "Arn": "arn:aws:iam::0000000000:policy/EnforceMFAPolicy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2023-04-26T03:29:09+00:00",
        "UpdateDate": "2023-04-26T03:29:09+00:00"
    }
}
Script Execution Prerequisite
Before moving on to the group and account creation processes, we need to install the dos2unix package, which converts Windows-style (CRLF) line endings to Unix (LF) ones; a CSV file edited on Windows would otherwise leave a stray carriage return at the end of every line.
1. Log in to your AWS console.
2. Open the CloudShell.
3. Execute the following command:
sudo yum install dos2unix -y
Automating User Group Creation
The script that creates the predefined user groups takes each group name and its default policy from an input CSV file. For every group it also attaches the AWS-managed IAM User Change Password policy (IAMUserChangePassword) and the MFA enforcement policy we created above.
The input file is a simple CSV file with group and policy attributes. Example:
group,policy
CloudAdmin,AdministratorAccess
DBA,AmazonRDSFullAccess
LinuxAdmin,AmazonEC2FullAccess
NetworkAdmin,AmazonVPCFullAccess
Trainees,ReadOnlyAccess
Download the script file here.
Edit the aws-iam-create-group.sh file and replace the <policy arn> placeholder with the MFA policy ARN returned by the create-policy command, for example:
aws iam attach-group-policy --group-name $group --policy-arn arn:aws:iam::0000000000:policy/EnforceMFAPolicy
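As an added example (not the article's aws-iam-create-group.sh, which is not reproduced here), the script below does the same job: read group,policy rows from a CSV, create each group and attach the role policy, IAMUserChangePassword and the MFA policy. It runs in dry-run mode by default (printing the aws commands instead of executing them) so it can be exercised without an AWS account; the AWS_CMD and MFA_POLICY_ARN variables, the valid_name check, the placeholder account id 000000000000 and the sample CSV are all constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's aws-iam-create-group.sh: create IAM groups
# from a group,policy CSV and attach three policies to each group.
set -eu

# Dry run by default: "echo aws" prints each command instead of running it.
# Run with AWS_CMD=aws in CloudShell to execute for real.
: "${AWS_CMD:=echo aws}"
# Placeholder: replace with the Arn printed by `aws iam create-policy`.
: "${MFA_POLICY_ARN:=arn:aws:iam::000000000000:policy/EnforceMFAPolicy}"

# AWS-managed policies (AdministratorAccess, ReadOnlyAccess, ...) live under
# the pseudo-account "aws".
managed_policy_arn() {
  printf 'arn:aws:iam::aws:policy/%s\n' "$1"
}

# Accept only the character set IAM allows for names (comma excluded, since it
# is the CSV separator). A malformed row is skipped rather than being turned
# into extra command-line arguments.
valid_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+=.@_-]{1,128}$'
}

create_groups_from_csv() {
  # tr -d '\r' does what the article's dos2unix prerequisite does: a CSV saved
  # on Windows would otherwise carry "\r" into the last field (the policy name).
  tr -d '\r' < "$1" | tail -n +2 | while IFS=, read -r group policy; do
    [ -n "$group" ] || continue
    if ! valid_name "$group" || ! valid_name "$policy"; then
      echo "skipping malformed row: $group,$policy" >&2
      continue
    fi
    $AWS_CMD iam create-group --group-name "$group"
    $AWS_CMD iam attach-group-policy --group-name "$group" \
      --policy-arn "$(managed_policy_arn "$policy")"
    $AWS_CMD iam attach-group-policy --group-name "$group" \
      --policy-arn "$(managed_policy_arn IAMUserChangePassword)"
    $AWS_CMD iam attach-group-policy --group-name "$group" \
      --policy-arn "$MFA_POLICY_ARN"
  done
}

# Constructed sample input with Windows line endings and one malformed row.
SAMPLE_CSV=$(mktemp)
printf 'group,policy\r\nCloudAdmin,AdministratorAccess\r\nDBA,AmazonRDSFullAccess\r\nBad Group,ReadOnlyAccess\r\n' > "$SAMPLE_CSV"

create_groups_from_csv "$SAMPLE_CSV"
```

Review the printed commands first, then run `AWS_CMD=aws MFA_POLICY_ARN=<your arn> ./script groups.csv` for the real thing. Because create-group fails if the group already exists, re-running the script against a partially applied CSV stops at the first existing group; remove the rows already processed or accept the error before continuing.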
Note: If you don’t like the AWS CloudShell vim editor, you can use the instructions here to install the nano editor.
Steps to create groups:
1. Log in to your AWS Console.
2. Open the CloudShell.
3. Upload the aws-iam-create-group.sh script and your groups.csv file.
4. Execute the following command to make the script executable:
chmod +x aws-iam-create-group.sh
5. Execute the following command to create the groups:
./aws-iam-create-group.sh groups.csv
Sample output for the “CloudAdmin” group given in the sample input file data:
{
    "Group": {
        "Path": "/",
        "GroupName": "CloudAdmin",
        "GroupId": "XXXXXXXXXXX",
        "Arn": "arn:aws:iam::0000000000:group/CloudAdmin",
        "CreateDate": "2023-04-26T01:19:13+00:00"
    }
}
Automatically Create Users and Assign them to Designated Groups
The script that creates the predefined list of users takes the username, group name and password from an input CSV file. It also marks each new user's password as reset-required, so the user must change it at first login.
The input file is a simple CSV file with user, group, and password attributes. Example:
user,group,password
jane.doe,DBA,ChangeMe123456!
john.doe,NetworkAdmin,ChangeMe123456!
billy.joe,CloudAdmin,ChangeMe123456!
jim.bob,LinuxAdmin,ChangeMe123456!
mary.sunshine,Trainees,ChangeMe123456!
Download the script file here.
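As an added example (not the article's aws-iam-create-user.sh, which is not reproduced here), the script below reads user,group,password rows, creates the user, creates a console login profile with the reset-required flag, and adds the user to the group. Like the group example it prints the aws commands by default. One addition beyond the article's scheme: if the password column is left empty, a random one-time password is generated per user, so the same "ChangeMe" value does not have to be shared across the whole file. AWS_CMD, valid_name, random_password and the sample CSV are constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's aws-iam-create-user.sh: create IAM users
# from a user,group,password CSV, force a password reset at first login and
# add each user to their group.
set -eu

# Dry run by default; run with AWS_CMD=aws in CloudShell to execute for real.
: "${AWS_CMD:=echo aws}"

# Only the character set IAM allows for user/group names (comma excluded).
valid_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+=.@_-]{1,64}$'
}

# Addition to the article's scheme: generate a random one-time password when
# the CSV leaves the column blank. 24 random bytes -> base64, keep 18 chars,
# then a fixed "!a1" suffix so common complexity rules are always met.
random_password() {
  rnd=$(head -c 24 /dev/urandom | base64 | tr -d '\n/+=' | head -c 18)
  printf '%s!a1\n' "$rnd"
}

create_users_from_csv() {
  # Strip CRLF (the dos2unix step) and skip the header row.
  tr -d '\r' < "$1" | tail -n +2 | while IFS=, read -r user group password; do
    [ -n "$user" ] || continue
    if ! valid_name "$user" || ! valid_name "$group"; then
      echo "skipping malformed row for user '$user'" >&2
      continue
    fi
    [ -n "$password" ] || password=$(random_password)
    $AWS_CMD iam create-user --user-name "$user"
    # --password-reset-required is what produces "PasswordResetRequired": true
    # in the LoginProfile output, forcing a change at first console login.
    $AWS_CMD iam create-login-profile --user-name "$user" \
      --password "$password" --password-reset-required
    $AWS_CMD iam add-user-to-group --user-name "$user" --group-name "$group"
  done
}

# Constructed sample input: one row with a preset password, one left blank.
SAMPLE_CSV=$(mktemp)
printf 'user,group,password\r\njane.doe,DBA,ChangeMe123456!\r\nmary.sunshine,Trainees,\r\n' > "$SAMPLE_CSV"

create_users_from_csv "$SAMPLE_CSV"
```

Whatever the source of the initial password, it is passed on the command line, so it is visible in the CloudShell history and to any process listing while the command runs; delete users.csv from the CloudShell home directory once the accounts exist, and deliver the initial passwords to users out of band. The reset-required flag keeps the window in which that initial value works to a single login.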
Steps to create the user accounts:
1. Log in to your AWS console.
2. Open the CloudShell.
3. Upload the aws-iam-create-user.sh script and your users.csv file.
4. Execute the following command to make the script executable:
chmod +x aws-iam-create-user.sh
5. Execute the following command to create the user accounts:
./aws-iam-create-user.sh users.csv
Sample output for the billy.joe user given in the sample input file data:
{
    "User": {
        "Path": "/",
        "UserName": "jane.doe",
        "UserId": "XXXXXXXXXXXXXXX",
        "Arn": "arn:aws:iam::0000000000:user/billy.joe",
        "CreateDate": "2023-04-26T02:54:20+00:00"
    }
}
{
    "LoginProfile": {
        "UserName": "billy.joe",
        "CreateDate": "2023-04-26T02:54:22+00:00",
        "PasswordResetRequired": true
    }
}
Finally, after the users have logged in, changed their passwords, and added an MFA device, we can see the results:
Summary
We walked through creating an MFA policy in the AWS CloudShell and then executed the automated assignment of that policy and others during the User Group creation process. Then we walked through an automated user account creation process, including assigning the appropriate user groups.
If you face any issues while implementing these scripts, please get in touch with me on LinkedIn. If you enjoyed reading this article or found it helpful, don’t forget to click the like button or follow me.