Sunday, December 11, 2022

AWS IAM User/Group/Policies

Next step in my weekend AWS / Container / Spring Boot experimentation is to try and actually get my Docker Image pushed up to ECR.  

It runs fine in my local Docker Desktop, but I want to get it running as a service in AWS ECS.  

In following AWS best practices:

"We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User."

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html?icmpid=docs_iam_console

I created a new IAM user called java-demo and Policy called ECR-PushImages that should allow this IAM user to push to any ECR Repository.  

If I were working in an enterprise environment, I would restrict resources, but since this is home studies, I'm leaving it open.
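
The following is an added example, not the author's actual policy: a Python check that flags ECR push actions granted on a wildcard resource, run against a constructed open policy of the kind described above and a variant scoped to a single repository. The account ID 111122223333, the repository name java-demo-repo and the function names are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Actions an image push needs, besides ecr:GetAuthorizationToken for the login.
PUSH_ACTIONS = {
    "ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage",
}

# Constructed "open" policy of the kind the post describes (assumed shape).
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(PUSH_ACTIONS | {"ecr:GetAuthorizationToken"}),
        "Resource": "*",
    }],
}

# Placeholder account ID and repository name (assumptions, not from the post).
REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/java-demo-repo"
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # GetAuthorizationToken has no resource-level permissions, so it keeps "*".
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow", "Action": sorted(PUSH_ACTIONS), "Resource": REPO_ARN},
    ],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def unscoped_push_actions(policy):
    """Return push actions that an Allow statement grants on every repository."""
    findings = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        if not any(r == "*" or r.endswith(":repository/*") for r in resources):
            continue
        for action in as_list(stmt.get("Action", [])):  # patterns such as ecr:Put*
            findings |= {p for p in PUSH_ACTIONS if fnmatchcase(p.lower(), action.lower())}
    return sorted(findings)

if __name__ == "__main__":
    print("open policy:", unscoped_push_actions(OPEN_POLICY))
    print("scoped policy:", unscoped_push_actions(SCOPED_POLICY))
    print(json.dumps(SCOPED_POLICY, indent=2))
```

The JSON printed last is the scoped policy document in the form the IAM console accepts, once the placeholders are replaced with real values.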


I also created a Group called java-group, added the IAM user java-demo to this Group, and assigned ECR-PushImages (and some other out-of-box AWS IAM Policies) to this Group.

Next, I installed the AWS CLI v2 (latest) and configured it using aws configure.

It asked me for 4 items:

  • AWS Access Key ID: <access key for java-demo IAM user>
  • AWS Secret Access Key: <secret access key for java-demo IAM user>
  • Default region name: us-east-1
  • Default output format: json

Once this was done, I confirmed that I could connect via CLI to ECR:

C:\>aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin **********.dkr.ecr.us-east-1.amazonaws.com
Login Succeeded
