
Identity and Access Management (IAM) users and logging into the Green Biome Institute AWS account

FlintMitchell edited this page Oct 29, 2021 · 5 revisions

Go back to GBI AWS Wiki


It’s important to know a bit about Identity and Access Management (IAM) before jumping into AWS. IAM is what allows us to create a series of users (you and me) within the Green Biome Institute AWS account, each with the correct resources and permissions. This helps create a secure virtual environment and prevents deploying resources in the cloud that are unnecessary (and costly). There are IAM users, groups, and roles.

The account is managed by a root user and subsequent admin users. These are the accounts that are able to deal with the billing side of the account, create other accounts for students/other users, and approve requests to use cloud resources. Accounts to do genome assembly will be created either per use case or per person (or both), allowing each individual to manage the account they are using and its dedicated services. For example, Melis will be in charge of the account at the highest level. Any person who wishes to use AWS can have an account created that lets them create storage, upload data, create new virtual servers (instances) and do genome assembly/analysis. Each set of users with similar needs (for example the admin users and the student users) can be put into a group whose members all have the same permissions.

All the users will log into the same account, but with their own unique log-in link, username, and password. If you find that a certain service is unavailable, it is most likely because the account you are using does not have the correct permissions assigned to it.


IAM Credentials

When a new user is created, it will have a dedicated set of credentials. These are important to save in a secure location! The credentials include your username, password, log-in link, and access keys. If you lose the credentials and can’t log in, there is no way of getting them back through AWS; you just have to create new ones (not a big deal). To log in, go to the link provided by the credentials. The ‘Account ID’ is associated with the GBI account, and can be found within the link provided on the credentials document. It is the 12-digit number at the beginning of the "Console login link." For example, if a console login link is https://123456789012.signin.aws.amazon.com/console, then the Account ID used to log in will be 123456789012.


IAM Roles

IAM is not only used to manage users, however. It is also used to give permissions to the services we use. These permissions are granted through IAM roles, which give temporary permissions/access to a user or service. For example, an EC2 instance must have an IAM role with the correct permissions to access our S3 storage buckets in order to use the relevant data within them. If you are unable to access a service you need from an EC2 instance, it might be because that instance doesn't have the correct IAM role assigned.
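The sketch below is an added example, not part of the GBI wiki or AWS tooling: it shows the two policy documents an EC2 role needs (a trust policy and a permissions policy) and reports which S3 actions a job needs that the role does not grant. The bucket name, object paths and function names are assumptions, and the evaluation is deliberately simplified.

```python
import fnmatch

# Constructed sample documents; the bucket name is a placeholder.
BUCKET = "arn:aws:s3:::example-genome-bucket"
TRUST_POLICY = {  # who may assume the role: the EC2 service
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
PERMISSIONS_POLICY = {  # what the role may do: read-only access to one bucket
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def ec2_can_assume(trust):
    """True if the trust policy lets EC2 instances assume the role."""
    for stmt in _as_list(trust["Statement"]):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt["Effect"] == "Allow" and "ec2.amazonaws.com" in services
                and "sts:AssumeRole" in _as_list(stmt["Action"])):
            return True
    return False

def is_allowed(policy, action, resource):
    """Simplified evaluation: explicit Deny wins, otherwise an Allow is required.
    Ignores Condition, NotAction/NotResource, boundaries and bucket policies."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"]))
               and any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def missing_access(policy, needed):
    """Return the (action, resource) pairs the policy does not grant."""
    return [(a, r) for a, r in needed if not is_allowed(policy, a, r)]

if __name__ == "__main__":
    needed = [("s3:ListBucket", BUCKET),
              ("s3:GetObject", BUCKET + "/reads/sample.fastq"),
              ("s3:PutObject", BUCKET + "/assemblies/out.fasta")]
    print(missing_access(PERMISSIONS_POLICY, needed))
```

Note that `s3:ListBucket` applies to the bucket ARN while `s3:GetObject` applies to object ARNs under it, which is why the read-only role needs two statements.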
