diff --git a/aws-iam-users.html.md.erb b/aws-iam-users.html.md.erb new file mode 100644 index 000000000..af40816e2 --- /dev/null +++ b/aws-iam-users.html.md.erb 
@@ -0,0 +1,63 @@ +--- +title: Creating IAM Users +--- + +## Creating new use user + +1. Log into the AWS console: [https://console.aws.amazon.com/console/home](https://console.aws.amazon.com/console/home). + + <%= image_tag("images/deploy-microbosh-to-aws/account-dashboard.png") %> + +1. Click your account name and select **Security Credentials**. + + <%= image_tag("images/deploy-microbosh-to-aws/security-credentials-menu.png") %> + +1. If the AWS IAM confirmation box is presented, click **Get Started with IAM Users** to go to IAM Users management page. Alternatively go directly to [users list](https://console.aws.amazon.com/iam/home#users). + + <%= image_tag("images/deploy-microbosh-to-aws/iam-modal.png") %> + +1. Click **Create New Users** button. + + <%= image_tag("images/deploy-microbosh-to-aws/list-iam-users.png") %> + +1. Enter a descriptive name for a new user, make sure that access keys will be generated for each user and click **Create** button. + + <%= image_tag("images/deploy-microbosh-to-aws/create-iam-users.png") %> + +1. Record **Access Key ID** and **Secret Access Key** for later use. Click **Close** link to get back to the list of users. + + <%= image_tag("images/deploy-microbosh-to-aws/get-iam-creds.png") %> + +1. Click on a new user from the list of users. + +1. Click on **Inline Policies** panel and choose to create a new inline policy. + + <%= image_tag("images/deploy-microbosh-to-aws/attach-iam-policy.png") %> + +1. Add a policy configuration for the chosen user and click **Apply Policy**. 
+ + <%= image_tag("images/deploy-microbosh-to-aws/add-iam-inline-policy.png") %> + + For example your aws-cpi's inline policy allows full EC2 and ELB access: + + ```yaml + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Stmt1448388791000", + "Effect": "Allow", + "Action": [ "ec2:*" ], + "Resource": [ "*" ] + }, + { + "Sid": "Stmt1448389431000", + "Effect": "Allow", + "Action": [ "elasticloadbalancing:*" ], + "Resource": [ "*" ] + } + ] + } + ``` + +

Note: It's highly encouraged to set very restrictive policy to limit unncessary access.

diff --git a/images/deploy-microbosh-to-aws/add-iam-inline-policy.png b/images/deploy-microbosh-to-aws/add-iam-inline-policy.png new file mode 100644 index 000000000..547def0e2 Binary files /dev/null and b/images/deploy-microbosh-to-aws/add-iam-inline-policy.png differ diff --git a/images/deploy-microbosh-to-aws/attach-iam-policy-expanded.png b/images/deploy-microbosh-to-aws/attach-iam-policy-expanded.png new file mode 100644 index 000000000..34ee966a9 Binary files /dev/null and b/images/deploy-microbosh-to-aws/attach-iam-policy-expanded.png differ diff --git a/images/deploy-microbosh-to-aws/attach-iam-policy.png b/images/deploy-microbosh-to-aws/attach-iam-policy.png new file mode 100644 index 000000000..40c448be7 Binary files /dev/null and b/images/deploy-microbosh-to-aws/attach-iam-policy.png differ diff --git a/images/deploy-microbosh-to-aws/create-iam-users.png b/images/deploy-microbosh-to-aws/create-iam-users.png new file mode 100644 index 000000000..c2095e0e0 Binary files /dev/null and b/images/deploy-microbosh-to-aws/create-iam-users.png differ diff --git a/images/deploy-microbosh-to-aws/get-iam-creds.png b/images/deploy-microbosh-to-aws/get-iam-creds.png new file mode 100644 index 000000000..37a116e32 Binary files /dev/null and b/images/deploy-microbosh-to-aws/get-iam-creds.png differ diff --git a/images/deploy-microbosh-to-aws/iam-modal.png b/images/deploy-microbosh-to-aws/iam-modal.png new file mode 100644 index 000000000..864e921b3 Binary files /dev/null and b/images/deploy-microbosh-to-aws/iam-modal.png differ diff --git a/images/deploy-microbosh-to-aws/list-iam-users.png b/images/deploy-microbosh-to-aws/list-iam-users.png new file mode 100644 index 000000000..fc1d22e11 Binary files /dev/null and b/images/deploy-microbosh-to-aws/list-iam-users.png differ diff --git a/index.html.md.erb b/index.html.md.erb index 26cdb6903..480b57509 100644 --- a/index.html.md.erb +++ b/index.html.md.erb 
@@ -68,6 +68,7 @@ title: Index * [AWS](aws-cpi.html) * [Using IAM instance profiles](aws-iam-instance-profiles.html) * [Using instance storage](aws-instance-storage.html) + * [Creating IAM users](aws-iam-users.html) * [OpenStack](openstack-cpi.html) * [Using Keystone v3 API](openstack-keystonev3.html) * [Extended Registry configuration](openstack-registry.html) diff --git a/init-aws.html.md.erb b/init-aws.html.md.erb index f09ebc89e..f730facc8 100644 --- a/init-aws.html.md.erb +++ b/init-aws.html.md.erb 
@@ -172,29 +172,10 @@ To configure your AWS account for MicroBOSH: * [Create a Key Pair](#create-key-pair) * [Create and Configure Security Group](#create-security) +--- ### Obtain AWS Credentials -Your AWS credentials consist of an Access Key ID and a Secret Access Key. If you already know your AWS credentials you can skip this step and replace `ACCESS-KEY-ID` and `SECRET-ACCESS-KEY` in your deployment manifest. - -1. Log into the AWS console: [https://console.aws.amazon.com/console/home](https://console.aws.amazon.com/console/home). - - <%= image_tag("images/deploy-microbosh-to-aws/account-dashboard.png") %> - -1. Click your account name and select **Security Credentials**. - - <%= image_tag("images/deploy-microbosh-to-aws/security-credentials-menu.png") %> - -1. If the AWS IAM confirmation box is presented, click **Continue to Security Credentials** to display the Security Credentials page. - -1. Expand the **Access Keys** section and click **Create New Access Key**. - - <%= image_tag("images/deploy-microbosh-to-aws/security-credentials-dashboard.png") %> - -1. Replace `ACCESS-KEY-ID` and `SECRET-ACCESS-KEY` in your deployment manifest with the **Access Key ID** and **Secret Access Key** shown. - - <%= image_tag("images/deploy-microbosh-to-aws/access-keys-modal.png") %> - -1. Close the dialog box. +Your AWS credentials consist of an Access Key ID and a Secret Access Key. Follow [Creating IAM Users](aws-iam-users.html#create) to create a new IAM user and replace `ACCESS-KEY-ID` and `SECRET-ACCESS-KEY` in your deployment manifest. --- ### Create a Virtual Private Cloud (VPC)
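Review bot: In aws-iam-users.html.md.erb, the example inline policy in the "Add a policy configuration" step allows `ec2:*` and `elasticloadbalancing:*` on `"Resource": [ "*" ]`, which works against the closing note that encourages a very restrictive policy. Readers will copy this block as written, so either list only the actions the CPI needs or state next to the example that it is deliberately broad and must be narrowed before use. In the same hunk the block is fenced as `yaml` although its content is JSON, the heading reads "Creating new use user", and the closing note misspells "unncessary".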
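Review bot: Among the added binary files, `attach-iam-policy-expanded.png` is not referenced by any `image_tag` in aws-iam-users.html.md.erb; use it in the inline policy step or leave it out of the commit. The steps removed from init-aws.html.md.erb were the ones that referenced `security-credentials-dashboard.png` and `access-keys-modal.png`, and this diff does not delete those files, so check whether anything else still uses them.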
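Review bot: In init-aws.html.md.erb, the new link targets `aws-iam-users.html#create`, but the new page's only heading is `## Creating new use user` and no `create` anchor is visible in it, so the fragment has nothing to land on; add an explicit anchor to that heading or drop the `#create` fragment. The replacement paragraph also drops the earlier sentence that let readers who already know their credentials skip this step; consider keeping that sentence ahead of the link.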