When you set up a new AWS account, you start out with only a root user. Because of the security risk to your account, you should rarely use the root user. It is better to create at least one IAM user that you use for day-to-day administrative activities. In this post we will go over how to create an administrator IAM user. In this case, we will also set up CodeCommit credentials for this new IAM user.
This post assumes that you only have a root user for your AWS account.
This is a post in the "Blog on a Budget" series.
Sign in as the root user of the account where you want to set up the new IAM user.
Once logged in, you will see the AWS Console homepage:
Select user from the left-hand menu.
Then select the blue Add users button on the right:
Fill in a name for the user in the User name field.
Then select the checkbox next to "Provide user access to the AWS Management Console":
Because we want to eventually create CodeCommit credentials, we want to select the "I want to create an IAM user" radio button.
In my case, I already had a complex password ready, so I chose the Custom password option.
When you have things ready, select the orange Next button.
This will bring us to a page where we can set credentials for this user:
In this case, we want this to be our non-root administrative user, so we are going to grant it the AdministratorAccess permissions by selecting the checkbox next to the policy.
Then we are going to search for billing permissions.
Once we find the Billing policy, we will select the checkbox for that one as well:
Once both policies are selected, we will select the orange Next button.
This will bring us to the Review and create page for final review:
If everything looks good, then select the orange Create user button.
You will then be presented with the option to retrieve this user's password one last time:
If you are sure you already have the password for this new user stored somewhere safe, then go ahead and select the orange Return to users list button.
This should bring you back to a page where you can see your new user listed:
Now you have a new IAM administrative user ready. However, since this user has so much power within your account, it is good practice to set up Multi-Factor Authentication (MFA) for it. Setting up MFA is covered in the next section.
Note that there is a sentence with red text that reads, "Enabled without MFA".
If we click on that red text, an option will appear which will let us set up MFA:
Select the Enable MFA button.
This will bring up a page that will allow you to select an MFA device:
In this case, we are going to set up MFA using an Authenticator app. There is more detail about some Authenticator app options in the post about setting up MFA for the root user.
Fill in the device name for this MFA configuration.
Select the orange Next button.
This will bring up a page where you can scan in the QR code and enter two consecutive MFA codes:
Once you have scanned the QR code and filled in two consecutive MFA codes, select the orange Add MFA button.
The user detail page will then be displayed with a green banner letting you know that the MFA was successfully configured:
At this point you have created a new IAM administrative user and enabled MFA for that user.
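To confirm outside the console that no user is left in the "Enabled without MFA" state, you can check the account's IAM credential report. The following is an added example, not part of the original post: it parses a report in the credential report CSV layout and flags console users without MFA and any active root access key. The sample rows, user names and account ID are constructed placeholders.

```python
import csv
import io

# Constructed sample in the IAM credential report CSV layout, trimmed to the
# columns this check reads. Account ID and user names are placeholders.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,false
blog-admin,arn:aws:iam::111122223333:user/blog-admin,true,true,false,false
new-admin,arn:aws:iam::111122223333:user/new-admin,true,false,false,false
ci-bot,arn:aws:iam::111122223333:user/ci-bot,false,false,true,false
"""

ROOT = "<root_account>"  # name the report uses for the root user row
KEY_COLUMNS = ("access_key_1_active", "access_key_2_active")


def _is_true(value):
    return value.strip().lower() == "true"


def audit_credential_report(report_csv):
    """Return (user, finding) tuples for MFA and root access key problems."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT
        # The root row reports password_enabled as "not_supported", but the
        # root user can always sign in to the console, so treat it as enabled.
        console = is_root or _is_true(row["password_enabled"])
        if console and not _is_true(row["mfa_active"]):
            findings.append((user, "console sign-in without MFA"))
        if is_root and any(_is_true(row.get(col, "")) for col in KEY_COLUMNS):
            findings.append((user, "root user has an active access key"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

A real report can be produced with `aws iam generate-credential-report` and downloaded with `aws iam get-credential-report`, whose `Content` field holds the CSV base64-encoded.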
Next we are going to create some CodeCommit credentials.
Select one of the Generate Credentials buttons for this section.
A window will then pop up with the details of the credentials that were just generated:
You have now created HTTPS credentials that will allow you to interact with CodeCommit.
NOTE: Normally I would advocate for setting up a separate IAM user for your CodeCommit credentials and not an administrative IAM account. But for the purpose of this post, it was just easier to show this all at once with the creation of the administrative user.
In this post the following was done:
The new administrative IAM user should be used when you need to do administrative activities with your account (instead of the root user).