Team setup for AWS Cloud9

This topic explains how to use AWS Identity and Access Management (IAM) to enable multiple users within a single AWS account to use AWS Cloud9. To set up to use AWS Cloud9 for any other usage pattern, see Setting up AWS Cloud9 (p. 6) for the correct instructions.

These instructions assume that you have (or will have) administrative access to a single AWS account. For more information, see The AWS account root user and Creating your first IAM admin user and group in the IAM User Guide. If you already have an AWS account but you do not have administrative access to it, see your AWS account administrator.

Note

You can use AWS Single Sign-On (SSO) instead of IAM to enable multiple users within a single AWS account to use AWS Cloud9. In this usage pattern, the single AWS account serves as the management account for an organization in AWS Organizations, and that organization has no member accounts. To use AWS SSO, skip this topic and follow the instructions in Enterprise Setup (p. 15) instead. For related information, see the following resources:

• What is AWS Organizations in the AWS Organizations User Guide (AWS SSO requires the use of AWS Organizations)

• What is AWS Single Sign-On in the AWS Single Sign-On User Guide

• The 4-minute video AWS Knowledge Center Videos: How do I get started with AWS Organizations on the YouTube website

• The 7-minute video Manage user access to multiple AWS accounts using AWS Single Sign-on on the YouTube website

• The 9-minute video How to set up AWS Single Sign On for your on-premise Active Directory users on the YouTube website

To enable multiple users in a single AWS account to start using AWS Cloud9, start with one of the following steps, depending on which AWS resources you already have.

| Do you have an AWS account? | Do you have at least one IAM group and user in that account? | Start with this step |
| --- | --- | --- |
| No | — | Step 1: Create an AWS account (p. 8) |
| Yes | No | Step 2: Create an IAM group and user, and add the user to the group (p. 9) |
| Yes | Yes | Step 3: Add AWS Cloud9 access permissions to the group (p. 12) |

Step 1: Create an AWS account

Note

Your organization might already have an AWS account set up for you. If your organization has an AWS account administrator, check with that person before starting the following procedure. If you already have an AWS account, skip ahead to Step 2: Create an IAM Group and User, and Add the User to the Group (p. 9).

To watch a 4-minute video related to the following procedure, see Creating an Amazon Web Services Account on the YouTube website.

To create an AWS account

1. Go to https://aws.amazon.com/.

2. Choose Sign In to the Console.

3. Choose Create a new AWS account.

4. Complete the process by following the on-screen directions. This includes giving AWS your email address and credit card information. You must also use your phone to enter a code that AWS gives you.

After you finish creating the account, AWS will send you a confirmation email. Do not go to the next step until you get this confirmation.

Step 2: Create an IAM group and user, and add the user to the group

In this step, you create a group and a user in AWS Identity and Access Management (IAM), add the user to the group, and then use the user to access AWS Cloud9. This is an AWS security best practice. For more information, see IAM Best Practices in the IAM User Guide.

If you already have all of the IAM groups and users that you need, skip ahead to Step 3: Add AWS Cloud9 access permissions to the group (p. 12).

Note

Your organization might already have an IAM group and user set up for you. If your organization has an AWS account administrator, check with that person before starting the following procedures.

You can complete these tasks using the AWS Management Console (p. 9) or the AWS Command Line Interface (AWS CLI) (p. 10).

To watch a 9-minute video related to the following console procedures, see How do I set up an IAM user and sign in to the AWS Management Console using IAM credentials on the YouTube website.

Step 2.1: Create an IAM group with the console

1. Sign in to the AWS Management Console, if you are not already signed in, at https://console.aws.amazon.com/codecommit.

Note

Although you can sign in to the AWS Management Console with the email address and password that was provided when the AWS account was created (we call this an AWS account root user), this isn't an AWS security best practice. In the future, we recommend you sign in using credentials for an IAM administrator user in the AWS account. An IAM administrator user has similar AWS access permissions to an AWS account root user and avoids some of the associated security risks. If you cannot sign in as an IAM administrator user, check with your AWS account administrator. For more information, see Creating your first IAM admin user and group in the IAM User Guide.

2. Open the IAM console. To do this, in the AWS navigation bar, choose Services. Then choose IAM.

3. In the IAM console's navigation pane, choose Groups.

4. Choose Create New Group.

5. On the Set Group Name page, for Group Name, enter a name for the new group.

6. Choose Next Step.

7. On the Attach Policy page, choose Next Step without attaching any policies. (You will attach a policy in Step 3: Add AWS Cloud9 access permissions to the group (p. 12).)

8. Choose Create Group.

Note

We recommend that you repeat this procedure to create at least two groups: one group for AWS Cloud9 users, and another group for AWS Cloud9 administrators. This AWS security best practice can help you better control, track, and troubleshoot issues with AWS resource access.

Skip ahead to Step 2.2: Create an IAM user and add the user to the group with the console (p. 10).

Step 2.1: Create an IAM group with the AWS CLI

Note

If you're using AWS managed temporary credentials (p. 536), you can't use a terminal session in the AWS Cloud9 IDE to run some or all of the commands in this section. To address AWS security best practices, AWS managed temporary credentials don’t allow some commands to be run. Instead, you can run those commands from a separate installation of the AWS Command Line Interface (AWS CLI).

1. Install and configure the AWS CLI on your computer, if you haven't done so already. To do this, see the following in the AWS Command Line Interface User Guide:

• Installing the AWS Command Line Interface

• Quick configuration

Note

Although you can configure the AWS CLI using the credentials associated with the email address and password that was provided when the AWS account was created (we call this an AWS account root user), this isn't an AWS security best practice. Instead, we recommend you configure the AWS CLI using credentials for an IAM administrator user in the AWS account. An IAM administrator user has similar AWS access permissions to an AWS account root user and avoids some of the associated security risks. If you cannot configure the AWS CLI as an IAM administrator user, check with your AWS account administrator. For more information, see Creating your first IAM admin user and group in the IAM User Guide.

2. Run the IAM create-group command, specifying the new group's name (for example, MyCloud9Group).

aws iam create-group --group-name MyCloud9Group

Note

We recommend that you repeat this procedure to create at least two groups: one group for AWS Cloud9 users, and another group for AWS Cloud9 administrators. This AWS security best practice can help you better control, track, and troubleshoot issues with AWS resource access.

Skip ahead to Step 2.2: Create an IAM user and add the user to the group with the AWS CLI (p. 11).

Step 2.2: Create an IAM user and add the user to the group with the console

1. With the IAM console open from the previous procedure, in the navigation pane, choose Users.

2. Choose Add user.

3. For User name, enter a name for the new user.

Note

You can create multiple users at the same time by choosing Add another user. The other settings in this procedure apply to each of these new users.

4. Select the Programmatic access and AWS Management Console access check boxes. This allows the new user to use various AWS developer tools and service consoles.

5. Leave the default choice of Autogenerated password. This creates a random password for the new user to sign in to the console. Or choose Custom password and enter a specific password for the new user.

6. Leave the default choice of Require password reset. This prompts the new user to change their password after they sign in to the console for the first time.

7. Choose Next: Permissions.

8. Leave the default choice of Add user to group (or Add users to group for multiple users).

9. In the list of groups, select the check box (not the name) next to the group you want to add the user to.

10. Choose Next: Review.

11. Choose Create user (or Create users for multiple users).

12. On the last page of the wizard, do one of the following:

• Next to each new user, choose Send email, and follow the on-screen directions to email the new user their console sign-in URL and user name. Then communicate to each new user their console sign-in password, AWS access key ID, and AWS secret access key separately.

• Choose Download .csv. Then communicate to each new user their console sign-in URL, console sign-in password, AWS access key ID, and AWS secret access key that is in the downloaded file.

• Next to each new user, choose Show for both Secret access key and Password. Then communicate to each new user their console sign-in URL, console sign-in password, AWS access key ID, and AWS secret access key.

Note

If you do not choose Download .csv, this is the only time you can view the new user's AWS secret access key and console sign-in password. To generate a new AWS secret access key or console sign-in password for the new user, see the following in the IAM User Guide.

• Creating, modifying, and viewing access keys (console)

• Creating, changing, or deleting an IAM user password (console)

13. Repeat this procedure for each additional IAM user that you want to create, and then skip ahead to Step 3: Add AWS Cloud9 access permissions to the group (p. 12).

Step 2.2: Create an IAM User and add the user to the group with the AWS CLI

Note

If you're using AWS managed temporary credentials (p. 536), you can't use a terminal session in the AWS Cloud9 IDE to run some or all of the commands in this section. To address AWS security best practices, AWS managed temporary credentials don’t allow some commands to be run. Instead, you can run those commands from a separate installation of the AWS Command Line Interface (AWS CLI).

1. Run the IAM create-user command to create the user, specifying the new user's name (for example, MyCloud9User).

aws iam create-user --user-name MyCloud9User

2. Run the IAM create-login-profile command to create a new console sign-in password for the user, specifying the user's name and initial sign-in password (for example, MyC10ud9Us3r!). After the user signs in, AWS asks the user to change their sign-in password.

aws iam create-login-profile --user-name MyCloud9User --password MyC10ud9Us3r! --password-reset-required

If you need to generate a replacement console sign-in password for the user later, see Creating, changing, or deleting an IAM user password (API, CLI, PowerShell) in the IAM User Guide.

3. Run the IAM create-access-key command to create a new AWS access key and corresponding AWS secret access key for the user.

aws iam create-access-key --user-name MyCloud9User

Make a note of the AccessKeyId and SecretAccessKey values that are displayed. After you run the IAM create-access-key command, this is the only time you can view the user's AWS secret access key. If you need to generate a new AWS secret access key for the user later, see Creating, modifying, and viewing access keys (API, CLI, PowerShell) in the IAM User Guide.

4. Run the IAM add-user-to-group command to add the user to the group, specifying the group's and user's names.

aws iam add-user-to-group --group-name MyCloud9Group --user-name MyCloud9User

5. Communicate to the user their console sign-in URL, initial console sign-in password, AWS access key ID, and AWS secret access key.

6. Repeat this procedure for each additional IAM user that you want to create.
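
The CLI steps above, combined into one script, as an added example that is not part of the AWS guide. It generates a random initial password instead of a fixed one such as MyC10ud9Us3r!, passes it to create-login-profile through --cli-input-json so it stays out of shell history and the process list, and writes the credentials to owner-only files. The function names and the OUTDIR argument are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the AWS guide): Step 2.2 CLI procedure for one user.
# Assumptions: the group already exists (Step 2.1); OUTDIR is a private local
# directory. Usage: . ./provision.sh; provision_user MyCloud9User MyCloud9Group ./creds

# Print a random 20-character initial password. The fixed "Aa1!" suffix only
# guarantees one character of each class for account password policies.
gen_password() {
  printf '%sAa1!\n' \
    "$(head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-16)"
}

# provision_user USER GROUP OUTDIR
provision_user() (
  set -eu      # stop at the first failed IAM call
  umask 077    # credential files are readable by the operator only
  user=$1; group=$2; out=$3
  # IAM user names allow only these characters, so the name is also JSON-safe.
  case $user in
    ''|*[!A-Za-z0-9+=,.@_-]*) echo "invalid user name: $user" >&2; exit 2 ;;
  esac
  mkdir -p "$out"
  login="$out/$user.login.json"
  # The password travels in a JSON input file, never as a command-line argument.
  printf '{"UserName":"%s","Password":"%s","PasswordResetRequired":true}\n' \
    "$user" "$(gen_password)" > "$login"

  aws iam create-user --user-name "$user" > /dev/null
  aws iam create-login-profile --cli-input-json "file://$login" > /dev/null
  # The secret access key is shown only once, so capture it straight to a file.
  aws iam create-access-key --user-name "$user" --output json \
    > "$out/$user.accesskey.json"
  aws iam add-user-to-group --group-name "$group" --user-name "$user"
)
```

Delete the files in OUTDIR once the sign-in password and access key have been communicated to the user.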

Step 3: Add AWS Cloud9 access permissions to the group

By default, most IAM groups and users don't have access to any AWS services, including AWS Cloud9. (An exception is IAM administrator groups and IAM administrator users, which have access to all AWS services in their AWS account by default.) In this step, you use IAM to add AWS Cloud9 access permissions directly to an IAM group to which one or more users belong, so that you can ensure those users can access AWS Cloud9.

Note

Your organization might already have a group set up for you with the appropriate access permissions. If your organization has an AWS account administrator, check with that person before starting the following procedure.

You can complete this task using the AWS Management Console (p. 12) or the AWS CLI (p. 13).

Add AWS Cloud9 access permissions to the group with the