
AWS Related Information

Accounts and Logins

At MBARI, we are using IAM Identity Center (formerly called AWS SSO) to manage logins. At the time of this writing we are also using IAM on the accounts themselves, but it's clear AWS is moving away from that and we will need to transition at some point. We have an issue with access key expiration when using Identity Center logins, so we created IAM users that have longer-lasting access keys. More work needs to be done here. So, currently, the system looks like this:

```mermaid
graph TD
  subgraph MBARI AD
    active-directory(MBARI Active Directory)
  end
  subgraph AWS IAM Identity Center
    identity-source(Identity Source)
    user1(AD user1)
    user2(AD user2)
  end
  subgraph AWS Organization
    root-org(Root)
    se-ie-account(SE IE Account)
    se-ie-user1(IAM user1)
    se-ie-user2(IAM user2)
    se-ie-user3(IAM user3)
    account-1
    account-1-user1(IAM user1)
    account-1-user2(IAM user2)
    account-2
    account-2-user1(IAM user1)
    account-2-user2(IAM user2)
    account-3
    account-3-user1(IAM user1)
  end
  active-directory --> identity-source
  identity-source --- root-org
  root-org --> se-ie-account
  se-ie-account --> se-ie-user1
  se-ie-account --> se-ie-user2
  se-ie-account --> se-ie-user3
  root-org --> account-1
  account-1 --> account-1-user1
  account-1 --> account-1-user2
  root-org --> account-2
  account-2 --> account-2-user1
  account-2 --> account-2-user2
  root-org --> account-3
  account-3 --> account-3-user1
```

To log in to the MBARI IAM Identity Center, visit this page and log in with your MBARI username and password (you might have to reach out to Kevin Gomes so that he can add you to the Identity Center before you can actually log in).

Add an AD User to Identity Center

By default, we do NOT have all AD users set up in Identity Center, as only a much smaller number of MBARI users actually need access to AWS. We are also NOT using AD groups to manage any permissions on AWS. Essentially, our AD just provides authentication to Identity Center. So, if a user needs access to AWS through Identity Center, an administrator needs to add that user so that they are 'synced' to Identity Center. To do this:

  1. First, log in to the MBARI Identity Center with an account that has admin privileges.

  2. This brings you to the list of all the accounts you have access to. To administer Identity Center, you have to be logged into the management account, which is the SE Information Engineering account. Click on that account, then click on "AWSAdministratorAccess" to log in to that account as an administrator.

  3. Then navigate to IAM Identity Center and click on Users.

  4. Click on "Manage Sync" in the upper right corner, then click on "Add users and groups".

  5. Enter the username (without the @mbari.org) and click on "Submit".

Create New Account

These are the steps to create a new AWS account.

  1. Go to the MBARI Help Request System and request a new email alias to be created for the new account. Use the format aws_project_[dev|prod]. For example, aws_901103_dev@mbari.org means the account is associated with project 901103 and is intended for development purposes. Also include which email addresses you want attached to that alias. You need to wait for those aliases to be created before continuing.
  2. Once you have the aliases set up, go to the AWS SSO Login (currently this is linked to our AD system).
  3. Click on "AWS Accounts", then on SE Information Engineering, then on "AWSAdministratorAccess".
  4. Click on the login drop-down in the upper right corner, then click on Organization.
  5. Click on the "Add an AWS Account" button.
  6. In the AWS account name, use the project number first, then add a descriptive name separated by dashes. For example: "901103-biodiversity".
  7. Enter the email alias that was created for you and leave the role at the default.
  8. Click on the "Create AWS account" button.
  9. This can sometimes take a minute or two, but if you refresh the page after a bit, you should see the new account.
  10. Click on the new account and, at the top, click on "Move" and choose the right location in the organization tree structure for the account (for example Projects > Dev).

Add Identity Center Permissions

  1. Next, you want to grant your SSO login full access to the new account. Navigate to the IAM Identity Center.
  2. Click on 'AWS accounts' in the left menu and expand the tree to find the account you just created and click on the account name.
  3. Click on 'Assign users or groups', then on the "Users" tab. Select the checkbox next to your account (and any other you want to have full access), then click on 'Next'.
  4. Click on the checkbox next to 'AWSAdministratorAccess', then Next.
  5. Review, then click on 'Submit' and wait for it to update. Once updated, the Identity Center account should now have admin privileges on the account.

One thing that sometimes seems strange: if you use Identity Center logins for account access and then go to the local IAM service on the account, you will not see any users there. This understandably causes confusion.

Add local IAM accounts (if desired)

As mentioned at the top of this document, the short-lived access keys associated with Identity Center accounts are creating issues for long-running jobs. To get around this, you can create an IAM user directly attached to the AWS account and use access keys that are much longer lived. This may not always be possible, as AWS seems to be moving away from these local IAM keys, but for now it works.

  1. Go back to the AWS SSO login page and click on "AWS accounts" again. Now that you have access to the new account, you should see the account in the list.
  2. Click on the account and then on the "AWSAdministratorAccess" link, which opens the management console for that account.
  3. In the search box, type 'iam' and click on the 'IAM' option.
  4. Click on 'Users' in the left menu.
  5. Click on 'Create user'.
  6. Enter a user name (we tend to use the person part of the @mbari.org email address). You probably want to let them have access to the AWS Management Console by checking that box. Leave all the other options at their defaults and click 'Next'.
  7. We tend to select 'Attach Policies Directly' for the first account and give them the 'AdministratorAccess' policy, then let that user handle the other accounts.
  8. Click 'Next'.
  9. Click on 'Download .csv file' and put it somewhere safe in case the user needs it. I usually store them on my local computer under a folder that matches the account name.
  10. Click on email sign-in instructions and send the new user an email.

Command Line Interface (CLI) Access

In order to use AWS effectively, most people will eventually want to use the Command Line Interface (CLI) to AWS. This is a tool that runs on your local machine to control AWS resources. Basically, you set up a local configuration that identifies which login you are using to operate in AWS. There are two ways to set up this connection: one uses an IAM user attached directly to the AWS account, and the other uses an Identity Center account. We document both cases below.

Local IAM Account

In order to use the CLI with an IAM user that is local to the AWS account, you first need to create the IAM user (see above) and then create an access key for that user.

  1. Go to the AWS SSO login page and click on "AWS accounts".
  2. Click on the account for which you want an access key and then on the "AWSAdministratorAccess" link, which opens the management console for that account.
  3. In the search box, type 'iam' and click on the 'IAM' option.
  4. Click on 'Users' in the left menu.
  5. Click on the user that you want to generate an access key for.
  6. Click on the 'Security Credentials' tab and then scroll down to 'Access keys'. Note that each user can have up to 2 access keys. If the user already has 2, you will not be able to create another one.
  7. Click on 'Create access key'.
  8. Select the 'Command Line Interface (CLI)' option and check the box at the bottom that states you understand their recommendation for the safest way to do this (BTW, this is not the safest way).

  9. Add a tag (optional) in the next step if you want to, then click 'Create access key'.

  10. After the access key is created, it gives you an option to view the key or download it in .csv format. It's probably best to download it, as this is the only time you will have access to it. Either way, make sure you keep this information secure.

  11. Now that you have access keys, open a terminal on your computer and (assuming you have the AWS CLI installed) run `aws configure`.

  12. Enter the Access Key, the Secret Key, the region you want to default to (likely 'us-west-2') and the output format you prefer (JSON in the example below):

```console
$ aws configure
AWS Access Key ID [None]: XXXXXXXXXXXXXXXXXXX
AWS Secret Access Key [None]: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Default region name [None]: us-west-2
Default output format [None]: json
```

These steps create an entry in your `~/.aws/config` file and in the `~/.aws/credentials` file, which together set up a 'profile' that can be used to interact with AWS through the command line. To test that this worked, run `aws s3 ls` and see if you get a list of the S3 buckets associated with the account.

```console
$ aws s3 ls
2021-09-23 17:30:19 901101-smdb-media
2022-02-15 19:18:22 901502-blue-a-bled-batch-in
2022-02-15 19:18:22 901502-blue-a-bled-batch-out
2022-02-04 18:21:15 901502-blue-a-classify-batch-out
2022-02-04 18:21:16 901502-blue-a-model
2022-09-23 15:42:22 901502-blue-d-bled
2022-02-15 19:18:22 901502-blue-d-bled-batch-in
...
```
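Because these local IAM keys are long-lived by design, and each user can hold at most two of them, the check worth running periodically is which keys have gone longest without rotation. The following audit is an added example, not code from the original page: it reads the IAM credential report format (`aws iam get-credential-report`) and flags active keys older than a threshold; the report body, account ID and user names below are constructed samples.

```python
# Added example, not from the original page. SAMPLE_REPORT is a constructed
# subset of the columns `aws iam get-credential-report` returns; in real use
# pass the base64-decoded report body instead.
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample (placeholder account ID and user names). The root row carries
# the literal "N/A" marker AWS emits when a field does not apply.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2023-01-10T00:00:00+00:00,true,2024-06-01T00:00:00+00:00
batchjob,arn:aws:iam::123456789012:user/batchjob,true,2024-09-20T00:00:00+00:00,false,N/A
"""

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) in practice.
SAMPLE_NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)


def stale_access_keys(report_csv, now, max_age_days=90):
    """Return (user, key_slot, age_in_days) for each active key older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):           # IAM allows at most two keys per user
            if row[f"access_key_{slot}_active"] != "true":
                continue                  # slot is empty or the key is deactivated
            rotated = row[f"access_key_{slot}_last_rotated"]
            if rotated in ("N/A", "not_supported"):
                continue                  # marker values, never a real timestamp
            rotated_at = datetime.fromisoformat(rotated)
            if rotated_at < cutoff:
                stale.append((row["user"], int(slot), (now - rotated_at).days))
    return stale


def audit_sample(max_age_days=90):
    """Run the check over the constructed report with the fixed timestamp."""
    return stale_access_keys(SAMPLE_REPORT, SAMPLE_NOW, max_age_days)


if __name__ == "__main__":
    for user, slot, age in audit_sample():
        print(f"{user}: access key {slot} is {age} days old; rotate or deactivate it")
```

Keys that the report shows as active but never used are worth the same scrutiny; a real run would also consult the `access_key_N_last_used_date` columns, which the constructed sample omits.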

Identity Center Account

This section describes the process to set up the AWS CLI using your Identity Center account. For detailed instructions see the AWS documentation.

  1. Log in to the MBARI Identity Center login page using your MBARI credentials.
  2. Run `aws configure sso` and answer the prompts as shown below (session name, start URL and region), then approve the request in the browser window that opens.
```console
$ aws configure sso
SSO session name (Recommended): mbari-se-ie-sso
SSO start URL [None]: https://mbari.awsapps.com/start/#
SSO region [None]: us-west-2
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-west-2.amazonaws.com/

Then enter the code:

TJGH-HBQJ
There are 12 AWS accounts available to you.
Using the account ID 872338704006
The only role available to you is: AWSAdministratorAccess
Using the role name "AWSAdministratorAccess"
CLI default client Region [None]: us-west-2
CLI default output format [None]: json
CLI profile name [AWSAdministratorAccess-872338704006]: se-ie-administrator
```

To use this profile, specify the profile name using `--profile`, as shown:

```console
aws s3 ls --profile se-ie-administrator
```
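The practical difference between the two CLI setups is where the secret lives: an Identity Center profile in `~/.aws/config` holds only a session reference and fetches short-lived role credentials, while an `aws configure` profile keeps a long-lived key in `~/.aws/credentials`. The following is an added example (not code from the original page) that parses both files and reports which kind a profile is; the file bodies are constructed using the session name, start URL, account ID and role from the transcript above, and the key values are the placeholders used in AWS documentation.

```python
# Added example, not from the original page: constructed ~/.aws/config and
# ~/.aws/credentials bodies; the key values are AWS documentation placeholders.
import configparser

# Constructed config: the sso-session/profile from the transcript plus a static-key 'default'.
CONFIG_SAMPLE = """\
[sso-session mbari-se-ie-sso]
sso_start_url = https://mbari.awsapps.com/start/#
sso_region = us-west-2
sso_registration_scopes = sso:account:access

[profile se-ie-administrator]
sso_session = mbari-se-ie-sso
sso_account_id = 872338704006
sso_role_name = AWSAdministratorAccess
region = us-west-2
output = json

[default]
region = us-west-2
"""

# Only static-key profiles have an entry here; SSO profiles store no secret at all.
CREDENTIALS_SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def _parse(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def describe_profile(name, config_text=CONFIG_SAMPLE, credentials_text=CREDENTIALS_SAMPLE):
    """Report whether --profile NAME uses short-lived Identity Center role credentials
    ('sso') or a long-lived access key from the credentials file ('static')."""
    config, creds = _parse(config_text), _parse(credentials_text)
    section = "default" if name == "default" else f"profile {name}"  # CLI naming rule
    if not config.has_section(section):
        raise KeyError(f"profile {name!r} not found in config")
    prof = config[section]
    if "sso_session" in prof:
        session = config[f"sso-session {prof['sso_session']}"]
        return {"auth": "sso", "start_url": session["sso_start_url"],
                "account_id": prof["sso_account_id"], "role": prof["sso_role_name"]}
    if creds.has_section(name) and "aws_access_key_id" in creds[name]:
        return {"auth": "static", "access_key_id": creds[name]["aws_access_key_id"]}
    return {"auth": "none"}
```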

Cloud Shell

Another option to interact with AWS services is to use what is known as CloudShell. When you are logged into an account, you should see a terminal prompt icon at the top of the screen. If you click on it, it brings up an in-browser terminal window where you can issue commands just as you would at your local terminal prompt, but the access is already set up based on your account permissions. Below is a screen capture of a new CloudShell as well as a screen capture of a simple command being issued in the shell.

[screen capture: a new CloudShell session]

[screen capture: a simple command issued in CloudShell]

Roles

This documentation is under construction.

Roles allow AWS entities to be granted permissions against other AWS services. For example, if you want an EC2 instance to be able to read (only) IAM users, you would create a new role for the EC2 'service' and then attach the 'IAMReadOnlyAccess' policy to that role.