In my previous post, I explained how to create IAM users and set their permissions. Today I will explain how to create access keys and signing certificates. With either an access key or a signing certificate, a user can make programmatic calls to AWS services. So let's start by configuring an access key.
As you can see below, our “User_admin” user has no access keys yet.
When we click “Manage access keys” and then “Create Access Key”, the key is created. Remember that you must copy or download the key before closing the popup window; otherwise you will have to create another one and make the old one inactive or delete it.
The command below lists all instances (of course, the user must have permission to list them). I used the -O and -W options to supply the access key I generated when calling the AWS service.
Now we can configure signing certificates. This is more involved than configuring access keys. In the same console screen, when we click “Manage Signing Certificates”, it asks us to upload a certificate. An important point is that IAM cannot create a certificate for us, so, as the console tells us, we have to use a third-party tool such as OpenSSL. AWS also recommends creating an RSA key that is either 1024 or 2048 bits long.
Let's create our private key and certificate using OpenSSL.
openssl genrsa 1024 > private-aws.pem    # creates the private key
openssl req -new -x509 -nodes -sha1 -days 365 -key private-aws.pem -outform PEM > cert-aws.pem    # creates the self-signed certificate
Now, back in the console, we have to upload the certificate body by clicking “Upload Signing Certificate”.
I have to paste the contents of the .pem file as text:
-----BEGIN CERTIFICATE-----
MIICWDCCAcGgAwIBAgIJAMyiR1XS8JWcMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAlRSMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDI1MDQyMzE1WhcNMTUwNDI1MDQyMzE1WjBF
MQswCQYDVQQGEwJUUjETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDaPFvjg9WVQb9K0qd/4yG5gx0fkCobts2+XrP8jLtn0qOQl+LOuK4PMNEzmzbn
pEnOSF3EkE0XoJzwmW+E8UHk2oNm9vu3o1il/pHrsEyFMKNH1YWixrB0bXOLvTCq
+FeBwU0lCFRlv5rX/WYvKHZ44GX1g2Z+TsBlwMT/ppK/7QIDAQABo1AwTjAdBgNV
HQ4EFgQUwsEpj3CR4fBpTJtzuGl8Gr4xIVIwHwYDVR0jBBgwFoAUwsEpj3CR4fBp
TJtzuGl8Gr4xIVIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCEKnSM
o06MlmgcIqIHots+g9dhf0QC3J0inm+hsx3JJCGT/mCkH78C3NZN+z6zAOXp418L
YjtiNlE1/hGV7KmaZBFumiS5lnJaycKo5k0frVnuBZkcjyoH2TSuLYO//fIxyD9i
NvKcwcJHp6E6vMAylyG30vJMmY6VIKQTY6sT/A==
-----END CERTIFICATE-----
Now I will list my instances again with the same ec2-describe-instances command, but this time using my private key and certificate. I used the -K and -C options to supply the private key and certificate I generated when calling the AWS service.
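As an added example (not part of the original post), here is a small POSIX shell script that performs the same two OpenSSL steps and then checks the result before it is pasted into the upload dialog: that the file parses as an X.509 certificate, that it is not already expired, what RSA key size it carries, and that the body copied out still has its BEGIN/END lines. The file names private-aws.pem and cert-aws.pem are the post's; the key size and digest are parameters that default to 2048 bits and SHA-256 instead of the post's 1024 bits and SHA-1, and the subject fields are placeholder values I chose for the example.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumes openssl is on PATH.
# File names private-aws.pem / cert-aws.pem follow the post; everything else
# (key size, digest, subject) is a parameter or placeholder chosen here.
set -e

# Generate the private key and a self-signed certificate into directory $1.
# $2 = RSA key size in bits (default 2048), $3 = validity in days (default 365).
make_signing_cert() {
    dir=${1:-.}
    bits=${2:-2048}
    days=${3:-365}
    openssl genrsa -out "$dir/private-aws.pem" "$bits" 2>/dev/null
    # -nodes: no passphrase on the key; -subj: placeholder subject, no prompts
    openssl req -new -x509 -nodes -sha256 -days "$days" \
        -key "$dir/private-aws.pem" -outform PEM \
        -subj "/C=TR/O=Example Org/CN=aws-signing-example" \
        -out "$dir/cert-aws.pem" 2>/dev/null
}

# Succeed only if $1 parses as a certificate and its validity window contains
# the current time (-checkend 0 fails when the certificate has already expired).
cert_is_valid_now() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Print the public-key size in bits (e.g. "2048") taken from the certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print exactly what must be pasted into the console: header, base64 body, footer.
cert_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Example run:  make_signing_cert ./aws-signing && cert_body ./aws-signing/cert-aws.pem
```

The checks are worth running because the upload dialog only accepts the text between and including the BEGIN/END lines, and a certificate that is already outside its validity window will be rejected or stop working without an obvious error at the command line.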
In my next post, I will explain sign-in credentials and also configure MFA.
If you have any questions or comments, please feel free to write, and don't forget to share.