
Granting a User Read-Only Access in AWS.



As a technical advisor, I often need to access a client's AWS account with admin or read-only privileges so I can evaluate what they are doing. There are several ways to do this, including cross-account access via IAM roles. Often, the most straightforward way is for the client to create a user for me in their account and grant that user access.

To give me the right access, the client can follow these steps in AWS, signed in as the root user of the management account:

Configure AWS Organizations

  1. From the search bar, navigate to AWS Organizations.

  2. If not already enabled → Create Organization.

Enable Other Users to Access Billing Info

  1. In the top right, click on the account name.

  2. Click Account.

  3. Scroll down to IAM user and role access to Billing Information and Edit.

  4. Check Activate and click Update.

  5. The setting should now show IAM user and role access to Billing Information as Activated.

Create IAM Permissions

  1. From the search bar, navigate to IAM Identity Center.

  2. Enable if not already enabled.

  3. From the left-hand bar, Multi-account permissions → Permission Sets.

  4. Click "Create permission set".

  5. Custom permission set→ Next

  6. Select AWS Managed Policies

  7. Filter by Type→ AWS managed - job function

  8. Check ReadOnlyAccess or AdministratorAccess, depending on your needs. ReadOnlyAccess is probably all I need for the time being. It's easy enough to upgrade later as needed.

  9. Click Next

  10. Permission set name→ ReadOnly

  11. Tags → poc = <your name>

  12. Next, Create
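Step 8 is where the blast radius of this whole procedure is decided. If a client later swaps the AWS managed ReadOnlyAccess policy for a customer-managed or inline policy, it is worth confirming that the permission set really is read-only before assigning it. The following is an added example, not code from the original post: a small Python helper that flags any Allow action in an IAM policy document whose verb does not look like a read. The verb prefix list is an assumption that approximates what ReadOnlyAccess grants, not an official AWS definition, so treat the output as a review aid rather than proof. The sample policy documents are constructed for the demonstration.

```python
"""Flag actions in an IAM policy document that go beyond read-only.

Added example for this post, not the post's own code. READ_ONLY_VERBS is an
assumption: it approximates the verbs AWS managed ReadOnlyAccess allows and
is not an authoritative list.
"""
import json

# Assumed read-only verb prefixes. Any Allow action whose verb (the part after
# "service:") does not start with one of these is reported.
READ_ONLY_VERBS = (
    "Get", "List", "Describe", "View", "Lookup", "Search", "Select", "Query",
    "Scan", "Check", "Estimate", "Simulate", "Validate", "Verify", "Retrieve",
)


def _as_list(value):
    """IAM lets Statement, Action and NotAction be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only_action(action: str) -> bool:
    """True if the action string looks like a read. Wildcards that could
    expand to writes ("*", "s3:*") are treated as not read-only."""
    if action == "*":
        return False
    _service, _, verb = action.partition(":")
    if not verb or verb == "*":
        return False
    return verb.startswith(READ_ONLY_VERBS)


def non_read_only_actions(policy_doc: dict) -> list:
    """Return a sorted list of Allow actions that are not read-only.

    Deny statements only restrict, so they are skipped. A NotAction Allow
    grants everything except the listed actions and cannot be proven
    read-only, so the whole statement is flagged.
    """
    flagged = set()
    for statement in _as_list(policy_doc.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:
            flagged.add("NotAction:" + ",".join(_as_list(statement["NotAction"])))
            continue
        for action in _as_list(statement.get("Action")):
            if not is_read_only_action(action):
                flagged.add(action)
    return sorted(flagged)


def load_policy_file(path: str) -> dict:
    """Load a policy document saved as JSON, e.g. the Document field from
    `aws iam get-policy-version` or an inline permission-set policy."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample documents for demonstration (not real client policies).
READ_ONLY_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["cloudwatch:Describe*", "ec2:Describe*",
                              "s3:Get*", "s3:List*", "iam:Get*"]}],
}
ADMIN_LIKE = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}
MIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:Get*", "s3:PutObject", "ec2:TerminateInstances"]},
        {"Effect": "Deny", "Action": "*", "Resource": "arn:aws:s3:::prod-*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("read-only-like", READ_ONLY_LIKE),
                      ("admin-like", ADMIN_LIKE), ("mixed", MIXED)):
        print(f"{name}: {non_read_only_actions(doc) or 'OK (read-only)'}")
```

Run it against the JSON returned by `aws iam get-policy-version` for whatever policy the permission set carries; an empty list means nothing in the document looked like a write, and anything else is a conversation to have with the client before clicking Create.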

Create Group

  1. While still in the IAM Identity Center, from the left side-bar, click Groups, then Create Group.

  2. Fill out the details.

    1. Group Name: Solint

    2. Description: Grant admin privileges and billing access to consultant with Solint

  3. You don't need to add users at this time.

  4. Create Group

Create my user

  1. While still in the IAM Identity Center, from the left side-bar, click Users, then Add User.

  2. Username: my email address.

  3. Leave the password set to email setup.

  4. For email, again use my email address.

  5. Fill out other details as you see fit.

  6. Click Next

  7. Add my user to Solint group.

  8. Click Next.

Assign Permissions

  1. While still in the IAM Identity Center, from the left side-bar, click Multi-account permissions → AWS accounts.

  2. Under the Users and groups tab, click Assign users or groups.

    1. Check the Solint group.

    2. Check ReadOnly or AdministratorAccess, depending on what you provisioned above.

    3. Click Next, then Submit.
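The five console sections above (permission set, group, user, group membership, account assignment) map one-to-one onto the IAM Identity Center APIs, which matters when a client wants the change scripted, reviewed and reversible rather than clicked through. The following is an added example, not code from the original post: a Python script using boto3 that performs the same steps, plus a matching revoke function for the "undo the steps" advice at the end. The names ReadOnly, Solint and the poc tag follow the post; the account id, identity-store id and consultant details are assumptions supplied by the caller; the helper and function names are hypothetical. boto3 is imported only inside the functions that make live calls, so the pure planning helper works without it.

```python
"""Provision (and revoke) consultant access through IAM Identity Center.

Added example for this post, not the post's own code. Requires boto3 and
credentials for the management account when the live functions are called.
"""
import os

# The same two choices the post offers in the permission-set step.
MANAGED_POLICY_ARNS = {
    "ReadOnly": "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "AdministratorAccess": "arn:aws:iam::aws:policy/AdministratorAccess",
}
GROUP_NAME = "Solint"  # group name from the post
GROUP_DESCRIPTION = "Grant admin privileges and billing access to consultant with Solint"


def permission_set_spec(level: str, poc: str) -> dict:
    """Pure helper: turn a level name into create-permission-set arguments.
    Anything other than the two known levels raises, so a typo cannot
    silently fall through to a broader policy."""
    if level not in MANAGED_POLICY_ARNS:
        raise ValueError(f"unknown level {level!r}; expected one of {sorted(MANAGED_POLICY_ARNS)}")
    return {
        "Name": level,
        "Description": f"Consultant access ({level}), point of contact {poc}",
        "Tags": [{"Key": "poc", "Value": poc}],  # tag from the post: poc = <your name>
        "ManagedPolicyArn": MANAGED_POLICY_ARNS[level],
    }


def provision(account_id, consultant_email, given_name, family_name, poc, level="ReadOnly"):
    """Live equivalent of the console sections. Returns the ids needed to revoke."""
    import boto3  # lazy import: only the live path needs it

    spec = permission_set_spec(level, poc)
    sso = boto3.client("sso-admin")
    store = boto3.client("identitystore")

    # An organization has one Identity Center instance; it carries the store id.
    instance = sso.list_instances()["Instances"][0]
    instance_arn, store_id = instance["InstanceArn"], instance["IdentityStoreId"]

    # Create IAM Permissions: custom permission set + AWS managed policy.
    ps_arn = sso.create_permission_set(
        InstanceArn=instance_arn, Name=spec["Name"],
        Description=spec["Description"], Tags=spec["Tags"],
    )["PermissionSet"]["PermissionSetArn"]
    sso.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        ManagedPolicyArn=spec["ManagedPolicyArn"],
    )

    # Create Group, Create my user, add the user to the group.
    group_id = store.create_group(IdentityStoreId=store_id, DisplayName=GROUP_NAME,
                                  Description=GROUP_DESCRIPTION)["GroupId"]
    user_id = store.create_user(
        IdentityStoreId=store_id, UserName=consultant_email,
        DisplayName=f"{given_name} {family_name}",
        Name={"GivenName": given_name, "FamilyName": family_name},
        Emails=[{"Value": consultant_email, "Type": "work", "Primary": True}],
    )["UserId"]
    store.create_group_membership(IdentityStoreId=store_id, GroupId=group_id,
                                  MemberId={"UserId": user_id})

    # Assign Permissions: group + permission set onto the target account.
    sso.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id,
    )
    return {"instance_arn": instance_arn, "permission_set_arn": ps_arn,
            "group_id": group_id, "user_id": user_id}


def revoke(account_id, handles):
    """Undo the assignment, which is what actually removes the access."""
    import boto3
    boto3.client("sso-admin").delete_account_assignment(
        InstanceArn=handles["instance_arn"], TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=handles["permission_set_arn"],
        PrincipalType="GROUP", PrincipalId=handles["group_id"],
    )


if __name__ == "__main__":
    # All inputs are assumed to arrive via environment variables.
    print(provision(os.environ["TARGET_ACCOUNT_ID"], os.environ["CONSULTANT_EMAIL"],
                    os.environ["CONSULTANT_GIVEN"], os.environ["CONSULTANT_FAMILY"],
                    os.environ["POC"], os.environ.get("LEVEL", "ReadOnly")))
```

Two caveats: the API path does not include the console's email-setup step, so check in the console that the new user actually receives an invitation (or send one from there), and the handles returned by provision are worth keeping, since revoke needs the permission-set ARN and group id to delete exactly the assignment that was created.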

Troubleshooting

Trouble finding the button to Assign users or groups?

You may need to click on the Root account to see the management account in which you can assign users and groups.

Other Problems?

Please let me know!

Wrapping Up

I'll get an email inviting me to your account, but feel free to ping me. To revoke my access, you can just undo any/all of the steps above.