Automated user migration and management of AWS Identity and Access Management (IAM) resources
In this project, based on a real-world scenario, I acted as Cloud Specialist with the mission to migrate users in an automated way and manage AWS IAM (Identity and Access Management) resources.
There were 100 users that needed to be migrated and have MFA (multi-factor authentication) enabled on their accounts, as this is a security best practice.
To avoid repetitive manual work in the AWS console, I needed to think about automating the process.
Using Git Bash with the AWS CLI and shell scripts, I was able to come up with a working solution to the problem at hand. These tools allowed me to add all 100 users to IAM in a matter of seconds, compared to hours upon hours of adding users by hand in the AWS console. All the users were listed in a CSV file with their username, the IAM group they should be part of, and their temporary password. The temporary password is only valid for the first sign-in: the AWS CLI command that creates the login profile forces the user to change it when they first log in. The shell script reads the CSV file, loops over every user in it, and runs the appropriate AWS CLI commands to create the user, require a password reset on first login, and finally add the user to their group, which is already defined in IAM.
The first thing we need to do before adding the users with our shell script is to install dos2unix, so that we can convert the CSV file from DOS (CRLF) to Unix (LF) line endings; otherwise the trailing carriage return ends up inside the last field of every row. Run the following command to install dos2unix on the machine where the AWS CLI runs:
sudo yum install dos2unix -y
In the shell script we add the following commands to convert the CSV file from DOS to Unix format. The CSV file is provided as an argument to the script, so we assign the variable INPUT to $1, which is the first argument, and then run dos2unix on it (the assignment and the conversion are two separate commands):
INPUT="$1"
dos2unix "$INPUT"
Now in the script we loop over each user in the CSV file and run the following commands to create the user, create the login profile, and add the user to their group. Note how the --password-reset-required option is specified for the create-login-profile command: this is what forces the user to change the password on first login. Because the temporary password is passed on the command line, it is visible in the shell history and in the process list while the command runs, so keep the CSV file protected and delete it once the migration is done.
aws iam create-user --user-name "$user"
aws iam create-login-profile --password-reset-required --user-name "$user" --password "$password"
aws iam add-user-to-group --group-name "$group" --user-name "$user"
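The complete script, as an added example that is not the post's original file: it assumes a CSV with one username,group,temporary_password row per line, takes the CSV path as its first argument, falls back to tr when dos2unix is not installed, and accepts an optional second argument naming the command used in place of aws so the run can be dry-tested with a stub.

```shell
#!/usr/bin/env bash
# Added example, not the post's own script: migrate users listed in a CSV
# (username,group,temporary_password per line) into IAM with the AWS CLI.
# Usage: ./migrate_users.sh users.csv   (the CSV path is the first argument)
set -eu

# Strip DOS line endings, using dos2unix when present and tr otherwise,
# so a stray "\r" never ends up inside the password field.
to_unix() {
  if command -v dos2unix >/dev/null 2>&1; then
    dos2unix -q "$1"
  else
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  fi
}

# migrate_users CSV [RUNNER]: RUNNER is the command that receives "iam ..."
# (defaults to aws; a stub can be passed for a dry run). Prints the number
# of users migrated and returns non-zero if any row failed or was malformed.
migrate_users() {
  input="$1"; runner="${2:-aws}"; ok=0; failed=0
  to_unix "$input"
  while IFS=',' read -r user group password || [ -n "${user:-}" ]; do
    # Skip blank lines and an optional header row.
    [ -z "$user" ] && continue
    [ "$user" = "username" ] && continue
    if [ -z "$group" ] || [ -z "$password" ]; then
      echo "skipping malformed row for '$user'" >&2; failed=$((failed+1)); continue
    fi
    # Create the user, force a password change at first sign-in, then add the
    # user to its pre-existing group; one failing user does not stop the run.
    if "$runner" iam create-user --user-name "$user" \
      && "$runner" iam create-login-profile --password-reset-required \
           --user-name "$user" --password "$password" \
      && "$runner" iam add-user-to-group --group-name "$group" --user-name "$user"; then
      ok=$((ok+1)); echo "created $user in group $group" >&2
    else
      failed=$((failed+1)); echo "failed to migrate $user" >&2
    fi
  done < "$input"
  echo "$ok"
  [ "$failed" -eq 0 ]
}

# Run only when a CSV path was given, so the functions can also be sourced.
if [ "${1:-}" != "" ]; then
  migrate_users "$1"
fi
```

Progress goes to stderr and only the count to stdout, so the script can be used in a pipeline or checked by its exit status.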
Now that we have explained the shell script and the commands inside it, it is time to see the output of running the script. Here is a snippet of the script adding all the users to IAM through the AWS CLI.
Here is a snippet of the users that were added to IAM, as seen from the AWS console:
Here is a diagram of the architecture I used to migrate all 100 users from a CSV file to AWS IAM.
This is how you automatically add users from a CSV file to AWS IAM and save many hours compared to doing it by hand in the AWS console. I hope that you enjoyed this post and learned something new today.