aws cli 使用_学习AWS CLI –使用AWS CLI探索IAM用户，角色，策略

aws cli 使用

AWS provides a command-line interface (AWS CLI) tool to work with its various cloud services. It is a single tool with many useful commands and allows you to automate a particular task using scripts. You might need to do specific tasks regularly. You can use the AWS Web Console for it. However, it requires you to go through all configuration options all over again.

AWS提供了命令行界面（AWS CLI）工具来使用其各种云服务。 它是一个包含许多有用命令的工具，可让您使用脚本自动执行特定任务。 您可能需要定期执行特定任务。 您可以使用AWS Web控制台。 但是，它要求您重新遍历所有配置选项。

In the previous articles on the Learn AWS CLI, we explored the following points.

在了解AWS CLI的先前文章中，我们探讨了以下几点。

• An Overview of AWS CLI (AWS Command Line Interface): We get an overview of the CLI tool along with its installation and profile configuration for your AWS account using access and secret key. You should perform the steps mentioned in this article to go ahead with the article AWS CLI概述（AWS命令行界面） ：我们将使用访问和密钥为您的AWS账户提供CLI工具的概述以及其安装和配置文件配置。 您应该执行本文中提到的步骤以继续本文。
• Interact with AWS S3 Buckets using AWS CLI: This article gives instructions for CLI commands related to Amazon S3 buckets such as create a bucket, upload & download objects, list S3 buckets, and remove a bucket 使用AWS CLI与AWS S3存储桶进行交互 ：本文提供与Amazon S3存储桶相关的CLI命令的说明，例如创建存储桶，上传和下载对象，列出S3存储桶以及删除存储桶

AWS provides two kinds of users to work in both AWS web console and CLI interface.

AWS提供了两种用户在AWS Web控制台和CLI界面中工作。

• Root user: It is the account you create once you sign up for AWS services. It has the highest privileges, and you should not use this account to work with any services 根用户：这是您注册AWS服务后创建的帐户。 它具有最高的特权，您不应使用此帐户来使用任何服务
• IAM user: We create user accounts in AWS, assign permissions, roles, attach policies so that users can authenticate themselves and can do the authorized work IAM用户：我们在AWS中创建用户帐户，分配权限，角色，附加策略，以便用户可以进行身份​​验证并可以执行授权工作

We will explore more about the IAM user in this article. I will walk through both AWS web console, and AWS CLI commands for it.

我们将在本文中探索有关IAM用户的更多信息。 我将同时介绍AWS Web控制台和AWS CLI命令。

使用AWS Web Console具有管理访问权限的IAM用户 (IAM user with administrative access using AWS Web Console)

As highlighted earlier, we should not use the root account for doing any operational work in AWS. Some users might require administrative permissions so we can create an IAM user with administrative access.

如前所述，我们不应使用root帐户在AWS中进行任何操作。 有些用户可能需要管理权限，因此我们可以创建具有管理访问权限的IAM用户。

First, sign up to AWS console and navigate to IAM in the Security, Identity & Compliance group:

首先，注册到AWS控制台并导航到“ 安全性，身份和合规性”组中的IAM ：

It opens the Identity and access management web page. You can see existing IAM users, roles, groups along with a Web URL for IAM users:

它将打开“身份和访问管理”网页。 您可以查看现有的IAM用户，角色，组以及IAM用户的Web URL：

As you can see, we have two existing users in my account. Click on Users, and it gives you a list of users:

如您所见，我的帐户中已有两个现有用户。 单击“ 用户” ，它会为您提供用户列表：

Click on any IAM user, and it gives you information such as User ARN, Creation time, attached policies:

单击任何IAM用户，它将为您提供诸如用户ARN， 创建时间 ， 附加策略之类的信息 ：

Let’s fetch this information using AWS CLI. We can use the following CLI command for this purpose.

让我们使用AWS CLI获取此信息。 为此，我们可以使用以下CLI命令。

>aws iam list-users

> aws iam列表用户

You get users lists in the JSON format.

您以JSON格式获取用户列表。

• User Name: It is a friendly user name that we specify while creating the IAM user 用户名：这是我们在创建IAM用户时指定的友好用户名
• User ID: It is a unique id of each IAM user 用户ID ：这是每个IAM用户的唯一ID
• ARN: It is the Amazon resource name to identify the user ARN：这是用于识别用户的Amazon资源名称
• Create Date: It is the user creation date in ISO 8601 date-time format 创建日期：这是ISO 8601日期时间格式的用户创建日期

The list-users command does not provide you with a list of policies attached to the user. Let’s go back up AWS console and click on Add Permissions:

list-users命令不向您提供附加到用户的策略列表。 让我们备份AWS控制台，然后单击Add Permissions ：

On the next page, navigate to Attach existing policies directly. It lists all AWS managed and custom user policies(if we have created earlier).

在下一页上，导航到“ 直接附加现有策略”。 它列出了所有AWS托管和自定义用户策略（如果我们之前已创建）。

• AWS managed policy: You can assign these policies to users, groups, or roles, but we cannot modify the permissions in an AWS managed policy. It is managed by AWS and might not be suitable for your requirement AWS托管策略 ：您可以将这些策略分配给用户，组或角色，但是我们无法修改AWS托管策略中的权限。 它由AWS管理，可能不适合您的要求
• Customer Managed Policy: If you do not want to apply the AWS managed policy, you can configure your policy, manage it, create different versions, or remove it as required. AWS does not manage the policy 客户托管策略 ：如果您不想应用AWS托管策略，则可以配置，管理，创建不同版本或根据需要删除它。 AWS不管理该政策

Let’s assign an existing AWS managed policy as of now to the IAM user. Put a check on AdministratorAccess policy to add this permission to the specified user

现在，让我们将现有的AWS托管策略分配给IAM用户。 选中AdministratorAccess策略以将此权限添加到指定用户

Click on Next: Review:

单击下一步：审阅：

Click on Next: Review on the previous screen, confirm the permission. In the title, we can see it will assign the permissions to the user named [Rajendra]:

单击“ 下一步：在前一个屏幕上查看 ”，确认权限。 在标题中，我们可以看到它将为名为[ Rajendra ]的用户分配权限：

We can verify in the following screenshot that the user [Rajendra] is having two AWS managed policy attached.

我们可以在以下屏幕截图中验证用户[ Rajendra ]是否已附加两个AWS托管策略。

• AdministratorAccess
  管理员访问
• IAMUserChangePassword
  IAMUserChangePassword

Now, switch back to the AWS CLI command prompt. We want to view the policies attached to the user [Rajendra]. It should return the policies listed in the above image.

现在，切换回AWS CLI命令提示符。 我们要查看附加到用户[ Rajendra ]的策略。 它应该返回上图中列出的策略。

In the CLI, we use command list-attached-user-policies to list attached policies for a user.

在CLI中，我们使用命令list-attached-user-policies列出用户的附加策略。

> aws iam list-attached-user-policies –user-name Rajendra –profile production

> aws iam列表附加用户策略–用户名Rajendra –配置文件制作

We can see both AWS managed policies and PolicyARN attached to the user [Rajendra]:

我们可以看到附加到用户[ Rajendra ]的AWS托管策略和PolicyARN：

创建客户管理的AWS策略 (Create a customer-managed AWS policy)

In the previous section, we assigned an AWS managed policy to the IAM user. These AWS managed policy cannot be modified. It is always a good practice to configure your custom policy with appropriate permissions and assign it to the users or groups.

在上一节中，我们为IAM用户分配了AWS托管策略。 这些AWS托管策略无法修改。 始终将良好的做法配置为具有适当权限的自定义策略，然后将其分配给用户或组。

First, let’s view the policy creation using the AWS web console. In the IAM menu, click on the Policies->Create policy:

首先，让我们使用AWS Web控制台查看策略创建。 在IAM菜单中，单击策略->创建策略 ：

In the create policy wizard, select the AWS service, permissions, resources, and conditions, if any. For this demo, we use the Amazon S3 service. You should understand the permission levels and assign them appropriately. I do not cover the use of the S3 service in this article:

在创建策略向导中，选择AWS服务，权限，资源和条件 （如果有）。 对于此演示，我们使用Amazon S3服务。 您应该了解权限级别并适当地分配它们。 我不会在本文中介绍S3服务的使用：

Give a suitable name for the new policy, review it, and click the Create policy button:

为新策略指定一个合适的名称，进行检查，然后单击“ 创建 策略”按钮：

We have created the AWS policy. You can filter the policy and view it:

我们已经创建了AWS策略。 您可以过滤策略并查看它：

Click on the policy and view the JSON statement for this policy:

单击该策略，然后查看此策略的JSON语句：

Copy this JSON, paste in the notepad and save the file in the JSON extension such as MyPolicy.JSON

复制此JSON，粘贴在记事本中，然后将文件保存在JSON扩展名（例如MyPolicy.JSON）中

In the next part, we create the policy using AWS CLI and the JSON file created above. In the CLI, we use create-policy command and specify the JSON statement file location in the command.

在下一部分中，我们将使用AWS CLI和上面创建的JSON文件创建策略。 在CLI中，我们使用create-policy命令并在命令中指定JSON语句文件位置。

In the below command, we create the AWS policy [my-policy] and use argument policy-document to specify the JSON file path. You can refer to AWS docs for more details.

在以下命令中，我们创建AWS策略[my-policy]并使用参数policy-document指定JSON文件路径。 您可以参考AWS文档以了解更多详细信息。

> aws iam create-policy –policy-name my-policy –policy-document file://C://sqlshack//AWS/MyPolicy.json –profile production

> aws iam create-policy –policy-name my-policy –policy-document文件：// C：//sqlshack//AWS/MyPolicy.json –profile生产

This command returns the AWS IAM policy name, policy ID, policy ARN, created, and updated date of the policy:

此命令返回AWS IAM策略名称，策略ID，策略ARN，策略的创建日期和更新日期：

Refresh the AWS console, and you can see policy created using CLI in the web console:

刷新AWS控制台，您可以在Web控制台中看到使用CLI创建的策略：

We can create multiple versions(up to 5 versions) of a policy and can define a version as a default version. This default version is attached to users, roles, or groups.

我们可以创建一个策略的多个版本（最多5个版本），并将一个版本定义为默认版本。 此默认版本附加到用户，角色或组。

Let’s make some changes in the JSON file and save it. To create a new version, we use the create-policy-version command. It requires ARN of the existing policy.

让我们在JSON文件中进行一些更改并保存。 要创建新版本，我们使用create-policy-version命令。 它需要现有策略的ARN。

You can either note the ARN from the output of a create-policy command or open the policy in AWS web console to copy the policy ARN as shown below.

您可以从create-policy命令的输出中记下ARN，也可以在AWS Web控制台中打开策略以复制策略ARN，如下所示。

> aws iam create-policy-version –policy-arn arn:aws:iam::147081669821:policy/my-policy –policy-document file://C://sqlshack//AWS/MyPolicy.json –set-as-default

> aws iam create-policy-version –policy-arn arn：aws：iam :: 147081669821：policy / my-policy –policy-document文件：// C：//sqlshack//AWS/MyPolicy.json –set-as -默认

In the below screenshot, we see two different versions of an existing policy. In the output, it returns the version V2 and V3 of it. We might have assigned this policy for existing users, roles. Once we create a policy version with the set-as-default parameter, it becomes effective for all existing users, the role to which this policy is attached:

在下面的屏幕截图中，我们看到了现有策略的两个不同版本。 在输出中，它返回其版本V2和V3。 我们可能已为现有用户，角色分配了此策略。 一旦使用set-as-default参数创建了策略版本，该策略版本将对所有现有用户生效，即该策略所附加的角色：

使用AWS CLI创建IAM用户 (Create IAM user using the AWS CLI)

In the above examples, we used existing IAM users and assigned the policy to those users. In this section, let’s create an IAM user with AWS CLI commands. It uses create-user in CLI to create the user in the current account.

在以上示例中，我们使用了现有的IAM用户，并将策略分配给了这些用户。 在本部分中，让我们使用AWS CLI命令创建一个IAM用户。 它在CLI中使用create-user在当前帐户中创建用户。

> aws iam create-user –user-name Krish

> aws iam创建用户–用户名Krish

You get the username, user id, ARN, and the created date for the IAM user:

您将获得用户名，用户ID，ARN和IAM用户的创建日期：

结论 (Conclusion)

In this article, we explored the useful commands of AWS CLI for creating IAM user, attach existing AWS managed policies, create a new customer managed policy. CLI commands can make you manage AWS resources effectively without going through the web console wizard. It is useful for you to automate the task you frequently do in your environment.

在本文中，我们探讨了AWS CLI的有用命令，这些命令可用于创建IAM用户，附加现有的AWS托管策略，创建新的客户托管策略。 CLI命令可以使您有效地管理AWS资源，而无需通过Web控制台向导。 对您自动化您在环境中经常执行的任务很有用。

翻译自: https://www.sqlshack.com/learn-aws-cli-explore-iam-user-role-policies-using-aws-cli/

aws cli 使用