Identity and Access Management (IAM) in AWS has three general types: Users, Groups, and Roles. Users are similar to users in other systems. They are typically assigned to individuals, can be assigned permissions, passwords, and API keys. Roles are another construct that can be assigned to AWS resources like virtual machines (EC2). They can also be assigned permissions, but cannot be assigned long-term API keys like users can. Finally, groups are collections of users that have common permissions.
The University of Iowa uses Federation for users on campus. This means that there is a common identity - your HawkID - that you can use to log in to your computer, your email, internal applications, and AWS. Previously you could only log in to the AWS console using your HawkID, but it is now possible to use the AWS command line interface (CLI) with this identity. When you log in to the AWS CLI with your HawkID you get a session that lasts for 8 hours. If you have more than one AWS account or multiple roles within an AWS account you will be given an opportunity, on login, to choose which account or role you would like to use.
Starting June 1, 2019 ITS Cloud Services will be removing the ability to create users in AWS IAM. In the following months, ITS Cloud Services will work with customers that have existing users to remove those that can be removed and scope down the permissions of the remaining.
There are cases where an IAM user might be the most appropriate mechanism to use. For example, there are AWS services that do not support Federated Users. In other cases, there may be a need to push data from on campus resources to AWS. In these cases, you can request that ITS Cloud Services create a user in your AWS account. We will work with you to scope the permissions appropriately.
To learn how to install the AWS CLI for Federated users please see our page How to install the Federated Login tool for the AWS CLI. Windows directions are located on our page How to install the Federated Login tool for the AWS CLI on Windows.
For questions please email firstname.lastname@example.org