Overview of Getting and Using an AWS IAM Account

From UCSC Genomics Institute Computing Infrastructure Information

Revision as of 18:31, 6 February 2019 by Weiler (talk | contribs)

Getting Amazon Web Services Access

The Genomics Institute has a series of AWS Accounts that all support different projects. Often if you become associated with one or more of those projects, you will need access to that account or accounts. The way we are managing AWS IAM Account Access is that we have one AWS account that is the 'top level' account that everyone gets access to, and then, once you log in there, you can "Switch Role" into another sub-account that you are running things in.

To get access, you will need your PI or Project Manager to email cluster-admin (cluster-admin@soe.ucsc.edu) asking for an AWS account for you, and also in that email to name the projects you will have access to. The cluster-admin group will contact you with your credentials to login. Once you login, you can change your password if you want to and also you will be able to set up MFA (Multi-Factor Authentication) for your account. You will be required to use MFA in order to "Switch Role" into any of the sub-accounts for the projects you are working on.

The login URL to use when logging in to the top level account is listed below. The top level account is known as "gi-gateway": 

https://gi-gateway.signin.aws.amazon.com/console

When you login, you will see a couple error messages on the AWS dashboard saying you don't have access to view certain resources - this is normal, so just ignore the error messages.

Configuring Account Credentials

Once you login to the gi-gateway, you will have very few permissions to do anything there - which is normal, since you will not be working in that account anyway. The gi-gateway account is just there to authenticate you to AWS.

Changing Your Password

You can change your password by clicking on your username on the top right of the web browser window, just to the right of the little bell. If your username is bill@ucsc.edu, for example: 

* Click "bill@ucsc.edu @ gi-gateway" on the top right of your browser window.
* Click the "My Security Credentials" drop-down menu option.
* Click the "Change Password" button to change your password.

You will also need to configure MFA on your account before you can switch roles into another account.

Configuring MFA

To configure MFA, the most common way to do it is to use Google Authenticator, which is an app available for Apple and Android based cell phones and mobile devices. The app is free, simply download it from the app store to your cell phone or tablet to get started. Other MFA apps may also work but we have not tested everything out there.

Once you have Google Authenticator installed, log into the gi-gateway using the above URL, then: 

* Click "bill@ucsc.edu @ gi-gateway" on the top right of your browser window (again, bill@ucsc.edu is an example).
* Click the "My Security Credentials" drop-down menu option.
* Scroll downt o the MFA (Multi-Factor Authentication) section of the page, and click "Manage MFA Device".
Retrieved from "http://giwiki.gi.ucsc.edu/index.php?title=Overview_of_Getting_and_Using_an_AWS_IAM_Account&oldid=107"