Overview of Getting and Using an AWS IAM Account
Getting Amazon Web Services Access
The Genomics Institute has a series of AWS accounts that support different projects. If you become associated with one or more of those projects, you will often need access to the corresponding account or accounts. We manage AWS IAM account access through one 'top level' AWS account that everyone gets access to; once you log in there, you can "Switch Role" into the sub-account that you are running things in.
To get access, your PI or Project Manager will need to email cluster-admin (cluster-admin@soe.ucsc.edu) asking for an AWS account for you and, in that same email, naming the projects you will have access to. The cluster-admin group will contact you with your credentials to log in. Once you log in, you can change your password if you want to, and you will also be able to set up MFA (Multi-Factor Authentication) for your account. You will be required to use MFA in order to "Switch Role" into any of the sub-accounts for the projects you are working on.
The login URL to use when logging in to the top level account is listed below. The top level account is known as "gi-gateway":
https://gi-gateway.signin.aws.amazon.com/console
When you log in, you will see a couple of error messages on the AWS dashboard saying you don't have access to view certain resources. This is normal, so just ignore the error messages.
Configuring Account Credentials
Once you log in to the gi-gateway account, you will have very few permissions to do anything there. This is normal, since you will not be working in that account anyway. The gi-gateway account is just there to authenticate you to AWS.
Changing Your Password
You can change your password by clicking on your username on the top right of the web browser window, just to the right of the little bell. If your username is bill@ucsc.edu, for example:
* Click "bill@ucsc.edu @ gi-gateway" on the top right of your browser window.
* Click the "My Security Credentials" drop-down menu option.
* Click the "Change Password" button to change your password.
You will also need to configure MFA on your account before you will be allowed to switch roles into another account.
Configuring MFA
The most common way to configure MFA is to use Google Authenticator, an app available for Apple and Android based cell phones and mobile devices. The app is free; simply download it from the app store to your cell phone or tablet to get started. Other MFA apps may also work, but we have not tested everything out there.
Once you have Google Authenticator installed, log into the gi-gateway account using the above URL, then:
* Click "bill@ucsc.edu @ gi-gateway" on the top right of your browser window (again, bill@ucsc.edu is an example).
* Click the "My Security Credentials" drop-down menu option.
* Scroll down to the MFA (Multi-Factor Authentication) section of the page, and click "Assign MFA Device".
* In the following menu select "Virtual MFA Device".
* In the following window click the "Show QR Code" link, and the MFA QR barcode will appear on your screen.
* Open the Google Authenticator app on your mobile device, and click the little "+" symbol in the top right corner of the app to add an account.
* You will then need to select "Scan Barcode" in the Google Authenticator app to continue, and aim your mobile device camera at the QR barcode.
* The new account MFA device should then be set up and you should see a 6 digit number with a small timer to the right of it. You must type one 6 digit code that it displays into your web browser when asked, then wait for the next code to appear after the timer expires, and type that into the second field. It should then inform you that you have successfully associated an MFA device with your account.
Once you have associated an MFA device with your AWS Account, log out, then log back in. It will ask for your username and password, and then ask for your MFA code, which you can view by opening Google Authenticator and seeing what code it is displaying at that time. The code changes every 30 seconds or so.
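The 6 digit codes described above are time-based one-time passwords (TOTP, RFC 6238) derived from the secret carried in the QR barcode. The sketch below is an added example, not part of the original page or of any Genomics Institute tooling; it shows why the code rolls over every 30 seconds and why setup asks for two consecutive codes. It uses the published RFC 6238 test key as a constructed sample in place of a real account secret.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # each code is valid for one 30-second time step
DIGITS = 6         # code length shown by the authenticator app

# Constructed sample: the published RFC 6238 test key ("12345678901234567890"),
# base32-encoded the way a QR code carries it. Not a real account secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """Return the code for the time step containing unix_time (HMAC-SHA1)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    key = base64.b32decode(cleaned)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def enrollment_codes(secret_b32: str, unix_time: int) -> tuple:
    """The two consecutive codes the MFA setup form asks for."""
    return totp(secret_b32, unix_time), totp(secret_b32, unix_time + STEP_SECONDS)


def seconds_remaining(unix_time: int) -> int:
    """Seconds until the displayed code rolls over (the app's small timer)."""
    return STEP_SECONDS - unix_time % STEP_SECONDS


if __name__ == "__main__":
    import time
    now = int(time.time())
    first, second = enrollment_codes(RFC_TEST_SECRET, now)
    print(f"current code {first}, next code {second}, "
          f"rollover in {seconds_remaining(now)}s")
```

Because the code depends only on the shared secret and the current time, the QR barcode shown during setup is as sensitive as the password itself, and a phone with a badly wrong clock will produce codes that are rejected.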