AWS first steps - How to initialize the admin IAM user and initialize CLI tools

02 Feb 2020 - tsp
Last update 09 Jul 2020
Reading time 4 mins

First steps

First log into the AWS console with your newly created root user. If possible assign your root user an 2FA device like your YubiKey. This is a highly recommended step. Do so at your users login settings. After that create a new IAM admin user for administrative access. You should never use your root user for such access.

First search for the IAM application in the search box. Select User and select the Add User command. Enter the desired username (most of the time this will be an E-Mail address or any other account wide unique identifier - it doesn’t have to be globally unique since it’s used only inside your application - and if used for logging into the console the application ID is used in conjunction with the login information).

Select which access type you want to use. For access using the CLI tools or one of the integration SDKs, Jenkins Plugins, etc. select Programmatic access, for interactive access to the web interface select Access to management console. One can also select both methods if a user should be capable of both access methods. Of course one can create the keys required for programmatic access later on through the IAM console

If you want to use the user account yourself (as replacement for your root account) you can define an own custom password. If it should be used by a third party select automatically generated password. In this case you should always select the option to enforce password change after creation.

In the next step assign the user to given roles (user-groups). For admin access add the user to AdministratorAccess group. If you like you can add some tags to the user(s). This will be used for resource groups so it’s especially interesting for service users.

After that you can commit the user creation. In case of programmatic access the access key ID and secret is displayed - you have to store it now, it won’t be accessible later on. You should also take note of the user password and pass this, the login link (including the application ID) and the password to the desired user.

If you want to provide your administrators access to IAM you should modify the Administrator group to include the IAMFullAccess ruleset. This can be done in the dashboard at the group settings. Select the desired group and select Append Ruleset. Then search for IAMFullAccess to grant the group full access to IAM.

Log out of your account and if the account was created on your behalf log in with your new admin account. Change your password if prompted to and if possible enable 2FA using your YubiKey at your accounts login information.

Using the CLI tools

On FreeBSD install the CLI tools either from ports or packages using either

sudo pkg install devel/awscli

or (as root user)

cd /usr/ports/devel/awscli
make install clean

After that you can configure AWS CLI tools with the previously generated credentials using

aws configure

Enter the AWS access key ID and AWS secret access key as generated for programmatic access during account creation. If you haven’t created one during the account creation (or the IAM account has been created on your behalf by a third party) log into your AWS console and search for the IAM application. Select your user, select the security/login information tab, scroll down to access key and create a new one.

After that configure your default region name. One should choose the region that mostly fits one’s application (i.e. to which region one wants to deploy most of the time). In our example we choose eu-central-1 since this had the least hops into the network topological region our application targeted.

At the end select json as default output format:

$ aws configure
AWS Access Key ID [None]: ********************
AWS Secret Access Key [None]: ********************
Default region name [None]: eu-central-1
Default output format [None]: json

If you want to change any of the selected parameters simply re-run the aws configure command. Any fields that you don’t want to change simply accept by pressing enter.

This article is tagged:

Data protection policy

Dipl.-Ing. Thomas Spielauer, Wien (

This webpage is also available via TOR at http://rh6v563nt2dnxd5h2vhhqkudmyvjaevgiv77c62xflas52d5omtkxuid.onion/

Valid HTML 4.01 Strict Powered by FreeBSD IPv6 support