Creating an IAM user
When we deployed Metabase in the last section, we did so as the root user. As I mentioned, the root user holds every permission in the account, including the power to delete all of your services and even close the AWS account itself.
If you work in an organization that already uses AWS, don't expect to be given root user access. The standard practice is to create IAM users (or roles) that can do only what they need to do and nothing more. In this section, we'll use the IAM service to create such a user and use it going forward for everything related to Metabase:
- In the AWS Management Console, click Services in the upper left-hand corner.
- A dropdown listing the 175+ services will appear. Rather than hunting for IAM manually, type it into the search bar and select it, as in Figure 2.5:
- Within the IAM service, we will expand the Create individual IAM users dropdown and click Manage Users as in Figure 2.6:
- On the next screen, click the Add User button.
- On the Add User form, create a username (I chose metabase-admin).
- Under Access Types, there are two options: Programmatic access and AWS Management Console access. This user only needs to work in the console, so check the latter. Leaving Programmatic access unchecked means no long-lived access keys are created for the user, which is one less secret to protect.
- The Autogenerated password radio button should be selected by default. If not, select it.
- The Require password reset option should also be on by default; turn it on if it is not.
- Click Next: Permissions.
Here, we will create a group with the permissions needed to administer Metabase in the context of this book. All four are AWS managed FullAccess policies, which is far more than Metabase strictly requires; that keeps the book simple, but in a real deployment you would scope the group down to the specific actions and resources the deployment uses:
- Create a group called Metabase-group with the following policies:
a. AmazonEC2FullAccess
b. AWSElasticBeanstalkFullAccess (AWS has since deprecated this policy; if it no longer appears in the list, attach AdministratorAccess-AWSElasticBeanstalk instead)
c. AmazonVPCFullAccess
d. AmazonRDSFullAccess
- Click Next: Tags, but we will not add any tags in this step.
- Click Next: Review.
- Click Create user.
Important note
Before clicking the newly created URL, download the user credentials CSV. This is the only time the console offers this file, and it contains the temporary password for signing in to the new user account. If you accidentally skip this step, sign back in as the root user and set a new console password for the user from its Security credentials tab in IAM (or delete the user and recreate it).
Once the user has been created, you'll see a new URL at which users with AWS Management Console access can sign in. It will look something like https://12345678.signin.aws.amazon.com/console, with a string of 12 digits instead of 12345678. That 12-digit number is your account ID. Make a note of the URL, as this is the URL you will use to sign in as your IAM user going forward. At some point, you'll want the root credentials again, perhaps to adjust your account at the end of the 1-year free tier period, but for now this URL is all we need. Do not click it until you've downloaded the credentials file.
Once you've downloaded the credentials.csv file, you may click the URL. You'll see that the login page looks different: your account ID is already populated. Sign in using the newly created metabase-admin username, or whatever username you chose. You can find the password in the credentials.csv file. The file is comma-separated with two rows, and the second value in the second row is the password; it should be 12 characters long. Once you sign in, you'll be asked to change your password. Change it to something longer, store it in a password manager, and delete credentials.csv once you have done so; a plaintext password file left in a Downloads folder is exactly what an attacker who lands on your machine looks for. Take note of everything: the sign-in URL, the username, and the password.
After signing in, you'll see the same view of the Management Console but your username will be different.
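The whole procedure above (the group, its four policies, a console-only user with a forced password reset, and the sign-in URL) can also be done from the AWS CLI. The script below is an added example for this section, not code from the book or from Metabase. It assumes AWS CLI v2 and openssl are installed and that the shell is already running with root or administrator credentials; the user and group names are the ones chosen in the text, and, because AWS has deprecated AWSElasticBeanstalkFullAccess, it attaches AdministratorAccess-AWSElasticBeanstalk in its place (override EB_POLICY if your account still offers the old name).

```shell
#!/bin/sh
# Added example: the console steps for creating metabase-admin, scripted with
# the AWS CLI. Not from the book. Assumes AWS CLI v2 + openssl and that the
# caller already holds root/administrator credentials.
set -eu

USER_NAME="${USER_NAME:-metabase-admin}"    # user name chosen in the text
GROUP_NAME="${GROUP_NAME:-Metabase-group}"  # group name chosen in the text
# The book's AWSElasticBeanstalkFullAccess is deprecated; this is its successor.
EB_POLICY="${EB_POLICY:-AdministratorAccess-AWSElasticBeanstalk}"

# Build the ARN of an AWS managed policy from its name.
policy_arn() {
  printf 'arn:aws:iam::aws:policy/%s\n' "$1"
}

# Console sign-in URL for a 12-digit account ID, as shown after user creation.
signin_url() {
  printf 'https://%s.signin.aws.amazon.com/console\n' "$1"
}

# Temporary password: 18 random bytes, base64 (upper, lower, digits, symbols).
# IAM forces a change at first sign-in, so it only has to survive one login.
temp_password() {
  openssl rand -base64 18
}

create_metabase_admin() {
  acct=$(aws sts get-caller-identity --query Account --output text)

  # Group plus the four managed policies from the text.
  aws iam create-group --group-name "$GROUP_NAME" >/dev/null
  for pol in AmazonEC2FullAccess "$EB_POLICY" \
             AmazonVPCFullAccess AmazonRDSFullAccess; do
    aws iam attach-group-policy --group-name "$GROUP_NAME" \
        --policy-arn "$(policy_arn "$pol")"
  done

  # Console-only user: no access keys are created, only a login profile.
  aws iam create-user --user-name "$USER_NAME" >/dev/null
  aws iam add-user-to-group --group-name "$GROUP_NAME" --user-name "$USER_NAME"

  pw=$(temp_password)
  aws iam create-login-profile --user-name "$USER_NAME" \
      --password "$pw" --password-reset-required >/dev/null

  # The equivalent of credentials.csv: printed exactly once. Put it in a
  # password manager, not in a file on disk.
  printf 'User name,Password,Console sign-in URL\n%s,%s,%s\n' \
      "$USER_NAME" "$pw" "$(signin_url "$acct")"
}

# Only touch the account when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "apply" ]; then
  create_metabase_admin
fi
```

Run it as `sh create-metabase-admin.sh apply` while authenticated as the root user; without the `apply` argument it only defines the functions. The printed line is the only copy of the temporary password, so treat it exactly as the text treats credentials.csv. The script deliberately does not call `aws iam create-access-key`, matching the console choice of Management Console access only.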
Important note
Multi-Factor Authentication (MFA) is highly recommended if you are going to use AWS for anything serious (such as running your organization's website). I recommend installing an authenticator app, such as Google Authenticator, on your mobile phone. At a minimum, protect the root user with MFA, but it is wise to protect every IAM user with console access as well, including the metabase-admin user we just created.
Now that we have our IAM user created, we will be using it for the remainder of the chapter. In the next section, we will learn how to create a Virtual Private Cloud (VPC).