Certified Security - Specialty

Sign Up Free or Log In to participate!

What is the best way to grant CLI access?

I have a scenario where I have an On Premise monitoring to which I like to add some monitoring of our AWS resources. It will use a combination of Python and the AWS CLI to do thisW monitoring.

What is not clear to me is what best way is to grant this monitoring too acsess. The options I’ve considered are:

  • An IAM user with no console access an an assigned policy

  • An IAM user with only stsAssueRole and a role with the necessary policy assigned

Which is the better solution, or is there some other preferred alternative that I haven’t considered?


1 Answers

The common way is a User service account with a least right Policy and a set of keys.

However I did find a lovely reference that allows you to use a Role to do this.

here they are.  

– https://www.google.com/search?q=aws+cli+role

Review these and see if you can make them work for you


Gavin Goldsmith

Thanks Rusty. The Service account is the easiest and approach. To use StsAssumeRole you have to have been authenticated already – made more complicated when you’re authenticating using SAML from AD 🙂

Gavin Goldsmith

I’ll post and update if I find a more elegant way than the service account

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?