DEV Community

Cover image for AWSSDK.IdentityManagement ( AWS IAM )
Ahmed Adel for AWS Community Builders

Posted on • Updated on

AWSSDK.IdentityManagement ( AWS IAM )

The AWS SDK for .NET supports AWS Identity and Access Management (IAM), which is a web service that enables AWS customers to manage users and user permissions in AWS.

First of all, let's have a brief about IAM Service in AWS...

➽What is IAM Service in AWS?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
☞You grant permissions to a user by creating a IAM policy. The policy contains a policy document that lists the actions that a user can perform and the resources those actions can affect.
☞ Read more about IAM Service
☞ Read more about Policies and Permissions


➽Installing AWSSDK.IdentityManagement :

AWSSDK.IdentityManagement is installed mainly from Nuget
☞There is 3 ways to install AWSSDK.IdentityManagement, they are the same as installing AWSSDK.S3 from Part 1 of this series
☞let's use the easiest one, from Package Manager Console by using the Install-Package command.

PM> Install-Package AWSSDK.IdentityManagement
Enter fullscreen mode Exit fullscreen mode

🌟 Second step is to connect to our AWS account using __ Access keys (Access Key ID and Secret Access Key)__, this was explained before briefly in the first article under (Get AWS Access keys)


➽Let's now check what we can do with this SDK :

1- Create IAM user:
➤The following snippet creates an IAM user, adds the given managed security policy, and then creates and stores credentials for him.

    // Create the user Method
    private static async Task<CreateUserResponse> CreateUser(
      IAmazonIdentityManagementService iamClient, string userName,
      string policyArn, string csvFilename)
    {
      // Create the user
      // Could also create a login profile for the user by using CreateLoginProfileAsync
      CreateUserResponse responseCreate =
        await iamClient.CreateUserAsync(new CreateUserRequest(userName));

      // Attach an existing managed policy
      await iamClient.AttachUserPolicyAsync(new AttachUserPolicyRequest{
        UserName = responseCreate.User.UserName,
        PolicyArn = policyArn});

      // Create credentials and write them to a CSV file.
      CreateAccessKeyResponse responseCreds =
        await iamClient.CreateAccessKeyAsync(new CreateAccessKeyRequest{
          UserName = responseCreate.User.UserName});
      using (FileStream s = new FileStream(csvFilename, FileMode.Create))
      using (StreamWriter writer = new StreamWriter(s))
      {
        writer.WriteLine("User name,Access key ID,Secret access key");
        writer.WriteLine("{0},{1},{2}", responseCreds.AccessKey.UserName,
          responseCreds.AccessKey.AccessKeyId,
          responseCreds.AccessKey.SecretAccessKey);
      }

      return responseCreate;
    }
Enter fullscreen mode Exit fullscreen mode

2- Display list of IAM users:
➤ To display a list of existing users, as well as information about each user such as access key IDs and attached policies.

    // Method to print out a list of the existing users and information about them
    private static async Task ListUsers(IAmazonIdentityManagementService iamClient)
    {
      // Get the list of users
      ListUsersResponse responseUsers = await iamClient.ListUsersAsync();
      Console.WriteLine("\nFull list of users...");
      foreach (var user in responseUsers.Users)
      {
        Console.WriteLine($"User {user.UserName}:");
        Console.WriteLine($"\tCreated: {user.CreateDate.ToShortDateString()}");

        // Show the list of groups this user is part of
        var responseGroups = await iamClient.ListGroupsForUserAsync(
            new ListGroupsForUserRequest(user.UserName));
        foreach (var group in responseGroups.Groups)
          Console.WriteLine($"\tGroup: {group.GroupName}");

        // Show the list of access keys for this user
        ListAccessKeysResponse responseAccessKeys =
          await iamClient.ListAccessKeysAsync(
            new ListAccessKeysRequest{UserName = user.UserName});
        foreach(AccessKeyMetadata accessKey in responseAccessKeys.AccessKeyMetadata)
          Console.WriteLine($"\tAccess key ID: {accessKey.AccessKeyId}");

        // Show the list of managed policies attached to this user
        var requestManagedPolicies = new ListAttachedUserPoliciesRequest{
          UserName = user.UserName};
        var responseManagedPolicies = await iamClient.ListAttachedUserPoliciesAsync(
            new ListAttachedUserPoliciesRequest{UserName = user.UserName});
        foreach(var policy in responseManagedPolicies.AttachedPolicies)
          Console.WriteLine($"\tManaged policy name: {policy.PolicyName}");

        // Show the list of inline policies attached to this user
        var responseInlinePolicies = await iamClient.ListUserPoliciesAsync(
            new ListUserPoliciesRequest(user.UserName));
        foreach(var policy in responseInlinePolicies.PolicyNames)
          Console.WriteLine($"\tInline policy name: {policy}");
      }
    }
Enter fullscreen mode Exit fullscreen mode

3- Delete IAM users:
⛔ Before deleting a user, we should first de-attach all his policies and remove all his access keys using the following methods

    // Method to detach managed policies from a user
    private static async Task DetachPolicies(
      IAmazonIdentityManagementService iamClient, string userName)
    {
      ListAttachedUserPoliciesResponse responseManagedPolicies =
        await iamClient.ListAttachedUserPoliciesAsync(
          new ListAttachedUserPoliciesRequest{UserName = userName});
      foreach(AttachedPolicyType policy in responseManagedPolicies.AttachedPolicies)
      {
        Console.WriteLine($"\tDetaching policy {policy.PolicyName}");
        await iamClient.DetachUserPolicyAsync(new DetachUserPolicyRequest{
          PolicyArn = policy.PolicyArn,
          UserName = userName});
      }
    }

    // Method to delete access keys from a user
    private static async Task DeleteAccessKeys(
      IAmazonIdentityManagementService iamClient, string userName)
    {
      ListAccessKeysResponse responseAccessKeys =
        await iamClient.ListAccessKeysAsync(
          new ListAccessKeysRequest{UserName = userName});
      foreach(AccessKeyMetadata accessKey in responseAccessKeys.AccessKeyMetadata)
      {
        Console.WriteLine($"\tDeleting Access key {accessKey.AccessKeyId}");
        await iamClient.DeleteAccessKeyAsync(new DeleteAccessKeyRequest{
          UserName = userName,
          AccessKeyId = accessKey.AccessKeyId});
      }
    }
Enter fullscreen mode Exit fullscreen mode

➤ Now we can delete the user:

    // Method to delete a user
    private static async Task DeleteUser(
      IAmazonIdentityManagementService iamClient, string userName)
    {
      // Remove items from the user
      // Detach any managed policies
      await DetachPolicies(iamClient, userName);

      // Delete any access keys
      await DeleteAccessKeys(iamClient, userName);

      // DeleteLoginProfileAsycn(), DeleteUserPolicyAsync(), etc.
      // See the description of DeleteUserAsync for a full list.

      // Delete the user
      await iamClient.DeleteUserAsync(new DeleteUserRequest(userName));
      Console.WriteLine("Done");
    }
Enter fullscreen mode Exit fullscreen mode

4- Creating IAM managed policies from JSON:
✅ Let's assume that we have a policy file like this

{
  "Version" : "2012-10-17",
  "Id"  : "DotnetTutorialPolicy",
  "Statement" : [
    {
      "Sid" : "DotnetTutorialPolicyS3",
      "Effect" : "Allow",
      "Action" : [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "DotnetTutorialPolicyPolly",
      "Effect": "Allow",
      "Action": [
        "polly:DescribeVoices",
        "polly:SynthesizeSpeech"
      ],
      "Resource": "*"
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

➤To read more about IAM managed policies

➤ To create an IAM managed policy from a given policy document in JSON by creating an IAM client object, reads the policy document from a file, and then creates the policy.

    // create an IAM policy from a JSON file
    private static async Task<CreatePolicyResponse> CreateManagedPolicy(
      IAmazonIdentityManagementService iamClient, string policyName, string jsonFilename)
    {
      return await iamClient.CreatePolicyAsync(new CreatePolicyRequest{
        PolicyName = policyName,
        PolicyDocument = File.ReadAllText(jsonFilename)});
    }
Enter fullscreen mode Exit fullscreen mode

5- Display the policy document of an IAM managed policy:
➤ First, we need to find the default version of the given IAM Policy

    // Method to determine the default version of an IAM policy
    // Returns a string with the version
    private static async Task<string> GetDefaultVersion(
      IAmazonIdentityManagementService iamClient, string policyArn)
    {
      // Retrieve all the versions of this policy
      string defaultVersion = string.Empty;
      ListPolicyVersionsResponse reponseVersions =
        await iamClient.ListPolicyVersionsAsync(new ListPolicyVersionsRequest{
          PolicyArn = policyArn});

      // Find the default version
      foreach(PolicyVersion version in reponseVersions.Versions)
      {
        if(version.IsDefaultVersion)
        {
          defaultVersion = version.VersionId;
          break;
        }
      }
      return defaultVersion;
    }
Enter fullscreen mode Exit fullscreen mode

➤Then, display the policy document

    // Method to retrieve and display the policy document of an IAM policy
    private static async Task ShowPolicyDocument(
      IAmazonIdentityManagementService iamClient, string policyArn, string defaultVersion)
    {
      // Retrieve the policy document of the default version
      GetPolicyVersionResponse responsePolicy =
        await iamClient.GetPolicyVersionAsync(new GetPolicyVersionRequest{
          PolicyArn = policyArn,
          VersionId = defaultVersion});

      // Display the policy document (in JSON)
      Console.WriteLine($"Version {defaultVersion} of the policy (in JSON format):");
      Console.WriteLine(
        $"{HttpUtility.UrlDecode(responsePolicy.PolicyVersion.Document)}");
    }
Enter fullscreen mode Exit fullscreen mode

Discussion (1)

Collapse
edgargonzalo_m profile image
Edgar Gonzalo

An example using CloudWatch, please. :(
Thanks.