  1. The "Success" page should show you the "Access key ID" and the hidden "Secret access key", which can be revealed by clicking "Show". Copy these to your secure credentials storage as you will need them shortly.
  2. Click "Close" to return to the IAM console. Select "Users" on the sidebar if it is not already selected. You should see a list of users. Click the user name "super-admin-user" (which should be a hyperlink) to go to the Users -> super-admin-user "Summary" page.
  3. Click on the "Security credentials" tab. In the "Multi-Factor Authentication (MFA)" section, click "Assign a virtual MFA device".
  4. Enter a name that corresponds to how you will store the MFA token (e.g. "1password").
  5. Select "Authenticator App" as the MFA device type and click "Next".
  6. Follow the instructions to set up the MFA device. Store the TOTP key in your secure credentials storage.
  7. You should be taken back to the "Security Credentials" tab, but now the "Assigned MFA device" field should have an ARN like arn:aws:iam::<account-number>:mfa/super-admin-user. Copy the ARN and keep it with the Access Key.
  8. Now we need to create an Access Key for CLI access. Click "Create Access Key" under "Access Keys".
  9. Select "Command Line Interface", tick the "I understand..." checkbox, then click "Next".
  10. Enter a description if you like, such as "super-admin-user CLI Access", and click "Create".

Storing super-admin-user credentials in 1Password

The super-admin-user credentials should be properly stored in 1Password. Of the available 1Password item types, Login is the most appropriate for these credentials. Since these are programmatic credentials rather than a real login with an endpoint from which a website favicon could be fetched, set the item's icon manually to the AWS logo. Leave the password field empty. For convenience in retrieving the TOTP code when using Leapp, save com.leapp.app as a website URL.

Set the username to super-admin-user and create fields for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, plus a TOTP field (the One-Time Password field type in 1Password) populated from the AWS virtual MFA device's secret.

Finally, leave a note for this item in the following format:

```text
This account's Access Key should be made inactive when not needed.

CURRENT STATUS: ACTIVE

Use this account for API/command line access to administrative functions that IAM roles cannot do, such as provision IAM roles.

This account should not be allowed to log in to the AWS console, and therefore does not have a password.

Root account ID: [AWS ACCOUNT ID]

User ARN arn:aws:iam::[AWS ACCOUNT ID]:user/super-admin-user

MFA Device ARN arn:aws:iam::[AWS ACCOUNT ID]:mfa/super-admin-user
```

The resulting entry in 1Password should appear as in the screenshot below.

(Screenshot: the resulting 1Password item for super-admin-user.)

Hit save once you are done. Once the super-admin-user credentials need to be disabled, do not forget to update the notes in this item.

Detailed Instructions

These are more detailed step-by-step instructions. They are redundant with the basic instructions above and may be out of date as the AWS web console interface changes.

  1. Log in to the AWS root account using the root credentials from 1Password.

  2. Navigate to the IAM console page.

  3. In the IAM console, select Users on the sidebar.

  4. Click the Add users button.

  5. Enter "super-admin-user" for User name, check Programmatic access and leave AWS Management Console access unchecked. Click Next: Permissions at the bottom right corner of the page.

  6. Under Set permissions, select Attach existing policies directly. A list should appear, from which you should check AdministratorAccess. Click Next: Tags at the bottom right corner of the page.

  7. Skip the tags and click Next: Review at the bottom right corner of the page.

  8. Review and click Create user at the bottom right corner of the page.

  9. The Success page should show you the Access key ID and the hidden Secret access key, which can be revealed by clicking Show. Copy these to your secure credentials storage as you will need them shortly.

  10. Click Close at the bottom right corner to return to the IAM console and select Users on the sidebar if it is not already selected.

  11. You should see a list of users. Click the user name super-admin-user (which should be a hyperlink).

  12. On the Users -> super-admin-user "Summary" page, click on the Security credentials tab.

  13. In the Sign-in credentials section, find "Assigned MFA device: Not assigned | Manage" and click Manage.

  14. Choose Virtual MFA device and click Continue.

  15. Press the Show secret key button.

  16. Copy the key into 1Password as an AWS Credential using the "MFA" field.

  17. Use the MFA codes from 1Password to complete the MFA setup process (you will input 2 consecutive codes).

  18. You should be taken back to the Security Credentials tab, but now the Assigned MFA device field should have an ARN like arn:aws:iam::<account-number>:mfa/super-admin-user.

  19. Copy the ARN and keep it with the Access Key in 1Password.

  20. Configure an AWS profile with the super-admin-user credentials:

  21. If it does not already exist on your host computer, create the file $HOME/.aws/config.

  22. Add the following lines to the end of the $HOME/.aws/config file:

```ini
[profile super-admin-user]
region = us-west-2
default_region = us-west-2
mfa_serial = arn:aws:iam::<account-number>:mfa/super-admin-user
```

replacing `us-west-2` with the primary region where you will be hosting your company's infrastructure, and `arn:aws:iam::<account-number>:mfa/super-admin-user` with the "Assigned MFA device" ARN from the previous step.
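As an added check (example code written for this page, not part of the procedure or any project's own tooling), the following Python verifies that the profile written above carries a real virtual MFA device ARN for this user, and that the 1Password note's CURRENT STATUS line agrees with what IAM reports about the user's access keys. The config text and the `aws iam list-access-keys` output are constructed samples in the shape the AWS CLI produces; in practice, feed it the real `$HOME/.aws/config` and the real CLI output.

```python
import configparser
import json
import re

# Shape of a virtual MFA device ARN as shown on the Security credentials tab.
MFA_ARN = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@-]+$")

# Constructed sample of the profile block added to $HOME/.aws/config.
SAMPLE_CONFIG = """
[profile super-admin-user]
region = us-west-2
mfa_serial = arn:aws:iam::123456789012:mfa/super-admin-user
"""

# Constructed sample of `aws iam list-access-keys --user-name super-admin-user`.
SAMPLE_KEYS = json.dumps({"AccessKeyMetadata": [{
    "UserName": "super-admin-user", "AccessKeyId": "AKIAEXAMPLEKEY000001",
    "Status": "Active", "CreateDate": "2021-07-20T18:16:00+00:00"}]})


def check_profile(config_text, profile="super-admin-user"):
    """Return the problems found with the named profile (empty list = OK)."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    section = f"profile {profile}"
    if not cp.has_section(section):
        return [f"profile {profile} not found"]
    opts, problems = cp[section], []
    serial = opts.get("mfa_serial", "")
    if not serial:
        problems.append("mfa_serial is missing, so CLI sessions would not be MFA-gated")
    elif "<account-number>" in serial:
        problems.append("mfa_serial still contains the <account-number> placeholder")
    elif not MFA_ARN.match(serial):
        problems.append(f"mfa_serial is not a virtual MFA device ARN: {serial}")
    elif not serial.endswith(f"/{profile}"):
        problems.append("mfa_serial names a different user than the profile")
    return problems


def check_access_keys(list_keys_json, note_status):
    """Compare IAM's view of the user's keys with the note's CURRENT STATUS line."""
    keys = json.loads(list_keys_json)["AccessKeyMetadata"]
    active = [k["AccessKeyId"] for k in keys if k["Status"] == "Active"]
    problems = []
    if len(keys) > 1:
        problems.append("more than one access key exists; keep a single key")
    if active and note_status.upper() != "ACTIVE":
        problems.append(f"key {active[0]} is Active but the note says {note_status}")
    elif not active and note_status.upper() == "ACTIVE":
        problems.append("the note says ACTIVE but no key is active; update the note")
    return problems
```

Run `check_profile` against your config after step 22 and `check_access_keys` whenever you flip the note between ACTIVE and INACTIVE, so the key state in IAM and the note in 1Password never drift apart.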

:::tip

Done!

:::
