My friend asked if I know what AWS is.


My friend asked me yesterday if I know what AWS is. And it’s not someone I only talk to once in a while. We literally talk every day. I guess I always refer to my employer as just Amazon, so “AWS” never comes up.

He recently acquired an app and needed to create a new AWS account, add a new user for his developer, and give him permissions for Lightsail (whatever that is). He managed to do the first two. The permissions part? Yep, he had no idea.

I’ve written about IAM before here. My goal yesterday was to help him get it done quickly, not necessarily in the most appropriate way.


IAM Identity Center is confusing (even if you know IAM)

I assumed he used “regular IAM,” so the plan was simple: find the user in IAM, attach some permissions, move on with life. But he said there wasn’t a user in there, even though his developer was able to log in to the console. He just had no access.

My first thought was: maybe IAM isn’t global and he’s in the wrong region. So I asked him to check the region list. Nope, IAM is global.

Then it clicked: he probably used IAM Identity Center. Which was confusing even for me the first time I tried it, and I can only imagine how confusing it is if you don’t already have the “permissions mental model” in your head.

He opened Identity Center and of course had to switch the region to us-east-1. There he found his user, and I thought it would be as simple as assigning permissions.

It wasn’t.

He kept sending me screenshots of what he sees and I had no idea where he should go next. At some point I realized I was just guessing, so I logged into my own account and tried it before telling him anything else.


The actual flow (and where AWS hides it)

What needed to happen first was creating a Permission Set (a named bundle of policies that grants nothing on its own until it is assigned to a user or group in an account), and only then attaching policies to it. I won’t rant about how terrible this experience was when I forgot to specify which resources to allow, and then the console refused to save my changes when I tried to fix it. But I managed to get it working on my side, and my friend created the same thing on his side following my instructions.

Then we hit the next problem: I still didn’t see any way to attach the permission set to the user.

So I went to my favorite friend ChatGPT, er, Google (yep, I still Google stuff sometimes because I hate how long ChatGPT takes to think, but that’s another story).

Apparently the missing step is hidden under:

Multi-account permissions → AWS accounts

From there you select the AWS account, choose Assign users or groups, pick the user (or, better, a group), pick the permission set, and submit. That account assignment is what actually grants access: a user who exists in Identity Center but has no assignment can sign in to the access portal and see nothing, which is exactly what his developer was hitting.
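Here is the same flow as AWS CLI commands, so all the pieces the console spreads over several screens sit in one place. This is an added example, not code from the newsletter. It assumes (all overridable through the environment) that Identity Center was enabled in us-east-1, that the developer’s Identity Center username is "dev", that the target account is 123456789012, and that a permission set named "LightsailDeveloper" with an inline policy granting lightsail:* on all resources is an acceptable starting point to narrow down later. Nothing runs against AWS unless IDC_APPLY=1 is set; IDC_DRY_RUN=1 prints the mutating commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the newsletter's own: the Identity Center flow
# (permission set -> policy -> account assignment) via the AWS CLI.
# Assumed values, overridable through the environment: Identity Center was
# enabled in us-east-1, the developer's Identity Center username is "dev",
# the target account is 123456789012, and a permission set called
# "LightsailDeveloper" with lightsail:* on all resources is an acceptable
# starting point (narrow it once the developer's needs are known).
set -eu

REGION="${IDC_REGION:-us-east-1}"
ACCOUNT_ID="${IDC_ACCOUNT_ID:-123456789012}"
DEV_USERNAME="${IDC_USERNAME:-dev}"
PS_NAME="${IDC_PERMISSION_SET:-LightsailDeveloper}"

# Print each mutating command before running it; with IDC_DRY_RUN=1 only print.
run() {
  printf '+ %s\n' "$*" >&2
  [ "${IDC_DRY_RUN:-0}" = "1" ] || "$@"
}

# Inline policy for the permission set. Every statement must carry a
# "Resource" key, which is the field the console would not save without.
lightsail_policy_json() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Sid":"Lightsail","Effect":"Allow","Action":["lightsail:*"],"Resource":"*"}]}'
}

# Step 0: the Identity Center instance and its identity store (read-only).
# Identity Center is regional, so query the region where it was enabled.
idc_instance_arn() {
  aws sso-admin list-instances --region "$REGION" \
    --query 'Instances[0].InstanceArn' --output text
}
idc_store_id() {
  aws sso-admin list-instances --region "$REGION" \
    --query 'Instances[0].IdentityStoreId' --output text
}

# Step 1: the user already exists in Identity Center; that is why the
# developer could sign in but had no access (identity without assignment).
idc_user_id() {
  aws identitystore list-users --region "$REGION" \
    --identity-store-id "$(idc_store_id)" \
    --filters "AttributePath=UserName,AttributeValue=$DEV_USERNAME" \
    --query 'Users[0].UserId' --output text
}

# Step 2: create the permission set, then attach the policy to it.
create_permission_set() {
  run aws sso-admin create-permission-set --region "$REGION" \
    --instance-arn "$1" --name "$PS_NAME" --session-duration PT8H \
    --query 'PermissionSet.PermissionSetArn' --output text
}
attach_inline_policy() {
  run aws sso-admin put-inline-policy-to-permission-set --region "$REGION" \
    --instance-arn "$1" --permission-set-arn "$2" \
    --inline-policy "$(lightsail_policy_json)"
}

# Step 3: the hidden step. Bind user + permission set to the account
# (console: Multi-account permissions -> AWS accounts -> Assign users or groups).
# Nothing is granted until this assignment exists.
create_account_assignment() {
  run aws sso-admin create-account-assignment --region "$REGION" \
    --instance-arn "$1" --target-id "$ACCOUNT_ID" --target-type AWS_ACCOUNT \
    --permission-set-arn "$2" --principal-type USER --principal-id "$3"
}

main() {
  instance_arn="$(idc_instance_arn)"
  user_id="$(idc_user_id)"
  ps_arn="$(create_permission_set "$instance_arn")"
  ps_arn="${ps_arn:-<permission-set-arn>}"   # placeholder in dry-run mode
  attach_inline_policy "$instance_arn" "$ps_arn"
  create_account_assignment "$instance_arn" "$ps_arn" "$user_id"
}

# Only touch AWS when explicitly asked, so the file can be sourced safely.
if [ "${IDC_APPLY:-0}" = "1" ]; then
  main
fi
```

Run it as `IDC_APPLY=1 IDC_DRY_RUN=1 sh idc-lightsail.sh` first to read the commands it would issue, then without IDC_DRY_RUN to apply them. Assigning a group rather than a single user (`--principal-type GROUP`) is the better habit: the next developer then only needs to be added to the group, not given a fresh assignment.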

This whole process should be more streamlined. Why do I have to go to 3–4 different places to get one developer access to one service? If I didn’t know at least in theory what needs to happen, this would’ve been even more painful than it already was.

Do you have your own IAM stories? Reply to share!

Cheers!

Evgeny Urubkov (@codevev)


codevev

codevev is a weekly newsletter designed to help you become a better software developer. Every Wednesday, get a concise email packed with value:
• Skill Boosts: Elevate your coding with both hard and soft skill insights.
• Tool Tips: Learn about new tools and how to use them effectively.
• Real-World Wisdom: Gain from my experiences in the tech field.
