Before you can use Locksmith, you must create an IAM user and configure
Locksmith with its credentials. Locksmith can be used both stand-alone and
managed by a service. Here we show how to use Locksmith as a stand-alone tool.
Because of the way assuming a role works, it is important that you create
your IAM user in a personal account (i.e., an account that nobody else has
access to): anyone with administrative access to the account holding the user
can obtain its credentials, or attach policies to it, and thereby assume every
role that trusts it.
It is strongly recommended to create a new account dedicated to holding this single
Create an IAM user
First, we are going to create an IAM user.
The only function this user is going to fulfil is assuming roles in other AWS
accounts. You MUST create this new IAM user in a new personal account, dedicated
to nothing other than holding this single IAM user. You must not do anything else
with this account (except enabling CloudTrail, so that every use of the user's
credentials is logged).
Create an IAM user:
- Choose access type “Programmatic access” only
- Do not select “AWS Management Console access”
- Choose “Attach existing policies directly”
- Click “Create policy”
- Click “Create Your Own Policy”, and fill the fields as follows:
- Policy Name: stsAssumeRole
- Description: Allow assuming IAM Roles.
- Click “Create Policy”
- Return to the user creation, “Refresh” the list of policies
- Select the “Customer managed” policy “stsAssumeRole” that was just created
- Click “Next: Review”
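The page does not show the policy document to paste into “Create Your Own Policy”. The following is an added example, not part of Locksmith's own documentation: a minimal identity policy that grants this user nothing but sts:AssumeRole. The statement ID and the Resource of "*" are assumptions; which roles the user can actually assume is decided by the trust policy of each target role, so the wildcard here does not by itself grant access to any account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleOnly",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
```

Do not attach anything beyond this policy to the user; in particular, it must not be able to read or rotate its own access keys or manage its own MFA device, since that would let anyone who obtains the keys disable the MFA protection. The MFA requirement itself belongs in the target accounts: each role that this user is allowed to assume should carry a trust policy that names this user's ARN as the principal and adds a `Bool` condition on `aws:MultiFactorAuthPresent` being `true`, so that an AssumeRole call without the MFA token code configured below is refused.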
Review the settings:
- Click “Create user”
- Safely store the credentials for this user; we are going to need them later
- Find the user that was just created, and open the “Security credentials” tab
- Click the pencil icon next to “Assigned MFA device” to start configuring
an MFA token for this IAM user
- Configure a virtual or hardware MFA device
- Make a note of the ARN/serial number of the MFA device
Now we are going to install and configure Locksmith with the credentials of the
IAM user we just created:
- Install the Locksmith Google Chrome extension.
- Navigate to the Locksmith settings:
- Open Locksmith by clicking the lock icon
- Open the settings by clicking the cog-wheel icon
- Set the following settings:
- Use Local Storage: enable
- Access Key ID, Secret Access Key: The credentials of the IAM user you created above
- MFA Serial Number: The serial number of your hardware MFA token, or the
ARN of your virtual MFA token.