This is the story of when I needed to give IAM users on the same AWS account access to open and work on an existing AWS Cloud9 workspace. It’s not straightforward to give IAM users access to AWS C9. Here are the keys to giving IAM users access to your AWS C9, so they don’t need to log in as the root user.
The AWS docs do provide detailed guides for this.
However, after I had created the IAM user I needed and added it to a Group that already had the required policies for accessing AWS Cloud9 attached, it still didn’t work.
When I tested that IAM user in another browser and tried to access the existing AWS Cloud9 workspace, it returned a big 400 text, literally.
It came with some additional details that said, in short: the IAM user account I was logged in to did not have sufficient permission.
This is not good.
I read the whole AWS doc about permitting this IAM user to access it again.
Everything looked good. Nothing seemed wrong.
I even tried this:
- Removed that IAM user from the Group.
- Attached the required policies for Cloud9 directly to that user.
- Not only that, but I also attached “Administrator Access” to see if it was needed, though the doc did not say so. I know this is a bad practice, so please bear with me.
I found nothing wrong. I compared each step I had done against the doc, and I had followed them exactly as written.
I took a deep breath and started to read the doc again, and still found no clue.
I had been struggling with this for more than thirty minutes.
Until I skimmed the doc and somehow stumbled upon this page.
Finally. Yes, finally. That’s the missing key to this puzzle.
I hadn’t invited the IAM user on that same AWS account to the workspace itself.
I should have realized it earlier.
After all, it’s mostly still the same as the old Cloud9, except for the fact that it’s now running on top of an EC2 instance.
Yet, somehow, I wish I had read that doc page first, before creating a new IAM user.
AWS does provide detailed and good documentation for AWS Cloud9.
Though it’s a bit overwhelming the first time (just like the rest of the AWS docs), it did help.
All we need to do, as their customers, is read the available docs carefully.
Just like in my case above, I tend to rush and skim the doc, trying to find the things I’m looking for to fix the problem at hand.
The short and simple steps to allow IAM users on the same AWS account to access the Cloud9 workspace are:
- Create or edit the IAM user.
- Add the proper permissions. Just attach the permissions that contain “Cloud”.
- Go back to the AWS C9 workspace.
- Then, invite the IAM user we set up in steps 1 and 2. Just make sure it has the required permissions to access Cloud9. To do this, you need to log in as the root user of that account or as an IAM user with “Administrator permissions”.
- Finally, open another browser. Log in as the IAM user you invited to AWS Cloud9 and open the workspace. It should work.
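
The failure described above (Cloud9 policies attached, yet access refused until the user is invited to the workspace) can be checked from AWS CLI output. This is an added example, not code from the original post or from AWS: it assumes the JSON comes from `aws iam list-attached-user-policies` / `list-attached-group-policies` and `aws cloud9 describe-environment-memberships`, and the account ID, user name and environment ID are constructed placeholders.

```python
import json

# Constructed sample data shaped like AWS CLI output (placeholders, not a real account).
USER_ARN = "arn:aws:iam::111122223333:user/dev-user"
ENV_ID = "EXAMPLE-ENVIRONMENT-ID"
POLICIES = json.loads("""{"AttachedPolicies": [
  {"PolicyName": "AWSCloud9User", "PolicyArn": "arn:aws:iam::aws:policy/AWSCloud9User"},
  {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}""")
MEMBERSHIPS = json.loads("""{"memberships": [
  {"permissions": "owner", "userArn": "arn:aws:iam::111122223333:root",
   "environmentId": "EXAMPLE-ENVIRONMENT-ID"}]}""")

# AWS managed policies for Cloud9.
CLOUD9_POLICIES = {"AWSCloud9User", "AWSCloud9Administrator", "AWSCloud9EnvironmentMember"}


def diagnose(user_arn, env_id, policy_responses, memberships):
    """Return findings explaining why user_arn cannot open env_id."""
    names = {p["PolicyName"] for r in policy_responses for p in r["AttachedPolicies"]}
    findings = []
    if not names & CLOUD9_POLICIES:
        findings.append("no-cloud9-policy")
    if "AdministratorAccess" in names:
        # The post calls this bad practice; detach it once debugging is done.
        findings.append("remove-administrator-access")
    invited = any(m["userArn"] == user_arn and m["environmentId"] == env_id
                  for m in memberships["memberships"])
    if not invited:
        # The missing step from the post: the user was never invited.
        findings.append("not-invited")
    return findings


def invite_command(user_arn, env_id, permissions="read-write"):
    """Build the CLI call the environment owner runs to invite the user."""
    if permissions not in ("read-write", "read-only"):
        raise ValueError("permissions must be read-write or read-only")
    return ("aws cloud9 create-environment-membership "
            f"--environment-id {env_id} --user-arn {user_arn} --permissions {permissions}")


if __name__ == "__main__":
    for finding in diagnose(USER_ARN, ENV_ID, [POLICIES], MEMBERSHIPS):
        print(finding)
    print(invite_command(USER_ARN, ENV_ID))
```
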