IAMS user can't access Cloud9 IDE

Question

As a root user, I created an environment in Cloud9, then created IAMS users and gave them RW access to the environment, which I can see has worked when I click the Share button on the upper left corner of the environment, but when they log in and go to Cloud9 they can see the card for the environment but 'Open IDE' is grayed out and they can't access it.  Sigh.

Answer

Generally it's against best practices to use root credentials to create and share environments because read/write members can use the environment owner's AWS access credentials. See [here](https://docs.aws.amazon.com/cloud9/latest/user-guide/share-environment.html#share-environment-best-practices) for more information. Specifically this section:

*For EC2 environments, read/write members can use the environment owner's AWS access credentials, instead of their own credentials, to make calls from the environment to AWS services. To prevent this, the environment owner can disable AWS managed temporary credentials for the environment. However, this also prevents the environment owner from making calls. For more information, see [AWS Managed Temporary Credentials](https://docs.aws.amazon.com/cloud9/latest/user-guide/security-iam.html#auth-and-access-control-temporary-managed-credentials).*

As for your question, what's the IAM policy look like for your IAM user(s)? Are you using an AWS Managed Policy like **AWSCloud9User** or are you using a custom policy? If using a custom policy, ensure it includes the permissions similar to those listed out in the **AWSCloud9User** as those will be required to see and access environments, whether they are shared or not.

IAMS user can't access Cloud9 IDE

相关内容