Who really uses AWS IAM API keys?

Animesh Bhadra 🎯 | Originally published at archerimagine.com | 7 min read

AWS Made Easy | AWS IAM API Keys

Introduction

The developer community uses cloud technologies the most. In your quest to learn about AWS, you have been focusing on configuring things using the AWS console. As a developer, you may not find the AWS console an efficient way to do these tasks.

It sounds like Neo trapped in the Matrix. It's you, but you haven't found Morpheus yet. You have no knowledge of the red pill that will show you the truth.

Soon you will be able to access the AWS cloud with tools like CLIs, SDKs or HTTP APIs. These are tools you completely understand. Even if you don't, sit tight; we will make it easy to follow along.

You will first create a user with programmatic access, then progress to configure the developer's machine to connect to the cloud. After this, you will get information from the cloud using programmatic access.

Stay seated and enjoy this journey of programmatic access to the promised Earth of the Cloud.

IAM API Keys

You have already found out that there are three ways to connect to AWS. The AWS console is the most basic way to access it. The AWS CLIs and SDKs provide a much better way to access it, as they can be controlled programmatically.

To recap, here are the various ways to access AWS.

  • AWS Console
  • AWS SDKs
  • AWS CLIs
    • Windows PowerShell

You can use any of the above methods to access AWS; all of them use the AWS APIs in the back-end. The way you access AWS does not change the features of AWS.

You might think the AWS Console is easy to use: there is a web interface, and you type in the username and password, which allows access to AWS.

How will you use AWS in these programmatic ways?

IAM API Keys to the rescue

You need IAM API keys to enable programmatic access to AWS. These API keys are tied to an IAM user, so you have to create an IAM user and enable the IAM API keys.

So let's dive into the world of creating and using the IAM API Keys.

How to create IAM API Keys?

The first step is to create an IAM user. You have already learned how to create an IAM user here.

IAM user creation is a five-step process. We have to follow all the steps, with a minor change in Step 1.

As you can see below, we just have to select the option Programmatic access.

AWS Made Easy | AWS IAM User with API Keys

You can also give this user AWS Console access by enabling the option AWS Management Console access.

You have to follow the remaining steps from the IAM user creation article.

In step five, Success, you have to take some specific action.

In step five, your screen will look a little different from the last time you created a user. There are two new fields:

  • Access Key ID
  • Secret access key

You will get these two fields only when you enable the IAM user with programmatic access.

Please download the security credentials in CSV format, and keep them safe.

AWS Made Easy | AWS IAM User Success screen

You may have seen the screen below the previous time. In that case, the user did not have programmatic access.

AWS Made Easy | IAM Users creation steps, success

Now you have a user with IAM API keys enabled.

Properties of IAM API Keys

You should keep in mind a few important points about IAM API keys.

  • The user creation step above is the only time you will see both the Access Key ID and the Secret access key together.
  • The Access Key ID is only visible in the IAM user's security credentials.
  • It is advised to keep the security credentials downloaded in CSV format.
  • Once lost, you cannot recover the Secret access key corresponding to the Access Key ID.
  • You have to deactivate the old Access Key ID and create a new pair of Access Key ID & Secret access key.
  • As you might have already figured out, since the IAM API keys are tied to an IAM user, they cannot be associated with IAM roles.
  • The above combination should never be stored on an AWS EC2 instance; you should use IAM roles for this.
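
The lost-secret procedure from the list above (create a new pair, deactivate the old Access Key ID), as an added example that is not part of the original article. `rotate_access_key` and `FakeIAM` are hypothetical names; the three methods called are the boto3 IAM client's `list_access_keys`, `create_access_key` and `update_access_key`, and `FakeIAM` is a constructed in-memory stand-in so the code runs offline.

```python
def rotate_access_key(iam, user_name):
    """Create a replacement key pair and deactivate the user's old key.

    `iam` is a boto3 IAM client (boto3.client("iam")) or any object with the
    same three methods. The returned dict is the only place the new
    SecretAccessKey ever appears.
    """
    old = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    # IAM allows at most two access keys per user, so a user that already
    # holds two must have one deleted before a new pair can be created.
    if len(old) >= 2:
        raise RuntimeError(f"{user_name} already has two keys; delete one first")
    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # The old secret is lost, so nothing can still be using it: deactivate now.
    for meta in old:
        if meta["Status"] == "Active":
            iam.update_access_key(UserName=user_name,
                                  AccessKeyId=meta["AccessKeyId"],
                                  Status="Inactive")
    return new_key


class FakeIAM:
    """Constructed in-memory stand-in for the IAM client (offline demo only)."""

    def __init__(self, key_ids):
        self.keys = {key_id: "Active" for key_id in key_ids}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": s}
            for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        key_id = f"AKIAEXAMPLENEW{len(self.keys):06d}"  # constructed placeholder
        self.keys[key_id] = "Active"
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "SecretAccessKey": "constructed-placeholder-secret",
                              "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status


if __name__ == "__main__":
    fake = FakeIAM(["AKIAIOSFODNN7EXAMPLE"])
    print(rotate_access_key(fake, "dev-user")["AccessKeyId"], fake.keys)
```
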

How to use the IAM API Keys?

You can use these IAM API Keys in two major ways.

  • AWS SDKs
  • AWS CLIs

We will go through both these steps.

Using IAM API Keys with AWS CLI.

We can install the Python-based AWS CLI with a simple command if you have the pip package manager.

pip install awscli

To use the AWS CLI you need to configure the AWS environment by running this command.

aws configure

If you get four questions as output, then the AWS CLI is installed.

Answer the four questions using the Access Key ID & Secret access key you created above for the new IAM user.

AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

Let me explain these four options.

  • AWS Access Key ID [None]: fill in the value you got for the Access Key ID.
  • AWS Secret Access Key [None]: fill in the value you got for the Secret access key.
  • Default region name [None]: provide the region in which the AWS CLIs or SDKs should execute.
  • Default output format [None]: JSON is generally the preferred option.

The above execution creates two files in the ~/.aws folder.

-rw------- 1 user staff 116B Dec 24 23:43 credentials
-rw------- 1 user staff 44B Dec 24 23:43 config

The credentials file contains the Access Key ID & the Secret access key you gave above.

[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

The config file has this.

[default]
region = us-west-2
output = json

With this you can execute AWS CLI specific commands. Here is a reference of such commands.
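
Because ~/.aws/credentials holds the key pair in plain text, it is worth checking the file the way the listing above shows it (-rw-------). The following is an added example, not code from the original article: `audit_credentials` and `demo` are hypothetical names, the sample file is constructed from the placeholder keys shown above, and POSIX file permissions are assumed.

```python
import configparser
import os
import stat
import tempfile


def audit_credentials(path):
    """Return a list of findings for an AWS CLI credentials file."""
    findings = []
    # Only the owner should be able to read the keys (mode 0600, -rw-------).
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o} lets group/other access the keys")
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    for profile in parser.sections():
        key_id = parser[profile].get("aws_access_key_id", "")
        has_token = "aws_session_token" in parser[profile]
        # AKIA... IDs are long-term IAM user keys; ASIA... IDs are temporary
        # STS credentials and always come with a session token.
        if key_id.startswith("AKIA") and not has_token:
            findings.append(f"[{profile}] long-term key {key_id} stored in plain text")
    return findings


def demo():
    """Audit a constructed credentials file at mode 0644, then at 0600."""
    sample = (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)   # deliberately too open
        loose = audit_credentials(path)
        os.chmod(path, 0o600)   # the mode shown in the listing above
        tight = audit_credentials(path)
    return loose, tight


if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```
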

Once you have the CLI installed and configured, using the SDK is much easier.

Using IAM API Keys with AWS SDKs.

AWS supports SDKs in many languages.

  • C++
  • Go
  • Java
  • JavaScript
  • .NET
  • Node.js
  • PHP
  • Python
  • Ruby

You will use the Python SDK for this example. The Python 3 AWS SDK is called Boto3.

You should complete the AWS CLI installation before proceeding.

Boto3 installation | QuickStart

Python has a very good package manager called pip, and we can install boto3 with a simple command.

pip install boto3

After this, if you have still not installed the AWS CLI, you need to add a few details to some configuration files. Create the credentials and config files in the ~/.aws directory as shown above.

Here is some sample code, which just lists all the buckets on AWS S3. Even if you do not understand AWS S3, no worries. The code below will not give any errors if you do not have any S3 buckets. No error from the code below signifies that the AWS SDKs and CLIs are working in conjunction with each other.

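import boto3

# boto3 reads the key pair and region from the ~/.aws files created above.
s3 = boto3.resource("s3")

# Print the name of every S3 bucket in the account.
for bucket in s3.buckets.all():
    print(bucket.name)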

Conclusion

The AWS Console is a great way to use AWS, but it becomes difficult to use only the AWS Console for all tasks. There are times when you may need to do a job more than once. Manually performing these repeated tasks is very difficult and subject to errors.

AWS offers two additional access channels, the AWS CLIs and SDKs. These require a user enabled with programmatic access. The same user can also have console access along with programmatic access.

After you have created the user, you should note that you receive an Access Key ID and a Secret Access Key. This pair of keys is only available during user creation. This is the reason we should download this information in CSV format, as it is required multiple times for access.

You now have all the raw materials to connect to AWS programmatically. The next step is to download the Python AWS CLI package and configure it. Once configured, you will see a folder in the home directory, ~/.aws. This folder now has all the information needed to connect to AWS.

The CLI is a powerful tool. If you still want the SDK, you can download the Boto3 Python SDK and use the sample code to list all the buckets in S3, if you have created any. If the above code executes without any error, you can assume that the SDK is installed.

You can now use any of the methods to access AWS. Let me know your experience of accessing AWS using the CLIs or SDKs: was it easy or hard?

Info Graphics

AWS Made Easy | IAM API Key Properties
