Udoh Deborah

Day 42: IAM Programmatic access and AWS CLI

IAM Programmatic Access

What it is:

Programmatic access means allowing applications, scripts, or terminals to interact with AWS resources without using the AWS Management Console. Instead of logging in through the web UI, you authenticate using credentials.

The credentials

  • AWS Access Key ID → like a username
  • AWS Secret Access Key → like a password (must be kept secret)

When combined, they let your tools (like AWS CLI, SDKs, Terraform, etc.) talk to AWS APIs.

Important:

  • These keys should not be shared or hard-coded in code.
  • Best practices are to rotate them regularly or use IAM roles / IAM Identity Center (SSO) for temporary credentials.

Why it’s useful

  • Automates tasks that would be slow in the AWS Console.
  • Integrates AWS into CI/CD pipelines, scripts, and applications.
  • Enables developers and DevOps engineers to manage cloud resources at scale.

AWS CLI (Command Line Interface)

What it is:
The AWS CLI is a unified tool that allows you to manage AWS services from the terminal. Instead of clicking through the web console, you type commands that directly call AWS APIs.

Key Features

  • Unified tool: One CLI for all AWS services.
  • Automation: You can script repetitive tasks (e.g., deploy EC2 instances, upload to S3, create IAM roles).
  • Profiles: Manage multiple AWS accounts or environments (dev, test, prod).
  • Interactive features: CLI v2 offers auto-prompting, wizard-like configurations, and SSO integration.

Examples of AWS CLI commands

# Verify identity
aws sts get-caller-identity

# List S3 buckets
aws s3 ls

# Start an EC2 instance
aws ec2 start-instances --instance-ids i-1234567890abcdef0

How they connect

  1. You create Access Keys in IAM (IAM Programmatic Access).
  2. You configure those keys on your local machine using the AWS CLI (aws configure).
  3. The CLI uses those credentials to sign API requests to AWS services.
  4. AWS checks the credentials, verifies permissions (IAM policies), and allows or denies the action.

Hands-On Task:

0) Prerequisites & Safety (very important)

  • Do NOT create access keys for the root user. Use an IAM user (or, even better, IAM Identity Center / SSO).
  • Give your IAM user only the permissions it needs (least privilege). If you’re just learning, an AdministratorAccess-attached user is acceptable in a sandbox account.
  • Turn on MFA for the user.

1) Create programmatic access keys (IAM user)

  1. Sign in to the AWS Console with an admin-capable user.
  2. Go to IAM → Users → select your IAM user (or create one: Add users → User name → check Provide user access to the AWS Management Console if needed → attach permissions → create).
  3. Open Security credentials tab.
  4. In Access keys, click Create access key.
  5. Choose Use case: Command Line Interface (CLI) → acknowledge the warning.
  6. Click Create access key.
  7. Copy the keys immediately or Download .csv:
  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

Store them securely. Never commit these to GitHub, scripts, or shared docs.
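
A pre-commit style check for the rule above, as an added example (not from the original post): `scan_for_aws_keys` is a hypothetical helper that searches a directory tree for access key IDs and for `aws_secret_access_key` assignments. It prints only the file and line number, so the value is not echoed again.

```bash
#!/usr/bin/env bash
# Added example: flag hard-coded AWS credentials in a source tree.
# scan_for_aws_keys is a hypothetical helper name, not an AWS CLI command.

scan_for_aws_keys() {
  local dir="${1:-.}" hits
  # Access key IDs are 20 characters: a 4-character prefix (AKIA = long-lived
  # IAM user key, ASIA = temporary STS key) plus 16 upper-case alphanumerics.
  local key_id='(^|[^A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}([^A-Z0-9]|$)'
  # Credentials-file style assignment of the secret half of the pair.
  local secret='aws_secret_access_key[[:space:]]*='

  # Skip .git internals, ignore binary files (-I), keep only "file:line".
  hits=$(find "$dir" -name .git -prune -o -type f \
           -exec grep -IEnH -e "$key_id" -e "$secret" {} + 2>/dev/null |
         cut -d: -f1,2 || true)

  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" | sed 's/^/possible AWS credential: /'
  return 1
}
```

Call it with the repository root as the argument; a non-zero exit status means at least one match, which is what a pre-commit hook needs to block the commit.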

2) Install AWS CLI v2

Windows

  • Option A (recommended): winget
  winget install --id Amazon.AWSCLI -e
  • Option B: MSI installer (double-click, Next→Next→Finish)

Verify:

aws --version

macOS

  • With Homebrew:
  brew install awscli

Verify:

aws --version

Linux (Debian/Ubuntu)

sudo apt update
sudo apt install -y unzip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws --version

If you’re on ARM (e.g., Graviton, Raspberry Pi), use the ARM download from AWS.

3) Configure your credentials

Quick setup (default profile)

Run:

aws configure

Enter:

  • AWS Access Key ID → paste from step 1
  • AWS Secret Access Key → paste from step 1
  • Default region name → e.g., us-east-1 or your most-used region
  • Default output format → json (or yaml, text)

Recommended: use named profiles

This keeps environments separate (e.g., dev, prod):

aws configure --profile dev
aws configure --profile prod

Where credentials are stored

  • Linux/macOS: ~/.aws/credentials (keys) and ~/.aws/config (settings)
  • Windows: C:\Users\<You>\.aws\credentials and C:\Users\<You>\.aws\config
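
A check for the files listed above, as an added example (not from the original post): `audit_aws_credentials` is a hypothetical helper that warns when the credentials file is accessible to group or other, and labels each profile by key prefix, where `AKIA` marks a long-lived IAM user key and `ASIA` a temporary key issued by STS.

```bash
#!/usr/bin/env bash
# Added example: audit an AWS shared-credentials file (Linux/macOS).
# audit_aws_credentials is a hypothetical helper name, not part of the AWS CLI.

audit_aws_credentials() {
  local file="${1:-$HOME/.aws/credentials}" status=0 perms
  [ -f "$file" ] || { echo "no credentials file at $file"; return 0; }

  # The file holds secrets in plain text: only the owner should have access.
  perms=$(ls -lL "$file" | cut -c5-10)      # group + other permission bits
  if [ "$perms" != "------" ]; then
    echo "WARN: $file is accessible to group/other (fix: chmod 600)"
    status=1
  fi

  # One line per profile: the name and the kind of key it stores.
  awk '
    /^[ \t]*\[.*\][ \t]*$/ {
      sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, ""); profile = $0; next
    }
    /^[ \t]*aws_access_key_id[ \t]*=/ {
      id = $0; sub(/^[^=]*=/, "", id); gsub(/[ \t\r]/, "", id)
      kind = "unknown"
      if (id ~ /^AKIA/) kind = "long-lived"
      if (id ~ /^ASIA/) kind = "temporary"
      print profile ": " kind
    }
  ' "$file"
  return "$status"
}
```

Profiles reported as long-lived are the ones to rotate or replace with IAM Identity Center (SSO) profiles.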

Tip: You can also set values by command (the secret then lands in your shell history, so prefer the interactive prompt for real keys):

aws configure set aws_access_key_id YOUR_KEY --profile dev
aws configure set aws_secret_access_key YOUR_SECRET --profile dev
aws configure set region us-east-1 --profile dev
aws configure set output json --profile dev

4) Test your setup

Who am I?

aws sts get-caller-identity --profile dev

Expected JSON includes your Account, Arn, and UserId.

List S3 (if allowed)

aws s3 ls --profile dev

Check CLI path/version

which aws         # macOS/Linux
where.exe aws     # Windows (in PowerShell, plain "where" is an alias for Where-Object)
aws --version

5) (Optional) Use AWS IAM Identity Center (SSO) instead of long-lived keys

This is the modern, safer approach—no static keys on disk.

  1. Ensure your organization uses IAM Identity Center.
  2. Run:
   aws configure sso
  3. Provide:
    • SSO Start URL
    • SSO Region
    • AWS account & Role
    • Default region and output
  4. Sign in via browser when prompted.
  5. Use it:
   aws sso login --profile my-sso
   aws sts get-caller-identity --profile my-sso

6) Environment variables (temporary use)

For short sessions or CI, you can export environment variables (they override files):

Linux/macOS

export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_DEFAULT_REGION=us-east-1

Windows PowerShell

$env:AWS_ACCESS_KEY_ID="AKIA..."
$env:AWS_SECRET_ACCESS_KEY="..."
$env:AWS_DEFAULT_REGION="us-east-1"

Unset them after use.

7) Rotating & deleting access keys

  • In IAM → Users → your user → Security credentials → Access keys:
    • Create new key, update your apps, then Deactivate → Delete the old key.
  • Keep only one active key whenever possible.

8) Common troubleshooting

  • “Unable to locate credentials”: Use the right profile (--profile dev), or run aws configure. Check with:
  aws configure list
  aws configure list-profiles
  • AccessDenied / AccessDeniedException: Your IAM user/role lacks permission. Attach or adjust policies.
  • Command not found / not recognized: Re-open your terminal or fix PATH. Verify with aws --version.
  • Wrong account/identity: Another profile or env vars may be taking precedence. Clear env vars or specify --profile.

9) Mini-cheat sheet

# Configure a profile
aws configure --profile dev

# Verify identity
aws sts get-caller-identity --profile dev

# Set values directly
aws configure set region eu-west-1 --profile dev
aws configure set output json --profile dev

# List profiles
aws configure list-profiles

# SSO (modern approach)
aws configure sso
aws sso login --profile my-sso