Credentials

command line

The AWS command line tools read the access key ID and secret access key from the file ~/.aws/credentials:

[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Running {{aws configure}} is a way to create the file. The file has a single profile called "default", but other profiles with different keys can be defined. The profile can be specified using the {{--profile}} flag when running a command line tool.

The command line tools also have a {{--region}} flag. A default region can be specified in the ~/.aws/config file:

[default]
region=us-west-2

Environment variables take precedence over values in the credentials file and config file:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_DEFAULT_REGION

boto 3

Boto 3 checks sources in the following order for access key credentials:

  • constructor arguments
  • environment variables
  • ~/.aws/credentials
  • assume role provider
  • instance metadata

The above list is actually incomplete. See the docs.

import boto3

s3 = boto3.client(service_name='s3',
                  region_name='us-west-2',
                  aws_access_key_id='AKIAIOSFODNN7EXAMPLE',
                  aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')
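The precedence described above (constructor arguments, then environment variables, then a profile in ~/.aws/credentials) as an added, self-contained example. This is not boto3's own resolver and models only those three sources; the credentials-file text is constructed inline from AWS's documented example keys, and the function reports which source won so a caller can log that without logging the secret.

```python
import configparser
import os
from typing import Mapping, Optional, Tuple

# Constructed sample ~/.aws/credentials content (AWS documentation example keys,
# not real credentials); embedded here so the example runs without a file on disk.
SAMPLE_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[audit]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
"""


def load_profiles(text: str) -> dict:
    """Parse credentials-file text (INI format) into {profile: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def resolve_credentials(explicit: Optional[Mapping[str, str]] = None,
                        env: Optional[Mapping[str, str]] = None,
                        credentials_text: str = "",
                        profile: str = "default") -> Optional[Tuple[str, str, str]]:
    """Return (access_key_id, secret_access_key, source) or None.

    Order modelled: explicit constructor arguments > AWS_ACCESS_KEY_ID /
    AWS_SECRET_ACCESS_KEY environment variables > the named profile in the
    credentials file. A source is used only if it supplies both halves of
    the key pair, so a half-set source does not mask a complete lower one.
    """
    env = os.environ if env is None else env
    if explicit and explicit.get("aws_access_key_id") and explicit.get("aws_secret_access_key"):
        return explicit["aws_access_key_id"], explicit["aws_secret_access_key"], "constructor"
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"], "environment"
    section = load_profiles(credentials_text).get(profile, {})
    if section.get("aws_access_key_id") and section.get("aws_secret_access_key"):
        return section["aws_access_key_id"], section["aws_secret_access_key"], "file:" + profile
    return None


if __name__ == "__main__":
    result = resolve_credentials(env={}, credentials_text=SAMPLE_CREDENTIALS_FILE, profile="audit")
    # Log the key ID and source only; never the secret.
    print("using key %s from %s" % (result[0], result[2]))
```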

EC2

To give an EC2 instance a name, create a tag with key "Name".

On an EC2 instance you can use HTTP to query the instance metadata service:

$ curl http://169.254.169.254/latest/dynamic/instance-identity/document

$ curl http://169.254.169.254/latest/meta-data/
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-keys/
reservation-id
security-groups
services/

$ curl http://169.254.169.254/latest/meta-data/security-groups/
tech-http-https
vpc-http-https
tech-ssh
vpc-ss

IAM

When an AWS account is created, a root account is created which has access to all services and resources in the account. One signs in to the root account using the email address and password used when creating the AWS account.

Other users, called IAM users, can be created in an AWS account. Credentials can be attached to a user. IAM users belong to zero or more IAM groups, and each IAM group has zero or more policies which define the permissions granted to the users in that group.

IAM roles also have policies. IAM users, AWS services, and applications can assume an IAM role and its privileges.

EBS

Get device name of EBS volume:

$ lsblk

Check whether the device already has a file system:

$ sudo file -s /dev/DEVICE

If this returns "data", the device has no file system and must be formatted.

Format the EBS volume as ext4:

$ sudo mkfs -t ext4 /dev/DEVICE

Make a mount point and mount the EBS volume there:

$ sudo mkdir PATH
$ sudo mount /dev/DEVICE PATH
$ sudo chown -R USER PATH