Credentials
command line
The AWS command line tools use the file ~/.aws/credentials to get the access key and secret access key:
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Running {{aws configure}} is one way to create the file. The file above has a single profile called "default", but further profiles with different keys can be defined as additional sections. A profile is selected with the {{--profile}} flag when running a command line tool.
The command line tools also take a {{--region}} flag. A default region can be set in the ~/.aws/config file:
[default]
region=us-west-2
Environment variables take precedence over values in the credentials file and the config file:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN (required in addition to the two above when the keys are temporary credentials)
- AWS_DEFAULT_REGION
boto 3
Boto 3 checks sources in the following order for access key credentials:
- constructor arguments
- environment variables
- ~/.aws/credentials
- assume role provider
- instance metadata
The list is abbreviated: the full chain also includes the ~/.aws/config file and the web-identity and container credential providers, and is documented in the boto3 credentials guide.
import boto3

# Passing keys explicitly is the first link in the chain above and is shown here
# for illustration only; in practice let boto3 find them (environment, profile,
# instance role) rather than hardcoding secrets in source.
s3 = boto3.client(service_name='s3',
                  region_name='us-west-2',
                  aws_access_key_id='AKIAIOSFODNN7EXAMPLE',
                  aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')
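The precedence described in the two sections above (explicit arguments, then environment variables, then the profile in ~/.aws/credentials, with the region coming from an argument, AWS_DEFAULT_REGION or ~/.aws/config) can be seen end to end in the following added example. It is a simplified re-implementation written for these notes, not code from boto3 or the AWS CLI; the file contents, the "ci" profile and the keys it contains are constructed (the keys are the AWS documentation's example values).

```python
"""Simplified model of the credential and region lookup chain described above.

Added example, not code from boto3 or the AWS CLI: it re-implements the
precedence (explicit arguments > environment variables > ~/.aws/credentials
profile; region from argument > AWS_DEFAULT_REGION > ~/.aws/config) so the
order can be exercised offline against constructed file contents.
"""
import configparser
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed file contents standing in for ~/.aws/credentials and ~/.aws/config.
# The keys are the AWS documentation's example values, not real credentials.
CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
"""

# In ~/.aws/config every profile except "default" is written "[profile NAME]".
CONFIG_FILE = """
[default]
region=us-west-2

[profile ci]
region=eu-west-1
"""


@dataclass(frozen=True)
class Resolved:
    access_key_id: str
    secret_access_key: str
    region: Optional[str]
    source: str  # which link in the chain supplied the keys


def _parse_ini(text: str) -> configparser.ConfigParser:
    # interpolation=None: secrets may legitimately contain '%', which the
    # default interpolation would try to expand.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def resolve(env: Mapping[str, str], credentials_ini: str = CREDENTIALS_FILE,
            config_ini: str = CONFIG_FILE, profile: Optional[str] = None,
            access_key_id: Optional[str] = None, secret_access_key: Optional[str] = None,
            region: Optional[str] = None) -> Resolved:
    """Return the credentials and region the chain would select."""
    creds = _parse_ini(credentials_ini)
    config = _parse_ini(config_ini)
    # --profile on the command line; AWS_PROFILE in the environment; else default.
    profile = profile or env.get("AWS_PROFILE") or "default"
    section = "default" if profile == "default" else f"profile {profile}"
    region = (region or env.get("AWS_DEFAULT_REGION")
              or config.get(section, "region", fallback=None))

    if access_key_id and secret_access_key:
        return Resolved(access_key_id, secret_access_key, region, "arguments")
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return Resolved(env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"],
                        region, "environment")
    if creds.has_section(profile):
        return Resolved(creds.get(profile, "aws_access_key_id"),
                        creds.get(profile, "aws_secret_access_key"),
                        region, f"credentials file [{profile}]")
    raise LookupError(f"no credentials found for profile {profile!r}")


if __name__ == "__main__":
    print(resolve(env={}))
    print(resolve(env={"AWS_PROFILE": "ci"}))
    print(resolve(env={"AWS_ACCESS_KEY_ID": "FROM_ENV", "AWS_SECRET_ACCESS_KEY": "x",
                       "AWS_DEFAULT_REGION": "ap-southeast-2"}))
```

Two details worth noticing: the config file names non-default profiles "[profile NAME]" while the credentials file uses "[NAME]", and the parser is created with interpolation disabled so that a secret containing "%" is not mangled.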
EC2
To give an EC2 instance a name, create a tag with key "Name".
On an EC2 instance the instance metadata service answers plain HTTP on the link-local address 169.254.169.254. Any code on the instance that can be made to issue an HTTP request can read it, and the {{iam/security-credentials/}} path returns the temporary credentials of the instance's IAM role, which is why IMDSv2 requires a session token obtained with a PUT request before any GET. The original, token-less (IMDSv1) form of the queries:
$ curl http://169.254.169.254/latest/dynamic/instance-identity/document
$ curl http://169.254.169.254/latest/meta-data/
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-keys/
reservation-id
security-groups
services/
$ curl http://169.254.169.254/latest/meta-data/security-groups/
tech-http-https
vpc-http-https
tech-ssh
vpc-ss
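The token exchange that IMDSv2 adds on top of the plain GETs above is shown in the following added example, which is not part of the original notes. It runs a small local mock of the metadata service that enforces the token, then queries it both ways; the instance id, security groups and role name it serves are constructed, while the header names (X-aws-ec2-metadata-token-ttl-seconds, X-aws-ec2-metadata-token) and the /latest/api/token path are the real IMDSv2 ones.

```python
"""Added example (not from the original page): an IMDSv2-style token exchange
against a local mock of the EC2 instance metadata service.

The mock listens on 127.0.0.1 and, like IMDSv2, rejects any GET that does not
carry a session token minted by a prior PUT. The metadata it serves is
constructed and modelled on the paths listed above.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed metadata tree (values are placeholders, not real credentials).
METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/security-groups/": "tech-http-https\nvpc-http-https\n",
    "/latest/meta-data/iam/security-credentials/": "example-role\n",
    "/latest/meta-data/iam/security-credentials/example-role": json.dumps(
        {"AccessKeyId": "ASIACONSTRUCTED", "SecretAccessKey": "constructed",
         "Token": "constructed"}),
}
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"


class MockIMDS(BaseHTTPRequestHandler):
    tokens = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body=""):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_PUT(self):
        # IMDSv2 step 1: mint a session token; the TTL header is mandatory.
        if self.path != "/latest/api/token" or TTL_HDR not in self.headers:
            return self._reply(400)
        tok = secrets.token_urlsafe(32)
        MockIMDS.tokens.add(tok)
        self._reply(200, tok)

    def do_GET(self):
        # IMDSv2 step 2: every read must present a valid token, else 401.
        if self.headers.get(TOKEN_HDR) not in MockIMDS.tokens:
            return self._reply(401)
        body = METADATA.get(self.path)
        if body is None:
            return self._reply(404)
        self._reply(200, body)


def start_mock():
    srv = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def imds_get(base, path, token=None):
    """Fetch PATH the IMDSv2 way: PUT for a token, then GET with the token header."""
    if token is None:
        req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                     headers={TTL_HDR: "21600"})
        with urllib.request.urlopen(req, timeout=2) as r:
            token = r.read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HDR: token})
    with urllib.request.urlopen(req, timeout=2) as r:
        return r.read().decode()


def imds_v1_status(base, path):
    """Plain GET with no token (the IMDSv1 style shown above); returns the HTTP status."""
    try:
        with urllib.request.urlopen(base + path, timeout=2) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code


def demo():
    srv, base = start_mock()
    try:
        return {
            "v1_status": imds_v1_status(base, "/latest/meta-data/instance-id"),
            "instance_id": imds_get(base, "/latest/meta-data/instance-id"),
            "role": imds_get(base, "/latest/meta-data/iam/security-credentials/").strip(),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

With IMDSv2 required on a real instance the token-less GET gets the same 401 the mock returns. Note also that the real service answers the PUT with an IP hop limit of 1 by default, so a request relayed through one extra hop (a container's network namespace, a forwarded SSRF request) does not receive the token at all.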
IAM
When an AWS account is created it has a single root user, which can access every service and resource in the account. One signs in as root with the email address and password used to create the AWS account. Because IAM policies cannot restrict the root user, it should be protected with MFA and kept for the few tasks that require it, with day-to-day work done as IAM identities.
Other identities, called IAM users, can be created in the account, and credentials (a console password, access keys) can be attached to each. An IAM user belongs to zero or more IAM groups, and each group has zero or more policies that define the permissions granted to the users in it.
IAM roles also carry policies. IAM users, AWS services and applications can assume a role and receive its permissions as temporary credentials, instead of holding long-lived keys of their own.
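How the policies attached to a user's groups combine into a decision is shown in the following added example. It is a simplified model written for these notes, not AWS's evaluation logic: it keeps the two rules that matter most in practice (an explicit Deny in any applicable policy wins, and anything not explicitly allowed is denied) and omits conditions, resource policies, permission boundaries and service control policies. The groups, users, bucket names and ARNs are constructed.

```python
"""Simplified model of how the IAM policies on a user's groups decide a request.

Added example, not AWS's evaluation code: explicit Deny beats any Allow, and
the default is implicit deny. Conditions, resource policies, permission
boundaries and SCPs are omitted. Groups, users and ARNs below are constructed.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

Policy = Dict[str, object]  # a parsed IAM policy document


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value: str, ignore_case: bool = False) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    if ignore_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def statement_applies(stmt: Dict, action: str, resource: str) -> bool:
    # Action names are matched case-insensitively, resource ARNs exactly.
    return (_matches(stmt.get("Action", []), action, ignore_case=True)
            and _matches(stmt.get("Resource", []), resource))


def is_allowed(policies: Iterable[Policy], action: str, resource: str) -> bool:
    allowed = False
    for pol in policies:
        for stmt in _as_list(pol["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False      # explicit deny wins regardless of any allow
            allowed = True        # remember the allow; keep scanning for denies
    return allowed                # implicit deny when nothing allowed it


# Constructed account: groups carry policies, users belong to groups.
GROUP_POLICIES: Dict[str, List[Policy]] = {
    "developers": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}],
    "deployers": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::app-assets/*"}]}],
    "no-prod-writes": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::app-assets/prod/*"}]}],
}
USER_GROUPS = {"alice": ["developers", "deployers", "no-prod-writes"],
               "bob": ["developers"]}


def user_allowed(user: str, action: str, resource: str) -> bool:
    """Evaluate ACTION on RESOURCE against every policy of every group USER is in."""
    policies = [p for g in USER_GROUPS.get(user, []) for p in GROUP_POLICIES[g]]
    return is_allowed(policies, action, resource)


if __name__ == "__main__":
    for user, action, res in [
        ("alice", "s3:PutObject", "arn:aws:s3:::app-assets/staging/app.js"),
        ("alice", "s3:PutObject", "arn:aws:s3:::app-assets/prod/app.js"),
        ("bob", "s3:PutObject", "arn:aws:s3:::app-assets/staging/app.js"),
        ("bob", "ec2:DescribeInstances", "*"),
    ]:
        verdict = "allow" if user_allowed(user, action, res) else "deny"
        print(f"{user} {action} {res} -> {verdict}")
```

The "no-prod-writes" group illustrates why a Deny statement is the right tool for a guard rail: alice's "deployers" membership grants s3:PutObject on the whole bucket, yet the prod prefix stays closed no matter which group is evaluated first, whereas bob, who was never granted PutObject at all, is refused by the implicit deny.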
EBS
Find the device name of the attached EBS volume:
$ lsblk
Check whether the volume already holds a file system. If this prints only "data", the device is blank and must be formatted; any other description means a file system is present and formatting would destroy it:
$ sudo file -s /dev/DEVICE
Format the EBS volume as ext4:
$ sudo mkfs -t ext4 /dev/DEVICE
Make a mount point and mount the EBS volume there:
$ sudo mkdir PATH
$ sudo mount /dev/DEVICE PATH
$ sudo chown -R USER PATH
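The steps above, assembled into one guarded procedure, form the following added example (not code from the original notes). It parses lsblk output to find unmounted disks, decides from the `file -s` output whether the device is really blank, and only then includes the mkfs step; the device names and the lsblk and `file -s` output strings are constructed. The functions that actually run commands need root and are not exercised by the offline demo.

```python
"""Guarded version of the EBS find/format/mount procedure above.

Added example, not code from the original page: the steps become a plan that
includes mkfs only when `file -s` reports a blank device, because formatting a
volume that already carries a file system destroys its data. Device names and
the lsblk/file output below are constructed.
"""
import subprocess
from typing import List

# Constructed `lsblk -rno NAME,SIZE,TYPE,MOUNTPOINT` output: a root disk with one
# mounted partition, and a freshly attached 100 GiB volume. An empty MOUNTPOINT
# column leaves a line with only three fields.
SAMPLE_LSBLK = """xvda 8G disk
xvda1 8G part /
xvdf 100G disk
"""


def unmounted_disks(lsblk_output: str) -> List[str]:
    """Whole disks with no mount point and no partitions: the attach candidates."""
    rows = [line.split() for line in lsblk_output.splitlines() if line.strip()]
    names = [r[0] for r in rows]
    out = []
    for fields in rows:
        name, kind = fields[0], fields[2]
        mounted = len(fields) > 3
        has_parts = any(n != name and n.startswith(name) for n in names)
        if kind == "disk" and not mounted and not has_parts:
            out.append(name)
    return out


def is_blank(file_s_output: str) -> bool:
    """True when `file -s /dev/X` reports only "data", i.e. no recognised content.

    A formatted volume prints e.g. "/dev/X: Linux rev 1.0 ext4 filesystem data
    (extents) (large files)", which also contains the word "data", so compare
    the whole description rather than searching for a substring.
    """
    _, _, desc = file_s_output.strip().partition(":")
    return desc.strip() == "data"


def plan(device: str, mount_point: str, owner: str, file_s_output: str) -> List[List[str]]:
    """Commands for the procedure above; mkfs is included only for a blank device."""
    cmds = []
    if is_blank(file_s_output):
        cmds.append(["mkfs", "-t", "ext4", device])
    cmds += [["mkdir", "-p", mount_point],
             ["mount", device, mount_point],
             ["chown", "-R", owner, mount_point]]
    return cmds


def probe(device: str) -> str:
    """Run `file -s` on a real device (needs root); not used by the offline demo."""
    return subprocess.run(["file", "-s", device], check=True,
                          capture_output=True, text=True).stdout


def execute(cmds: List[List[str]]) -> None:
    """Run the plan with sudo, stopping at the first failure."""
    for cmd in cmds:
        subprocess.run(["sudo", *cmd], check=True)


if __name__ == "__main__":
    # Dry run against the constructed lsblk output and a blank-device report.
    for dev in unmounted_disks(SAMPLE_LSBLK):
        path = "/dev/" + dev
        for cmd in plan(path, "/data", "ec2-user", f"{path}: data"):
            print(" ".join(["sudo", *cmd]))
```

The mount made this way does not survive a reboot; add an /etc/fstab entry (by UUID rather than device name, since names such as /dev/xvdf are not stable across instance types) once the volume is confirmed working.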