AWS CLI log in command - amazon-web-services

I am starting into the AWS world and I recently configured my local environment to connect to my AWS account through the terminal, but I’m having a hard time finding the correct command to log in. Could someone please point me how to do this.
Thank you beforehand

The AWS CLI does not "log in". Rather, each individual request is authenticated with a set of credentials (similar to a username and password). It's a bit like making a phone call -- you do not need to "log in" to your telephone. Instead, the system is configured to already know who you are.
To store credentials for use with the AWS CLI, you can run the aws configure command. It will prompt you for an Access Key and Secret Key, which will be stored in a configuration file. These credentials will then be used with future AWS CLI commands.
If you are using your own AWS Account, you can obtain an Access Key and Secret Key by creating an IAM User in the Identity and Access Management (IAM) management console. Simply select programmatic access to obtain these credentials. You will need to assign appropriate permissions to this IAM User. (It is not recommended to use your root login for such purposes.)

to login using shell you will need:
IAM keys (https://aws.amazon.com/premiumsupport/knowledge-center/create-access-key/)
AWS Cli (https://aws.amazon.com/cli/)

Related

Configure AWS CLI Credentials without Secret and Access Keys

I have been working for the past week using Access and Secret keys that I generated for connecting REST API to DynamoDB and AWS CLI, today I just got told by the offshore team that I am not supposed to use Access and Secret keys at all that I'm supposed to use IAM roles and I have been researching how to do that but I'm stuck, has anyone here ever had the same issue?
If everything was done the way you said it in the question and also in your comment reply to #stdunbar, it is impossible to do so, those are the purpose of both secret and access keys, i dont think your offshore team knows what they are talking about
There are methods to acquire STS session keys (like when you assume a role) from AWS. One solution is Hashicorp Vault, but this requires the infrastructure has been configured to allow this. There are other methods that use the webui session to generate an STS token.
Ask your offshore team what method you should use to get a role based access session token. You were probably used to the cli asking for Access Key ID and Secret Key. The session key will come in three parts instead of two. The session access key id will start with ASIA instead of AKIA; the session secret access key is the same as its static counterpart; the session token is a very long string.
The easiest way to set these are to edit the credentials file in .aws/credentials. If you use aws configure you won't be prompted to set the session token. you could use aws configure set for each of the parts, if you don't already have profiles set up in your credential file you can just edit the default credential profile.
source:https://docs.aws.amazon.com/cli/latest/reference/configure/index.html
The point that they're (correctly) making is that your application should not include explicit credentials.
Instead, the application should be configured in Elastic Beanstalk with an IAM role. When the application runs and uses an AWS SDK, the SDK will be able to retrieve temporary credentials from the Beanstalk environment that it is running on.
You can read more at Managing Elastic Beanstalk Instance Profiles.

How to avoid using user profile to perform s3 operations without EC2 instances

According to many advices, we should not configure IAM USER but using IAM Role instead to avoid someone managed to grab the user confidential in .aws folder.
Lets say I don't have any EC2 instances. Can I still able to perform S3 operation via AWS CLI? Says aws s3 ls
MacBook-Air:~ user$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
You are correct that, when running applications on Amazon EC2 instances or as AWS Lambda functions, an IAM role should be assigned that will provide credentials via the EC2 metadata service.
If you are not running on EC2/Lambda, then the normal practice is to use IAM User credentials that have been created specifically for your application, with least possible privilege assigned.
You should never store the IAM User credentials in an application -- there have been many cases of people accidentally saving such files into GitHub, and bad actors grab the credentials and have access to your account.
You could store the credentials in a configuration file (eg via aws configure) and keep that file outside your codebase. However, there are still risks associated with storing the credentials in a file.
A safer option is to provide the credentials via environment variables, since they can be defined through a login profile and will never be included in the application code.
I don't think you can use service roles on your personal machine.
You can however use multi-factor authentication for AWS CLI
You can use credentials on any machine not just EC2.
Follow the steps as described by the documentation for your OS.
http://docs.aws.amazon.com/cli/latest/userguide/installing.html

Automatic login to AWS resources

Thus far I get access to my AWS resources using Access Key Id and Secret Access Key. But every time I end my session I have to manually enter these keys when typing aws configure
Is there an automated way, perhaps with SSH private key on the local host ?
Generally speaking when you use "aws configure", and enter your credentials, those credentials are saved in the .aws/credentials file in a path on your machine (exactly where will depend on the OS). You shouldn't have to run 'aws configure' again unless your credentials change.
Once that is done - one time - every further execution of an AWS CLI command should just use those stored credentials - you should not have to ever enter them more than once.
Aws provides this feature to handle access and secret keys in the format of profiles..
Let say if you have multiple accounts.. or multiple regions..
You can setup those as profiles with the help of aws configure --profile <profilename>
And when performing operations in one particular account in one particular region..
export DEFAULT_AWS_PROFILE=<profilename>
By doing this it is easy to work with multiple envs.

Given an AWS Access / Secret Key Pair, how do I retrieve its IAM permissions?

Given the input of just an AWS Access Key and an AWS Secret Key, how can I use the AWS SDK to lookup what kind of permissions that the account can do?
I want do XYZ for a customer so the customer needs to give the access key and secret key to me to perform XYZ programmatically. However, before trying to do any of those actions, I'd like to verify that the credentials they gave me have access to certain privileges, such as being able to create S3 objects or being able to launch an EC2 instance.
That way, I can validate if the access key and secret key has permission to do something before I do it on their behalf.
You can use the SimulatePrincipalPolicy API to simulate how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions.
The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to.
You'll need to provide the "SimulatePrincipalPolicy" API with that user's ARN as the PolicySourceArn input parameter (no need to use the optional CallerArn input parameter). If you have the access key ID and secret access key, you can retrieve the user's ARN by calling the GetUser API using that user credentials, i.e., without specifying the UserName input parameter. If no user name is included, the GetUser API defaults to the user making the request.
I would suggest using the AWS CLI for the purpose and making use of the --dry-run flag for the CLI commands. I am unsure of how many AWS CLI operations support the --dry-run operation not to mention the Tag level / Resource level restrictions.
The --dry-run flag would try to check if you have permission to run the API or not without actually performing the request.
I also see the difficulty of testing (regression) as AWS has 60+ services and EC2 alone has 227 API commands [as of today]. Perhaps this might be the place where you would use your sed, awk, grep to build a shell script [and publish it in GITHUB]
SDKs do support this as well - it might be easier than the CLI approach

AWS access keys (for CLI authentication, etc..) for users from a SAML identity provider, or AD connector?

I've been looking in to getting the AWS (web) console hooked up to an AD or ADFS setup for managing users. It was reasonable easy to get working with a SAML Identity Provider in IAM and some existing ADFS infrastructure.
The problem is that users that authenticate that way, as opposed to normal AWS user accounts, don't have any way to have associated access keys so far as I can tell. Access keys are a key concept for authenticating stuff such as the AWS CLI, which needs to be tied to individual user accounts.
What are the workarounds to allow a user authenticated via a SAML identity provider to still be able to easily use the aws CLI? The only thing I've come up with to far is some hacky crap that would proxy the aws cli command, request temporary 1-hour credentials from the aws STS service, put them in the aws credentials file, and forward the command to the normal AWS cli. But, that makes me want to throw up a little bit; plus, I have no idea if it would work if a command took over an hour to complete (large s3 uploads, etc..)
Suggestions? I would try the official Directory Service AD connector, but my understanding is users still just assume IAM roles and would ultimately have the same problem.
https://github.com/Versent/saml2aws was created to address this, and has a vibrant open source community behind it.
I've had success with aws-adfs for AWS CLI via ADFS
The repo owner is currently adding support for DUO MFA as well.
It works by authenticating the user to the same page you'd use for console access then scraping the roles available. You choose a role and then aws-adfs sets the default user to the credential set needed for sts access.
After the default user is set you can cli like normal: aws s3 ls
https://github.com/venth/aws-adfs