So I use AWS Educate Starter for one simple Reason:
I want to UPLOAD an image from iOS to S3 and then get its URL. In order to do so I need an access key and an secret key, which I can find, as I found out here Access key ID and Secret Access Key for AWS Educate account.
My Problem is:
I go to this site, click the blue button expand the details and copy the aws_access_key_id and aws_secret_access_key into my Xcode project. There I get the information, that my Access Key is invalid and after playing around a little bit I recognised, that the 2 values change all the time I'm loading the labs.vocareum.com site new.
What am I doing wrong here ??
Apparently, these aws_access_key_id, aws_secret_access_id, and aws_session_token is not permanent. Every time you start a session on AWS Educate Starter Account, different credentials will be generated.
Each session would last for few hours, so if your program uploads images to S3 using non-permanent credentials (aws_access_key_id, aws_secret_access_id, aws_session_token), your program can upload without having any problem for few hours, then afterward it would not work anymore because the session would be terminated.
In a normal AWS account, you are able to get/create the permanent access key and whatnot from IAM. However, as you may already know, in AWS Educate Account, you cannot add/create the access key to your IAM user, because you don't have permission.
The only way to solve this problem is to create a standard non-educate AWS account or change credentials every time the session expires.
To answer your question, you are not doing anything wrong. Each session expires in few hours, so that is the reason why you are getting Access Key Invalid error.
Related
We're using a AWS Access Key/Secret pair for S3 uploads on an old client website. During an audit, we discovered that the Access Key used for uploads, while still working, doesn't appear to exist in any IAM user for the client's AWS account. I ran aws sts get-access-key-info --access-key-id=[old key] and it provided the correct AWS account id for our client. But searching for this key in our IAM users (https://console.aws.amazon.com/iam/home?#/users) shows no results. How can this be? Can the Access Key live somewhere else outside IAM?
Accepted answer from #kdgregory
It could belong to the root user. If yes, then you very much want to disable it. – kdgregory 2 hours ago
AFAIK AWS Access Key/Secret you can only secure and store once you created the IAM user. I don't think you can get the Access Key and Secret pair again anywhere in AWS unless you have it stored somewhere (which is not a good practice BTW).
I recently "Created a new Access Key" for my AWS Amplify IAM user, and disabled the old key. I also changed how I was authenticating to AWS (using an IAM user now instead of previously a SSO Federated user).
Now when I run something like:
amplify api push
I get:
InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
I tried re-running:
amplify configure
I used aws configure to set the new Access Key to the default profile, but still no luck.
How can I resolve this?
I ended up checking local-aws-info.json in the amplify/config directory and noticed that the "useProfile" and "profileName" keys weren't accurate anymore.
To fix I ran:
amplify configure project
And once that finished, I ran:
amplify pull however, this was probably only necessary due to the hacking around I did trying to fix the error originally.
I have been working for the past week using Access and Secret keys that I generated for connecting REST API to DynamoDB and AWS CLI, today I just got told by the offshore team that I am not supposed to use Access and Secret keys at all that I'm supposed to use IAM roles and I have been researching how to do that but I'm stuck, has anyone here ever had the same issue?
If everything was done the way you said it in the question and also in your comment reply to #stdunbar, it is impossible to do so, those are the purpose of both secret and access keys, i dont think your offshore team knows what they are talking about
There are methods to acquire STS session keys (like when you assume a role) from AWS. One solution is Hashicorp Vault, but this requires the infrastructure has been configured to allow this. There are other methods that use the webui session to generate an STS token.
Ask your offshore team what method you should use to get a role based access session token. You were probably used to the cli asking for Access Key ID and Secret Key. The session key will come in three parts instead of two. The session access key id will start with ASIA instead of AKIA; the session secret access key is the same as its static counterpart; the session token is a very long string.
The easiest way to set these are to edit the credentials file in .aws/credentials. If you use aws configure you won't be prompted to set the session token. you could use aws configure set for each of the parts, if you don't already have profiles set up in your credential file you can just edit the default credential profile.
source:https://docs.aws.amazon.com/cli/latest/reference/configure/index.html
The point that they're (correctly) making is that your application should not include explicit credentials.
Instead, the application should be configured in Elastic Beanstalk with an IAM role. When the application runs and uses an AWS SDK, the SDK will be able to retrieve temporary credentials from the Beanstalk environment that it is running on.
You can read more at Managing Elastic Beanstalk Instance Profiles.
I have a AWS Educate Starter Account, and I want to be able to generate automatically my credentials (aws_access_key_id, aws_secret_access_key, aws_session_token) from my code.
Currently, the way I do it is:
1) Login with my university email and password in labs.vocareum.com
2) Click on Account Details and copy and paste the credentials into ~/.aws/credentials for AWS CLI
3) In my Python code I use boto3 to interact with s3
But I would like to do everything in my Python script, without logging in every time and copy the credentials, since they are temporary credentials (they expire every 1 hour).
The type of account doesn't allow me to create and IAM User either.
This is a similar question, but is 2 years old and doesn't have an answer on how to do it without logging in.
Is there any way to do it?
labs.vocareum manage keys for your AWS Educate. It is not possible to do this since you will be locked out before you can reschedule your session. Unfortunately, there is currently no other way but the current method.
I'm totally new to AWS.
I downloaded some sample code from Amazon and I need to set a number of constants:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
MERCHANT_ID
MARKETPLACE_ID
I just created an AWS account. I want some type of sandbox account so I can try out the code samples.
What are the exact steps I have to take to:
Create a sandbox account
Get these credentials
Go to: http://aws.amazon.com/
Sign Up & create a new account (they'll give you the option for 1 year trial or similar)
Go to your AWS account overview
Account menu in the upper-right (has your name on it)
sub-menu: Security Credentials
Open the AWS Console
Click on your username near the top right and select My Security Credentials
Click on Users in the sidebar
Click on your username
Click on the Security Credentials tab
Click Create Access Key
Click Show User Security Credentials
Amazon changes the admin console from time to time, hence the previous answers above are irrelevant in 2020.
The way to get the secret access key (Oct.2020) is:
go to IAM console: https://console.aws.amazon.com/iam
click on "Users". (see image)
go to the user you need his access key.
As i see the answers above, I can assume my answer will become irrelevant in a year max :-)
HTH
Amit's answer tells you how to get your AWS_ACCESS_KEY_ID, but the Your Security Credentials page won't reveal your AWS_SECRET_ACCESS_KEY. As this blog points out:
Secret access keys are, as the name implies, secrets, like your
password. Just as AWS doesn’t reveal your password back to you if you
forgot it (you’d have to set a new password), the new security
credentials page does not allowing retrieval of a secret access key
after its initial creation. You should securely store your secret
access keys as a security best practice, but you can always generate
new access keys at any time.
So if you don't remember your AWS_SECRET_ACCESS_KEY, the blog goes on to tell how to create a new one:
Create a new access key:
"Download the .csv key file, which contains the access key ID and secret access key.":
As for your other questions:
I'm not sure about MERCHANT_ID and MARKETPLACE_ID.
I believe your sandbox question was addressed by Amit's point that you can play with AWS for a year without paying.
It is very dangerous to create an access_key_id in "My Account ==> Security Credentials". Because the key has all authority.
Please create "IAM" user and attach only some policies you need.
To find the AWS_SECRET_ACCESS_KEY Its better to create new create "IAM" user
Here is the steps https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Users and then choose Add user.