I have a AWS Educate Starter Account, and I want to be able to generate automatically my credentials (aws_access_key_id, aws_secret_access_key, aws_session_token) from my code.
Currently, the way I do it is:
1) Login with my university email and password in labs.vocareum.com
2) Click on Account Details and copy and paste the credentials into ~/.aws/credentials for AWS CLI
3) In my Python code I use boto3 to interact with s3
But I would like to do everything in my Python script, without logging in every time and copy the credentials, since they are temporary credentials (they expire every 1 hour).
The type of account doesn't allow me to create and IAM User either.
This is a similar question, but is 2 years old and doesn't have an answer on how to do it without logging in.
Is there any way to do it?
labs.vocareum manage keys for your AWS Educate. It is not possible to do this since you will be locked out before you can reschedule your session. Unfortunately, there is currently no other way but the current method.
Related
I have total 600 users in the aws congnito user pool in my old aws account , and i want to move/migrate all the users to my new aws account. It is possible to migrate aws congnito users from one aws account to another.
Please Help Me.
I checked through every document linked to Congnito, but I was unable to find a document for moving Congnito users between AWS accounts.
You should consider to use cognito-backup-restore npm tool. It's easy to use and oriented to What you require, but there are some important points to take into account:
You need the AWS CLI and security credentials installed and well configured locally, preferably use IAM roles to access Cognito.
You're backing up users from Cognito user pool to a JSON file locally, so do it in a safe environment and remove the file after restoring the backup.
There is no way of getting passwords of the users in Cognito, so you may need to ask them to make use of ForgotPassword to recover their account.
Right now we create scripts that run through CLI to automate or fetch things from AWS.
But we used AWS access key/ secret access/session token for the same.
these keys and tokens are valid for 1 hour. Hence next hour if we do use them, the script will fail.
But it is also not possible to fetch the temp credentials, update the script, and run those.
So what is the best possible solution in this condition? What should I do that I can get the updated credentials and I can run the script by using those updated credentials (automatically)? Or any other alternatives so that we can still run scripts from our local machines using Boto with AWS credentials?
any help is appreciated.
Bhavesh
I'm assuming that your script runs outside of AWS, otherwise you would simply configure your compute (EC2, Lambda, etc.) to automatically assume an IAM role.
If you have persistent IAM User credentials that allow you to assume the relevant role then use those.
If you don't then take a look at the new IAM Roles Anywhere feature.
So I use AWS Educate Starter for one simple Reason:
I want to UPLOAD an image from iOS to S3 and then get its URL. In order to do so I need an access key and an secret key, which I can find, as I found out here Access key ID and Secret Access Key for AWS Educate account.
My Problem is:
I go to this site, click the blue button expand the details and copy the aws_access_key_id and aws_secret_access_key into my Xcode project. There I get the information, that my Access Key is invalid and after playing around a little bit I recognised, that the 2 values change all the time I'm loading the labs.vocareum.com site new.
What am I doing wrong here ??
Apparently, these aws_access_key_id, aws_secret_access_id, and aws_session_token is not permanent. Every time you start a session on AWS Educate Starter Account, different credentials will be generated.
Each session would last for few hours, so if your program uploads images to S3 using non-permanent credentials (aws_access_key_id, aws_secret_access_id, aws_session_token), your program can upload without having any problem for few hours, then afterward it would not work anymore because the session would be terminated.
In a normal AWS account, you are able to get/create the permanent access key and whatnot from IAM. However, as you may already know, in AWS Educate Account, you cannot add/create the access key to your IAM user, because you don't have permission.
The only way to solve this problem is to create a standard non-educate AWS account or change credentials every time the session expires.
To answer your question, you are not doing anything wrong. Each session expires in few hours, so that is the reason why you are getting Access Key Invalid error.
I generate some files(size of the order KBs) periodically on an on-prem server. I want to push them to s3 as soon as they are generated. How do I go about managing the accesses?
I'm using the boto3 package of python to do so. How do I manage access, as in do I create a new IAM role? If so, how to specify the permissions?
There's a few requirements here:
You need something to 'trigger' the upload. This could be a cron job / scheduled task, or it could be specifically triggered by whatever process is generating the files
You could then use either the AWS Command-Line Interface (CLI) command to upload the files (either aws s3 cp or aws s3 sync), or you could write your own program as you suggested.
The AWS CLI or your own program will require AWS credentials. The recommended method would be:
Create a User in IAM and make note of the credentials (Access Key, Secret Key)
Assign minimal permissions to the User so that it has enough permission to perform the function (eg s3:PutObject for the given bucket). Do not assign s3:* on every bucket! (Very bad for security.)
On the on-premises computer, run aws configure (part of the AWS CLI) and enter the credentials that were provided when the IAM User was created
This will place the credentials in a .aws/credentials file on the computer. Never put credentials in your programming code! (Again, bad for security.)
If you are asking how to create an IAM User, please see: Creating an IAM User in Your AWS Account - AWS Identity and Access Management
According to many advices, we should not configure IAM USER but using IAM Role instead to avoid someone managed to grab the user confidential in .aws folder.
Lets say I don't have any EC2 instances. Can I still able to perform S3 operation via AWS CLI? Says aws s3 ls
MacBook-Air:~ user$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
You are correct that, when running applications on Amazon EC2 instances or as AWS Lambda functions, an IAM role should be assigned that will provide credentials via the EC2 metadata service.
If you are not running on EC2/Lambda, then the normal practice is to use IAM User credentials that have been created specifically for your application, with least possible privilege assigned.
You should never store the IAM User credentials in an application -- there have been many cases of people accidentally saving such files into GitHub, and bad actors grab the credentials and have access to your account.
You could store the credentials in a configuration file (eg via aws configure) and keep that file outside your codebase. However, there are still risks associated with storing the credentials in a file.
A safer option is to provide the credentials via environment variables, since they can be defined through a login profile and will never be included in the application code.
I don't think you can use service roles on your personal machine.
You can however use multi-factor authentication for AWS CLI
You can use credentials on any machine not just EC2.
Follow the steps as described by the documentation for your OS.
http://docs.aws.amazon.com/cli/latest/userguide/installing.html