I want to manage the my AWS environment using PowerShell. We are getting access through IAM roles. I am facing trouble to generate the Access key & secret key for my IAM role. Can someone guide me how can i generate these keys.
An IAM Role can only be used by an IAM User. This is because the User needs to authenticate to AWS to prove that they are that user. This will then provide IAM User credentials.
If you then wish to use a role, you can use the User credentials to call Use-STSRole, which will assume the role and return a set of credentials associated with the Role. (Note: The credentials will expire after a period of time, typically one hour.)
For more details, see: Switching to an IAM Role (Tools for Windows PowerShell)
You do not generate IAM Access Key / Secret Key for roles. AWS generates these for you and makes them available in the instance's metadata.
The AWS Tools for Windows PowerShell will automatically extract the access key / secret key from the instance's metadata if you have installed PowerShell and the AWS Tools correctly.
This link will provide more information about PowerShell and IAM Roles:
IAM Roles for EC2
[Update after new comment]
If your goal is to generate IAM access keys for a new user, login to the AWS console, go to IAM, go to users, Add User, click "Programmatic access", then Set permissions for the user and finish by creating the user. On the next screen will be the access keys. You need to download (or copy) the Secret access key as it will NOT be shown again.
For an existing user, click on the user, click on the "Security credentials" tab, then click the "Create access key" button. Copy or download the keys. Note: You cannot access previously created access keys. If you have lost the secret access key, then you have to generate new ones.
Managing Access Keys for Your AWS Account
According to AWS Doc there is a way through API:
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" –v http://169.254.169.254/latest/meta-data/iam/security-credentials/*role_name*
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
Related
im trying to get eb cli working.
in my cmd i do
>eb init
which opens up a new terminal, which then soon asks for aws-access-id and aws-secret-key
You have not yet set up your credentials or your credentials are incorrect
You must provide your credentials.
(aws-access-id): xxxx
(aws-secret-key): xxxxxxxxxx
ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid.
im not 100% sure whether aws-access-id referes to my username, the email address that created it or user id....
same goes for the aws-secret-key , im assuming right now that its the password for the account not some 1 off secret key.
I have used the console login link to register the iam account and change the password.
I have set the permissions of this user group to be AdministratorAccess
##################################
what is aws-access-id:
my username?
the email address?
user id?
is there anything that looks wrong?
You need to use Access keys.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
If you have access to IAM and have sufficient privileges you can generate such keys for yourself. If not you need to contact your AWS administrator.
Please take a look at Managing access keys for IAM users for more information.
Stupidly enough, I did delete by mistake my default AWS IAM user!
I used it for example do aws s3 sync...
Now the error I get is:
$ aws s3 sync build/ s3://mybucket.mydomain.com
fatal error: An error occurred (InvalidAccessKeyId) when calling the ListObjects operation: The AWS Access Key Id you provided does not exist in our records.
Is there a way to recover?
I think I need instructions how to create a new user with the sufficient roles to enable my local aws cli to be able to do aws s3 sync ...
UPDATE: I did just create a new user on my AWS console, and added a policy (to start with) to list my bucket. The problem is I don't know how to attach my aws cli to that new user... :-(
If you are the only person using this AWS Account, then add the AdministratorAccess Policy to your IAM User. That will grant complete access.
Then, in the Security credentials tab of the IAM User click Create access key. Copy the Access Key and Secret Access Key.
On the command line, run aws configure and provide those keys to configure the user.
Test with: aws s3 ls
I am creating a new secret in AWS secret manager from the AWS console
I used default encryption key to encrypt it.
When I retrieve the secret from console I see it as plain text.
Can the secret be encrypted (not see it as plain text) and saved in AWS console
By default access to AWS secret manager is private and not allow to any IAM users or roles. The fact that you or someone else can view them, means they have been explicitly allowed to access the secrets.
Thus, if you have any users who should not see the secrets, deny them secretsmanager:GetSecretValue permissions or any actions that you don't want them to be able to perform.
I'm using an Access Key and Secret Key to access S3 from an app. It works. But I can't find the credentials in the console. Where might they be? They're not listed under IAM users.
The IAM Access Key and Secret Key are located (i.e. the option to create them) in IAM user's Summary in Security Credentials tab.
Edit: based on #jarmod comment.
I'm tracking how to send an Email Using the AWS SDK for Python (Boto).
At the AWS Developer Guide using-credentials page I read that:
For security best practice, use AWS Identity and Access Management (IAM) user access keys instead of AWS account access keys [emphasis added].
Then at the Managing Access Keys for IAM Users I am eventually led to this section and I duly confirm using
aws iam list-access-keys
that I have just created (in JSON form):
{
"AccessKeyMetadata": [
{
"UserName": "My_User_Name",
"Status": "Active",
"CreateDate": "2018-09-03T00:43:37Z",
"AccessKeyId": "JRUFKDHUWHE8DD495CHD"
}
]
}
but I lack clarity about whether this identity is the "AWS account access keys" that I was earlier warned does not fall in the "security best practice".
How do I create an IAM identity (user access + password) for sending email through SES and boto (while eliminating the chance I am exposing the entire AWS account)?
Ranting (and a constructive suggestion to AWS staff writers, if here): Specific branding would help. At Ikea I might order a chair or a table with the meaningless name Fjorstuvstok, but I know with certainty that I am ordering the chair I want.
The AWS account access keys are the ones owned by the root account user. To check what these are, you need to know your root account user name. This can be checked using the aws cli using the AWS root credentials, or loging in with your root account credentials to the AWS Console and clicking "My Security Credentials" under your username in the top right corner.
Assuming you use the cli, make sure you've configured the root credentials in ~/.aws/credentials. Then run:
aws iam get-user
{
"User": {
"UserName": "my_root_user_name",
"PasswordLastUsed": "2018-09-03T06:40:38Z",
"CreateDate": "2017-03-01T08:53:36Z",
"UserId": "9XXXXXXXXXXX",
"Arn": "arn:aws:iam::9XXXXXXXXXXX:root"
}
}
This will provide you with details of your root user. This username can then be used to query for access keys:
aws iam list-access-keys --user-name my_root_user_name
If any of the keys listed from this result are being used for SES, then that's bad news. AWS reccomends that you use Access Keys assigned to IAM Users (non-root).
The AWS account access keys mean the Root account access /secret keys of your AWS account. When you register yourself with aws using your email, the account created is Root account. There is key associated with that, which needs to be removed. (As this is Root account, it provides unrestricted access to all AWS services. Check AWS Account Root User Credentials vs. IAM User Credentials
The warning suggested to use IAM user access keys. So you can create IAM user in your aws account and create associated access key id and secret access key and configure that on your machine from where you are running your code. ( This is not good practice in higher deployment environment. If the machine gets compromised then access key will be exposed)
As its unclear how you are running your application code (from ECS or EC2 or AWS Lambda), You should create IAM role to grant access to SES from where you are going to run your code. This will avoid exposing IAM access key Id and Secret access key from your application code / machine.