I have an AWS Educate Account but I'm unable to get the Access Key ID and Secret Access Key for the account. It mentions that I do not have IAM access when I try to follow the AWS guide on getting these, does that mean that there's no way for me to get it using the educate account?
1) Go to Vocareum. This is kinda the main page of your student AWS account.
2) Find the blue button Account Details, click it - profit!
From vocareum main page > Account details > AWS CLI > Show
Copy and paste the CLI details into '~/.aws/credentials' for mac and 'C:/users/%UserProfile%/.aws/credentials' for windows.
[default]
region=us-east-1
aws_access_key_id=*****
aws_secret_access_key=*******
aws_session_token=***********************
'region' is not present in AWS CLI details from Vocareum. So please don't forget to add it. You can specify any region.
If you want to verify your details add 'output = json' along with the above details in your credentials file and run the command 'aws sts get-caller-identity'.
It will display your Account ID, User ID and ARN.
To check if your CLI is working, you can try to connect to S3 bucket using
aws s3 ls
I think it's better to create a personal account and use the free tier. This is a better way for education pupose.
AWS Educate account has limited access, you can't create users with keys, the root user can't create buckets from scripts, etc.
Go to https://labs.vocareum.com/ and there you will find Account details . just click on it .
there you will see AWS CLI . Here you will see your aws_access_key_id , aws_secret_access_key and aws_session_token . Go to C:/users/Dell/.aws/credentials then copy and paste the line of AWS CLI to the credentials file
All done !! you will now can be able to access your SQS , S3 Bucket without Create an user in IAM . in student account , it can't be accessed to create an IAM User.
Related
Stupidly enough, I did delete by mistake my default AWS IAM user!
I used it for example do aws s3 sync...
Now the error I get is:
$ aws s3 sync build/ s3://mybucket.mydomain.com
fatal error: An error occurred (InvalidAccessKeyId) when calling the ListObjects operation: The AWS Access Key Id you provided does not exist in our records.
Is there a way to recover?
I think I need instructions how to create a new user with the sufficient roles to enable my local aws cli to be able to do aws s3 sync ...
UPDATE: I did just create a new user on my AWS console, and added a policy (to start with) to list my bucket. The problem is I don't know how to attach my aws cli to that new user... :-(
If you are the only person using this AWS Account, then add the AdministratorAccess Policy to your IAM User. That will grant complete access.
Then, in the Security credentials tab of the IAM User click Create access key. Copy the Access Key and Secret Access Key.
On the command line, run aws configure and provide those keys to configure the user.
Test with: aws s3 ls
My goal is to access my s3 buckets from the command line using my AWS educate account.
I expected to get a list of my s3 buckets in the command prompt. I typed in this command. aws s3 ls
I actually received an error message saying Invalid Access Key ID.
They shown do not match they key on the home age of my AWS educate account.
How do I change the keys listed to match the ones on my AWS Educate home page? I think if I correct this then I will be able to access my s3 buckets with aws cli.
Run:
aws configure
And follow the prompts to configure a new Access Key and Secret Access Key.
If this isn't working, there are two other things you can check:
Have you set any of the following environment variables? https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html. These can override the ones set using aws configure
If that fails, check that $HOME/.aws/credentials is not write protected, or even try updating the credentials manually.
I have an AWS root account and I created a IAM user with Administrator policy attached. The problem is that when I make some operations like aws ec2 create-key-pair in the aws-cli, I got UnauthorizedOperation error. But if I sign into the management console using the same IAM user, I can create a key pair with no problem.
I double checked my access key id and secret access key is right. I even re-created these and configured in aws-cli to make sure I am using that user account with admin permissions. None of these worked
Is there any setting I'm not aware of that enables aws-cli access permissions?
=============== below is latest update ================
I checked my user info with aws sts get-caller-identify, and it shows my company's account id. I tried to run aws configure again and followed by aws sts get-caller-identity, it still shows that im using my company's account. How do I switch user from CLI?
In case this helps anyone, the issue for me was that my AWS account used MFA. I never considered you'd have to do this on the command-line too. Here is a guide from Amazon on the subject:
How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?
This is an incredibly big pot hole to step into... but there is a precedence of where aws cli looks for credentials.
IAM credentials not found on AWS CLI
The answer of the question here explains it throughly.
I want to manage the my AWS environment using PowerShell. We are getting access through IAM roles. I am facing trouble to generate the Access key & secret key for my IAM role. Can someone guide me how can i generate these keys.
An IAM Role can only be used by an IAM User. This is because the User needs to authenticate to AWS to prove that they are that user. This will then provide IAM User credentials.
If you then wish to use a role, you can use the User credentials to call Use-STSRole, which will assume the role and return a set of credentials associated with the Role. (Note: The credentials will expire after a period of time, typically one hour.)
For more details, see: Switching to an IAM Role (Tools for Windows PowerShell)
You do not generate IAM Access Key / Secret Key for roles. AWS generates these for you and makes them available in the instance's metadata.
The AWS Tools for Windows PowerShell will automatically extract the access key / secret key from the instance's metadata if you have installed PowerShell and the AWS Tools correctly.
This link will provide more information about PowerShell and IAM Roles:
IAM Roles for EC2
[Update after new comment]
If your goal is to generate IAM access keys for a new user, login to the AWS console, go to IAM, go to users, Add User, click "Programmatic access", then Set permissions for the user and finish by creating the user. On the next screen will be the access keys. You need to download (or copy) the Secret access key as it will NOT be shown again.
For an existing user, click on the user, click on the "Security credentials" tab, then click the "Create access key" button. Copy or download the keys. Note: You cannot access previously created access keys. If you have lost the secret access key, then you have to generate new ones.
Managing Access Keys for Your AWS Account
According to AWS Doc there is a way through API:
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" –v http://169.254.169.254/latest/meta-data/iam/security-credentials/*role_name*
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
I'm new to programming. I need to figure out how I can create AWS users, roles and policies programmatically using code.
That task I'm after :
Create a User, Role and Policy
Assign Policy to the Role
Assign Role to the User
Set condition on the Role, that only Users with MFA can assume that Role
Config's should live in S3 bucket
configure a LAMBDA to check the user's role membership and output the result to S3 bucket.
Just trying to figure out where do I start from ? I have a very limited programming experience (can do a bit of PHP).
I have a AWS account, created a user and gave him 'AdministratorAccess' also have user keys for CLI access.
Should I be suing 1)AWS CLI 2) Powershell 3) AWS SDK's 4) AWS API?
Appreciate any help/direction to achieve the above.
Thanks
S
To programmatically create IAM Roles you can use AWS PHP SDK. Refer the IAM Create User section in SDK API reference for more details.
Aside from using specific language AWS SDKs such as suggested by #Ashan, you can do so by using AWS REST API with the following example request:
https://iam.amazonaws.com/?Action=CreateUser
&Path=/division_abc/subdivision_xyz/
&UserName=Bob
&Version=2010-05-08
&AUTHPARAMS
Source - CreateUser