I'm totally new to AWS.
I downloaded some sample code from Amazon and I need to set a number of constants:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
MERCHANT_ID
MARKETPLACE_ID
I just created an AWS account. I want some type of sandbox account so I can try out the code samples.
What are the exact steps I have to take to:
Create a sandbox account
Get these credentials
Go to: http://aws.amazon.com/
Sign Up & create a new account (they'll give you the option for 1 year trial or similar)
Go to your AWS account overview
Account menu in the upper-right (has your name on it)
sub-menu: Security Credentials
Open the AWS Console
Click on your username near the top right and select My Security Credentials
Click on Users in the sidebar
Click on your username
Click on the Security Credentials tab
Click Create Access Key
Click Show User Security Credentials
Amazon changes the admin console from time to time, hence the previous answers above are irrelevant in 2020.
The way to get the secret access key (Oct.2020) is:
go to IAM console: https://console.aws.amazon.com/iam
click on "Users". (see image)
go to the user you need his access key.
As i see the answers above, I can assume my answer will become irrelevant in a year max :-)
HTH
Amit's answer tells you how to get your AWS_ACCESS_KEY_ID, but the Your Security Credentials page won't reveal your AWS_SECRET_ACCESS_KEY. As this blog points out:
Secret access keys are, as the name implies, secrets, like your
password. Just as AWS doesn’t reveal your password back to you if you
forgot it (you’d have to set a new password), the new security
credentials page does not allowing retrieval of a secret access key
after its initial creation. You should securely store your secret
access keys as a security best practice, but you can always generate
new access keys at any time.
So if you don't remember your AWS_SECRET_ACCESS_KEY, the blog goes on to tell how to create a new one:
Create a new access key:
"Download the .csv key file, which contains the access key ID and secret access key.":
As for your other questions:
I'm not sure about MERCHANT_ID and MARKETPLACE_ID.
I believe your sandbox question was addressed by Amit's point that you can play with AWS for a year without paying.
It is very dangerous to create an access_key_id in "My Account ==> Security Credentials". Because the key has all authority.
Please create "IAM" user and attach only some policies you need.
To find the AWS_SECRET_ACCESS_KEY Its better to create new create "IAM" user
Here is the steps https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Users and then choose Add user.
Related
Expecting to see this (doing a video tutorial):
I'm now seeing:
Curious if something changed? If so is the best workaround to add a private key to the user via the user's security tab within IAM?
AWS changes all the time!
As per the message in blue, you can generate access keys after you create the user. Go to the Security credentials tab on the IAM User.
So I use AWS Educate Starter for one simple Reason:
I want to UPLOAD an image from iOS to S3 and then get its URL. In order to do so I need an access key and an secret key, which I can find, as I found out here Access key ID and Secret Access Key for AWS Educate account.
My Problem is:
I go to this site, click the blue button expand the details and copy the aws_access_key_id and aws_secret_access_key into my Xcode project. There I get the information, that my Access Key is invalid and after playing around a little bit I recognised, that the 2 values change all the time I'm loading the labs.vocareum.com site new.
What am I doing wrong here ??
Apparently, these aws_access_key_id, aws_secret_access_id, and aws_session_token is not permanent. Every time you start a session on AWS Educate Starter Account, different credentials will be generated.
Each session would last for few hours, so if your program uploads images to S3 using non-permanent credentials (aws_access_key_id, aws_secret_access_id, aws_session_token), your program can upload without having any problem for few hours, then afterward it would not work anymore because the session would be terminated.
In a normal AWS account, you are able to get/create the permanent access key and whatnot from IAM. However, as you may already know, in AWS Educate Account, you cannot add/create the access key to your IAM user, because you don't have permission.
The only way to solve this problem is to create a standard non-educate AWS account or change credentials every time the session expires.
To answer your question, you are not doing anything wrong. Each session expires in few hours, so that is the reason why you are getting Access Key Invalid error.
Is there way to check which permissions or roles are associated with a specific AWS access key?
The problem is that I got a pair of keys working but they are not present in the AWS console. These key are used regularly from some internal process but I cannot find which one.
If I search for them in the console they don't appear and neither on the root account.
You can search for the user by Access key ID in the AWS console.
See this blog post for details and screenshots:
https://aws.amazon.com/blogs/security/introducing-iam-console-search/
Don't forget, that according to the blog post
... you must type the full access key ID when searching.
In the end I wasn't able to get the roles or policies associate with a specific user, but I was able to track down the user.
So the user was using the root credentials and since I am using a normal full administrator account I wasn't able to see these creds even on the console
Pretty scary thing :|
Is it possible to grant logina#foo.com full access to all services in loginb#foo.com for AWS Web Services? I have a couple different folks working on my team and I wanted to make it easy for them to do what they need to do in our sandbox.
Thanks!
If you are using something#foo.com to log into your AWS account, you need to stop doing that right now, and set up an IAM (Identity and Access Management) account instead.
There is a best practices document here - you want to look at the section under "Manage AWS Accounts, IAM Users, Groups, and Roles" - but in a nutshell:
Use 2 factor authentication on the root account
create IAM accounts for daily use. If you grant admin access to an IAM account, it should probably be set up with 2 factor authentication as well
turn on CloudTrail. Yes, it will cost you a few cents a month. But if you ever need it, you'll really, really wish you had it.
Never, ever, ever check access keys and secrets into a public repository. (The cost for violating this one will be around $5k/hour.)
set up a billing alarm. Estimate what you'll be spending a month, and set up alarms at 25%, 50%, 75% and 100%. That way if something does go wrong (or you accidentally spin up an r3.8xlarge) you'll get a notice quickly.
Every account only has a single 'root', but using "Identity and Access Management" you can create and account users and grant console login and adminstrative privileges inside the AWS console.
Look under the services tab for one named "IAM".
Select 'Users' from and press the blue 'create new users' button
Add a user login name
Once the user's created
Select the user and set a password via "manage password"--without this they can't log in
Press the 'Permissions" tab for the users and select Attach policy
Give the user the 'Administrtor Access' policy.
The user should then be able to log into the AWS console with admin privs and use the API if they want
I've created a user "developer" on my amazon ec2 instance with restricted privileges and I've assigned him a password. Now I want allow him to connect to my instance (via ssh or sftp) and let him do something small like upload some files in a specific folder and I don't want let him play with my server like an administrator. How can I do it if I provide him the instance .pem key?
Can I give him the .pem key and force him to login using the developer account?
Accounts granted in AWS (with IAM) are independent of user accounts on a given instance. IAM account give the user access to parts of AWS defined by the policy associated with the group or user.
If you want to give someone access to the instance, you can have them generate their own personal keypair (ssh-keygen or puttygen). You will take the public part of the keypair and add it to the ~/.ssh/authorized_keys file of the user you want them to login as.
You can use IAM groups and users. The documentation is here.
IAM allows you to generate separate access keys for users with restricted usage rights.
There was a step missing in the leading answer. I added: You also need to add the public key on the AWS console under "Network & Security" -> "Key Pairs".
I'd add this as a comment, but don't have enough cred points yet.