IAM Programmatic access and AWS CLI

IAM Programmatic access:

IAM (Identity and Access Management) Programmatic Access in AWS allows users or applications to interact with AWS services through APIs, CLI, or SDKs rather than the AWS Management Console. Here’s a breakdown of key points related to IAM programmatic access:

1. What is IAM Programmatic Access?

  • It enables users or applications to perform actions in AWS by sending API requests.

  • Commonly used for automation, scripts, and programmatic workflows.

2. Enabling Programmatic Access

When creating or managing an IAM user, programmatic access can be enabled by:

  • Generating an Access Key ID and Secret Access Key.

  • These credentials are used for authentication in the AWS CLI, SDKs, or API calls.

3. Steps to Grant Programmatic Access

  1. Create an IAM User:

    • Open the IAM console.

    • Choose "Add User."

    • Select Programmatic Access.

  2. Set Permissions:

    • Attach existing policies or create a new custom policy.

    • Common policies: AmazonS3FullAccess, AmazonEC2ReadOnlyAccess, etc.

  3. Download Credentials:

    • Save the .csv file containing the Access Key and Secret Key. These keys are shown only once.

4. Using Programmatic Access

  • AWS CLI: Configure using aws configure and provide the Access Key ID and Secret Access Key.

  • SDKs: Use the keys in your application to authenticate API requests.

  • Environment Variables: Keys can be stored in environment variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) for easy access in scripts or containers.

5. Best Practices

  • Minimal Privileges: Use the principle of least privilege to assign only necessary permissions.

  • Key Rotation: Regularly rotate access keys to enhance security.

  • Use IAM Roles for EC2: Instead of storing keys, attach an IAM role to EC2 instances for temporary credentials.

  • Monitor and Audit: Enable CloudTrail for auditing actions performed with the keys.

AWS CLI:

The AWS Command Line Interface (CLI) allows you to manage AWS services from your terminal or command prompt. You can use it to automate AWS tasks, interact with services programmatically, and perform various operations without using the AWS Management Console.


1. Installing AWS CLI

  • Windows / macOS / Linux: You can download the latest version from the AWS CLI official installation guide.

  • For macOS and Linux, you can also use curl commands or package managers like brew (macOS).

  • Verify installation by running:

      aws --version
    

2. Configuring AWS CLI

Once installed, configure it using the following command:

aws configure

It will prompt you to:

  1. AWS Access Key ID

  2. AWS Secret Access Key

  3. Default Region (e.g., us-east-1)

  4. Output Format (e.g., json, table, or text)


3. Basic AWS CLI Commands

Here are some commonly used AWS CLI commands:

  1. List S3 Buckets:

     aws s3 ls
    
  2. Upload a File to S3:

     aws s3 cp file.txt s3://your-bucket-name/
    
  3. Launch an EC2 Instance:

     aws ec2 run-instances --image-id ami-xxxxxxxx --count 1 --instance-type t2.micro
    
  4. List IAM Users:

     aws iam list-users
    

4. AWS CLI Profiles

You can set up multiple profiles using aws configure --profile profile-name. This allows you to switch between different AWS accounts easily:

  • To use a specific profile:

      aws s3 ls --profile profile-name
    

5. Using AWS CLI with IAM Roles

If you’re using AWS CLI from an EC2 instance with an attached IAM role, you don’t need access keys—the CLI will automatically use the instance profile.


6. AWS CLI Automation

AWS CLI commands can be used in scripts to automate workflows, such as:

  • Automating resource creation or deletion.

  • Scheduled backups using cron or batch files.


7. Best Practices

  • Use IAM Roles: When possible, use roles instead of access keys for enhanced security.

  • Rotate Keys: Regularly rotate keys to reduce the risk of compromised credentials.

  • Set Permissions: Follow the principle of least privilege for all users or profiles.
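Both best-practice lists above call for rotating access keys. The following added example (mine, not AWS code) audits a user's keys against a rotation limit using the JSON that aws iam list-access-keys prints; the sample JSON, the 90-day limit and the placeholder key IDs are constructed.

```python
"""Audit IAM access keys for rotation. Input is the JSON printed by
`aws iam list-access-keys --user-name <user> --output json`.
Added example for this page, not AWS code; the sample JSON and the
90-day limit are constructed assumptions."""
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy

# Constructed sample shaped like list-access-keys output; key IDs are placeholders.
SAMPLE_LIST_ACCESS_KEYS = """{
  "AccessKeyMetadata": [
    {"UserName": "programmatic-user", "AccessKeyId": "AKIA-PLACEHOLDER-OLD",
     "Status": "Active", "CreateDate": "2024-01-15T10:00:00+00:00"},
    {"UserName": "programmatic-user", "AccessKeyId": "AKIA-PLACEHOLDER-NEW",
     "Status": "Active", "CreateDate": "2025-04-01T08:30:00+00:00"},
    {"UserName": "programmatic-user", "AccessKeyId": "AKIA-PLACEHOLDER-DISABLED",
     "Status": "Inactive", "CreateDate": "2023-06-20T12:00:00+00:00"}
  ]
}"""


def audit_access_keys(list_keys_json, now_iso, max_age_days=MAX_KEY_AGE_DAYS):
    """Return findings as dicts with keys kind, key, age_days.

    kind is one of:
      "rotate"     Active key older than max_age_days
      "delete"     Inactive key that was disabled but never removed
      "two-active" the user still has two Active keys, so an earlier
                   rotation was never finished by retiring the old key
    """
    now = datetime.fromisoformat(now_iso)
    keys = json.loads(list_keys_json)["AccessKeyMetadata"]
    findings, active = [], []
    for key in keys:
        age = now - datetime.fromisoformat(key["CreateDate"])
        if key["Status"] == "Inactive":
            findings.append({"kind": "delete", "key": key["AccessKeyId"], "age_days": age.days})
            continue
        active.append(key["AccessKeyId"])
        if age > timedelta(days=max_age_days):
            findings.append({"kind": "rotate", "key": key["AccessKeyId"], "age_days": age.days})
    if len(active) > 1:
        findings.append({"kind": "two-active", "key": ",".join(active), "age_days": None})
    return findings


if __name__ == "__main__":
    for f in audit_access_keys(SAMPLE_LIST_ACCESS_KEYS, datetime.now(timezone.utc).isoformat()):
        print(f"{f['kind']:10s} {f['key']}  age_days={f['age_days']}")
```

Pipe real output in with aws iam list-access-keys --user-name programmatic-user --output json and pass it to audit_access_keys; the same check works per user in a loop over aws iam list-users.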

Task-01

  • Create AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from AWS Console.

To create AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the AWS Console, follow these steps:


1. Sign In to the AWS Management Console

  • Go to the AWS Console.

  • Log in with your AWS account credentials.


2. Navigate to IAM (Identity and Access Management)

  • In the AWS Console, search for IAM in the search bar and click on the result.

3. Create a New IAM User (Optional)

  1. Click Users from the IAM dashboard.

  2. Choose Add Users.

  3. Enter a User Name (e.g., programmatic-user).

  4. Under Access type, select Programmatic access.

  5. Click Next: Permissions.


4. Assign Permissions

  • You can either:

    • Attach an existing policy (e.g., AmazonS3ReadOnlyAccess or AdministratorAccess).

    • Create a new policy if needed.

After assigning the necessary permissions, click Next: Tags.


5. Add Tags (Optional)

  • Add any tags to organize resources (optional).

  • Click Next: Review and then Create user.


6. Download AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

  • You’ll be shown the Access Key ID and Secret Access Key.

  • Download the .csv file or securely note down the keys, as you won’t be able to see the Secret Access Key again after this step.


7. Using the Access Keys

You can now use these keys in:

  • AWS CLI: Run aws configure to input the keys.

  • Environment Variables: Set them using:

      export AWS_ACCESS_KEY_ID=your-access-key-id
      export AWS_SECRET_ACCESS_KEY=your-secret-access-key
    
  • Applications: Use them in your application code (e.g., Python Boto3).

Task-02:

  • Set up and install AWS CLI and configure your account credentials.

Follow these steps to install AWS CLI and configure your AWS account credentials.


1. Install AWS CLI

For Windows:

  1. Download the installer from the AWS CLI Official Download Page.

  2. Run the installer and follow the instructions.

  3. Verify the installation:

     aws --version
    

For macOS:

  1. Use brew (Homebrew package manager):

     brew install awscli
    
  2. Verify installation:

     aws --version
    

For Linux:

  1. Download and install using the following commands:

     curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
     unzip awscliv2.zip
     sudo ./aws/install
    
  2. Verify the installation:

     aws --version
    

2. Configure AWS CLI with Your Account Credentials

Once AWS CLI is installed, configure it using the following command:

aws configure

It will prompt you to enter:

  1. AWS Access Key ID: Enter the key you generated in Task-01.

  2. AWS Secret Access Key: Enter the corresponding secret key.

  3. Default Region: Enter your preferred AWS region (e.g., us-east-1, ap-south-1).

  4. Output Format: Choose your preferred format (e.g., json, table, or text).


3. Verify AWS CLI Configuration

To confirm that AWS CLI is configured correctly:

  • Run the following command to list your S3 buckets:

      aws s3 ls
    

    If the configuration is correct, it will display your S3 buckets or an empty list if none exist.


4. Optional: Multiple Profiles

You can configure multiple profiles using:

aws configure --profile profile-name

To use a specific profile, run:

aws s3 ls --profile profile-name

S3 Programmatic access with AWS-CLI

S3:

Amazon S3 (Simple Storage Service) is a highly scalable, secure, and durable object storage service provided by AWS. It can store any amount of data and can be accessed from anywhere on the Internet.


Key Concepts of Amazon S3

  1. Buckets

    • Buckets are containers that store objects (files).

    • Bucket names are globally unique across all AWS accounts and regions.

    • You can control access to the bucket and its objects using policies and permissions.

  2. Objects

    • Objects are the fundamental storage units in S3, consisting of:

      • Data (files).

      • Metadata (descriptive information like file size, date, etc.).

      • A unique Key (the file name used to retrieve the object).

  3. Regions

    • S3 buckets are created in specific AWS regions (e.g., us-east-1 or ap-south-1).

Common AWS S3 Operations

1. Creating a Bucket

aws s3 mb s3://your-bucket-name

2. Listing Buckets

aws s3 ls

3. Uploading a File to S3

aws s3 cp /path/to/your-file.txt s3://your-bucket-name/

4. Downloading a File from S3

aws s3 cp s3://your-bucket-name/your-file.txt /local/path/

5. Deleting an Object

aws s3 rm s3://your-bucket-name/your-file.txt

6. Deleting a Bucket

  • Ensure the bucket is empty before deleting it:

      aws s3 rb s3://your-bucket-name --force
    

S3 Storage Classes

  1. Standard: General-purpose storage for frequently accessed data.

  2. Intelligent Tiering: Automatically moves data between tiers based on access patterns.

  3. Standard-IA (Infrequent Access): Lower cost for infrequently accessed data.

  4. Glacier / Deep Archive: Used for long-term data archiving with retrieval delays.


Access Control and Security

  • Bucket Policies: JSON-based policies control access to the bucket and its objects.

  • IAM Policies: Manage permissions for IAM users or roles accessing S3.

  • Public Access Block: Prevent accidental public exposure of your S3 data.

  • Encryption: Enable server-side encryption (SSE) to secure stored objects.
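As an added example (mine, not AWS code), here is the least-privilege alternative to attaching AdministratorAccess or AmazonS3FullAccess for the tasks on this page, together with a small lint pass for the over-broad patterns the bullets above warn about; the bucket name and the lint rules are assumptions.

```python
"""Least-privilege IAM policy for the Task-03 bucket, plus a lint pass that
flags over-broad grants such as an AdministratorAccess-style statement.
Added example for this page, not AWS code; bucket name and rules are assumed."""
import json


def read_only_bucket_policy(bucket):
    """Exactly what `aws s3 ls s3://<bucket>` and `aws s3 cp s3://<bucket>/example.txt .`
    need: list one bucket and read its objects, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ReadObjects", "Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM allows string or list


def lint_policy(policy):
    """Return warnings for Allow statements broader than least privilege:
    wildcard actions ("*" or "svc:*"), Resource "*", or a public Principal
    on a bucket policy with no Condition. Narrower globs (s3:Get*) pass."""
    warnings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            warnings.append(f"{sid}: wildcard Action {actions}")
        if "*" in _as_list(stmt.get("Resource", [])):
            warnings.append(f"{sid}: Resource '*' (every bucket and object)")
        if stmt.get("Principal") in ("*", {"AWS": "*"}) and "Condition" not in stmt:
            warnings.append(f"{sid}: Principal '*' with no Condition (public)")
    return warnings


# Constructed contrast: the shape of an AdministratorAccess-style grant.
ADMIN_STYLE = {"Version": "2012-10-17",
               "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}

if __name__ == "__main__":
    policy = read_only_bucket_policy("my-s3-bucket-unique123")
    # The JSON is what you paste into IAM > Policies > Create policy (JSON tab).
    print(json.dumps(policy, indent=2), lint_policy(policy), lint_policy(ADMIN_STYLE), sep="\n")
```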


Best Practices

  • Enable versioning to preserve, retrieve, and restore previous versions of objects.

  • Use lifecycle rules to transition objects to different storage classes or delete them after a certain period.

  • Set up logging and monitoring using CloudTrail and CloudWatch for auditing.

Task-03

  • Launch an EC2 instance using the AWS Management Console and connect to it using Secure Shell (SSH).

  • Create an S3 bucket and upload a file to it using the AWS Management Console.

  • Access the file from the EC2 instance using the AWS Command Line Interface (AWS CLI).

Task-03: Launch EC2 Instance, Create S3 Bucket, Upload a File, and Access it from EC2 using AWS CLI


1. Launch an EC2 Instance Using the AWS Management Console

  1. Sign in to AWS Console:
    Go to the AWS Console.

  2. Navigate to EC2:

    • In the AWS Management Console, search for EC2 and open the EC2 dashboard.

  3. Launch an Instance:

    • Click Launch Instances.

    • Choose an Amazon Machine Image (AMI) (e.g., Amazon Linux 2).

    • Select an instance type (e.g., t2.micro for free tier).

    • Configure any instance details (leave defaults if not needed).

    • Under Key Pair (login), create a new key pair or select an existing one.

      • Download the key file (e.g., my-key.pem).

    • Click Launch Instance.

  4. Get the Public IP Address:

    • Once the instance is running, go to the instance details page and note the Public IPv4 address.

2. Connect to EC2 Instance Using SSH

  1. Open a Terminal (Linux/macOS) or Command Prompt (Windows):
    Use the following SSH command to connect:

     ssh -i /path/to/your-key.pem ec2-user@<your-ec2-public-ip>
    

    Replace /path/to/your-key.pem with the location of your key file and <your-ec2-public-ip> with the instance's public IP address.

  2. Accept Fingerprint:
    If prompted, type yes to accept the fingerprint and establish the connection.


3. Create an S3 Bucket and Upload a File Using AWS Management Console

  1. Navigate to S3:
    In the AWS Console, search for S3 and open the S3 dashboard.

  2. Create a Bucket:

    • Click Create bucket.

    • Provide a unique bucket name (e.g., my-s3-bucket-unique123).

    • Choose a region and leave other settings as defaults.

    • Click Create bucket.

  3. Upload a File:

    • Click the bucket name to open it.

    • Click Upload and select a file (e.g., example.txt).

    • Complete the upload process.


4. Access the File from the EC2 Instance Using AWS CLI

  1. Install AWS CLI (if not installed):
    Amazon Linux 2 usually comes with AWS CLI pre-installed. You can check by running:

     aws --version
    

    If not installed, install it using the following command:

     sudo yum install aws-cli -y
    
  2. Configure AWS CLI:
    Run the following command to configure AWS CLI with your credentials:

     aws configure
    

    Enter your AWS Access Key ID, Secret Access Key, Default Region, and Output Format (e.g., json).

  3. List the S3 Buckets:
    Verify the configuration by listing the S3 buckets:

     aws s3 ls
    
  4. Download the File from S3 to EC2:
    Use the following command to download the uploaded file to your EC2 instance:

     aws s3 cp s3://<your-bucket-name>/example.txt .
    

    Replace <your-bucket-name> with the name of your S3 bucket.

  5. Check the File:
    Verify the file has been downloaded by listing the directory:

     ls
    

    You should see example.txt in the output.


Task-04:

  • Create a snapshot of the EC2 instance and use it to launch a new EC2 instance.

  • Download a file from the S3 bucket using the AWS CLI.

  • Verify that the contents of the file are the same on both EC2 instances.


1. Create a Snapshot of the EC2 Instance

  1. Sign in to AWS Console:
    Open the AWS Management Console.

  2. Navigate to EC2:
    Search for EC2 and go to the EC2 dashboard.

  3. Create a Snapshot:

    • Under Elastic Block Store (EBS), click Volumes.

    • Select the volume attached to your running EC2 instance.

    • Click Actions > Create Snapshot.

    • Provide a Description (e.g., Snapshot of my EC2 instance).

    • Click Create Snapshot.

  4. Monitor Snapshot Status:
    Wait until the snapshot status shows as completed.


2. Launch a New EC2 Instance Using the Snapshot

  1. Navigate to Snapshots:

    • Under the Elastic Block Store (EBS) section, click Snapshots.

  2. Create a Volume from the Snapshot:

    • Select the snapshot and click Actions > Create Volume.

    • Choose the same Availability Zone as your original EC2 instance.

    • Click Create Volume.

  3. Launch a New EC2 Instance:

    • In the EC2 dashboard, click Launch Instances.

    • Choose the same AMI and instance type as the original instance.

    • Under Storage, choose Add New Volume.

      • Attach the volume created from the snapshot to this instance.

    • Complete the remaining steps and launch the new instance.

  4. Connect to the New EC2 Instance:
    Use SSH to connect to the new instance, the same way you connected to the first instance earlier.


3. Download the File from S3 Using AWS CLI

  1. Install and Configure AWS CLI (if not done earlier):
    Run the following commands on the new EC2 instance:

     aws --version
    

    If AWS CLI is not installed, use the following command to install it:

     sudo yum install aws-cli -y
    
  2. Configure AWS CLI:
    Run aws configure and enter your credentials as before.

  3. Download the File:
    Use the following command to download the file from the S3 bucket:

     aws s3 cp s3://<your-bucket-name>/example.txt .
    

4. Verify File Consistency

  1. Check the File on the New EC2 Instance:
    List the directory to confirm the file is downloaded:

     ls
    
  2. Compare the File Contents on Both EC2 Instances:

    On the original EC2 instance, run the following command to display the contents of the file:

     cat example.txt
    

    On the new EC2 instance, run:

     cat example.txt
    

    The contents should be identical.
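Comparing cat output by eye shows the file arrived; a checksum proves the two copies are byte-identical and that each matches the object uploaded in Task-03. The following added example (mine, not part of the original task) does both; the ETag is the value aws s3api head-object returns, and the sample content is constructed.

```python
"""Verify a downloaded S3 object by checksum instead of reading `cat`
output by eye. Added example for this page, not AWS code. The ETag is
the "ETag" field of `aws s3api head-object --bucket <bucket> --key
example.txt`; for a single-part upload not encrypted with SSE-KMS it is
the object's hex MD5. The sample content below is constructed."""
import hashlib
import os
import tempfile


def file_digest(path, algorithm="sha256"):
    """Hash the file in 1 MiB chunks so large downloads need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def etag_matches(path, etag):
    """True/False for a single-part ETag; None when the ETag carries a "-N"
    multipart suffix (an MD5 of part MD5s, so a plain MD5 cannot decide)."""
    etag = etag.strip().strip('"')  # head-object returns the value quoted
    if "-" in etag:
        return None
    return file_digest(path, "md5") == etag.lower()


def files_identical(path_a, path_b):
    """The Task-04 check made exact: both copies hash to the same sha256."""
    return file_digest(path_a) == file_digest(path_b)


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".txt") as tmp:
        tmp.write(b"hello")  # constructed stand-in for example.txt
    # MD5 of b"hello"; what S3 reports as the ETag for a single-part upload of it
    print(etag_matches(tmp.name, '"5d41402abc4b2a76b9719d911017c592"'))    # True
    print(etag_matches(tmp.name, '"5d41402abc4b2a76b9719d911017c592-2"'))  # None
    print(files_identical(tmp.name, tmp.name))                              # True
    os.unlink(tmp.name)
```

On the two instances, run file_digest("example.txt") on each and compare the printed sha256 values; a mismatch means the copies differ even if the first screen of cat output looks the same.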