AWS CLI, SDK, IAM Roles and Policies Flashcards

1
Q

bad way to run AWS CLI on EC2 instance

A
  1. never use “aws configure” with your own credentials the way you do on the local computer. NEVER put your credentials on an EC2 machine: if the instance is somehow compromised, so are the credentials and everything they can reach.
  2. instead use AWS IAM roles.
2
Q

To set up the AWS CLI on the local computer

A
  1. install the CLI
  2. run `aws --version` in cmd to check
  3. go to the IAM Management console and create Access keys
  4. in cmd run `aws configure` and insert these credentials. They will be stored in the `.aws` directory (the `config` and `credentials` files)
3
Q

good way to run AWS CLI on EC2 instance

A

use AWS IAM roles.

We can attach an IAM role to the EC2 instance. IAM Roles come with a policy which defines exactly what the EC2 instance should be able to do.

  1. So we ssh into EC2. If it’s Linux, we don’t need to install the CLI, it’s already there, so we can run the `aws` command directly in the shell. We can run `aws configure` leaving the access key fields empty (only the default region needs to be set).
  2. After that, if the EC2 instance doesn’t have an IAM role attached, we will not be allowed to run any meaningful aws commands because we are not authorized through credentials
  3. go to IAM -> Roles and create a Role
     For ex., if we want to run `aws s3 ls` from the EC2 instance -
     we create a Role for the EC2 service and attach the managed policy AmazonS3ReadOnlyAccess
  4. Attach the role to the EC2 instance

now we can list S3 buckets from the instance with `aws s3 ls`

4
Q

tools to work with IAM policies

A

IAM policy generator - to create your own policies

IAM policy simulator - to test them

5
Q

we have to use AWS SDK when

A

coding against AWS Services such as DynamoDB

6
Q

AWS SDK Credentials security

A

it’s recommended to use the default credential provider chain

NEVER STORE AWS CREDENTIALS IN YOUR CODE

7
Q

the default credential provider chain will work seamlessly with

A
  1. AWS credentials in the `.aws\credentials` file
  2. Instance Profile credentials using IAM roles (for EC2 machines)
  3. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
8
Q

Exponential BackOff

A

your first retry after a failure will wait maybe 10 milliseconds, your second retry will run after 20 milliseconds, and so on.

If the next API call still fails, it will wait double that time. Exponential Backoff means that as long as your API calls keep failing, we wait twice as long as before the previous attempt before trying again, which ensures that you don’t overload the API by retrying it every millisecond.

Exponential Backoff is included in most SDKs

9
Q

My EC2 Instance does not have the permissions to perform an API call PutObject on S3. What should I do?

A

attach a Policy to the IAM Role on my EC2 instance that authorizes it to make the API call

10
Q

I have an on-premises personal server that I’d like to use to perform AWS API calls

A

I should run `aws configure` and put my credentials there. Invalidate them when I’m done

Even better would be to create an IAM user specifically for that one on-premises server

11
Q

I need my colleague’s help to debug my code. When he runs the application on his machine, it works fine, whereas I get API authorisation exceptions. What should I do?

A

compare his IAM Policy and mine in the policy simulator to understand the differences
