AWS SDK and API Flashcards
Should you provide your aws_secret_access_key and aws_access_key_id in your application code
No. SDK credentials should be stored outside of your code
There are 3 places where your aws_secret_access_key and aws_access_key_id can be stored for your application to access - what are they?
- Programming language parameter store
- Local files (~/.aws)
- Environment variables
When you make API calls to AWS services, for most services those requests are directed at a specific endpoint that corresponds to which of the following?
- AWS Facility
- AWS Region
- AWS AZ
- AWS edge location
AWS Region - you choose a regional API endpoint either from your default configuration or by explicitly setting a location for your API client.
You make an API request to Polly to list the voices offered and you receive the following error:
Unable to connect to endpoint URL:
https://polly.us-east-1a.amazon.aws.com/voices
Why?
us-east-1a is an AZ, not a region, and API calls are made to the region, not the AZ.
The principals who have access to ASSUME an IAM role are defined in which document?
- IAM Access Policy
- IAM Trust Policy
- MS Grant Token
- AWS Credentials File
The IAM trust policy defines the principals who can request role credentials from AWS STS.
APIs within AWS are rate limited, e.g. S3 has a limit of 5500 GET requests per second. What should you do if you are getting:
- Intermittent Errors
- Consistent Errors
due to rate limiting?
If you are getting intermittent errors, this is probably due to spikes in load, so exponential backoff will likely resolve them. If the errors are consistent, you probably need to request that the rate limits be raised.
What sort of exception gets thrown if you have hit a rate limit?
ThrottlingException
What is exponential backoff?
Simply: every time you retry a request, you double the amount of time you wait before issuing the request again.
For exponential backoff - what do you need to do if you are developing through the SDK?
Nothing. Exponential backoff is built into the SDK - but if you are interacting with the API as-is outside of the SDK, then you will need to build it in yourself.
When using the AWS SDK, what member of the Credentials Provider Chain has precedence over all others?
Environment variables have precedence over all other items in the credential provider chain for the SDK.
What is the Credentials Provider Chain?
The credentials provider chain is the order in which AWS will look for credentials, starting with command line arguments, then environment variables, and finishing with instance provider credentials (the lowest precedence). This means that credentials and their assigned permissions at a higher level will override those at a lower level.
You are developing an application within AWS. Should you store your AWS credentials in code?
No. Never. When working in AWS, credentials should ALWAYS be inherited from the credentials chain - as we are in AWS, we can leverage IAM (i.e. instance roles for an EC2 instance, ECS task roles for ECS tasks, Lambda execution roles for Lambda tasks).
We are building an application outside of AWS and we need to be able to pass credentials to access AWS services, what is the best practice for this?
Use of environment variables and/or named profiles (i.e. CLI profiles).
What is SigV4 used for?
SigV4 is used for signing requests made to the AWS HTTP API.
SigV4 can be sent to AWS in two ways - what are they? (hint - think of the structure of an HTTP request)
SigV4 can be sent either within a request's headers or as a query string (in the case of S3).