HowTo: Install AWS CLI - Security Credentials
Here we talk about how to setup our security credentials to use the various command line tools used with AWS.
Where To Find Your Security Credentials
Assuming you’re not working with an account created with IAM, you can find your security credentials here.
If you are using an account created through IAM, there is no way to get the secret access key again. If you don’t have it, a new one set of credentials can and will need to be generated. With IAM accounts, Amazon will not generate X.509 certificates, however you can generate your own and upload the public key.
Regarding Environment Variables
To keep sensitive information out of ~/.bashrc we’ll create a new file ~/.bash_aws and put the following into ~/.bashrc:
~/.bashrc (Excerpt)
1
2
# AWS Credentials
[[ -f ~/.bash_aws ]] && . ~/.bash_aws
This will check if ~/.bash_aws exists, and if so, source it.
AWS Credential Environment Variables (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY)
For use with the new AWS Command Line Interface Tool and for use with python programs using boto, we can set our credentials using the following environment variables:
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEY
Set them in ~/.bash_aws, replacing the example values with your access key id and secret access key:
~/.bash_aws (Excerpt)
1
2
export AWS_ACCESS_KEY_ID=C99F5C7EE00F1EXAMPLE
export AWS_SECRET_ACCESS_KEY=a63xWEj9ZFbigxqA7wI3Nuwj3mte3RDBdEXAMPLE
AWS Configuration File (AWS_CONFIG_FILE)
For this we will need our Access Key ID and Secret Access Key, and optionally which region we want to default to. We will then put them in a file with the following format:
[default]
aws_access_key_id=Your Access Key ID
aws_secret_access_key=Your Secret Access Key
region=Optional, the default region to use for this profileYou can define multiple profiles in this file, just put --profile profile_name
For this example we will use the file ~/.aws/aws_config_file and change the permissions so only your account can read the file.
Console - user@hostname ~ $
1
mkdir -p ~/.aws
~/.aws/aws_config_file
1
2
3
4
5
6
7
8
9
[default]
aws_access_key_id=C99F5C7EE00F1EXAMPLE
aws_secret_access_key=a63xWEj9ZFbigxqA7wI3Nuwj3mte3RDBdEXAMPLE
region=us-east-1
[profile test]
aws_access_key_id=DAAG6D8FF11G2EXAMPLE
aws_secret_access_key=b74yXFkAaGcjhyrB8xm4Ovxk4nuf4SECeEXAMPLE
region=us-west-2
Console - user@hostname ~ $
1
chmod 600 ~/.aws/aws_config_file
We then need to set the environment variable AWS_CONFIG_FILE to the path of the file.
We will want to set AWS_CONFIG_FILE as a user specific environment variable, so not everyone on the machine will use your credentials. We will put it into ~/.bash_aws for this example:
~/.bash_aws (Excerpt)
1
export AWS_CONFIG_FILE=~/.aws/aws_config_file
Boto Config File (/etc/boto.cfg, ~/.boto)
For programs that use boto that aren’t the AWS Command Line Tool, you can still set your credentials in a configuration file.
/etc/boto.cfgis used for global settings on the system~/.botois used for user-specific settings.
The layout is the similar AWS_CONFIG_FILE except only one set of credentials, [Credentials], can be set:
[Credentials]
aws_access_key_id=Your Access Key ID
aws_secret_access_key=Your Secret Access Key~/.boto
1
2
3
[Credentials]
aws_access_key_id=C99F5C7EE00F1EXAMPLE
aws_secret_access_key=a63xWEj9ZFbigxqA7wI3Nuwj3mte3RDBdEXAMPLE
See BotoConfig for more options to set in the configuration file.
Also with boto, you can use the environment variables:
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEY
as described in AWS Credential Environment Variables (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY). Also IAM roles can be used if you are running on an EC2 instance that has an IAM role set.
AWS Credential Environment Variables (AWS_ACCESS_KEY_ID/AWS_SECRET_KEY)
This approach for setting your credentials that replaced X.509 certificates for EC2 API tools and can be used by the AWS Java SDK. We will need our Access Key ID and Secret Access Key and we will use them to set the following environment variables:
AWS_ACCESS_KEY_ID(for the Access Key ID)AWS_SECRET_KEY(for the Secret Access Key)
The following example has you setting these environment variables in your ~/.bash_aws file
~/.bash_aws (Excerpt)
1
2
export AWS_ACCESS_KEY_ID=C99F5C7EE00F1EXAMPLE
export AWS_SECRET_KEY=a63xWEj9ZFbigxqA7wI3Nuwj3mte3RDBdEXAMPLE
AWS Credential File (AWS_CREDENTIAL_FILE)
For this we need our Access Key ID and Secret Access Key, and we will put them into a file with the following format:
AWSAccessKeyId=Your Access Key ID
AWSSecretKey=Your Secret Access KeyFor this example we will put it into ~/.aws/aws_credential_file and change the permissions so only your account can read the file.
Console - user@hostname ~ $
1
mkdir -p ~/.aws
~/.aws/aws_credential_file
1
2
AWSAccessKeyId=C99F5C7EE00F1EXAMPLE
AWSSecretKey=a63xWEj9ZFbigxqA7wI3Nuwj3mte3RDBdEXAMPLE
Console - user@hostname ~ $
1
chmod 600 ~/.aws/aws_credential_file
We then need to set the environment variable AWS_CREDENTIAL_FILE to the path of the file.
We will want to set AWS_CREDENTIAL_FILE as a user specific environment variable, so not everyone on the machine will use your credentials. We will put it into ~/.bash_aws for this example.
~/.bash_aws (Excerpt)
1
export AWS_CREDENTIAL_FILE=~/.aws/aws_credential_file
X.509 certificates (EC2_CERT/EC2_PRIVATE_KEY)
For this we will need our X.509 certificates. If Amazon created them for you, should be named something like: cert-3F4CCOPFPLFTBZ2KRFLQXQYMYEXAMPLE.pem, which is the public key; and pk-3F4CCOPFPLFTBZ2KRFLQXQYMYEXAMPLE.pem, which is the private key. If you are using an Amazon IAM user, or if you wish to create your own X.509 certificate, see our HowTo: Generate an X.509 Certificate for an Amazon IAM User article.
We also need to set 2 environment variables:
EC2_CERTEC2_PRIVATE_KEY
Set EC2_CERT to the cert.pem file, and EC2_PRIVATE_KEY to the pk.pem file.
For this example, save the cert.pem file and pk.pem file into the ~/.aws directory; set the environment variables in ~/.bash_aws:
~/.bash_aws (Excerpt)
1
2
export EC2_CERT=~/.aws/cert-3F4CCOPFPLFTBZ2KRFLQXQYMYEXAMPLE.pem
export EC2_PRIVATE_KEY=~/.aws/pk-3F4CCOPFPLFTBZ2KRFLQXQYMYEXAMPLE.pem
~/.s3curl and ~/.aws_secrets
The S3 command line tool, s3curl.pl keeps its security credentials in ~/.s3curl. The Route53 command line tool dnscurl.pl, and the CloudFront command line tool cfcurl.pl, keep their security credentials in ~/.aws_secrets. These two files have the format, so if you so desired you can populate one and have the other be a symbolic link. The format is like so:
%awsSecretAccessKeys = (
friendly_name => {
id => 'Your Access Key ID',
key => 'Your Secret Access Key',
},
another_name => {
id => 'Another Access Key ID',
key => 'Another Secret Access Key',
},
);For this example we will save into ~/.s3curl and we will have the friendly name be main.
~/.s3curl
1
2
3
4
5
6
%awsSecretAccessKeys = (
main => {
id => 'C99F5C7EE00F1EXAMPLE',
key => 'a63xWEj9ZFbigxqA7wI3Nuwj3mte3RDBdEXAMPLE',
},
);
Set the permissions to 600, otherwise it will complain when you try running the programs.
Console - user@hostname ~ $
1
chmod 600 ~/.s3curl
Create the symbolic link for ~/.aws_secrets.
Console - user@hostname ~ $
1
ln -s ~/.s3curl ~/.aws_secrets
credentials.json
For the elasticmapreduce ruby command line tool, you will need to put your credentials into a json file. By default it looks in the install directory for credentials.json, but there is a flag (-c) that will let you use whatever credentials.json file you want. For example:
Console - user@hostname ~ $
1
2
3
4
5
6
7
8
9
elastic-mapreduce \
--create \
--name "Hive Query" \
--instance-type m1.small \
--num-instances 2 \
--hive-script \
s3n://your-bucket/hive/command.hiveql \
--args "-d","OUTPUT=s3n://my-bucket/output/`date --utc +%Y%m%d'T'%H%M%S'Z'`/" \
-c ~/.aws/credentials.json
The format for credentials.json is like so:
{
"access_id": "AWS Access Key ID",
"private_key": "AWS Secret Access Key",
"keypair": "Key pair to start the EMR instances with",
"key-pair-file": "The path the the private key (.pem) file for the keypair",
"log_uri": "Path to S3 bucket, (ex: s3n://my-bucket/logs/)",
"region": "Region to run the job in. One of the following: us-east-1, us-west-1, us-west-2, eu-west-1, ap-northeast-1, ap-southeast-1, ap-southeast-2, sa-east-1"
}For this example we will save into ~/.aws/credentials.json.
~/.aws/credentials.json
1
2
3
4
5
6
7
8
{
"access_id": "C99F5C7EE00F1EXAMPLE",
"private_key": "a63xWEj9ZFbigxqA7wI3Nuwj3mte3RDBdEXAMPLE",
"keypair": "my-key",
"key-pair-file": "~/.ssh/my-key.pem",
"log_uri": "s3n://my-bucket/hadoop/",
"region": "us-east-1"
}
Parts in this series
- HowTo: Install AWS CLI
- HowTo: Install AWS CLI - Prerequisites
- HowTo: Install AWS CLI - Security Credentials
- HowTo: Install AWS CLI - AWS Command Line Interface
- HowTo: Install AWS CLI - Amazon Auto Scaling
- HowTo: Install AWS CLI - Amazon CloudFormation
- HowTo: Install AWS CLI - Amazon CloudFront
- HowTo: Install AWS CLI - Amazon CloudWatch
- HowTo: Install AWS CLI - Amazon ElastiCache
- HowTo: Install AWS CLI - Amazon Elastic Compute Cloud (EC2) - AMI Tools
- HowTo: Install AWS CLI - Amazon Elastic Compute Cloud (EC2) - API Tools
- HowTo: Install AWS CLI - Amazon Elastic Load Balancing (ELB)
- HowTo: Install AWS CLI - Amazon Elastic MapReduce Ruby Client
- HowTo: Install AWS CLI - Amazon Identity and Access Management (IAM)
- HowTo: Install AWS CLI - Amazon Relational Data Services (RDS)
- HowTo: Install AWS CLI - Amazon Route 53 - cli53
- HowTo: Install AWS CLI - Amazon Route 53 - dnscurl.pl
- HowTo: Install AWS CLI - Amazon Simple Email Service (SES)
- HowTo: Install AWS CLI - Amazon Simple Notification Service (SNS)
- HowTo: Install AWS CLI - Amazon Simple Storage Service (S3) - s3cmd
- HowTo: Install AWS CLI - Amazon Simple Storage Service (S3) - s3curl.pl