AWS Credentials
AWS provides several pairs of keys, secrets and certificates. This article will detail the typical credentials offered, when and how to use them, and suggested means of keeping this information safe and accessible. With access to the described files and credentials, you will be able to quickly and easily utilize AWS APIs and Tools.
Account Credentials
Your account credentials can be accessed through the "Your Account" page by clicking on the "Security Credentials" link.
From this page, you will see three "tabs":
- Access Keys
- X.509 Certificates
- Key Pairs
This article will assume storage of various files on your EC2 instance at /opt/aws/creds (referred to from here on as $CREDS_DIR). This directory should be owned by root:root, and have access set appropriately. To begin, set the directory to 0500 and the files to 0400.
Access Keys
Access keys are used to provide quick and easy authentication to AWS API tools. From time to time, you may be required to provide the Access Key ID and/or Secret Access Key. Copy and paste the Access Key ID to $CREDS_DIR/AWS-AccessKeyID. The Secret Access Key requires a little extra care to be sure the resulting file contains ONLY the 40 character Secret Access Key. The command below uses printf rather than echo so that no trailing newline is written, and results in a properly formatted $CREDS_DIR/AWS-SecretAccessKey file.
printf '%s' "lkTwZRalREYSU7lbSS5VoUhdYREcwsasEXAMPLEQ" > "$CREDS_DIR/AWS-SecretAccessKey"
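To check that $CREDS_DIR matches the ownership, modes and 40 character key file described above, the following audit function is an added example, not part of the original notes. It assumes GNU stat on a Linux instance; audit_creds and its arguments are hypothetical names, not an AWS tool.

```shell
#!/bin/sh
# Added example: audit the credential directory layout described above.
# Assumes GNU coreutils (stat -c), as found on a Linux EC2 instance.

# audit_creds DIR [OWNER]   (OWNER defaults to root:root)
# Prints one line per finding and returns the number of findings.
audit_creds() {
    local dir="$1" owner="${2:-root:root}" findings=0 f mode size

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi

    # Directory: expected owner, mode 0500 (r-x for the owner only).
    [ "$(stat -c '%U:%G' "$dir")" = "$owner" ] || { echo "OWNER $dir"; findings=$((findings + 1)); }
    [ "$(stat -c '%a' "$dir")" = "500" ] || { echo "MODE $dir"; findings=$((findings + 1)); }

    # Files: expected owner, mode 0400 (read-only for the owner).
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(stat -c '%U:%G' "$f")" = "$owner" ] || { echo "OWNER $f"; findings=$((findings + 1)); }
        mode=$(stat -c '%a' "$f")
        [ "$mode" = "400" ] || { echo "MODE $f ($mode)"; findings=$((findings + 1)); }
    done

    # Secret key file: exactly 40 bytes, so no trailing newline or padding.
    f="$dir/AWS-SecretAccessKey"
    if [ -f "$f" ]; then
        size=$(wc -c < "$f" | tr -d ' ')
        [ "$size" = "40" ] || { echo "LENGTH $f ($size bytes)"; findings=$((findings + 1)); }
    fi
    return "$findings"
}

# Usage (run as root): audit_creds /opt/aws/creds
```

A file written with plain echo shows up here as a LENGTH finding of 41 bytes.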
Credentials File
Some API tools, such as AWS SES, require an AWS Credentials file (or your access key ID and secret key exported as environment variables). Create the AWS Credentials file, in the format shown below, at $CREDS_DIR/AWS-Credentials:
AWSAccessKeyId=YourAccessKeyID
AWSSecretKey=YourSecretKey
Route 53
Route 53 (AWS hosted DNS) requires an entirely different format for the same data. Fill in the Access Key ID and Secret Access Key as shown below in the file $CREDS_DIR/AWS-Route53-Access:
%awsSecretAccessKeys = (
    "my-aws-account" => {
        id => "0F1V9UKMN23IEXAMPLE2",
        key => "lkTwZRalREYSU7lbSS5VoUhdYREcwsasEXAMPLEQ",
    },
);
bash_profile
For convenience, you may want to export pointers to your credential files.
## ~/.bash_profile
...
export EC2_PRIVATE_KEY=/opt/aws/creds/AWS-x509-PrivateKey-2011.03.23.pem
export EC2_CERT=/opt/aws/creds/AWS-x509-Certificate-2011.03.23.pem
...
X.509 Certificates
X.509 Certificates are used by most AWS API tools to provide authentication to AWS services. For example, to create a new snapshot of a disk, the tool ec2-create-snapshot will require your X.509 certificate and key.
Change to the X.509 "tab". If a certificate has not already been created, create one now. During the creation process, you will be prompted to download both the certificate and the private key. Be sure to download the private key. This is your only chance to do so! Save the X.509 Certificate as $CREDS_DIR/AWS-x509-Certificate.pem and the private key as $CREDS_DIR/AWS-x509-PrivateKey.pem.
Key Pairs
Key Pairs allow remote access to servers and/or CloudFront resources. In terms of Linux server access, EC2 key pairs are essentially ssh keys. If you have not yet created an EC2 instance, chances are you have not generated any EC2 key pairs. If you did create an EC2 instance, you were prompted to name and create a key pair (and download the key). To access your key pairs (or create new keys), go to the AWS Console, click on the EC2 tab and then click Key Pairs. From here you may generate new key pairs and download the PEM formatted keys.
- Save the key file as $CREDS_DIR/SSHKey-$KEY_NAME.pem
Account Number
From time to time, your account number is required for some CLI utilities. It is convenient to store this number in a plain text file. To determine your account number, go to the "Your Account" page and then click the "Account Activity" link. Near the upper right side of the page, you should see your name with your account number printed below. Copy/paste this to $CREDS_DIR/AccountNumber

