To run experiments on AWS, I need to set up the AWS command line interface. This has a
config step where it prompts me for public and secret keys. How do I get these?
aws configure AWS Access Key ID [None]: ??????
aws configure AWS Secret Access Key [None]: ???????
In the question above, you are configuring the AWS Command Line Interface (CLI). The CLI can conduct business on the AWS cloud remotely, say from your laptop, including getting resources that cost money, so configuring it requires authentication. The straightforward approach is to generate and use an Access Key, which consists of two long strings: a public key (the Access Key ID in the prompt above) and a secret key (the Secret Access Key). However, like any password, an Access Key must be handled with great care to ensure it does not fall into the wrong hands. In this case "the wrong hands" can run up a $15,000 bill on your AWS account in a matter of an hour or two. So in what follows: never store Access Keys in a public location, and never use them in the context of logging software that will store them in some log file.
Here is the procedure to generate Access Keys:
- Log on to the AWS console
- Services > Security, Identity and Compliance > IAM
- IAM is an abbreviation of Identity and Access Management
- On the IAM Dashboard: Use the left menu to select Users
At this point either you have an IAM User account (the one you are logged in with) or you will need to create a new one. Creating a new IAM User requires appropriate access credentials, which is beyond the scope of this post. I will continue by supposing you are signed in to the console as an IAM User with appropriate credentials, continuing from the IAM > Users table in the AWS Console.
- Select the User from this table who needs an Access Key using the hyperlink User name
- On the configuration page for this User select the Security credentials tab
- If there are no Access Keys in use: The table below “Access Keys” should be empty
- Click on the Create access key button
- Download the access key file to a safe location
The access key file contains both the public and secret strings that are needed to configure the AWS CLI. Again: Make sure when you configure the CLI that no logging software is making copies of these keys, particularly the secret key.
If your access keys are compromised in some way: Immediately Disable the key on the AWS Console. This is the only way to be sure it can’t be used by the uninvited party. After you Disable the key you can delete it and generate a new one.
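To check whether logging software has already captured a key during `aws configure`, you can scan the log for strings shaped like access keys. The following Python sketch is an added example, not part of the original post; the function names and the sample log lines are constructed for illustration, and the key values are the placeholder credentials used in AWS's own documentation.

```python
import re

# Access key IDs are 20 characters: "AKIA" (IAM user) or "ASIA" (temporary)
# followed by 16 uppercase letters or digits.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-alphabet characters. That shape also matches
# hashes and commit IDs, so only flag it when "secret" appears shortly before it.
SECRET_RE = re.compile(
    r"secret[^\n]{0,30}?(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])",
    re.IGNORECASE,
)

def redact(line):
    """Mask key material; keep the last 4 characters of the ID for matching."""
    line = KEY_ID_RE.sub(lambda m: "*" * 16 + m.group()[-4:], line)
    return SECRET_RE.sub(lambda m: m.group(0)[:-40] + "[REDACTED-SECRET]", line)

def scan(lines):
    """Return (line_number, kinds, redacted_line) for each line exposing a key."""
    findings = []
    for number, line in enumerate(lines, 1):
        kinds = []
        if KEY_ID_RE.search(line):
            kinds.append("access-key-id")
        if SECRET_RE.search(line):
            kinds.append("secret-access-key")
        if kinds:
            findings.append((number, kinds, redact(line)))
    return findings

# Constructed sample: a terminal session recorder that captured `aws configure`.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 session start user=alice",
    "2024-01-01 10:00:05 $ aws configure",
    "2024-01-01 10:00:09 AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE",
    "2024-01-01 10:00:14 AWS Secret Access Key [None]: "
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "2024-01-01 10:00:20 build id 0123456789abcdef0123456789abcdef01234567 ok",
]

if __name__ == "__main__":
    for number, kinds, safe_line in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(kinds)}: {safe_line}")
```

Any hit means the key should be treated as compromised and disabled as described above; redacting the log afterwards does not make the key safe again.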