AWS Install & Configure CLI

IAM Overview

It is not reccomended to use the rootuser for any workloads/CLI/SDK access, rather setup a IAM users and grant access either by policy (single rule) or role. Think of a role as a hat that the user can wear to then have access to resources.

“An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.”

“A role is intended to be assumable by anyone or thing who needs it.”

“An IAM role is similar to a user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. A role is intended to be assumable by anyone or thing who needs it. A role does not have standard long-term credentials (password or access keys) associated with it. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.”

Prerequisites

To configure the below you will need the required access key id and secret access key which you can get from the AWS AMI Console (Identity and Access Management) you will need to be logged in. Any commands that point to a .json configuration file are available on github.

AWSCLI

Updated 05/03/2022

1. Install using the CLI

• https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html

This will live in C:\Program Files\Amazon\AWSCLI and should then work from any terminal.

2. Check version

aws --version

This could show v1 or v2 - I had to uninstall v1 to get v2 to work, there may be a switcher as v2 have breaking changes.

aws-cli/1.21.7 Python/3.6.0 Windows/10 botocore/1.22.7
aws-cli/2.4.23 Python/3.8.8 Windows/10 exe/AMD64 prompt/off

3. Configure with the keys you got from the IAM in the amazon console.

C:\> aws configure
AWS Access Key ID [None]: HOEHOEHOEHOHEOHEOHE
AWS Secret Access Key [None]: HO/hehOehoHEOHEhohEOHeohEOH+EohOEe
Default region name [None]: ap-southeast-2
Default output format [None]:

This creates these text files in the following location:

• %USERPROFILE%\.aws\credentials (windows)
• ~/.aws/credentials (linux)

~ C:\Users\[USERNAME]\.aws\credentials
[default]
aws_access_key_id = HOEHOEHOEHOHEOHEOHE                    
aws_secret_access_key = HO/hehOehoHEOHEhohEOHeohEOH+EohOEe

• %USERPROFILE%\.aws\config (windows)
• ~/.aws/config (linux)

~ C:\Users\[USERNAME]\.aws\config 
[default]
region = ap-southeast-2

4. Then you can test it works

aws iam list-roles

5. Create the task execution IAM role

--- Create the task execution role
C:\dev\aws\ami>
aws iam --region ap-southeast-2 create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://task-execution-assume-role.json

--- Attach the task execution role policy
aws iam --region ap-southeast-2 attach-role-policy --role-name ecsTaskExecutionRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

More than one profile

As I have more than one profile I use --profile carlos this means my default profile is not used

config

[default]
region = us-west-2

[profile carlos]
region = ap-southeast-2

[profile localstack]
region = us-east-1

credentials

[default]
aws_access_key_id = ACB 
aws_secret_access_key = abcdef

[carlos]
aws_access_key_id = HIJ
aws_secret_access_key = hijklm

[localstack]
aws_access_key_id = dummyaccess
aws_secret_access_key = dummysecret

• https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

References

• https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/creds-file.html
• https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
• https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
• https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
• https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

ECSCLI (Elastic Container Service)

This will live in C:\Program Files\Amazon\ECSCLI

1. Run windows powersell as administrator

--- create folder
New-Item C:\Program Files\Amazon\ECSCLI -type directory

--- install
Invoke-WebRequest -OutFile ‘C:\Program Files\Amazon\ECSCLI\ecs-cli.exe’ https://amazon-ecs-cli.s3.amazonaws.com/ecs-cli-windows-amd64-latest.exe

2. Edit the environment variables and add C:\Program Files\Amazon\ECSCLI to the PATH variable field

3. Restart powersell and check version

ecs-cli --version

4. Configure with the same keys used above

I used the profile names carl_ecs_cli_profile and carl_configuration_name below when setting up ECS for the Lexicon via the AWS CLI.

ecs-cli configure profile --profile-name carl_ecs_cli_profile --access-key HOEHOEHOEHOHEOHEOHE --secret-key HO/hehOehoHEOHEhohEOHeohEOH+EohOEe

ecs-cli configure --cluster ClusterName1 --default-launch-type FARGATE --region ap-southeast-2 --config-name carl_configuration_name

Note that --cluster needs to satisfy regular expression pattern: [a-zA-Z][-a-zA-Z0-9]*

This creates these files which you can edit with any text editor.

~ C:\Users\[USERNAME]\AppData\Local\ecs\config
: carl_configuration_name

~ C:\Users\[USERNAME]\AppData\Local\ecs\credentials 
: carl_ecs_cli_profile

References

• https://docs.aws.amazon.com/cli/latest/userguide/install-windows.html#install-msi-on-windows
• https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_CLI_installation.html
• https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_CLI_Configuration.html
• https://console.aws.amazon.com/iam/
• https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/tkv-create-ami-from-instance.html