Paul SerbanSoftware Engineer

AWS IAM - Setting Up AWS CLI with Access KeysSecurely Configuring AWS CLI Using IAM Access Keys

Introduction: Understanding AWS CLI and IAM Access Keys

AWS Command Line Interface (CLI) is a powerful tool that enables developers and system administrators to interact with AWS services directly from the terminal. It allows users to automate tasks, deploy resources, and manage AWS environments efficiently. However, securing access to AWS resources is critical, especially when using IAM access keys to authenticate API requests.

IAM (Identity and Access Management) in AWS allows organizations to control access to AWS services and resources. When setting up AWS CLI, users must configure IAM access keys, which consist of an access key ID and a secret access key. These credentials grant programmatic access to AWS, making proper configuration and security practices essential to prevent unauthorized access and data breaches.

AWS Access Methods: How Users Interact with AWS Services

AWS provides multiple ways for users to access and manage its services. Choosing the right access method depends on use cases, security requirements, and automation needs.

1. AWS Management Console (Web UI)

  • What it is: A web-based interface for managing AWS services.

  • How users authenticate:

    • IAM User + Password
    • IAM User + MFA (if enabled)
    • IAM Role (via AWS SSO or Assume Role)
    • Root Account (not recommended for daily use)

  • Best for:

    • Beginners, administrators, and non-technical users.
    • Managing services visually.
    • Quick configurations.

  • Limitations:

    • Not ideal for automation.
    • Can be slow for bulk operations.

  • Access via: AWS Console

2. AWS Command Line Interface (AWS CLI)

  • What it is: A command-line tool for interacting with AWS services.
  • How users authenticate:
    • IAM User + Access Key + Secret Key
    • IAM Role (via aws sts assume-role)
    • AWS SSO (if configured)
  • Best for:
    • Automating tasks with scripts.
    • Managing AWS from a terminal.
    • Running bulk operations.
  • Limitations:
    • Requires installation (aws-cli).
    • Can be complex for beginners.

Example Usage

aws s3 ls  # List S3 buckets
aws ec2 describe-instances  # Get EC2 details

3. AWS SDKs (Software Development Kits)

  • What it is: Libraries for integrating AWS with programming languages.
  • How users authenticate:
    • IAM User + Access Key + Secret Key
    • IAM Role (for EC2, Lambda, etc.)
    • AWS SSO
  • Best for:
    • Building applications that interact with AWS.
    • Automating AWS tasks within software.
    • Serverless functions (Lambda, API Gateway).
  • Supported SDKs:
    • JavaScript / TypeScript (aws-sdk for Node.js)
    • Python (boto3)
    • Java (AWS SDK for Java)
    • Go, .NET, Ruby, PHP, C++, etc.

Example: Using AWS SDK in Python (boto3)

import boto3

s3 = boto3.client('s3')
buckets = s3.list_buckets()
print(buckets)

Setting Up AWS CLI with IAM Access Keys

1. Generate AWS Access Keys

Step 1: Sign in to AWS IAM

  1. Go to the AWS IAM Console:
  2. Navigate to Users → Select your IAM user.
  3. Click Security credentials → Scroll to Access keys.
  4. Click Create access key.
  5. Choose the purpose:
    • CLI access (for personal use).
    • Application (for programmatic access).
  6. Click Create access key and download the .csv file (store it securely).

2. Configure AWS CLI with the Keys

Option 1: Using aws configure (Recommended)

Run the following command in your terminal:

aws configure

Enter the credentials when prompted:

AWS Access Key ID [None]: AKIAxxxxxxxxxxxxxxx
AWS Secret Access Key [None]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Default region name [None]: us-east-1
Default output format [None]: json
  • Stored in: ~/.aws/credentials (Linux/macOS) or C:\Users\USERNAME\.aws\credentials (Windows).

Option 2: Manually Edit the Credentials File

  1. Open ~/.aws/credentials (Linux/macOS) or C:\Users\USERNAME\.aws\credentials (Windows).
  2. Add the following:
[default]
aws_access_key_id=AKIAxxxxxxxxxxxxxxx
aws_secret_access_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  1. Open ~/.aws/config and add:
[default]
region=us-east-1
output=json

3. Verify AWS CLI Access

Test that your setup is working:

aws sts get-caller-identity

Expected output:

{
  "UserId": "AIDAEXAMPLEID",
  "Account": "123456789012",
  "Arn": "arn:aws:iam::123456789012:user/YourUser"
}

If you see this, AWS CLI is successfully configured!

4. Security Best Practices

  • Use IAM Roles instead of Access Keys whenever possible.
  • Rotate Access Keys regularly.
  • Never share or expose Access Keys (e.g., in GitHub).
  • Enable MFA for your IAM user for extra security.

Conclusion: Securely Managing AWS CLI Access

Configuring AWS CLI with IAM access keys is essential for efficient cloud management, but security should always be a priority. By following best practices, organizations can mitigate security risks while enabling automation and streamlined workflows securely.