Ref: https://learn.cantrill.io/courses/1820301/lectures/41301467

DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301468

• Summary
• Contents:

Long-term and Short-term Credentials

• Credentials = information known to AWS and identities that allow authentication (i.e. logging in to an AWS account)
  • Long-term credentials persist, they don't change automatically nor regularly
    • examples: user-name + password, IAM access keys
    • YOU, as the owner of the long-term credentials, have to explicitly change them (e.g. updating your password)
  • Short-term credentials are only valid for a short time before they expire
    • Entities using them usually need to regularly fetch new credentials for extended use
• ❗ The account root user and IAM users use long-term credentials, whereas IAM roles use short-term credentials
• Credentials have a public and a private part
  • e.g. username (public) + password (private). MFA is an additional private factor.

IAM Access Keys

• Users can access AWS accounts from:
  1. Web browser → directed to AWS Management Console (AWS console UI)
  2. CLI (Command Line Interface)
  3. Within other applications using APIs (Application Programming Interfaces)
     • Access AWS APIs by using AWS SDK (Software Development Kit)
  • ❗ Access via CLI and APIs usually done with IAM access keys
• 🔧 IAM Access keys are long-term credentials available within AWS
  • A set of access keys consists of 2 parts (both are used for authentication):
    1. Access Key ID (public) e.g. AKIAIOSF0DNN7EXAMPLE
    2. Secret Access Key (private) → e.g. wJalrXUtnFEMI… (longer & more complex)
       • once provided, AWS will never show it again
    • Screenshot
• Access keys can be created, deleted, deactivated and (re)activated
  • When created, they're by default active
  • ‼️ Can not be changed!
    • You can rotate them though (delete and recreate them) → new keys
• An IAM user can have:
  • 0-1 pairs of username + password
    • some IAM users are created for only CLI or API usage, hence have no passwords
  • 0-2 sets of access keys → having 2 is useful for access key rotation
• Root users can have access keys, but it's not recommended
  • 💡 We shouldn't be using the root user for mundane tasks, so it's doubtful you need to use it in the CLI or APIs

DEMO: Creating Access Keys and Setting Up AWS CLIv2 Tools

Ref: https://learn.cantrill.io/courses/1820301/lectures/41301468

• Create a set of access keys: Drop-down menu > Security Credentials > Create Access Key
  • Download the access keys to your local machine (e.g. via the CSV file option)