If you don't have an AWS account, you need to create one here. It is pretty easy. After that you can log in to your account and do anything in the UI console, but if you are going to interact with AWS via the CLI or any other framework that requires storing credentials or delivering them to CI, you should create a dedicated user for programmatic access. Then, if someone somehow steals your stored credentials, you can revoke this user and keep your account.
So let's create a new user with programmatic access in IAM:
I will call it batcher (use a name that reflects what the user is for).
On the next screen, create a new group.
Now add the user to the created group. It should look like this:
🛑 Security Note: in most cases you don't need to give AdministratorAccess to your API users, and you should limit them to only the necessary policies. In this example we do it only to simplify the flow and reduce the number of potential issues readers may hit while experimenting. If it is your development account, it is fine to do this.
Now press the button to download the CSV file with all credentials and save it in a reliable place.
This file gives you the ACCESS KEY ID and SECRET ACCESS KEY, which are enough to provide access to any CLI/API/framework.
🛑 Remember, this pair is very sensitive:
- These two values are enough to get access to all account resources that are permitted to the user (we attached the AdministratorAccess policy to it, so these 2 strings would allow doing anything in your account, e.g. allocating thousands of EC2 instances for mining, which would cost you infinity if you did not configure balance alerts)
- They are already linked to the account ID, so AWS knows which account to operate in when you pass these credentials to the API or to a framework
- If you destroy the user, the credentials are revoked as well
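One way to move the key pair from the downloaded CSV into a named profile without leaving it world-readable, as an added example that is not part of the original tutorial. It assumes the CSV has "Access key ID" and "Secret access key" columns; the function names are hypothetical and the sample pair is AWS's documented example key, not a real credential.

```python
import configparser
import csv
import io
import os
import re
import stat
import tempfile

# Long-term IAM user access key IDs start with "AKIA" and are 20 characters long.
KEY_ID_RE = re.compile(r"^AKIA[A-Z0-9]{16}$")


def read_key_pair(csv_text):
    """Return (access_key_id, secret_access_key) from the downloaded CSV text."""
    # Assumption: columns are named "Access key ID" and "Secret access key".
    row = next(csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))), None)
    if row is None:
        raise ValueError("CSV has no data row")
    row = {(k or "").strip().lower(): (v or "").strip() for k, v in row.items()}
    key_id = row.get("access key id", "")
    secret = row.get("secret access key", "")
    # Reject anything that does not look like a key pair; never echo the secret.
    if not KEY_ID_RE.match(key_id) or len(secret) != 40:
        raise ValueError("CSV does not contain a well-formed access key pair")
    return key_id, secret


def write_profile(path, profile, key_id, secret):
    """Add or replace one profile in a shared credentials file; return its mode."""
    config = configparser.ConfigParser(interpolation=None)
    config.read(path)  # keeps other profiles if the file already exists
    config[profile] = {"aws_access_key_id": key_id,
                       "aws_secret_access_key": secret}
    # Create the file owner-only from the start, so it is never briefly readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        config.write(handle)
    os.chmod(path, 0o600)  # also tightens a pre-existing, looser file
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed sample input using AWS's documented example key pair.
    sample = ("Access key ID,Secret access key\n"
              "AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    target = os.path.join(tempfile.mkdtemp(), "credentials")
    mode = write_profile(target, "batcher", *read_key_pair(sample))
    print(f"wrote profile 'batcher' to {target} with mode {oct(mode)}")
```

Once the profile is written, the CSV itself is a second copy of the secret, so it needs the same care as the credentials file.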