How to create AWS account

If you don't have an AWS account, you need to create one here. It is pretty easy. After this, you will be able to log in to your account and do anything there in the UI console. But if you are going to interact with AWS via the CLI or any other framework that requires storing credentials or delivering them to CI, you should create a dedicated user for programmatic access. Then, if someone steals your stored credentials, you will be able to revoke this user and keep your account.

So let's create a new user with programmatic access in IAM:

Press the Add user button to create a new user

I will call him batcher (you should use a name that reflects what the user is used for)

Setting up user name and selecting access type

On the next screen create a new group FulAccess with AdministratorAccess policy.

Create group with full access

Now add the user to the created group.

🛑 Security Note: in most cases you don't need to give AdministratorAccess to your API users, and you should limit them to only the necessary policies. In this example we do it only to simplify the flow and reduce the number of potential issues when readers run their own experiments while studying. If it is your development account, it is fine to do this.

Press Next, Next, Create User.

Now download the CSV file with all credentials and save it in a reliable place.

This file gives you the ACCESS KEY ID and SECRET ACCESS KEY, which are enough to provide access to any CLI/API/framework.

🛑 Remember, this pair is very sensitive:

  • These two values are enough to get access to all account resources that are permitted to the user (we attached the AdministratorAccess policy to him, so these 2 strings would allow doing anything in your account, e.g. allocating thousands of EC2 instances for mining, which would cost you infinity if you did not configure balance alerts)
  • They are already linked to the account ID, so AWS knows which account to operate in when you pass these credentials to the API or a framework
  • If you destroy the user, the credentials will be revoked as well
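
To make the Security Note concrete, here is an added example (not part of the original tutorial) that compares what the AdministratorAccess statement grants with a scoped policy and flags over-broad Allow statements. The scoped policy, its actions and the bucket name `example-batcher-bucket` are constructed assumptions, and the matching is simplified: it ignores Deny statements, Resource scoping and Condition blocks.

```python
import json
from fnmatch import fnmatchcase

# Statement granted by the AWS-managed AdministratorAccess policy.
ADMINISTRATOR_ACCESS = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

# Constructed scoped policy; the actions and bucket name are assumptions.
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["batch:SubmitJob", "batch:DescribeJobs"],
    "Resource": "*"},
   {"Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-batcher-bucket/*"}]}
""")

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def allows_action(policy, action):
    """True if an Allow statement's Action pattern matches `action`.
    Simplified: ignores Deny statements, Resource scoping and Condition blocks."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        if any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action"))):
            return True
    return False

def audit_policy(policy):
    """Return (statement index, finding) pairs for over-broad Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((idx, "Allow with NotAction grants all unlisted actions"))
        actions = _as_list(stmt.get("Action"))
        if "*" in actions and "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, "full administrator access"))
        else:
            findings.extend((idx, f"service-wide wildcard {a}")
                            for a in actions if a.endswith(":*"))
    return findings
```

With the scoped policy, a stolen key pair could not be used for `ec2:RunInstances`, the EC2 mining scenario mentioned above.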