When you are using AWS, there will be times when you will not actually need to log in to the AWS Management Console to access resources and perform specific tasks. AWS offers programmatic access to your resources through a range of SDKs and the AWS CLI. This allows users to access, modify, and control your AWS environment and resources through a Terminal window by issuing commands (instead of through the Management Console, with a point-and-click approach).
However, to do this, you have to be authenticated as a user that has the necessary authorization to perform actions; this is achieved through the use of access keys. These keys come as a pair, and can be generated for any user within IAM. They are then associated to only that user.
One key is known as the access key, and the other is the secret access key; they are constructed differently. The access key is 20 characters in length and is comprised of uppercase alphanumeric characters: for example, DWKYR45XM92EKLHP61DP. The secret access key is 40 characters in length and is made up of both uppercase and lowercase alphanumeric characters, in addition to some non-alphanumeric characters. An example of a secret access key is as follows:
SPv9S3/GWkC95Km/S24Vohr57Xs/awo07F6HEck9
When the access keys are created, they are created as a pair and are linked through a mathematical algorithm. They can be created from within IAM, or through the AWS CLI or SDK. Now, I will explain how you can use these keys to create the verification of authentication when accessing resources programmatically.
In this example, I shall explain how you can use these access keys to authenticate and verify your identity using the AWS CLI. This assumes that you have already installed the AWS CLI software and have downloaded the access keys from IAM. For more information on how to do this, please visit https://docs.aws.amazon.com/cli/latest/userguide/installing.html:
- Open a Terminal window on your local computer.
- Enter aws configure.
- Enter the AWS Access Key ID.
- Enter the AWS Secret Access Key.
- It will then ask you to enter the Default region name and Default output format.
Upon completion, when you make a request to access a resource within your AWS account, the AWS CLI is configured with your access keys, which both identify and verify who you are. This allows you to be authenticated and authorized, as per the permissions associated with your user account within IAM.
One point to mention regarding the access keys is that you are prompted to download them once they are created, and you only have one chance to do this. If you lose your secret access key, it's not possible to retrieve it, and you will have to create a new set of keys.