Introduction:
Amazon Web Services (AWS) is a cloud computing platform. AWS provides a barrage of services, including High-Performance Computing (HPC) services, for resource-intensive projects and Elastic Container Services (ECS), for container-based Application Programming Interface (API) cloud hosting.
In this post, we will cover a few basics for AWS first-time users. However, since it is natural for things to evolve, please consult AWS’s own “Getting Started Resource Center” for timely and comprehensive details. Here we:
- discuss the relevance to HTA,
- create an account on AWS,
- explain what Identity and Access Management (IAM),
- use IAM to control access to AWS services and resources,
- install AWS Command Line Interface (CLI) on a windows machine, and
- set CLI to programmatically access an IAM account.
Relevance, prerequisites and difficulty:
Relevance:
As I mentioned earlier, AWS provides, among other services and resources, HPC services. These capabilities are extremely useful in resource-intensive projects, such as ones encompassing Agent-Based models. Modeller could easily interact with AWS and run their models on their infrastructure in a mater of minutes1. Moreover, AWS ECS services are one of the good options to host containerised application such as Application Programming Interfaces (API)s and shiny-powered2 applications. ECS can handle the deployment, scaling and load balancing without much input from the modeller.
Difficulty:
The tasks or knowledge covered in this post are relatively easy to follow and or understand. Therefore, we rate this tutorial as beginner level.
Prerequisites:
There are no prerequisites for the reader to be able to follow this tutorial. We explain, demonstrate or sign-post to the requirements as we go through the tutorial. Hence, please follow along and only skip the steps you already know or completed.
Creating an account on AWS:
To create an AWS account, we need:
- email address, and
- billing information
Once you have the above requirements at hand, follow the on-screen instructions (or the gif below) to complete your registration.
Sign-up for Amazon Web Services (AWS) |
To complete the registration:
- add your name and email address,
- add your contact details,
- add your billing details,
- confirm your identity, and
- select a support plan.
When writing this post, AWS was offering a 12-months of free access to core AWS services and resources if the user signed up for a Personal - Basic account.
What is Identity and Access Management (IAM):
According to AWS, Identity and Access Management (IAM) is a
“web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources”.
Once you have created an AWS account, you can log in as a root user using your email address and password. The root user has complete access to all AWS services and resources in the account. AWS recommends that we do not use or access AWS as root users for everyday tasks, including administrative ones. Instead, they advise that we create users and give them access to the required resources or services using IAM.
To reiterate:
- using your AWS-associated email address and password to sign in to your AWS account will give you root access,
- using your root access for everyday tasks is inadvisable,
- use your root access to create one IAM account with administrative, and
- use your IAM admin account to create other IAM accounts to carry out specific tasks (for example, to host an API).
Create an IAM user:
Now that we know the difference between root and IAM access let’s create an IAM user with administrative permissions. The idea here is to create a set of IAM credentials that could allow you to manage everyday tasks, including the creation of other IAM accounts. Since this will be the main Admin account (in place of the account root user), you have the choice of allowing this account to have programmatic access. We will explain programmatic access in the next section, so do not worry about it for now.
IAM User and Role Access to Billing Information |
- Log in to your AWS root user account using the email address and password you set when registering at AWS.
- Allow IAM users access to the billing information (see the gif above).
- On your AWS page, locate and click on your account name (it should be on the top right corner of the page) and choose “Account”.
- On the next page, find “IAM User and Role Access to Billing Information” and click “Edit”.
- Select the check box next to “Activate IAM Access” and click on “update”.
- From the AWS “Services” tab (on the top left corner), find and choose IAM. If IAM is not on the “Recently visited” panel, then use the search box on top of the panel to find it (follow on the gif below).
- On the “IAM dashboard”, choose “Users” and then select “Add user”.
- On the “Add user” page, you can decide between having web, programmatic, or both types of access. Below we select both.
- Enter Administrator in the “User name” filed.
- Select the check boxes for “AWS Management Console access” and “Access key - Programmatic access”, select “Custom password”, and then type your new password in the text box.
- Click on “Permissions”.
- On the “Permissions” page:
- Select “Add user to group”.
- Choose “Create group”.
- Enter Administrators in the “Group name” field.
- Click to select the check box for the “AdministratorAccess” policy, which allows the Administrator IAM user full access to AWS services and resources.
- Choose “Create group”.
- On the page with the list of user groups, select the check box for your new user (Administrators) group.
- Click on “Tags”.
- Click on “Review”.
- On the “Complete” page, download a .csv file with login information of the user you created for future reference, including the configuration of the Command Line Interface (CLI), as we will see in the following sections.
IAM Administrator account |
Install AWS CLI:
As I mentioned, AWS Command Line Interface (CLI) enables programmatic access to AWS resources and services. Please check AWS’s web page for the CLI tool appropriate for your operating system.
For those who use Windows, the gif below shows the installation process. While this installation did not require a system restart after completion, I still recommend that you do one.
Installing AWS Command Line Interface (CLI) |
Now let’s check if AWS’s CLI was installed correctly. To do this:
- launch the Command Prompt or PowerShell in Windows by going to the “Start” menu and searching for “command prompt” or “PowerShell”. I am using Command Prompt, but PowerShell should also work fine.
- Type
aws --version
into the Command Prompt to query the version of AWS installed in your system, and press “Enter”. Should everything be okay, Windows will return the version of AWS installed (see the gif below). In my case, Windows responded withaws-cli/2.6.3 Python/3.9.11 Windows/10 exe/AMD64 prompt/off
. - For more details about the commands supported by the AWS CLI, see here.
Checking installed AWS CLI version |
Set CLI to programmatically access an IAM account:
Programmatic access allows users to interact with AWS (or any other service that supports such a feature) without a web browser. Instead, users can access these services via other applications or tools, one of which is the command line. This post will demonstrate the interaction between the command line and AWS on a Windows machine. Please check here for more information if you use a different operating system.
Apart from having AWS CLI installed locally, programmatic access requires:
- your IAM account is configured correctly (see how we enabled “Access key - Programmatic access” above, and
- you have the correct credentials for that account (see how we downloaded the .csv file containing the IAM Administrator user credentials earlier. In case you did not follow the steps above when creating your IAM user, please check here to get your IAM user programmatic access credentials.
Now let’s give our Windows machine programmatic access to AWS services and resources. You can also find more details here.
Configuring AWS CLI |
- Open Command Prompt as outlined above (remember that PowerShell would work fine).
- On the Command Prompt window, you can configure the CLI using one of three ways (see “Configuring AWS CLI” above for a quick demonstration).
- Input the IAM credentials one at a time using
aws configure
. In addition to the account credentials, you need to set “region name” (for example: “eu-west-2” which corresponds to “Europe (London)”, you can learn more about regions here) and “output format” (for example: “test”, you can find more about supported output formats here). - Read the IAM credentials saved in the earlier downloaded .csv file by executing
aws configure import --csv file://credentials.csv
, but replace “file://credentials.csv” with the destination of the .csv file. - Create a CLI profile to house the IAM credentials and settings by running
aws configure --profileName
(replace profileName with the one you want). To use the stored profile, declare the profile name in the AWS command (for example:aws s3 ls --profile profileName
, profileName is the name of the IAM profile housing the credentials). Check here to find more about AWS CLI profiles.
- Input the IAM credentials one at a time using
- You can amend the saved settings by re-running the above commands but replacing the inputs as needed (see “Amending AWS CLI user-settings” below for a quick demonstration).
Amending AWS CLI user-settings |
Conclusion:
We have taken the first steps to use AWS resources and services in this post. It might seem to some of you that we have gone into more details than required; however, I intended to provide some information to help ease the technical complexity of the process. Also, while it might not be clear why we have spent the time and energy to set AWS programmatically (I am hoping this is not the case, but anyway!), I am writing a couple of posts to put things into perspective.