
Access AWS Resources

Instance Metadata Service (IMDS)

  • Allows EC2 instances to learn about themselves without using an IAM role for that purpose.

  • URL is http://169.254.169.254/latest/meta-data/.

  • Using this feature one can extract many details other than the IAM policy itself, such as:

    • IP address

    • IAM role name

    • Launch script

  • There are two versions:

    • IMDS v1

      • Uses the URL http://169.254.169.254/latest/meta-data/ to retrieve the metadata directly, with no token.

    • IMDS v2

      • A more secure version of IMDS v1.

      • Uses a session token, obtained with an HTTP PUT, to retrieve the metadata information.

            TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
      • Use the token retrieved from the above request to make the metadata request.

            curl -s "http://169.254.169.254/latest/meta-data/" -H "X-aws-ec2-metadata-token: $TOKEN"
      • Amazon Linux 2023 supports only this version.

AWS CLI

Profiles

  • When multiple accounts need to be accessed from the AWS CLI, profiles isolate the accounts so that each connection uses its own credentials.

  • To create a profile use the command below,

        aws configure --profile <profile_name>
  • To query the AWS resources using CLI and profiles use the below command.

        aws [command] [option] --profile <profile_name>
        # Example
        aws s3 ls --profile dev

MFA

  • To use MFA with the CLI, call the STS (Security Token Service) GetSessionToken API to get a temporary session; see the example below.

        aws sts get-session-token --serial-number <arn-of-mfa-device> --token-code <token-code-from-mfa> --duration-seconds <seconds>
    • You get the ARN of the MFA device when you register one in your account.

    • The output of the above command looks like this:

        {
            "Credentials": {
                "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
                "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
                "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
                "Expiration": "2020-05-19T18:06:10+00:00"
            }
        }
    • Ensure the credentials obtained from the above command are added to the ~/.aws/credentials file, with the session token stored under the key aws_session_token.
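One way to store the GetSessionToken output as its own named profile, so the long-term keys in the default profile stay untouched (added example, not code from the page; the profile name dev-mfa and the abbreviated sample output are constructed):

```python
import configparser
import json
from pathlib import Path

# Constructed sample GetSessionToken output (documentation-style placeholder values,
# session token abbreviated).
SAMPLE_STS_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
    "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT",
    "Expiration": "2020-05-19T18:06:10+00:00"
  }
}"""


def write_session_profile(credentials_path, profile, sts_output_json):
    """Write the STS credentials into [profile] of an AWS credentials file.

    Returns the expiry timestamp so the caller knows when to re-run GetSessionToken.
    """
    creds = json.loads(sts_output_json)["Credentials"]
    path = Path(credentials_path)
    cfg = configparser.ConfigParser()
    if path.exists():
        cfg.read(path)  # keep every other profile (e.g. [default]) intact
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    # Temporary credentials are rejected by AWS unless the session token is sent too.
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w") as fh:
        cfg.write(fh)
    path.chmod(0o600)  # owner-only: the file now holds live secrets
    return creds["Expiration"]


def read_profile(credentials_path, profile):
    """Return the key/value pairs of [profile], or None if the profile is absent."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    return dict(cfg[profile]) if cfg.has_section(profile) else None
```

Call `write_session_profile("~/.aws/credentials", "dev-mfa", output)` with the real command output, then use `--profile dev-mfa` with the CLI.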

Note: for all the above commands to work, the user account must have the relevant access granted.

Credentials Chain Provider

CLI

  • The CLI looks for credentials in the following order (highest precedence first):

    1. CLI options

    2. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).

    3. Default CLI credentials file (typically located at ~/.aws/credentials).

    4. CLI configuration file (typically located at ~/.aws/config).

    5. Container credentials for an ECS task.

    6. Instance profile credentials for an EC2 instance profile.

SDK

  • The SDK looks for credentials in the following order (highest precedence first):

    1. Command line options

    2. System properties (aws.accessKeyId and aws.secretKey).

    3. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY).

    4. Default credentials profile file (typically located at ~/.aws/credentials).

    5. AWS configuration file (typically located at ~/.aws/config).

    6. Container credentials for ECS containers.

    7. Instance profile credentials for an EC2 instance.

  • If no region is given, us-east-1 is selected by default.

Best Practices

  • Never store credentials in code. Let them be inherited from the credentials chain.

  • Use IAM roles as per the requirement.

  • Use Named profiles or environment variables when working outside of AWS.

API Limits

Rate Limits

  • The DescribeInstances API for EC2 has a limit of 100 requests/second.

  • GetObject on S3 has a limit of 5500 GET request/second per prefix.

  • Can ask AWS to increase the limit as per the need.

Service Limits

  • Running On-Demand Standard instances: 1152 vCPU.

  • Can increase the limits as per need by asking AWS through a service ticket.

Service Quota Limits

  • These limits are enforced by AWS and can be increased by making a service quota API request programmatically.

Throttling Exception

  • AWS raises this exception intermittently when too many API calls are made.

  • This exception is a signal to use exponential backoff while making requests.

  • SDKs handle this behaviour inherently.

  • Using the APIs directly requires an explicit exponential backoff implementation.

    • Only 5xx server errors (and throttling) should be retried.

    • Don't implement retries for 4xx client errors.
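What that explicit backoff looks like when calling the APIs without an SDK, as an added example (not code from the page): retries are limited to throttling and 5xx responses, and the delay uses full jitter so that many clients do not retry at the same instant. The AwsError class is a constructed stand-in for the error object a real HTTP client would raise.

```python
import random
import time


class AwsError(Exception):
    """Constructed stand-in for an AWS API error: HTTP status plus the AWS error code."""

    def __init__(self, status_code: int, error_code: str):
        super().__init__(f"{status_code} {error_code}")
        self.status_code = status_code
        self.error_code = error_code


# Error codes AWS services use to signal request-rate throttling.
THROTTLE_CODES = {"Throttling", "ThrottlingException", "RequestLimitExceeded",
                  "TooManyRequestsException"}


def is_retryable(err: AwsError) -> bool:
    """Retry throttling and 5xx server errors; other 4xx client errors are bugs, not transients."""
    return err.error_code in THROTTLE_CODES or 500 <= err.status_code <= 599


def call_with_backoff(fn, max_attempts=5, base=0.1, cap=5.0,
                      sleep=time.sleep, rng=random.random):
    """Run fn() with exponential backoff and full jitter on retryable AwsError.

    The delay before retry n is rng() * min(cap, base * 2**n); sleep and rng are
    injectable so the schedule can be tested without actually waiting.
    """
    attempt = 0
    while True:
        try:
            return fn()
        except AwsError as err:
            attempt += 1
            if not is_retryable(err) or attempt >= max_attempts:
                raise  # give up: non-retryable, or the retry budget is spent
            sleep(rng() * min(cap, base * (2 ** attempt)))
```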

Signing AWS Request API (Sig v4)

  • There are three ways of doing it:

    • Authorization headers

      • Authorization

      • Signature

      • SignedHeaders

    • Query parameters

      • X-Amz-Algorithm

      • X-Amz-Credential

      • X-Amz-Date

      • X-Amz-Signature

    • Browser-based uploads using POST

Reference

  • AWS CLI

  • AWS STS

  • IMDS Categories

  • Sig V4 Request Signing

  • Sig V4 Headers

  • Credentials Precedence

Last updated 4 months ago