From the course: Kubernetes: Your First Project (2021)

Configuring AWS access

- [Instructor] In this course, we will deploy Explore California into a real Kubernetes cluster inside of Elastic Kubernetes Service. If you would like to do this, you'll need to create a programmatic access key and secret key within AWS. This video will show you how to do that. To get started, navigate to https://console.aws.amazon.com. From here, you'll be prompted to log in. If you haven't created an AWS account yet, click on this button right here to get started. If you've already logged in, you won't see this prompt. I've already logged in, so I'm going to go ahead and go to my management console. From here, I'm going to click on the text box in the center of the screen and search for IAM, which is Identity and Access Management, the service that creates access keys, secret keys, users, and roles, amongst other things. So I'm going to click on IAM and it's going to bring you to your dashboard. The first thing that we're going to do is create a user. So I'm going to click on the Users tab over here on the left, and then I'm going to click on Add users up here. From here, you're going to be asked to provide a username. It can be anything you want. I'm going to name it carlos. Next, you'll be asked to provide the access type. Since we want an access key and a secret key that we'll use with the AWS CLI tool, we're going to check off Programmatic access right here. Once we've done that, I'm going to click on Next: Permissions at the bottom of the screen. Once I'm here, I'm going to click on Attach existing policies directly, and then I'm going to search for the AssumeRolePolicy. We're going to need this policy because this user isn't actually going to have any rights by itself. Instead, we're going to assume a role that we will create, which will allow us to do anything we want inside AWS, but with a temporary set of credentials.
Now I'm going to click on Next: Tags, which is, again, towards the bottom of the screen. Here you can add tags; I'm not going to add any, but they're key-value pairs, and you can add whatever tags you'd like. Next I'm going to click on Next: Review. It's going to show me the user that I created, it's going to show me that I want programmatic access, and then it's going to show me that I have a policy attached called AssumeRolePolicy right there. I like the way this looks. If you like it, you can click on Create user, and the user will be created. From here, it gives you an access key ID and a secret access key. Now, an important thing to note is that you do not want to leave this page. The reason is that you will only see the secret access key once. If you lose it, you'll have to create a new access key. So now that we've done this, I'm going to go ahead and open a terminal. If you're on a Mac, you can press Command + Space and then type terminal. If you're on Windows, you should install a program called Git Bash, which comes with the bash shell, which is the same shell that I'll be using for this course. Once you have that installed, you can click on Start, then Run, type Git Bash in the text box, and click on the first result. From here, let's go ahead and install the AWS CLI. Since the instructions differ depending on the operating system that you're using, just follow the instructions at the link below to guide you through it. Once you've installed the AWS CLI, you can type aws configure to configure your AWS CLI tool. The first thing it's going to ask you for is an access key ID. To enter it, I'm going to go back to my Add user screen right here and copy the access key ID. The next thing it's going to ask for is a secret access key. Once again, I'm going to go back to my page.
I'm going to highlight this mysterious secret access key, and then I'm going to paste it into this prompt right here. The third thing it's going to ask you for is the region name. Now, how do you actually get this? Well, it's actually pretty easy. In order to get it, I'm going to click on the AWS logo here, since I've already copied the secret access key. Then you're going to click on the region next to your name. My name is right here, and I'm going to click on Ohio. Now this might be a state like Ohio, it might be a town like Cape Town, or it might even be a country like Ireland. Regardless, you'll want to look for the entry that's highlighted in orange. So right now, in my case, I am using the Ohio region, which is called us-east-2. I'm going to remember that it is us-east-2, since I'm having a hard time copying it right now, then type it in here and press Enter. Then you're going to be asked for the output format; just leave it as json, it's pretty readable. Once you hit Enter, you are done configuring the tool. Now, the user that we created doesn't have permission to do anything, by design: we didn't give it any. To demonstrate that, I'm going to try to list the set of instances that I've spun up on EC2, of which there are none. As you can see, when I run that command, it tells me that I'm not authorized to perform that operation, because I don't have any permissions to do that. So, how do we fix that? Well, we need to assume a role, right? That's what the AssumeRolePolicy we attached is for. So let's create an admin role that we can assume. I'm going to go back to my user screen, click on Roles over here, and create a new role. The first thing I need to do is click on this button right here, Another AWS account.
This is a little counterintuitive, because we're actually going to provide our own account. But in order for assume-role to work, we need to provide the account ID that the role is being assumed from. In order to get that account ID, you're going to click on your name and then highlight the number next to My Account over here. So I'm going to highlight this number and paste it into this field. Next, I'm going to check Require external ID. This is like a password, in a sense. Without it, anyone who knows what this role is called and what account it's in could assume this role and become an admin of your account, which you do not want to happen. So this is like a password that prevents that from happening. For our example, I'm going to make it explorecalifornia. Then I'm going to click on Next: Permissions, and this is where I give this role AdministratorAccess. So this role has the ability to be a superuser inside of AWS, but your user doesn't directly. Now I'm going to click on Next: Tags. I don't need any tags here, so I'm going to click on Next: Review. From here, I'm going to give this role a name. I'm going to call it admin-access-explore-california. You can give it a description if you like; I'm not going to. Then I'm going to click on Create role right here, and the role got created, which is awesome. So now what I'm going to do is click on this role and copy what's called its Amazon Resource Name, or ARN. This is an identifier that tells AWS where your role is, which is going to be important when we assume it. So I'm going to copy that, go back into my terminal, and use the sts assume-role command. This is the command that's going to allow us to get a set of temporary credentials.
The first thing I'm going to enter is the role ARN, which is what we just copied, so I'm going to paste it in there and put quotes around it, just for safety. Next, I'm going to provide a role session name. This can be anything you want; it's really just a way of identifying your session, so I'm going to call it MySession. Finally, I need to give it the password, which in this case is done through the external-id command line flag, and here I'm going to enter explorecalifornia, the same value we set on the role. Now that I have all that, I'm going to hit Enter, and you'll get a big blob of JSON back, which tells you that AWS accepted all your terms and gave you admin access for an hour, because by default these temporary credentials are only good for an hour. So the last thing we need to do is configure our shell to use the data in here, and we're going to do that through environment variables. The first environment variable that I'm going to create is AWS_ACCESS_KEY_ID, and we're going to set that to the access key ID inside of this JSON, the field of the same name, as you can see up here. So I'm going to copy this string right here, which starts with ASIA, and paste it down here. Next, I'm going to set AWS_SECRET_ACCESS_KEY, which is like the password for this access key. So I'm going to copy the secret access key and paste it down here. Finally, I'm going to set another environment variable called AWS_SESSION_TOKEN, because this access key was issued by STS, and the only way AWS will accept it is together with the session token. So I'm going to type the equals sign, copy this long string with the quotes, because it has special characters in it, and paste it. Now it's set, and with that, I'm now an admin.
Let's run the command that we ran earlier, the EC2 command, to prove it. So I'm going to go ahead and hit Enter, and as you can see, now I'm actually authorized to see the list of instances inside of the service, because my user has assumed this role right here with a temporary set of credentials. With that, that's how you create secure temporary credentials for a user inside of AWS. When you run the scripts that come with this course, you'll need to do this in order for them to work.
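The console clicks and copy-pasting above, scripted, as an added example that is not code from the course. It builds the trust policy the "Another AWS account" + "Require external ID" wizard produces, the minimal policy the IAM user actually needs (assume that one role, nothing else), and a wrapper around aws sts assume-role that turns the result into export statements instead of copying three strings by hand. It assumes the AWS CLI v2 is installed and aws configure has already stored the IAM user's long-lived key; the account ID 123456789012 is a placeholder, and the role name and external ID are the ones used in the video.

```shell
#!/bin/sh
# Added example, not code from the course: the console steps above, scripted.
# Assumes the AWS CLI v2 is installed and `aws configure` has stored the IAM
# user's long-lived key. ACCOUNT_ID 123456789012 is a placeholder.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"          # placeholder, substitute your own
ROLE_NAME="admin-access-explore-california"
EXTERNAL_ID="${EXTERNAL_ID:-explorecalifornia}"

# Trust policy equivalent to "Another AWS account" + "Require external ID":
# only principals in this account may assume the role, and only when they
# present the external ID. Create the role with:
#   aws iam create-role --role-name "$ROLE_NAME" \
#     --assume-role-policy-document "$(trust_policy "$ACCOUNT_ID" "$EXTERNAL_ID")"
#   aws iam attach-role-policy --role-name "$ROLE_NAME" \
#     --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::$1:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:ExternalId": "$2" } }
  }]
}
EOF
}

# The only permission the IAM user needs: assume this one role. Attach with:
#   aws iam put-user-policy --user-name carlos --policy-name AssumeRolePolicy \
#     --policy-document "$(user_policy "$ACCOUNT_ID" "$ROLE_NAME")"
user_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::$1:role/$2"
  }]
}
EOF
}

# Convert one line of `aws sts assume-role --output text` (tab-separated
# AccessKeyId, SecretAccessKey, SessionToken, Expiration) into export
# statements. Kept separate from the AWS call so it can be checked offline.
exports_from_text() {
  old_ifs=$IFS
  IFS="$(printf '\t')"
  set -- $1
  IFS=$old_ifs
  key=${1:-}; secret=${2:-}; token=${3:-}; expires=${4:-}
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "assume-role returned incomplete credentials" >&2
    return 1
  fi
  # STS-issued temporary key IDs start with ASIA; a long-lived user key
  # (AKIA) would mean we are still running as the bare user.
  case "$key" in
    ASIA*) ;;
    *) echo "unexpected access key prefix: $key" >&2; return 1 ;;
  esac
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
  printf "# temporary credentials expire at %s\n" "$expires"
}

# Assume the role and print export lines. Usage: eval "$(assume_admin_role)"
assume_admin_role() {
  line="$(aws sts assume-role \
    --role-arn "arn:aws:iam::$ACCOUNT_ID:role/$ROLE_NAME" \
    --role-session-name MySession \
    --external-id "$EXTERNAL_ID" \
    --duration-seconds 3600 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text)"
  exports_from_text "$line"
}
```

Source the file and run eval "$(assume_admin_role)" in the shell you will run the course scripts from; the exports live only in that shell and stop working when the one-hour session expires, at which point you rerun the eval rather than touching the long-lived key again. Two caveats: the trust policy above trusts only your own account, so the external ID is mostly cheap insurance here; it is designed for the case where a third party assumes a role in your account (the confused-deputy problem). And AdministratorAccess is what the video uses; for the cluster deployment itself a narrower policy is the better habit.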
