aws-api doesn't really do anything special here, it just uses a typical (for aws) https://github.com/cognitect-labs/aws-api#credentials. For granting access to particular resources like S3 buckets you would have to look into https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html, which is how you assign permissions to credentials in aws, and would be a more useful thing to search for learning materials than anything aws-api specific. The aws web console should be fairly user-friendly to step though the iam console to create a new dev user with permissions for what you're trying to do and give you credentials to use for that.

Better link for the credential chain: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html

Once you get the creds taken care of you should be able to step through any of these at the repl: https://github.com/cognitect-labs/aws-api/tree/main/examples

I've created an IAM user and added to a group that has AwsS3FullAccess But that doesnt seem to tie up with the credential provider chain, so creating a group doesnt seem to be relevant unless a group is also a profile, in which case it makes sense... but I am not certain that is the case.

I assume I should create Access keys in the user I created and use aws configure set to set the right values (or just type them into the ~/.aws/config

yeah that would work. And also make sure you dont somehow have the AWS_ACCESS_KEY_ID, etc, environment vars set. (I've spent hours stuck on not realizing these were being set). Alternatively you could just set those to the new access keys you created. Those are checked before ~/.aws/config

although when creating Access Keys, AWS is kindly suggesting I use AWS CloudShell (not heard of before) or AWS CLI V2 (which I have installed). so will consider those once I get some Access Key access 😆

Yeah there are definitely a lot of "choose your own adventure options" that could come up 😅 I guess I would just recommend ignoring everything not directly involved in getting some minimally scoped creds, and get to using aws-api from clojure asap, and then you kind of get feel for iam naturally over time

Its curious how AWS tells me to not save keys in plain text but encourages me to download a CSV with the keys in plain text :rolling_on_the_floor_laughing: . I guess the secret only lives for a max of 12 hours anyway..

Still hunting how to create the `aws_session_token` which seems to be needed...

There is an example in the aws api repo which you can adapt, hold on

https://github.com/cognitect-labs/aws-api/blob/main/examples/assume_role_example.clj

You don't necessarily need the session token, if it's not provided when you generate the creds you shouldn't need it? I think?

I'll try the assume_role as I get {:Code AccessDenied, ,,,} without it

You're going to need to be authenticated with some creds already, and have some specific permissions, to get that example working though. But you're stuck at the part of getting any api call working in AWS right?

I assume if I had a session token in the .aws/credentials along with the access key and secret, then start the REPL and the examples to https://github.com/cognitect-labs/aws-api#explore should work...

Yeah I believe so

I though I had it with the command

aws sts get-session-token --duration-seconds 129600

OMG... I have figured it out... and its working... I didnt need the session token I had created a group with the AwsS3FullAccess permission, but neglected to add the IAM user to the group. Once the IAM user was added to the group then the Clojure code worked (of course)

Is configuring AWS account in around 5 hours some kind of record :rolling_on_the_floor_laughing: (good or bad I am not sure)....

Probably a good record 🙃

I joined a company a couple of years ago and 3 of us spend most of the day trying to configure AWS... I'll write up my notes for what I did at http://practical.li/amazon-web-services/ this evening before I forget everything again. Thanks @U064UGEUQ for your suggestions (which helped keep me going)

The Clojure code in Cognitect Labs AWS API is really easy to understand (especially in comparison to understanding AWS )

> The Clojure code in Cognitect Labs AWS API is really easy to understand It's very well designed 🙂 I especially love cognitect.aws.client.api/ops e.g. these are the available SNS operations

[:ListOriginationNumbers :SetTopicAttributes :ListTagsForResource :GetSMSSandboxAccountStatus :DeleteSMSSandboxPhoneNumber :Unsubscribe :TagResource :UntagResource :GetSubscriptionAttributes :CheckIfPhoneNumberIsOptedOut :PublishBatch :ListTopics :CreateSMSSandboxPhoneNumber :ListSubscriptionsByTopic :SetEndpointAttributes :ListEndpointsByPlatformApplication :CreatePlatformApplication :AddPermission :ListPhoneNumbersOptedOut :ConfirmSubscription :Publish :CreatePlatformEndpoint :Subscribe :GetEndpointAttributes :DeletePlatformApplication :ListSMSSandboxPhoneNumbers :CreateTopic :GetDataProtectionPolicy :GetTopicAttributes :GetSMSAttributes :ListPlatformApplications :SetSMSAttributes :GetPlatformApplicationAttributes :OptInPhoneNumber :RemovePermission :DeleteEndpoint :ListSubscriptions :DeleteTopic :SetPlatformApplicationAttributes :SetSubscriptionAttributes :VerifySMSSandboxPhoneNumber :PutDataProtectionPolicy]

{:name "ListTopics", :documentation "<p>Returns a list of the requester's topics. Each call returns a limited list of topics, up to 100. If there are more topics, a <code>NextToken</code> is also returned. Use the <code>NextToken</code> parameter in a new <code>ListTopics</code> call to get further results.</p> <p>This action is throttled at 30 transactions per second (TPS).</p>", :request {:NextToken string}, :response {:Topics [:seq-of {:TopicArn string}], :NextToken string}}

In the usual situation, you setup an AWS account once and never touch it again - I recommend: • using some sort of infra as code (Terraform would be my pick) • IAM roles for everything that runs in AWS • AWS SSO for local access - this way you can avoid generating any static AWS creds and use SSO profile to access all AWS API and in my experience it's much easier than assume-role mechanism • all of the above makes working with aws-api much easier

I woke interested to find a SSO service that has a free their I can use for my education/open source work. Hopefully I can use something like okta, need to check if that is only commercial (I don't have and don't want windows active directory) From the AWS docs I've read (the ones I understood and weren't out of date), what I have seems to be the only alternative. Terraform adds another layer of abstraction and I still need to know what to set up in order to put it into Terraform. Whilst I agree in principle, it's actually the details of making this all work in the first place that took many hours to piece together (and still some way to go)

I'll also give https://github.com/localstack/localstack amother try, although am sure it was a lot easier to use when I used it a few years ago 😜

Localstack is great, if you need only S3, then minio also works but has few missing pieces (at least last time I checked ACLs worked somewhat differently and pre-signing URLs didn't work)

But overall yes, setting up an AWS account getting the fundamentals (IAM, VPC networking) is a pain and in larger orgs, once you setup one you use stuff like Controltower to replicate base settings in sub accounts. Obviously AWS doesn't care about individual users, that's not where the $$$ comes from

Forgot about one thing - the cool bit with AWS SSO is that you can use it with Google Workspace for example, much cheaper and easier to setup than Okta

I would require a free SSO service as I don't generate income from my educational content, it's all freely available. I couldn't justify the cost for the use of AWS, not when other services provided limited free service for deployment (http://render.com, http://fly.io, etc.) I don't really want to put a paywall around the Clojure content I produced. But it's useful to know there are other options I can suggest to people. I used localstack for several services a couple of years ago, it seems very feature rich, but of course there will be limits Thanks for the ideas

FYI re: localstack, it's great but https://docs.localstack.cloud/user-guide/aws/feature-coverage/

@U05254DQM Absolutely, in education context - requiring AWS for learning is a huge ask. Arguably employers should pay for that 😉

Article (final draft I think) on https://practical.li/blog-staging/posts/access-aws-with-clojure-from-scratch/, using the simplest possible approach I could come up with (not the best or recommended approach though 😄 ) It does seem that AWS IAM Identity Center is a recommended way even for personal projects, although its likely to involve some more form filling (needs an Organisation too), so I'll create a revised approach next week (hopefully) For now this seems a good enough approach for just trying out the excellent Cognitect Labs AWS CLI tools https://practical.li/blog-staging/posts/access-aws-with-clojure-from-scratch/ (this is a staging site, so a temporary link. I'll pushing live tonight or tomorrow (unless people notice things that need fixing)

That's a good starter guide for sure - it gets the job done! One thing I'd include though - is stressing that the AWS free tier is anything but if things go wrong it's at their support's discretion to help (e.g. linking this post https://www.lastweekinaws.com/blog/aws-has-a-moral-responsibility-to-fix-the-free-tier/ as a precaution).

Published the very simplistic (and relatively quick approach to AWS accounts) https://clojurians.slack.com/archives/C8NUSGWG6/p1684532249922339

I will do a follow up on using AWS IAM Identity Center as an SSO provider (managing accounts in its own directory). It takes up to 24 hours to activate an AWS Organisation that is required to enable the IAM Identity Center, so will revisit next week.