1

I've been trying to set up the AWS command-line tools following Eric's most useful guide at http://alestic.com/2012/09/aws-command-line-tools.

I can't seem to find a good how-to for how to generate the x509 certificate and private key, and how that relates to the various security files the guide creates.

Update:

I have found a couple of links that describe some steps. These steps seem to work, however I'm not sure if this is secure & the best way to do it:

1) Create a private key

openssl genrsa -out my-private-key.pem 2048

2) Create x.509 cert

openssl req -new -x509 -key my-private-key.pem -out my-x509-cert.pem -days 365

Hit enter to accept all of the defaults.

Then, from the IAM Dashboard, User, select a user & click on the "Security Credentials" tab. Click on "Manage Signing Certificates", then "Upload Signing Certificate", paste in the contents of my-x509-cert.pem, click OK and it should be accepted.

One step that is discussed, but not required for me, was the addition and subsequent removal of a pass phrase on the private key. Should I have been prompted for one, and is my cert potentially unsafe because of this?

chris
  • 3
    Those dark blue things in his guide are links. Click on them. – Michael Hampton Oct 15 '12 at 18:03
  • @MichaelHampton: The link to https://aws-portal.amazon.com/gp/aws/securityCredentials DOES NOT WORK if you are using a user created in IAM. So maybe there's some magic pixie dust there that addresses my problem, but I can't get to it, and frankly your condescending answer is not helpful. – chris Oct 15 '12 at 18:48
  • 1
    If you've already tried things, you need to indicate this when you first ask the question. – Michael Hampton Oct 15 '12 at 18:51
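
A check that can be run against the files produced by steps 1 and 2 in the question, added here as an example and not part of the original post or its answer: it reports whether the private key is stored encrypted, whether only its owner can read it, and whether the certificate belongs to that key. The function names, the temporary directory and the `-subj` value are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Function names, the temp
# directory and the -subj value are constructed for the demonstration.
set -eu

# Succeeds if the PEM private key is passphrase-protected: traditional PEM
# carries a "Proc-Type: 4,ENCRYPTED" header, PKCS#8 has its own BEGIN line.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Succeeds if group and other have no permission bits on the file.
key_is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if the certificate's public key is the public half of the key.
# $3 is an optional -passin source; the default keeps openssl from prompting.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Steps 1 and 2 from the question, made non-interactive with -subj.
# genrsa without a cipher option (such as -aes256) does not prompt for a
# passphrase and writes the key unencrypted, so umask 077 restricts the file.
make_signing_pair() {
    ( umask 077
      openssl genrsa -out "$1/my-private-key.pem" 2048 2>/dev/null
      openssl req -new -x509 -key "$1/my-private-key.pem" \
          -out "$1/my-x509-cert.pem" -days 365 -subj "/CN=constructed-example" )
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_signing_pair "$dir"
key="$dir/my-private-key.pem"; cert="$dir/my-x509-cert.pem"

if key_is_encrypted "$key"; then echo "key: passphrase-protected"
else echo "key: stored unencrypted, file permissions are its only protection"; fi
if key_is_owner_only "$key"; then echo "key: readable by owner only"
else echo "key: readable by group or other, tighten with chmod 600"; fi
if cert_matches_key "$cert" "$key"; then echo "cert: matches private key"
else echo "cert: does NOT match private key"; fi
```

Only the certificate is pasted into the IAM console; the private key stays on the machine that signs requests.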

1 Answer

2

You can access, create, and rotate your primary AWS credentials here on Amazon's web site: https://portal.aws.amazon.com/gp/aws/securityCredentials

Using the primary AWS account, you can also create IAM (Identity and Access Management) credentials through the API, command line tools, and AWS console: https://console.aws.amazon.com/iam/home

If you are already using an IAM user account, then the owner of the master account may need to generate and give you your AWS IAM user's credentials. IAM users cannot currently access the securityCredentials page: https://forums.aws.amazon.com/message.jspa?messageID=262105

If your IAM user has been given access to the AWS console (through a unique username/password) and your IAM user has been given access to read and modify IAM data (through IAM policies) then you can modify your own IAM credentials through the "Security Credentials" tab on your IAM user: https://console.aws.amazon.com/iam/home?#s=Users

Eric Hammond
  • Eric - That link does not appear to be reachable if you are using a user account created under the main AWS account. – chris Oct 15 '12 at 18:52
  • 1
    chris: If you are using an IAM user account, then the owner of the master account will probably need to generate and give you your AWS IAM user's credentials. [added to body of answer] – Eric Hammond Oct 15 '12 at 19:01
  • I have IAM permissions, so can generate & upload certs, but just can't view that link. – chris Oct 15 '12 at 19:23
  • This means that your IAM user has been given access to read and write to the IAM data. It also means that your IAM user has been given access to the AWS console through a separate user/password login. I don't expect these are true of most IAM users, but it can be done. [added further notes to answer] – Eric Hammond Oct 16 '12 at 00:16
  • IAM stuff is in a different location (work account is IAM based, personal account is not). X509 generation is not implemented for IAM, and given the move away from that, my guess is it never will be. – Skaperen Oct 16 '12 at 01:07