This appendix provides a guide for authenticating to AWS using Terraform, including steps to create an AWS account, set up an IAM user, and configure access credentials. It emphasizes the importance of using an IAM user instead of the root account and details how to install the AWS CLI and configure the credentials file. Finally, it explains how to configure the AWS provider in Terraform using the stored credentials.
Appendix Authentication To Aws
appendix A Authenticating to AWS
The AWS provider for Terraform provisions infrastructure to
Amazon Web Services (AWS) using cloud service APIs. This appendix
walks through the steps necessary to set up a new AWS account,
create an IAM user, and configure access credentials using the CLI.
Creating an AWS account
The AWS free tier is automatically activated for all new accounts,
providing access to many AWS services free of charge (within quota
limits). To create a new AWS account (see http://mng.bz/K42P), follow
these steps:
1. In the web browser, open the AWS home page
(https://aws.amazon.com), and click the Create an AWS Account
button.
2. Enter your account information, and choose Continue.
3. If you’re creating a personal account, choose Personal Account,
and enter all the personal information.
You will receive an email confirming that your account has been
created. After you verify your email, you can sign in to the console
using your root account email and password.
Creating an IAM user
Using the AWS root account is not recommended except for tasks
that specifically require root user access. Instead, create an Identity
and Access Management (IAM) user, grant it administrator access, and
sign in with that user. You create an administrator IAM user as
follows (see http://mng.bz/9NOx):
1. Sign in to the IAM console, and choose Add User.
2. Select the check box for AWS Management Console access, select
Custom Password, and type in your new password.
3. On the Permissions page, either directly attach the
AdministratorAccess policy or add the user to a group that already
has this policy.
Under the Security Credentials tab, you can then create access keys
to authenticate against AWS service APIs. You can either set these
directly as environment variables (AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY; see http://mng.bz/jBgz) or place them in
an AWS config file. If you choose the second option, you will first
need to install the AWS CLI.
Installing the AWS CLI (optional)
The AWS CLI is a tool that allows programmatic access against AWS
services. It’s distributed for Windows, Mac, and Linux operating
systems and is available for download at
https://aws.amazon.com/cli.
Configuring the credentials file
The AWS CLI stores credentials information in a credentials file (see
http://mng.bz/WrP4). On Linux and Mac, this is ~/.aws/credentials;
and on Windows, it’s %USERPROFILE%\.aws\credentials. You can
use the aws configure command to quickly set and view your credentials.
The optional --profile flag creates a named profile. If you
do not set this, the profile you create is the default profile.
The following sample code configures credentials via the CLI.
Replace the access keys and region with your own:
$ aws configure --profile tf-user
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
Once you’re finished, the credentials are stored in your credentials
file:
[tf-user]
output = json
region = us-west-2
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Configuring the AWS provider in Terraform
Now that you’ve obtained credentials and stored them in a profile,
you can use them in Terraform. You can do this by declaring a
provider block:
provider "aws" {
  profile = "tf-user"
}
NOTE If you are using the default profile, you can simply have an
empty provider declaration.
There are other ways to configure the AWS provider. Consult the
provider documentation page for more information (http://mng.bz/8WpZ).
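A preflight check for the setup described above, added here as an example (it is not code from the book, Terraform, or AWS): it reads the profile name from a provider "aws" block, then confirms that the credentials file contains that profile with both keys and is not readable by group or others. The function names, the simple regex reading of the provider block (no nested blocks), and the 0600 expectation are assumptions of this example; the sample block and file are constructed.

```python
import configparser
import os
import re
import tempfile

def provider_profile(tf_source):
    """Profile named in the first provider "aws" block; "default" if the block sets none."""
    block = re.search(r'provider\s+"aws"\s*\{(.*?)\}', tf_source, re.S)
    if block is None:
        return None
    match = re.search(r'^\s*profile\s*=\s*"([^"]+)"', block.group(1), re.M)
    return match.group(1) if match else "default"

def audit_credentials(path, profile):
    """Return a list of findings for `profile` in the credentials file at `path`."""
    if not os.path.isfile(path):
        return [f"{path}: file not found"]
    findings = []
    # The file holds long-lived secrets: no group/other permission bits should be set.
    mode = os.stat(path).st_mode & 0o777
    if os.name == "posix" and mode & 0o077:
        findings.append(f"mode {mode:04o} is too open, use 0600")
    # interpolation=None: a secret key containing '%' must be read literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    if not parser.has_section(profile):
        return findings + [f"profile [{profile}] not found"]
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        if not parser.get(profile, key, fallback="").strip():
            findings.append(f"profile [{profile}] is missing {key}")
    return findings

def demo():
    """Audit a constructed credentials file against a constructed provider block."""
    tf_source = 'provider "aws" {\n  profile = "tf-user"\n}\n'
    creds = ("[tf-user]\nregion = us-west-2\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
             "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w") as handle:
            handle.write(creds)
        os.chmod(path, 0o644)  # deliberately too open, to trigger the finding
        loose = audit_credentials(path, provider_profile(tf_source))
        os.chmod(path, 0o600)
        return loose, audit_credentials(path, provider_profile(tf_source))

if __name__ == "__main__":
    print(demo())
```

An empty list from audit_credentials means the profile Terraform will look up is present, complete, and stored in a file only its owner can read.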