So now let's talk about a theory lecture on the credentials provider chain in AWS. This is something that can come up in one question on the exam, so it's good for you to know about it.

So when you use the CLI, it will look for credentials in the following order. First it will look for command line options. So if you specify a region, output, a profile, or you specify the access key ID, secret access key and session token in the command line options, this has priority over anything. Then the second place it looks in is the environment variables. So if you set one of these environment variables and you haven't set a command line option, then this will take precedence. Then it will look into the CLI credentials file, which we set up when we run aws configure, then it will look into the CLI configuration file, configured the same way. Then it will look into the container credentials. So if you have an ECS task, it will look at the container credentials. And we haven't seen what ECS is yet, but very, very soon. And then finally, if we're using EC2 instance profiles, then it will look at the instance profile credentials.

So as we can see, the highest priority is going to be command line options, then environment variables. And the lowest priority is going to be around the EC2 instance profile credentials or the ECS container credentials. So the idea is that there is a priority, and this will be important in one scenario question that I will explain to you very, very soon.

So if we look at an SDK, for example the Java SDK, then there will be a similar idea. So the first property that will be taken into account will be the Java system properties. Then we will have the very important environment variables, such as access key ID and secret access key. And they have higher precedence than anything else except the Java system properties. Then we have the default credential profile files, the Amazon ECS container credentials and the instance profile credentials. So what we want to remember here is that the environment variables still have a higher precedence over, for example, the EC2 instance profile credentials. So why am I saying this to you? Well, here is the scenario, and this is the kind of thing you have to remember.

So, say you deploy an application on an EC2 instance and you're using environment variables from an IAM user to call the Amazon S3 API. That's a very bad practice, but say you've done it. So this IAM user whose permissions you've been using has S3 FullAccess permissions. That means that it can do anything it wants on every single bucket in Amazon S3. The application you deployed, though, only uses one Amazon S3 bucket. So according to best practices, because you've been watching this course, you are defining an IAM role and an EC2 instance profile that you are creating and assigning to the EC2 instance. And this role was assigned the minimum permissions to access only that one S3 bucket that the application is using. So you've done everything I said in this course: you're using the minimum permissions, you're creating EC2 instance profiles, and something happens, right? You've incite it. And then, even though the instance profile was assigned to the EC2 instance, it still has access to all the S3 buckets. The question is, why?

So from what I've said, can you guess the answer? Well, the answer is that the credentials chain is still giving priority to the environment variables that you've set from before. So the only way for you to get rid of them is to unset these environment variables. And then, by looking into the credentials chain priority, it will at the end leverage the EC2 instance profile and the permissions that come out of it. So this is a common scenario question, and hopefully that makes sense for you.

So, credentials best practices though: never, ever, ever, ever store your credentials in your code. That is extremely bad practice. The best practice is for the credentials to be inherited from the credentials chain. So that means that if you're working within AWS, use IAM roles as much as possible. That means that you must use EC2 instance roles for EC2 instances, or ECS roles for ECS tasks, or, as we'll see, Lambda roles for Lambda functions. You get the idea. Within AWS, use IAM roles as much as possible.

If you're working outside of AWS, then use the environment variables or named profiles, just like we've been doing when we configured our CLI, okay. But never, ever, ever store your credentials directly in your code. That is horrible practice. So that's it. Hope that was helpful. And I will see you in the next lecture.
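The lecture's precedence order and the EC2 scenario can be reasoned about offline with a small model of the chain. The following is an added example, not code from the course or from the AWS CLI/SDKs: it walks the lookup order the lecture gives (command line options, environment variables, credentials file, config file, container credentials, instance profile), parses the INI-style credential and config files with the standard library, flags the case where static keys in the environment shadow an attached role, and applies the fix the lecture gives (unsetting those variables). The environment variable names are the real ones the AWS tools read; the function names, the `cli_options` dictionary, and all key values and file contents are constructed for the example and are not real credentials.

```python
"""Model of the AWS credential provider chain from the lecture (added example).

Nothing here talks to AWS. It reproduces only the lookup ORDER so the
"env vars shadow the instance profile" scenario can be checked offline.
"""
import configparser
from typing import Dict, List, Optional, Tuple

# Real variable names read by the AWS CLI and SDKs.
STATIC_ENV_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
CONTAINER_ENV_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"  # set by ECS for a task


def _profile_key(ini_text: str, profile: str, is_config_file: bool) -> Optional[str]:
    """Return aws_access_key_id for `profile` from an INI-style AWS file, if present.

    ~/.aws/credentials names every profile by its bare name ([default], [dev]);
    ~/.aws/config names non-default profiles as [profile dev].
    """
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    section = f"profile {profile}" if (is_config_file and profile != "default") else profile
    if parser.has_section(section):
        return parser.get(section, "aws_access_key_id", fallback=None)
    return None


def resolve_credential_source(
    cli_options: Dict[str, str],          # hypothetical: models "command line options"
    env: Dict[str, str],
    credentials_file: str = "",
    config_file: str = "",
    instance_profile_attached: bool = False,
) -> Tuple[str, Optional[str]]:
    """Walk the chain in the lecture's precedence order; return (source, access key id).

    The first source that yields credentials wins; later sources are never consulted.
    """
    profile = cli_options.get("profile") or env.get("AWS_PROFILE", "default")

    # 1. Command line options
    if "aws_access_key_id" in cli_options:
        return "command line options", cli_options["aws_access_key_id"]
    # 2. Environment variables
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment variables", env["AWS_ACCESS_KEY_ID"]
    # 3. CLI credentials file (~/.aws/credentials)
    key = _profile_key(credentials_file, profile, False) if credentials_file else None
    if key:
        return "credentials file", key
    # 4. CLI config file (~/.aws/config)
    key = _profile_key(config_file, profile, True) if config_file else None
    if key:
        return "config file", key
    # 5. Container credentials (ECS task role, fetched from the agent at run time)
    if env.get(CONTAINER_ENV_VAR):
        return "container credentials", None
    # 6. EC2 instance profile (fetched from the instance metadata service at run time)
    if instance_profile_attached:
        return "instance profile", None
    return "none", None


def shadowing_warnings(env: Dict[str, str], instance_profile_attached: bool) -> List[str]:
    """Defender check for the lecture's scenario: static keys in the environment
    silently outrank an attached least-privilege role."""
    present = [v for v in STATIC_ENV_VARS if env.get(v)]
    if present and (instance_profile_attached or env.get(CONTAINER_ENV_VAR)):
        return [", ".join(present) + " set in environment; they shadow the role-based "
                "credentials, so the application runs with the IAM user's permissions"]
    return []


def scrub_static_credentials(env: Dict[str, str]) -> Dict[str, str]:
    """The fix from the lecture: unset the static variables so the chain falls
    through to the instance profile. Returns a new mapping; os.environ is untouched."""
    return {k: v for k, v in env.items() if k not in STATIC_ENV_VARS}


# Constructed sample: an instance with a least-privilege role attached,
# but leftover IAM-user keys exported in the environment (values are fake).
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "AKIACONSTRUCTEDEXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "constructed/secret/not/real",
    "PATH": "/usr/bin",
}

# Constructed ~/.aws/credentials content with a second named profile.
SAMPLE_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIACREDFILEDEFAULT
aws_secret_access_key = constructed
[dev]
aws_access_key_id = AKIACREDFILEDEV
aws_secret_access_key = constructed
"""

if __name__ == "__main__":
    print("before:", resolve_credential_source({}, SAMPLE_ENV, instance_profile_attached=True))
    for warning in shadowing_warnings(SAMPLE_ENV, instance_profile_attached=True):
        print("WARNING:", warning)
    clean_env = scrub_static_credentials(SAMPLE_ENV)
    print("after: ", resolve_credential_source({}, clean_env, instance_profile_attached=True))
```

Run as a script, the "before" line reports `environment variables` and the "after" line reports `instance profile`, which is exactly the behaviour the scenario question hinges on: attaching the role changes nothing until the static variables are unset. The `shadowing_warnings` check is the kind of pre-flight assertion worth running in an instance's startup script, since the CLI and SDKs give no warning of their own when a higher-precedence source wins.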