
Calling AWS Services from an Environment in AWS Cloud9

You can call AWS services from an AWS Cloud9 development environment. For example, you can:

  • Upload and download data in Amazon Simple Storage Service (Amazon S3) buckets.

  • Send broadcast notifications through Amazon Simple Notification Service (Amazon SNS) topics.

  • Read and write data in Amazon DynamoDB (DynamoDB) databases.

You can call AWS services from your environment in several ways. For example, you can use the AWS Command Line Interface (AWS CLI) to run commands from a terminal session. You can also call AWS services from code you run within your environment, using AWS SDKs for programming languages such as JavaScript, Python, Ruby, PHP, Go, and C++. For more information, see the AWS CLI User Guide and AWS SDKs.

Each time the AWS CLI or your code calls an AWS service, the AWS CLI or your code must provide a set of AWS access credentials along with the call. These credentials determine whether the caller has the appropriate permissions to make the call. If the credentials don't cover the appropriate permissions, the call will fail.

There are several ways to provide credentials to your environment. The following table describes some approaches.

Environment type: Amazon EC2
Approach: Use AWS managed temporary credentials.

We recommend this approach for an EC2 environment. AWS managed temporary credentials manage AWS access credentials in an EC2 environment on your behalf, while also following AWS security best practices.

If you are using an EC2 environment, you can skip the rest of this topic, as AWS managed temporary credentials are already set up for you in the environment.

For more information, see AWS Managed Temporary Credentials.

Environment type: Amazon EC2
Approach: Attach an IAM instance profile to the instance.

You should only use this approach if for some reason you can't use AWS managed temporary credentials. Similar to AWS managed temporary credentials, an instance profile manages AWS access credentials on your behalf. However, you must create, manage, and attach the instance profile to the Amazon EC2 instance yourself.

For instructions, see Create and Use an Instance Profile to Manage Temporary Credentials.

Environment type: Amazon EC2 or SSH
Approach: Store your permanent AWS access credentials within the environment.

This approach is less secure than using temporary AWS access credentials. However, it is the only supported approach for an SSH environment.

For instructions, see Create and Store Permanent Access Credentials in an Environment.

Environment type: Amazon EC2 or SSH
Approach: Insert your permanent AWS access credentials directly into your code.

We discourage this approach because it doesn't follow AWS security best practices.

Because we discourage this approach, we do not cover it in this topic.

Create and Use an Instance Profile to Manage Temporary Credentials

Note

You cannot use this procedure for an AWS Cloud9 SSH development environment. Instead, skip ahead to Create and Store Permanent Access Credentials in an Environment.

We recommend using AWS managed temporary credentials instead of an instance profile. Follow these instructions only if for some reason you cannot use AWS managed temporary credentials. For more information, see AWS Managed Temporary Credentials.

In this procedure, you will use the IAM and Amazon EC2 consoles to create and attach an IAM instance profile to the Amazon EC2 instance that connects to your environment. This instance profile will manage temporary credentials on your behalf. This procedure assumes you have already created an environment in AWS Cloud9. To create an environment, see Create an Environment.

To create an instance profile

Note

If you already have an IAM role that contains an instance profile, skip ahead to the next procedure, To attach an instance profile to an instance.

  1. Sign in to the IAM console, at https://console.aws.amazon.com/iam.

    For this step, we recommend you sign in using credentials for an IAM administrator user in your AWS account. If you cannot do this, check with your AWS account administrator.

  2. In the navigation bar, choose Roles.

    Note

    You cannot use the IAM console to create an instance profile by itself. You must create an IAM role, which contains an instance profile.

  3. Choose Create New Role.

  4. On the Step 1: Set Role Name page, for Role Name, type a name for the role, for example my-demo-cloud9-instance-profile.

  5. Choose Next Step.

  6. On the Step 2: Select Role Type page, with AWS Service Roles already chosen, next to Amazon EC2, choose Select.

    Note

    The Create Role wizard skips the Step 3: Establish Trust page. This is because on the Step 2: Select Role Type page, you chose for the role to trust Amazon EC2.

  7. On the Step 4: Attach Policy page, in the list of policies, select the box next to AdministratorAccess, and then choose Next Step.

    Note

    The AdministratorAccess policy allows unrestricted access to all AWS actions and resources across your AWS account. It should be used only for experimentation purposes. For more information, see Overview of IAM Policies in the IAM User Guide.

  8. On the Step 5: Review page, choose Create Role.

To attach the role's instance profile to the instance, see the next procedure, To attach an instance profile to an instance.

To attach an instance profile to an instance

  1. Sign in to the Amazon EC2 console, at https://console.aws.amazon.com/ec2.

    For this step, we recommend you sign in using credentials for an IAM administrator user in your AWS account. If you cannot do this, check with your AWS account administrator.

  2. In the navigation bar, be sure the region selector displays the AWS Region that matches the one for your environment. For example, if you created your environment in the US East (Ohio) region, choose US East (Ohio) in the region selector here as well.

  3. Choose the Running Instances link or, in the navigation pane, expand Instances, and then choose Instances.

  4. In the list of instances, choose the instance with the Name that includes your environment name. For example, if your environment name is my-demo-environment, choose the instance with the Name that includes my-demo-environment.

  5. Choose Actions, Instance Settings, Attach/Replace IAM Role.

    Note

    Although you are attaching a role to the instance, the role contains an instance profile.

  6. On the Attach/Replace IAM Role page, for IAM role, choose the name of the role you identified or that you created in the previous procedure, and then choose Apply.

  7. Back in the environment, use the AWS CLI to run the aws configure command. Do not specify any values for AWS Access Key ID or AWS Secret Access Key (press Enter after each of these prompts). For Default region name, specify the AWS Region closest to you or the region where your AWS resources are located. For example, us-east-2 for the US East (Ohio) Region. For a list of regions, see AWS Regions and Endpoints in the Amazon Web Services General Reference. Optionally, specify a value for Default output format (for example, json).
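
One way to confirm that step 7 took effect, as an added example that is not part of the AWS guide: static keys in environment variables or in ~/.aws/credentials take precedence over the instance profile in the AWS CLI, so this check reads `aws configure list` output and verifies that both key rows report the `iam-role` type. The two listings are constructed samples and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: confirm the AWS CLI resolves credentials from the instance
# profile rather than from static keys that shadow it.

# Constructed sample of `aws configure list` on an instance with a role attached.
SAMPLE_ROLE='      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************MPLE         iam-role
secret_key     ****************EKEY         iam-role
    region                us-east-2      config-file    ~/.aws/config'

# Constructed sample where exported AWS_* variables override the role.
SAMPLE_ENV='      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************MPLE              env
secret_key     ****************EKEY              env
    region                us-east-2              env    AWS_DEFAULT_REGION'

# Print the Type column for one row (for example access_key) read from stdin.
cred_type() {
  awk -v row="$1" '{ sub(/<not set>/, "<not_set>") } $1 == row { print $3; exit }'
}

# Return 0 only when both key rows come from the instance profile ("iam-role").
uses_instance_profile() {
  _rc=0
  for _row in access_key secret_key; do
    _src=$(printf '%s\n' "$1" | cred_type "$_row")
    if [ "$_src" != "iam-role" ]; then
      echo "WARN: $_row resolved from '${_src:-nothing}', not the instance profile" >&2
      _rc=1
    fi
  done
  return "$_rc"
}

# Live use inside the environment: uses_instance_profile "$(aws configure list)"
uses_instance_profile "$SAMPLE_ROLE" && echo "role sample: OK"
uses_instance_profile "$SAMPLE_ENV" || echo "env sample: static keys shadow the role"
```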

You can now start calling AWS services from your environment. To use the AWS CLI to call AWS services, see the AWS CLI Sample. To call AWS services from your code, see our other samples.

Create and Store Permanent Access Credentials in an Environment

Note

If you are using an AWS Cloud9 EC2 development environment, we recommend you use AWS managed temporary credentials instead of AWS permanent access credentials. To work with AWS managed temporary credentials, see AWS Managed Temporary Credentials.

To create permanent access credentials

In this procedure, you use the AWS Identity and Access Management (IAM) console to generate a set of permanent credentials that the AWS CLI or your code can use when calling AWS services. This set includes an AWS access key ID and an AWS secret access key, which are unique to your user in your AWS account. If you already have an AWS access key ID and an AWS secret access key, note those credentials, and then skip ahead to the next procedure, To store permanent access credentials in an environment.

  1. Sign in to the IAM console, at https://console.aws.amazon.com/iam.

    For this step, we recommend you sign in using credentials for an IAM administrator user in your AWS account. If you cannot do this, check with your AWS account administrator.

  2. In the navigation bar, choose Users.

  3. In the list of users, choose the name of the user you created or identified in Team Setup.

  4. Choose the Security credentials tab.

  5. For Access keys, choose Create access key.

  6. In the Create access key page, choose Show, and make a note of the Access key ID and Secret access key values. We recommend you also choose Download .csv file and save these credentials in a secure location.

To store your permanent access credentials in an environment, see the next procedure, To store permanent access credentials in an environment.

To store permanent access credentials in an environment

In this procedure, you use the AWS Cloud9 IDE to store your permanent AWS access credentials in your environment. This procedure assumes you have already created an environment in AWS Cloud9, opened the environment, and are displaying the AWS Cloud9 IDE in your web browser. For more information, see Creating an Environment and Opening an Environment.

Note

The following procedure shows how to store your permanent access credentials by using environment variables. If you have the AWS CLI installed in your environment, you can use the aws configure command to store your permanent access credentials instead. For instructions, see Quick Configuration in the AWS CLI User Guide.

  1. With your environment open, in the AWS Cloud9 IDE, start a new terminal session, if one is not already started. To start a new terminal session, on the menu bar, choose Window, New Terminal.

  2. Run each of the following commands, one command at a time, to set local environment variables representing your permanent access credentials. In these commands, YOUR-ACCESS-KEY-ID is your AWS access key ID, YOUR-SECRET-ACCESS-KEY is your AWS secret access key, and YOUR-DEFAULT-REGION-ID is the AWS Region identifier associated with the AWS Region closest to you (or your preferred AWS Region). For a list of available identifiers, see AWS Regions and Endpoints in the Amazon Web Services General Reference. For example, for the US East (Ohio) Region, you would use us-east-2.

    export AWS_ACCESS_KEY_ID=YOUR-ACCESS-KEY-ID
    export AWS_SECRET_ACCESS_KEY=YOUR-SECRET-ACCESS-KEY
    export AWS_DEFAULT_REGION=YOUR-DEFAULT-REGION-ID

  3. Note that the preceding environment variables are valid only for the current terminal session. To make these environment variables available across terminal sessions, you must add them to your shell profile file as user environment variables. To do this, do the following:

    1. In the Environment window of the IDE, choose the gear icon, and then choose Show Home in Favorites. Repeat this step and choose Show Hidden Files as well.

    2. Open the ~/.bashrc file.

    3. Type or paste the following code at the end of the file. In these commands, YOUR-ACCESS-KEY-ID is your AWS access key ID, YOUR-SECRET-ACCESS-KEY is your AWS secret access key, and YOUR-DEFAULT-REGION-ID is the AWS Region identifier associated with the AWS Region closest to you (or your preferred AWS Region). For a list of available identifiers, see AWS Regions and Endpoints in the Amazon Web Services General Reference. (For example, for the US East (Ohio) Region, you would use us-east-2.)

      export AWS_ACCESS_KEY_ID=YOUR-ACCESS-KEY-ID
      export AWS_SECRET_ACCESS_KEY=YOUR-SECRET-ACCESS-KEY
      export AWS_DEFAULT_REGION=YOUR-DEFAULT-REGION-ID

    4. Save the file.

    5. Source the ~/.bashrc file to load these new environment variables.

      . ~/.bashrc

You can now start calling AWS services from your environment. To use the AWS CLI to call AWS services, see the AWS CLI Sample. To call AWS services from your code, see our other samples.
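
Storing keys in ~/.bashrc as described above leaves long-lived credentials in a plaintext file, so a periodic audit is worth having. The following added example (not part of the AWS guide; function names are hypothetical) lists where `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are assigned in profile files without echoing their values, and flags files readable by group or others. It goes slightly beyond the procedure by accepting several files at once.

```shell
#!/usr/bin/env bash
# Added example: audit shell profile files for static AWS keys at rest.

# Print "file:line:VARIABLE" for each key assignment; the value is never echoed.
find_static_keys() {
  for _p in "$@"; do
    [ -f "$_p" ] || continue
    awk -v f="$_p" '
      /^[ \t]*#/ { next }   # skip commented-out lines
      { line = $0
        while (match(line, /AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)=/)) {
          print f ":" NR ":" substr(line, RSTART, RLENGTH - 1)
          line = substr(line, RSTART + RLENGTH)
        } }' "$_p"
  done
}

# Return 0 when neither group nor others can read the file.
owner_only() {
  [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Report every hit, flag over-permissive files, return 1 if any key is stored.
audit_profiles() {
  _rc=0
  for _f in "$@"; do
    _hits=$(find_static_keys "$_f")
    [ -n "$_hits" ] || continue
    _rc=1
    printf '%s\n' "$_hits"
    owner_only "$_f" || echo "$_f: readable by group or others, run chmod 600"
  done
  return "$_rc"
}

# Demo on a constructed profile file (placeholder values, not real keys).
demo=$(mktemp)
printf '%s\n' 'export AWS_ACCESS_KEY_ID=EXAMPLE-ID' \
  'export AWS_SECRET_ACCESS_KEY=EXAMPLE-SECRET' > "$demo"
chmod 644 "$demo"
audit_profiles "$demo" || echo "static keys found: rotate or move to temporary credentials"
rm -f "$demo"
# Real use: audit_profiles ~/.bashrc ~/.bash_profile ~/.profile
```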