# Intro

The two tools that you will need to follow along in this book are `aws-cli` and `boto3`. The `aws-cli` (AWS command line interface) is a command line tool that you may use to issue commands against AWS. It is essentially a higher-level wrapper around `boto3`, which is a Python SDK (software development kit). Sometimes you will find it easier to use `aws-cli` over `boto3`, or vice versa, depending on the context. Documentation is available for both [aws-cli](https://docs.aws.amazon.com/cli/index.html) and [boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html).

## Check versions

To check your version of `aws-cli`:

```sh
aws --version
```

```
aws-cli/1.16.292 Python/3.7.4 Linux/5.3.0-23-generic botocore/1.13.28
```


To check your version of `boto3`:

```sh
conda list | grep boto3
```

```
boto3                     1.10.28                    py_0    conda-forge
```


## Usage examples

### Listing bucket contents

Here's an example of using the `aws-cli` to list the contents of an `S3` bucket.

```sh
aws s3 ls s3://aws-certified-developer.oneoffcoder.com
```

```
2019-12-01 23:20:00         14 hello-world.txt
```


Here's an example using `boto3` to list the contents of the same `S3` bucket.

```python
import boto3

# The resource API gives object-oriented access to S3.
s3 = boto3.resource('s3')
bucket = s3.Bucket(name='aws-certified-developer.oneoffcoder.com')

# objects.all() returns a lazy collection; no request is made until it is iterated.
response = bucket.objects.all()
print(response)

# Each item is an ObjectSummary carrying the bucket name and the object key.
for r in response:
    print(r)
```

```
s3.Bucket.objectsCollection(s3.Bucket(name='aws-certified-developer.oneoffcoder.com'), s3.ObjectSummary)
s3.ObjectSummary(bucket_name='aws-certified-developer.oneoffcoder.com', key='hello-world.txt')
```


### Using Polly service

Here's an `aws-cli` example that uses the `Polly` service to synthesize speech.

```sh
aws polly synthesize-speech \
    --output-format mp3 \
    --voice-id Joanna \
    --text 'Hello world! One Off Coder is great!' \
    _static/artifacts/intro/output/hello-cli.mp3
```

```json
{
    "ContentType": "audio/mpeg",
    "RequestCharacters": "36"
}
```


Listen to the downloaded `mp3` file below.

<audio src="_static/artifacts/intro/output/hello-cli.mp3" controls>hello, world</audio>

Here's a `boto3` example that uses `Polly` to synthesize speech. Note that we specify a different voice here, `Aditi` instead of `Joanna`.

```python
import boto3

polly = boto3.client('polly')
result = polly.synthesize_speech(
    Text='Hello world! One Off Coder is great!',
    OutputFormat='mp3',
    VoiceId='Aditi')

# AudioStream is a streaming body; read it fully and write the bytes to disk.
audio = result['AudioStream'].read()
with open('_static/artifacts/intro/output/hello-boto3.mp3', 'wb') as f:
    f.write(audio)
```

Listen to the downloaded `mp3` file below.

<audio src="_static/artifacts/intro/output/hello-boto3.mp3" controls>hello, world</audio>

## Services

As of December 2019, AWS offers 146 services across 23 major categories.

| Category | Number of Services |
|----------|--------------------|
| Compute | 9 |
| Storage | 6 |
| Database | 7 |
| Migration & Transfer | 7 |
| Network & Content Delivery | 8 |
| Developer Tools | 6 |
| Customer Enablement | 3 |
| Robotics | 1 |
| Satellite | 1 |
| Management & Governance | 15 |
| Media Services | 9 |
| Machine Learning | 13 |
| Analytics | 11 |
| Security, Identity, & Compliance | 15 |
| AWS Cost Management | 3 |
| Mobile | 4 |
| AR & VR | 1 |
| Application Integration | 6 |
| Customer Engagement | 3 |
| Business Applications | 3 |
| End User Computing | 4 |
| Internet of Things | 10 |
| Game Development | 1 |

## Regions

AWS services and resources are hosted in separate, distinct locations around the world called `AWS Regions`. Each `AWS Region` is itself composed of multiple, separate `Availability Zones`, which are stated to be essentially different data centers. AWS resources such as `S3` buckets are duplicated across multiple (at least 3 for `S3`) `Availability Zones` for `high availability`. However, resources are **not** duplicated automatically between `AWS Regions`, and users are expected to duplicate resources manually. Any API call through `aws-cli` or `boto3` must specify the `AWS Region`, and such calls will only impact services and resources within that region. Some services like `IAM` (Identity and Access Management), however, do cover and apply across all `AWS Regions`. Here are the `AWS Regions` with example API endpoints for `RDS` (Relational Database Service).

| Region Name | Region | Endpoint | Protocol |
|-------------|--------|---------|----------|
| US East (Ohio) | us-east-2 | rds.us-east-2.amazonaws.com | HTTPS |
| US East (N. Virginia) | us-east-1 | rds.us-east-1.amazonaws.com | HTTPS |
| US West (N. California) | us-west-1 | rds.us-west-1.amazonaws.com | HTTPS |
| US West (Oregon) | us-west-2 | rds.us-west-2.amazonaws.com | HTTPS |
| Asia Pacific (Hong Kong) | ap-east-1 | rds.ap-east-1.amazonaws.com | HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 | rds.ap-south-1.amazonaws.com | HTTPS |
| Asia Pacific (Osaka-Local) | ap-northeast-3 | rds.ap-northeast-3.amazonaws.com | HTTPS |
| Asia Pacific (Seoul) | ap-northeast-2 | rds.ap-northeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 | rds.ap-southeast-1.amazonaws.com | HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 | rds.ap-southeast-2.amazonaws.com | HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 | rds.ap-northeast-1.amazonaws.com | HTTPS |
| Canada (Central) | ca-central-1 | rds.ca-central-1.amazonaws.com | HTTPS |
| China (Beijing) | cn-north-1 | rds.cn-north-1.amazonaws.com.cn | HTTPS |
| China (Ningxia) | cn-northwest-1 | rds.cn-northwest-1.amazonaws.com.cn | HTTPS |
| EU (Frankfurt) | eu-central-1 | rds.eu-central-1.amazonaws.com | HTTPS |
| EU (Ireland) | eu-west-1 | rds.eu-west-1.amazonaws.com | HTTPS |
| EU (London) | eu-west-2 | rds.eu-west-2.amazonaws.com | HTTPS |
| EU (Paris) | eu-west-3 | rds.eu-west-3.amazonaws.com | HTTPS |
| EU (Stockholm) | eu-north-1 | rds.eu-north-1.amazonaws.com | HTTPS |
| Middle East (Bahrain) | me-south-1 | rds.me-south-1.amazonaws.com | HTTPS |
| South America (Sao Paulo) | sa-east-1 | rds.sa-east-1.amazonaws.com | HTTPS |
| AWS GovCloud (US-East) | us-gov-east-1 | rds.us-gov-east-1.amazonaws.com | HTTPS |
| AWS GovCloud (US-West) | us-gov-west-1 | rds.us-gov-west-1.amazonaws.com | HTTPS |

Note the pattern in the API endpoint: `<service>.<region>.amazonaws.com`. Not all `AWS Regions` are created equal, as some may lack certain services and features. Here are criteria for selecting a particular `AWS Region`.

* `Service availability`: does the region have all the services you need?
* `Proximity and latency`: how close is the region to the users?
* `Data residency`: is the region compliant with regulations or contract agreements? 
* `Business continuity`: which regions are best for disaster recovery?
* `Price`: is operating within the region cheaper or more expensive?
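The endpoint pattern and the `Data residency` criterion can be checked together. The following is an added example, not code from the original page: it parses endpoint hostnames of the form shown in the table and reports any that fall outside an allowed set of regions. The allow-list, the sample hostnames and the function names are constructed for illustration.

```python
import re

# Constructed allow-list for this example: regions where data may reside.
ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}

# <service>.<region>.<suffix>; the .com.cn suffix is the one the table shows
# for the China regions.
_ENDPOINT_RE = re.compile(
    r"(?P<service>[a-z0-9-]+)\."
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\."
    r"(?P<suffix>amazonaws\.com(?:\.cn)?)"
)


def parse_endpoint(host):
    """Split an endpoint hostname into service, region and DNS suffix."""
    m = _ENDPOINT_RE.fullmatch(host.strip().lower().rstrip("."))
    if m is None:
        # Covers look-alikes such as rds.eu-west-1.amazonaws.com.example.org
        raise ValueError(f"not a regional AWS endpoint: {host!r}")
    parts = m.groupdict()
    # In the table, cn-* regions and only those use the .com.cn suffix.
    if parts["region"].startswith("cn-") != parts["suffix"].endswith(".cn"):
        raise ValueError(f"region and DNS suffix disagree: {host!r}")
    return parts


def residency_violations(hosts, allowed=ALLOWED_REGIONS):
    """Return (host, reason) for every endpoint outside the allowed regions."""
    bad = []
    for host in hosts:
        try:
            region = parse_endpoint(host)["region"]
        except ValueError as exc:
            bad.append((host, str(exc)))
            continue
        if region not in allowed:
            bad.append((host, f"region {region} not allowed"))
    return bad


if __name__ == "__main__":
    configured = [  # constructed sample configuration
        "rds.eu-central-1.amazonaws.com",
        "rds.us-east-1.amazonaws.com",
        "rds.cn-north-1.amazonaws.com",  # wrong suffix for a China region
        "rds.eu-west-1.amazonaws.com.example.org",  # look-alike host
    ]
    for host, reason in residency_violations(configured):
        print(f"{host}: {reason}")
```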

## API credentials

API access through `aws-cli` or `boto3` is controlled through `IAM`. In `IAM`, there are three types of objects.

* `Users` represent a user or application with `long-term` security credentials
* `Groups` represent a collection of users
* `Roles` represent a user or application with `short-term` security credentials

Users may be granted access to the `Management Console` or programmatic access. When accessing the Management Console, an IAM User authenticates with a user name and password; when making programmatic calls, an IAM user authenticates through an `Access Key ID` and `Secret Access Key` pair. An IAM Role must define trusted `principals` that may assume the role. In addition to an `Access Key ID` and `Secret Access Key` pair, an IAM Role also has a `session token` generated by the `AWS Security Token Service`. 

Both IAM Users and Roles are allowed or denied access to API actions based on `IAM Policies`. IAM Policies may be managed (preset) or customized. When creating custom IAM Policies, the `Effect`, `Action` and `Resource` must be defined. An example of a customized IAM Policy is as follows.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::www.oneoffcoder.com/*"
        }
    ]
}
```

Note the `Resource` uses an `Amazon Resource Name` or `ARN`. An `ARN` follows the convention

* `arn:<partition>:<service>:<region>:<account_id>:<resource>`
    
A resource may not require all parts of an ARN (as in the case of S3 above). IAM Policies are tricky and difficult to write and test. However, there are tools to help you write and test your IAM Policies.

* [Visual Policy Editor](https://aws.amazon.com/blogs/security/use-the-new-visual-editor-to-create-and-modify-your-aws-iam-policies/)
* [IAM Policy Simulator](https://policysim.aws.amazon.com)
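
Alongside those tools, a policy document can be checked offline before it is attached. The following is an added example, not code from the original page: it splits an ARN according to the convention above (empty fields included, as in the S3 case) and lists every `Allow` statement whose `Principal` is the wildcard, which is what makes the sample policy a public-read grant. The function names are hypothetical and the second ARN in the usage lines is constructed.

```python
import json

ARN_FIELDS = ("partition", "service", "region", "account_id", "resource")


def parse_arn(arn):
    """Split arn:<partition>:<service>:<region>:<account_id>:<resource>."""
    # maxsplit=5 keeps any ':' inside the resource part intact.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(ARN_FIELDS, parts[1:]))


def _as_list(value):
    # Policy elements may be a single value or a list of values.
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    if isinstance(principal, dict):  # e.g. {"AWS": "*"}
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"


def public_grants(policy_json):
    """List Allow statements whose Principal is the wildcard."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            findings.append({
                "sid": stmt.get("Sid"),
                "actions": _as_list(stmt.get("Action", [])),
                "resource": parse_arn(resource) if resource != "*" else None,
                # A Condition can narrow the grant; report it for review.
                "has_condition": "Condition" in stmt,
            })
    return findings


# The policy shown above, embedded so the example runs offline.
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::www.oneoffcoder.com/*"}]}"""

if __name__ == "__main__":
    print(public_grants(PAGE_POLICY))
    # Constructed ARN: the resource part itself contains a ':'.
    print(parse_arn("arn:aws:rds:us-east-1:123456789012:db:example-db"))
```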