# aws command line interface (`cli`)

## what is the `aws cli`?

up until this point, all of the work we've done with aws services has been via their point-and-click web console. the console is pretty good (inconsistently formatted, but generally self-explanatory), but it is not the only way to interact with aws services.

amazon has also created a command line interface (`cli`) tool which can be used to perform many (all?) of the actions one might perform on the console via a `python` program used on the command line.

## why use the `cli`

there are many reasons you may wish to use the `cli`, but the primary motivations are that

1. it is possible to script and automate actions with the `cli`, and not so easy (or possible) via the web console
2. it can be called from within `python` scripts
3. the authentication process is different and -- depending on your perspective -- less onerous
4. the interface from one service to the next is actually more consistent than the web console
5. you can plug it in to other command line tools (e.g. your data science pipeline process!)
6. I'm telling you you should and I have great authority

### an example

maybe it would help to understand the sorts of things you might want to do with the `cli`. One project we are working on for "fun" at ERI is predictive modeling of power outages. we found out that a Connecticut power company (Eversource) posted [their reported outages](https://www.eversource.com/clp/outage/outagemap.aspx) on a webpage as a `json` request.

we started downloading those files every 15 minutes, and we used an `aws` `ec2` instance to do that download. We actually saved those files to that machine, but we *could* have pushed them to `s3` instead -- it would have been as easy as

```bash
aws s3 cp outage.json s3://data.eri.com/eversource/outages/
```

the `cli` exposes every service as if it were a linux tool -- that's pretty cool.

## installing the `cli`

the `cli` is available for windows (download page [here](https://aws.amazon.com/cli/)), but we will all be using it from our beautiful new `ec2` instances.

in the linux and mac world, you install the `awscli` python package. let's do that!

first thing's first: log in to your `ec2` instance now.

you may already have the `cli` installed (given that we picked the aws-maintained free tier ubuntu `ami`). let's check:

```bash
which aws
```

if the result of the above was nothing or an error, we need to install the `cli`. we will do that using `pip`:

```bash
# the default pip in this linux ami is pip2. no idea why
sudo apt install python3-pip
pip3 install awscli
```

*note*: we didn't `conda` install this package because aws doesn't offer their package via `conda`. this is rare, but not uncommon. I suggest you always try to `conda` install first, and then `pip` install if that is not possible

the documentation recommends that all users attempt to update their `cli` immediately after installation, so whether you already had it installed or just `pip`-installed it yourself, you should run the following:

```bash
aws --version
pip3 install --upgrade --user aws
aws --version
```

## using the `cli`

the `cli` acts as a standalone service when interfacing with all the different `aws` services we may own and operate.

because `aws` considers it to be on the same level as a "user," the `cli` needs to "sign in" to those services the same way we would. the authentication method and credentials we use to sign in to our console account are not fit for sharing in this way, so we use an alternative (and standard) authentication method: "access keys."

often times, when you sign up for a REST api (application program interface), you are given an API key or authentication key -- this is generally a unique public and private key pair that allow the api to know that the "owner" (in this case: you) "knows about" the requests that are being made to that api in their (your) name.

back in the very very very first lecture so many days ago, you *downloaded a csv* with a bunch of information in it, including an access key id and access key value for your account.

you still have that right?

**right?**

<div align="center">**access key creation exercise**</div>
<div align="center">**https://console.aws.amazon.com/iam/home?region=us-east-1#/users/**</div>
<br><br>
<div align="center">*make sure to save the access key value somewhere secure -- you can't ever get it again*</div>

each `iam` user has the ability to have up to two access keys. to create one for yourself:

1. head over to the [`iam` `users` dashboard](https://console.aws.amazon.com/iam/home?region=us-east-1#/users/).
2. select your personal user account.
3. click on the "Security credentials" tab
4. click on the "Create access key" button
5. SAVE THIS ACCESS KEY VALUE!!!
    1. **you can't ever get this again**
    2. you can create other access keys, so it's not the literal end of the world
6. click "ok"

ok. at this point we should all have:

1. an access key ID (recoverable at any time from the `iam` console
2. an access key *value* (if you don't have it, you done goofed, and have to do it again)

so how do we *use* this access key?

let's log in to our `ec2` server and try it out!

<div align="center">**log in to your ec2 instance if you haven't already**</div>

the first thing we do is run the `aws configure` command to add our access key information.

**best practice note**: `cli` supports a concept called "profiles" -- you could add more than one set of access keys to a single `ec2` instance and user account. 

for example, suppose you have one `ec2` server for generic web-scraping or etl work, but several different client projects. you could create a separate "profile" for each project.

I recommend using profiles from the beginning. let's create one with the same name as your user account for now:

```bash
aws configure --profile [whatever you want to use as your profile name]
```

the prompts that follow will request the access key id and access key value, so I hope you've gotten the message at this point that you should save them somewhere you won't lose them...

just kidding, after you've done this, they're actually saved in plain text on your file system: check out

```bash
less ~/.aws/config
```

what do you think of this? how secure is or isn't this? who can see this?

let's verify that everything worked:

```bash
aws ec2 describe-instances --profile [whatever you used as your profile name]
```

you should see a big, sloppy mess of info from this -- if not, let's debug!

<div align="center">***all aboard the terminal train***</div>
<img src="https://i.stack.imgur.com/KbxXW.png"></img>

# END OF LECTURE

next lecture: [AWS `s3` (simple storage service)](007_s3.ipynb)