# Controlling the Cloud with Boto3

The cloud is a big buzzword in modern-day computing. Virtualised computers can be managed with our favorite programming language, allowing us to control and automate them and take care of the tasks that we don't want to do ourselves!

To undertake this workstation you will need an AWS account. If you are prepared to give your details to AWS you can get a developer account for free [here](https://portal.aws.amazon.com/billing/signup?refid=em_127222&redirect_url=https%3A%2F%2Faws.amazon.com%2Fregistration-confirmation#/start).

## Setting up API access
Once we have created our account we will need to create a user for our tests. Browse to the [IAM](https://console.aws.amazon.com/iam/home#/home) section of the AWS account and add a user. To do this:
- Click Add User
- Give it a Name
- Under Access Types select Programmatic Access
- Then select the permissions page:
  - Attach existing policies directly
  - Search for the "AmazonFullAdminAccess" and apply this.

On the final screen of the user creation you will be given an access and secret key. Remember these and keep them private! They are the Username and Password to your AWS Account for your robot user!

## Setting up the Workstation
If we are working from our local workstations we need to install the `boto3` module with pip:
```
$ pip install awscli boto3 -U --ignore-installed six
```
This works for me: it installs the module as well as a handy command-line tool. It also ignores a default module (`six`) that generally causes more hassle with deployment than it is worth.

## Working with our Account
There are many ways to give your credentials to the boto3 module.

### Shared Credentials File
The shared credentials file will by default live in your home directory under `.aws/credentials`, but its location can be changed with the `AWS_SHARED_CREDENTIALS_FILE` environment variable.

This file will contain the details needed for the module to access the account as we program it to.
It should look like:
```
[default]
aws_access_key_id=foo
aws_secret_access_key=bar
```

We could have many profiles:

```
[default]
aws_access_key_id=foo
aws_secret_access_key=bar

[dev]
aws_access_key_id=foo2
aws_secret_access_key=bar2

[prod]
aws_access_key_id=foo3
aws_secret_access_key=bar3
```
and use all of them in a program or from the command line.
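Because this file holds every profile's keys in plain text, it is worth checking who can read it and which profiles carry long-term keys that need deleting after the exercise. The following is an added example, not part of the original workbook: the function name `audit_credentials_file` and the sample file contents are assumptions made for illustration, and all keys in it are placeholders.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample; every key below is a placeholder, not a real credential.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id=AKIAIO5FODNN7EXAMPLE
aws_secret_access_key=placeholder-secret-1

[dev]
aws_access_key_id=ASIAEXAMPLEEXAMPLE00
aws_secret_access_key=placeholder-secret-2
aws_session_token=placeholder-token

[prod]
aws_access_key_id=AKIAEXAMPLEEXAMPLE00
"""


def audit_credentials_file(path):
    """Return (profile, issue) findings; secrets are never returned."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("<file>", f"mode {mode:04o} is open to other users, use 0600"))
    # Values are opaque strings: disable '%' interpolation so they are read verbatim.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    for profile in parser.sections():
        section = parser[profile]
        key_id = section.get("aws_access_key_id", "")
        # AKIA marks a long-term IAM user key; ASIA marks temporary credentials.
        if key_id.startswith("AKIA"):
            findings.append((profile, "long-term access key on disk"))
        if key_id and not section.get("aws_secret_access_key"):
            findings.append((profile, "access key id without a secret key"))
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w") as handle:
            handle.write(SAMPLE_CREDENTIALS)
        os.chmod(path, 0o644)
        for finding in audit_credentials_file(path):
            print(finding)
```

Point it at your real file with `audit_credentials_file(os.path.expanduser("~/.aws/credentials"))`.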

### Environment Variables
You can specify your keys on the command line as environment variables: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` can be exported to hold your keys and allow you to work with them.

Those not following along will see this in the console as we run our code.


### All Set?

If you are working locally and followed along you should be able to run:
```
aws ec2 describe-vpcs --region eu-west-2
```
...and it shouldn't crash! 😹

This command describes the default virtual networks in AWS which we can deploy to.

### One final way to add our variables.
We can also add our variables directly to our code. This can be useful when we need to handle more than one persona or more than one AWS account.

```
!pip install boto3
import boto3

# Do not hard code credentials
client = boto3.client(
    's3',
    # Hard coded strings as credentials, not recommended.
    aws_access_key_id='AKIAIO5FODNN7EXAMPLE',
    aws_secret_access_key='ABCDEF+c2L7yXeGvUyrPgYsDnWRRC1AYEXAMPLE'
)
```

## Hard Coding is Bad!
It lets people like me steal your code, especially if it is public on GitHub or in a Google Drive - ALWAYS tidy up! If you put the precious strings into the code exercises, come back and delete them the moment you have finished with them.

In fact I recommend deleting the user and the account once you have finished with it tonight.

## Many ways to hide the Credentials
As seen we can hide the secret codes in so many places. The above code should ONLY be done for test purposes and even then, abstracted away from the code base that might get committed. 

There have been many cases of keys being found in the public eye and then used. On websites from GitHub and Google Drive to Stack Overflow, many people have fallen victim.

There are even some Python modules, like `truffleHog` and `gittyleaks`, that can be used to look through GitHub/GitLab/BitBucket to find these secret strings and report them back to their operator.
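The same idea can be turned on your own code before it is committed. The following is an added example, not part of the original workbook and not how `truffleHog` or `gittyleaks` are implemented: it flags AWS access key IDs by their fixed shape and 40-character secrets by their randomness. The sample text is constructed, using the page's example key ID and the placeholder secret from AWS documentation; `scan`, `entropy` and the 4.2 threshold are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Access key IDs: a type prefix (AKIA long-term, ASIA temporary) plus 16 characters.
ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys: exactly 40 characters from the base64 alphabet.
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

# Constructed sample: hard-coded placeholder keys plus a harmless commit id.
SAMPLE = '''import boto3
client = boto3.client(
    's3',
    aws_access_key_id='AKIAIO5FODNN7EXAMPLE',
    aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
)
commit = "3f786850e387550fdab836ed7e6dc881de23001b"
'''


def entropy(text):
    """Shannon entropy of text in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def scan(source, min_entropy=4.2):
    """Return (line_no, kind, redacted_value) for each suspected AWS credential."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in ACCESS_KEY_ID.finditer(line):
            redacted = match.group()[:4] + "..." + match.group()[-4:]
            findings.append((line_no, "access_key_id", redacted))
        for match in SECRET_CANDIDATE.finditer(line):
            # A 40-character hex digest stays below 4 bits per character,
            # so commit ids and SHA-1 hashes are not reported.
            if entropy(match.group()) >= min_entropy:
                findings.append((line_no, "secret_access_key", match.group()[:4] + "..."))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings are redacted so that the scanner's own output does not become another copy of the key.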

As long as we are careful we can do some magical things:

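```
!pip install boto3
# `!export` would only set the variable in a throwaway subshell, so use %env,
# which sets it for the notebook's own Python process.
%env AWS_ACCESS_KEY_ID=KEY-HERE
%env AWS_SECRET_ACCESS_KEY=KEY-HERE
import boto3

# eu-west-2 matches the region used with the CLI command earlier
ec2 = boto3.resource('ec2', region_name='eu-west-2')
for instance in ec2.instances.all():
    print({instance.id: instance.state})
```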

### What's Happening
Not much... we install the module to the environment and set our keys as environment variables, as required.

Within the code we import the module and call the Elastic Compute API to list all the instances that are running... We probably don't have any running.

### Tasks
- Explore the `boto3` objects - read around the subject as well!
- Boot some free public instances and watch them on the script
- Change the output so it logs and is all nice and pretty!
- EXTRA - Create a command line script out of this
- Shut everything down and make sure everything is deleted!
- Make sure all your passwords are removed from workbooks and code!

Now that we have it working, let's look at some more things we can do.