# Python Web Conference 2021

## <https://2021.pythonwebconf.com/>

![Python Web Conference 2021 Logo](PWC2021.png)

# Automating AWS with Python: The Easy Way To The Cloud

## [MONDAY,  MAR 22 | 09:00AM - 12:00PM US ET](https://2021.pythonwebconf.com/tutorials/automating-aws-with-python-the-easy-way-to-the-cloud)

## David Sol

### T-Systems Cloud Architect

### Twitter: [@soldavidcloud](https://twitter.com/soldavidcloud)

### Repository: <https://gitlab.com/soldavid/pwc2021-aws>

# What is Cloud Computing

Public Cloud Computing - Use of on-demand technology information resources from a public provider

![Clouds](Clouds.jpg)

* Remote - You are (mostly) not dependent on where the resources are, or care about it
* Virtual - The resources (network, storage, computing) are (mostly) virtual
* Self-Service - You don't need to talk to a human agent of the provider to provision your resources
* Automated - You don't _need_ to perform manual tasks to provition the resources
* Elastic - You can *automatically* scale up and down your resources to match your needs
* Pay-per-use (provision) - You pay only for what you use (or if you forget to turn it off, provision)

# How to use the cloud - The Console

We can always use the console

![AWS Console](Console.png)

It works fine to learn, perform specific tasks, and to manage a few resources

**But it doesn't SCALE**

**It is prone to errors**

# How to use the cloud - AWS Command Line Interface

![AWS CLI Icon](CLIIcon.png)

The [AWS CLI](https://aws.amazon.com/cli/) lets you issue commands from the command line

![AWS CLI](CLI.png)

Unless you are very good with shell programming, it works well for individual commands, but not processes with control logic

**We can do better!**

Note: Use [Version 2](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)

# How to use the cloud - Software Development Kits

![AWS SDK Icon](SDKIcon.png)

<https://aws.amazon.com/getting-started/tools-sdks/>

You can use the cloud in your favorite language

![Different SDKs](SDKs.png)

# BOTO3 - AWS Python SDK

## In our case, that means Python

<https://aws.amazon.com/sdk-for-python/>

![Python Logo](Python.png)

## The SDK for Python in AWS is named Boto3

It is special. Is the only one that has a "name", and its probably the most complete nad supported of all of the SDKs

To install it you just need to add the module with pip or conda

### PIP

``` bash
pip install boto3
```

### CONDA

``` bash
conda install boto3
```

## Conda Example

![Anaconda Logo](anaconda.png)

<https://www.anaconda.com/>

### Create a new environment:

``` bash
conda create --name pwc2021 python=3.9
```

**Result**

``` text
Collecting package metadata (current_repodata.json): done
Solving environment: done

## Package Plan ##

  environment location: C:\Anaconda3\envs\pwc2021

  added / updated specs:
    - python=3.9


The following NEW packages will be INSTALLED:

  ca-certificates    conda-forge/win-64::ca-certificates-2020.12.5-h5b45459_0
  certifi            conda-forge/win-64::certifi-2020.12.5-py39hcbf5309_1
  openssl            conda-forge/win-64::openssl-1.1.1j-h8ffe710_0
  pip                conda-forge/noarch::pip-21.0.1-pyhd8ed1ab_0
  python             conda-forge/win-64::python-3.9.2-h7840368_0_cpython
  python_abi         conda-forge/win-64::python_abi-3.9-1_cp39
  setuptools         conda-forge/win-64::setuptools-49.6.0-py39hcbf5309_3
  sqlite             conda-forge/win-64::sqlite-3.34.0-h8ffe710_0
  tzdata             conda-forge/noarch::tzdata-2021a-he74cb21_0
  vc                 conda-forge/win-64::vc-14.2-hb210afc_4
  vs2015_runtime     conda-forge/win-64::vs2015_runtime-14.28.29325-h5e1d092_4
  wheel              conda-forge/noarch::wheel-0.36.2-pyhd3deb0d_0
  wincertstore       conda-forge/win-64::wincertstore-0.2-py39hcbf5309_1006


Preparing transaction: done
Verifying transaction: done
Executing transaction: done
#
# To activate this environment, use
#
#     $ conda activate pwc2021
#
# To deactivate an active environment, use
#
#     $ conda deactivate
```

### Activate the new environment and install Boto3

``` bash
conda activate pwc2021

conda install boto3
```

**Result**

``` text
Collecting package metadata (current_repodata.json): done
Solving environment: done

## Package Plan ##

  environment location: C:\Anaconda3\envs\pwc2021

  added / updated specs:
    - boto3


The following NEW packages will be INSTALLED:

  boto3              conda-forge/noarch::boto3-1.17.33-pyhd8ed1ab_0
  botocore           conda-forge/noarch::botocore-1.20.33-pyhd8ed1ab_0
  brotlipy           conda-forge/win-64::brotlipy-0.7.0-py39hb82d6ee_1001
  cffi               conda-forge/win-64::cffi-1.14.5-py39h0878f49_0
  cryptography       conda-forge/win-64::cryptography-3.4.6-py39hd8d06c1_0
  idna               conda-forge/noarch::idna-3.1-pyhd3deb0d_0
  jmespath           conda-forge/noarch::jmespath-0.10.0-pyh9f0ad1d_0
  pycparser          conda-forge/noarch::pycparser-2.20-pyh9f0ad1d_2
  pyopenssl          conda-forge/noarch::pyopenssl-20.0.1-pyhd8ed1ab_0
  pysocks            conda-forge/win-64::pysocks-1.7.1-py39hcbf5309_3
  python-dateutil    conda-forge/noarch::python-dateutil-2.8.1-py_0
  s3transfer         conda-forge/noarch::s3transfer-0.3.6-pyhd8ed1ab_0
  six                conda-forge/noarch::six-1.15.0-pyh9f0ad1d_0
  urllib3            conda-forge/noarch::urllib3-1.26.4-pyhd8ed1ab_0
  win_inet_pton      conda-forge/win-64::win_inet_pton-1.1.0-py39hcbf5309_2


Preparing transaction: done
Verifying transaction: done
Executing transaction: done
```

# Boto3 Quickstart

<https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html>

# Credentials - How to connect to AWS

First off two points to always have in mind:

**1) NEVER store credentials or keys in your code**

**2) NEVER store credentials or keys in your code, I mean it**

So how to connect?

<https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html>

## With a user

You need to create a User and create an Access Key for it. *Note: least privilege applies*

![First user creating screen](user1.png)

You will get an Access key ID and a Secret access key. *Note: If you lose it, it is gone, but you can create a new onw*

![Second user creating screen](user2.png)

## If you have AWS CLI installed

You can create a Profile. If you don't specify a named your you use the **Default** profile:

![Setting up the Default Profile](DefaultProfile.png)

But I recommend you to use named profiles:

![Seeting up a Named Profile](NamedProfile.png)

## If you don't have AWS CLI installed

You can use the .aws/credentials and .aws/config files in your home directory to create the profiles directly:

**credentials file**

``` text
[default]
aws_access_key_id = AKIAWF3HKOXJUZXM4M5F
aws_secret_access_key = You write the secret key here

[PWC2021]
aws_access_key_id = AKIAWF3HKOXJUZXM4M5F
aws_secret_access_key = You write the secret key here
```

**config file**

``` text
[default]
output=json
region=us-west-2

[PWC2021]
output=json
region=us-west-2
```

Or you can set up *environment variables*:

* AWS_ACCESS_KEY_ID - The access key for your AWS account.
* AWS_SECRET_ACCESS_KEY - The secret key for your AWS account.
* AWS_SESSION_TOKEN - The session key for your AWS account. This is only needed when you are using temporary credentials. 

``` bash
AWS_ACCESS_KEY_ID=AKIAWF3HKOXJUZXM4M5F
AWS_SECRET_ACCESS_KEY=You write the secret key here
```

Priority order:

1) Parameters when creating the Session Object - **DO NOT USE FOR CREDENTIALS**
2) Environment variables
3) Configuration file

In [None]:
# Using the default profile
from pprint import pprint
import boto3
iam = boto3.client('iam')
response = iam.get_user()
pprint(response)

## Using named profiles, the Session object

**RECOMMENDED**

You need a Session for each region you want to use.

In [None]:
# Using a named profile with the session object
session = boto3.Session(
    profile_name='PWC2021',
    region_name='us-west-2'
)
iam = session.client('iam')
response = iam.get_user()
print(f"User {response['User']['UserName']}")

In [None]:
print(f"User {response['User']['UserName']} created on {str(response['User']['CreateDate'])}")

In [None]:
for tag in response['User']['Tags']:
    print(f"{tag['Key']}: {tag['Value']}")

### Extra tip

All the information you could need in a report you should store it in the resources tags

For example in IAM:

* Real user name
* Department
* Supervisor
* Email
* Phone
* Expiration Date
* Notes

# Roles

There is another way!

Instead of using "fixed" credentials, we can assign temporary ones with a role

![IAM Role Icon](IAMRole.png)

A Role is a set of permissions a user, **or a resource** can assume. They are not given *by default*

In [None]:
import json

# This policy allows only EC2 instances to assume the role
ec2_assume_role_policy_document = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
        "Effect": "Allow",
        "Principal": {
            "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
        }
    ]
})

In [None]:
print(ec2_assume_role_policy_document)

In [None]:
# To create the role we need a more powerful user, we create a new session for it
david = boto3.Session(
    profile_name="david21",
    region_name="us-west-2"
)

# And a new client
davidiam = david.client("iam")

# We create the role with the new client
response = davidiam.create_role(
    RoleName="ec2-readonly",
    AssumeRolePolicyDocument=ec2_assume_role_policy_document,
    Description="Allows an instance to ec2 read-only access",
    Tags=[
        {
            "Key": "PWC2021",
            "Value": "For the Python Web Conference 2021"
        },
    ]
)

In [None]:
pprint(response)

In [None]:
ec2_readonly_role_name = response["Role"]["RoleName"]
print(ec2_readonly_role_name)

In [None]:
# We create the corresponding instance profile
response = davidiam.create_instance_profile(
    InstanceProfileName=ec2_readonly_role_name,
    Tags=[
        {
            'Key': 'PWC2021',
            'Value': 'For the Python Web Conference 2021'
        },
    ]
)
pprint(response)

In [None]:
# We assign the EC2 Read Only managed policy to the new role
davidiam.attach_role_policy(
    PolicyArn='arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess',
    RoleName=ec2_readonly_role_name
)

In [None]:
# We assign the role to the instance profile
response = davidiam.add_role_to_instance_profile(
    InstanceProfileName=ec2_readonly_role_name,
    RoleName=ec2_readonly_role_name
)
pprint(response)

In [None]:
# New client for EC2
davidec2 = david.client("ec2")
# We attach the role to an instance
response = davidec2.associate_iam_instance_profile(
    IamInstanceProfile={
        'Name': ec2_readonly_role_name
    },
    InstanceId='i-01e4968eff0c5a32e'
)

Seems complex?

Well, we can create a function that does everything so we don't need to remind all of the steps, automate the process, and make sure all of the rules are followed

In [None]:
from time import sleep

def grant_role_to_instance (session: boto3.session.Session,
                            instance_id: str,
                            role_name: str,
                            role_description: str,
                            policy_to_grant: str) -> None:
    # This policy allows only EC2 instances to assume the role
    ec2_assume_role_policy_document = json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
            }
        ]
    })
    # IAM client
    iam = session.client("iam")
    # We create the role with the new client
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=ec2_assume_role_policy_document,
        Description=role_description
    )
    # We create the corresponding instance profile
    iam.create_instance_profile(
        InstanceProfileName=role_name,
    )
    # We assign the EC2 Read Only managed policy to the new role
    iam.attach_role_policy(
        PolicyArn=policy_to_grant,
        RoleName=role_name
    )
    # We assign the role to the instance profile
    iam.add_role_to_instance_profile(
        InstanceProfileName=role_name,
        RoleName=role_name
    )
    # Wait for the changes to propagate
    sleep(10)
    # EC2 client
    ec2 = session.client("ec2")
    # We attach the role to the instance
    ec2.associate_iam_instance_profile(
        IamInstanceProfile={
            'Name': role_name
        },
        InstanceId=instance_id
    )

In [None]:
grant_role_to_instance (session = david,
                        instance_id = "i-02904f631ba3108f9",
                        role_name = "function_role",
                        role_description = "Created via a function",
                        policy_to_grant = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess")

# AWS is asynchronous

Many times the calls to the AWS API return, with a "success" code, even if the requested action hasn't finished yet

For example, the function fails because the instance profile is not ready when we try to assign it to the instance

## Waiters

There are specific commands to "wait" for a resource to be ready

For example: *iam.get_waiter('instance_profile_exists')*

Polls IAM.Client.get_instance_profile() every 1 seconds until a successful state is reached. An error is returned after 40 failed checks.

``` python
waiter = iam.get_waiter('instance_profile_exists')
waiter.wait(
    InstanceProfileName='string',
    WaiterConfig={
        'Delay': 123, # Default: 1
        'MaxAttempts': 123  # Default: 40
    }
)
```

The bad news is that now always work. In this case, it doesn't

# How to connect to AWS Summary

The best way is by using roles. Temporary credentials that are harder to come by, and that expire after some time

If not you need access and secret keys. They can be stored in the credential and config files or in environment variables

**NEVER STORE THEM IN CODE**

# Get information if there are not much data

If we only have a couple instances, there is no problem is getting their information in one go

In [None]:
ec2 = session.client("ec2")
response = ec2.describe_instances()
pprint(response, depth=1)

In [None]:
print(len(response["Reservations"]))

In [None]:
pprint(response["Reservations"][0], depth=1)

In [None]:
print(len(response["Reservations"][0]["Instances"]))

In [None]:
pprint(response["Reservations"][0]["Instances"][0], depth=1)

In [None]:
print(len(response["Reservations"][0]["Instances"][0]["Tags"]))
pprint(response["Reservations"][0]["Instances"][0]["Tags"][0])
pprint(response["Reservations"][0]["Instances"][0]["Tags"][1])

In [None]:
for reservation in response["Reservations"]:
    for instance in reservation["Instances"]:
        print(f"{instance['InstanceId']} is {[tag['Value'] for tag in instance['Tags'] if tag['Key'] == 'color'][0]}")

# We can filter our queries

In [None]:
response = ec2.describe_instances(InstanceIds=["i-01e4968eff0c5a32e"])
pprint(response["Reservations"][0]["Instances"][0])

In [None]:
response = ec2.describe_instances(
    Filters=[
        {
            "Name": "instance.group-name",
            "Values": ["bastion"]
        }
    ])
pprint(response["Reservations"][0]["Instances"][0])

In [None]:
response = ec2.describe_instances(
    Filters=[
        {
            "Name": "tag:color",
            "Values": ["blue"]
        }
    ])
pprint(response["Reservations"][0]["Instances"][0])

# If there is too much data: Pagination

In most cases we must be ready to deal with too much data. We don't want to look for too much data at one time

For that we use pagination

In [None]:
response = iam.list_policies(
    Scope='All',
    OnlyAttached=False,
    PolicyUsageFilter='PermissionsPolicy',
    MaxItems=10
)
pprint(response, depth=1)
print("-----------")
for policy in response["Policies"]:
    print("    " + policy["PolicyName"])
next_marker=response["Marker"]

In [None]:
response = iam.list_policies(
    Scope='All',
    OnlyAttached=False,
    PolicyUsageFilter='PermissionsPolicy',
    MaxItems=10,
    Marker=next_marker
)
pprint(response, depth=1)
print("-----------")
for policy in response["Policies"]:
    print("    " + policy["PolicyName"])
next_marker=response["Marker"]

# We can automate all of that with paginators

In [None]:
paginator = iam.get_paginator('list_policies')
response_iterator = paginator.paginate(
    Scope='All',
    OnlyAttached=True,
    PolicyUsageFilter='PermissionsPolicy',
    PaginationConfig={
        'MaxItems': 1000,
        'PageSize': 3
    }
)

In [None]:
for page in response_iterator:
    pprint(page)

In [None]:
for page in response_iterator:
    for policy in page["Policies"]:
        print(f"{policy['PolicyName']}")

# We can automate everything

In [None]:
cloudwatch = session.client("cloudwatch")
cadena_widget = (
    '{'
    '"metrics": ['
    '    [ "AWS/EC2", "EBSWriteOps", "InstanceId", "i-01e4968eff0c5a32e", { "color": "#ff7f0e" } ]'
    '],'
    '"view": "timeSeries",'
    '"stacked": true,'
    '"stat": "Average",'
    '"period": 300,'
    '"annotations": {'
    '    "horizontal": ['
    '        {'
    '            "label": "Expected",'
    '            "value": 20'
    '        }'
    '    ]'
    '},'
    '"title": "i-01e4968eff0c5a32e",'
    '"width": 1000,'
    '"height": 300,'
    '"start": "-PT3H",'
    '"end": "P0D"'
    '}'
)
respuesta = cloudwatch.get_metric_widget_image(MetricWidget=cadena_widget)

In [None]:
respuesta["MetricWidgetImage"]

In [None]:
from IPython.display import Image
Image(respuesta["MetricWidgetImage"]) 

In [None]:
cloudwatch = session.client("cloudwatch")
response = ec2.describe_instances()
for reservation in response["Reservations"]:
    for instance in reservation["Instances"]:
        instance_id = instance["InstanceId"]
        cadena_widget = (
            '{'
            '"metrics": ['
            '    [ "AWS/EC2", "EBSWriteOps", "InstanceId", "' + instance_id + '", { "color": "#ff7f0e" } ]'
            '],'
            '"view": "timeSeries",'
            '"stacked": true,'
            '"stat": "Average",'
            '"period": 300,'
            '"annotations": {'
            '    "horizontal": ['
            '        {'
            '            "label": "Expected",'
            '            "value": 20'
            '        }'
            '    ]'
            '},'
            '"title": "' + instance_id + '",'
            '"width": 1000,'
            '"height": 300,'
            '"start": "-PT3H",'
            '"end": "P0D"'
            '}'
        )
        respuesta = cloudwatch.get_metric_widget_image(MetricWidget=cadena_widget)
        with open(instance_id + ".png", "wb") as pngfile:
            pngfile.write(respuesta["MetricWidgetImage"])

# References

Boto3 documentation: <https://boto3.amazonaws.com/v1/documentation/api/latest/index.html#>

AWS CDK (Cloud Development Kit): <https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html>

AWS CDK Workshop: https://cdkworkshop.com/

# Thank You!

## David Sol

## <https://twitter.com/soldavidcloud>

## Repository: <https://gitlab.com/soldavid/pwc2021-aws>

## <https://2021.pythonwebconf.com/>

![Python Web Conference 2021 Logo](PWC2021.png)

# Automating AWS with Python: The Easy Way To The Cloud