© 2023 Yandex.Cloud LLC
Yandex Managed Service for YDB

Setting up AWS tools

Written by
Yandex Cloud

    To access the database via the Document API in AWS DynamoDB-compatible mode, you can use AWS tools:

    • AWS CLI: The AWS command line interface.
    • AWS SDK: The software development kit.

    Warning

    You can only access document tables via the Document API.

    To use the AWS tools, follow these steps:

    1. Create a service account on behalf of which you are going to access the database.

      The service account must be created in the same folder as the database.

      Management console
      1. Log in to the management console.

      2. Click the line with the name of the folder where you want to create a service account.

      3. Go to the Service accounts tab.

      4. Click Create service account.

      5. Enter the name of the service account.

        Name format requirements:

        • The length can be from 3 to 63 characters.
        • It may contain lowercase Latin letters, numbers, and hyphens.
        • The first character must be a letter. The last character can't be a hyphen.

        Make sure the service account name is unique within your cloud.

      6. To assign the service account a role for the current folder, click Add role and select a role such as editor.

        To assign a role for another resource, use the CLI or API by following the instructions in Assigning roles to a service account.

      7. Click Create.

      CLI

      The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

      1. See the description of the command for creating a service account:

        yc iam service-account create --help
        
      2. Create a service account named my-robot:

        yc iam service-account create --name my-robot
        
        Name format requirements:

        • The length can be from 3 to 63 characters.
        • It may contain lowercase Latin letters, numbers, and hyphens.
        • The first character must be a letter. The last character can't be a hyphen.

      API

      To create a service account, use the create method for the ServiceAccount resource.

    2. Assign the editor role to the service account.

      A service account can only be assigned roles for the resources of the cloud that the service account belongs to.

      In the management console, you can only grant a service account roles for folders in the same cloud as the service account's folder and for the cloud itself. To assign it a role for another resource, use the CLI or API.

      Management console

      You assign roles to a service account the same way as to a user account.

      To assign a service account a role for the folder:

      1. In the management console, go to the desired folder.
      2. Go to the Access rights tab.
      3. Click Assign roles.
      4. In the Configure access rights window, click Select user.
      5. Go to the Service accounts tab.
      6. Select a service account from the list or use the search.
      7. Click Add role.
      8. Select a role in the folder.
      9. Click Save.

      CLI

      If you don't have the Yandex Cloud command line interface yet, install and initialize it.

      The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

      To assign the service account a role for a resource, run:

      yc <service-name> <resource> add-access-binding <resource-name>|<resource-id> \
        --role <role-id> \
        --subject serviceAccount:<service-account-id>
      

      Where:

      • <service-name>: The name of the service whose resource a role is assigned for (for example, resource-manager).
      • <resource>: The resource category, for example, cloud.
      • <resource-name>: The name of the resource. You can specify a resource by its name or ID.
      • <resource-id>: The resource ID.
      • <role-id>: The role ID, for example, resource-manager.clouds.owner.
      • <service-account-id>: The identifier of the service account assigned the role.

      For example, to assign a service account the viewer role for the my-folder folder:

      1. Find out the service account ID by its name:

        yc iam service-account get my-robot
        

        Result:

        id: aje6o61dvog2h6g9a33s
        folder_id: b1gvmob95yysaplct532
        created_at: "2018-10-15T18:01:25Z"
        name: my-robot
        

        If you don't know the name of the service account, get a list of service accounts with their IDs:

        yc iam service-account list
        

        Result:

        +----------------------+------------------+-----------------+
        |          ID          |       NAME       |   DESCRIPTION   |
        +----------------------+------------------+-----------------+
        | aje6o61dvog2h6g9a33s | my-robot         | my description  |
        +----------------------+------------------+-----------------+
        
      2. Assign a role to the my-robot service account using its ID:

        yc resource-manager folder add-access-binding my-folder \
          --role viewer \
          --subject serviceAccount:aje6o61dvog2h6g9a33s
        
      API

      1. Get the ID of the folder with service accounts.

      2. Get a list of folder service accounts to find out their IDs:

        export FOLDER_ID=b1gvmob95yysaplct532
        export IAM_TOKEN=CggaATEVAgA...
        curl -H "Authorization: Bearer ${IAM_TOKEN}" \
          "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
        

        Result:

        {
         "serviceAccounts": [
          {
           "id": "ajebqtreob2dpblin8pe",
           "folderId": "b1gvmob95yysaplct532",
           "createdAt": "2018-10-18T13:42:40Z",
           "name": "my-robot",
           "description": "my description"
          }
         ]
        }
        
      3. Create a request body, for example, in a body.json file. Set the action property to ADD and specify the serviceAccount type and service account ID in the subject property:

        body.json:

        {
            "accessBindingDeltas": [{
                "action": "ADD",
                "accessBinding": {
                    "roleId": "editor",
                    "subject": {
                        "id": "ajebqtreob2dpblin8pe",
                        "type": "serviceAccount"
                        }
                    }
                }
            ]
        }
        
      4. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

        export FOLDER_ID=b1gvmob95yysaplct532
        export IAM_TOKEN=CggaATEVAgA...
        curl -X POST \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer ${IAM_TOKEN}" \
          -d '@body.json' \
          "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
        

      Terraform

      If you don't have Terraform, install it and configure the Yandex Cloud provider.

      1. In the configuration file, describe the parameters of resources that you want to create:

        • folder_id: ID of the folder. Required parameter.
        • role: The role assigned. Required parameter.
        • members: List of users or service accounts the role is being assigned to. Specified in the following format: userAccount:<user ID> or serviceAccount:<service account ID>. Required parameter.

        resource "yandex_resourcemanager_folder_iam_binding" "admin-account-iam" {
          folder_id   = "<folder ID>"
          role        = "<role>"
          members     = [
            "serviceAccount:<Service account ID>",
          ]
        }
        

        For more information about the parameters of the yandex_resourcemanager_folder_iam_binding resource, see the provider documentation.

      2. Make sure that the configuration files are correct.

        1. In the command line, go to the directory where you created the configuration file.

        2. Run the check using the command:

          terraform plan
          

        If the configuration is described correctly, the terminal displays a list of created resources and their parameters. If the configuration contains errors, Terraform will point them out.

      3. Deploy the cloud resources.

        1. If the configuration doesn't contain any errors, run the command:

          terraform apply
          
        2. Confirm the resource creation: type yes in the terminal and press Enter.

        Afterwards, all the necessary resources are created in the specified folder. You can verify that the resource has been created in the management console or with the following CLI command:

        yc resource-manager folder list-access-bindings <folder name>|<folder ID>
        
    3. Get the key ID and access key of the created service account:

      Management console
      1. Go to the folder that the service account belongs to.

      2. Go to the Service accounts tab.

      3. Choose a service account and click the line with its name.

      4. Click Create new key in the top panel.

      5. Click Create static access key.

      6. Enter a description of the key so that you can easily find it in the management console.

      7. Save the ID and private key.

        Alert

        After the dialog is closed, the private key value will be unavailable.

      CLI

      The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

      1. See the description of the create static access key command:

        yc iam access-key create --help
        
      2. Select a service account (for example, my-robot):

        yc iam service-account list

        Result:

        +----------------------+------------------+-------------------------------+
        |          ID          |       NAME       |          DESCRIPTION          |
        +----------------------+------------------+-------------------------------+
        | aje6o61dvog2h6g9a33s | my-robot         |                               |
        ...
        
      3. Create an access key for the my-robot service account:

        yc iam access-key create --service-account-name my-robot

        Result:
        
        access_key:
          id: aje6t3vsbj8lp9r4vk2u
          service_account_id: ajepg0mjt06siuj65usm
          created_at: "2018-11-22T14:37:51Z"
          key_id: 0n8X6WY6S24N7OjXQ0YQ
        secret: JyTRFdqw8t1kh2-OJNz4JX5ZTz9Dj1rI9hxtzMP1
        
      4. Save the key ID (key_id) and the secret key (secret). You will not be able to get the key value again.

      API

      To create an access key, use the create method for the AccessKey resource.

    4. Install the AWS CLI.

    5. Configure the AWS CLI environment: run the aws configure command and enter the previously saved key ID and secret access key one by one. Use ru-central1 as the region:

      aws configure
      AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
      AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      Default region name [None]: ru-central1
      Default output format [None]:
      

      As a result, the files ~/.aws/credentials and ~/.aws/config will be created (C:\Users\USERNAME\.aws\credentials and C:\Users\USERNAME\.aws\config on Windows).

    6. Check that the settings are correct by running the table listing command against the created DB. As the --endpoint value, specify the Document API endpoint available on the Overview tab of your database in the management console.

      aws dynamodb list-tables \
      --endpoint https://docapi.serverless.yandexcloud.net/ru-central1/b1gia87mbaomkfvs6rgl/etnudu2n9ri35luqe4h1
      

      Result:

      {
          "TableNames": [
          ]
      }
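
The check below is an added example, not part of the Yandex Cloud documentation: it audits the two files that `aws configure` writes, confirming that the credentials file holding the static key's secret is not accessible to group or other users, that the chosen profile actually has a secret key, and that its region is ru-central1. The function names and the choice of checks are assumptions of this example.

```bash
#!/bin/sh
# Added example, not from the Yandex Cloud docs: audit what `aws configure` wrote.
# Function names and the choice of checks are this example's own.

# "ok" when neither group nor other has any permission bit on the file.
perm_check() {
  # `ls -ld` prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
  bits=$(ls -ld -- "$1" | cut -c5-10)
  if [ "$bits" = "------" ]; then echo ok; else echo too-open; fi
}

# Names of the profiles in a credentials file that hold a static secret key.
profiles_with_secret() {
  awk '/^\[/ { cur = substr($0, 2, index($0, "]") - 2); next }
       /^[ \t]*aws_secret_access_key[ \t]*=/ { print cur }' "$1"
}

# Region of a profile in the config file; named profiles are "[profile NAME]".
profile_region() {
  if [ "$2" = default ]; then section=default; else section="profile $2"; fi
  awk -v want="$section" '
    /^\[/ { cur = substr($0, 2, index($0, "]") - 2); next }
    cur == want && /^[ \t]*region[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# audit_aws_setup [CREDENTIALS] [CONFIG] [PROFILE]; returns 0 when all checks pass.
audit_aws_setup() {
  cred=${1:-$HOME/.aws/credentials}
  conf=${2:-$HOME/.aws/config}
  prof=${3:-default}
  rc=0
  [ -f "$cred" ] || { echo "FAIL: $cred not found"; return 2; }
  if [ "$(perm_check "$cred")" != ok ]; then
    echo "FAIL: $cred is accessible to group/other; fix with: chmod 600 $cred"
    rc=1
  fi
  if ! profiles_with_secret "$cred" | grep -qxF -- "$prof"; then
    echo "FAIL: profile '$prof' has no aws_secret_access_key"; rc=1
  fi
  region=""
  if [ -f "$conf" ]; then region=$(profile_region "$conf" "$prof") || region=""; fi
  if [ "$region" != "ru-central1" ]; then
    echo "FAIL: region for '$prof' is '${region:-unset}', expected ru-central1"
    rc=1
  fi
  return "$rc"
}
```

Source the file and call `audit_aws_setup` with no arguments to check the default locations; a non-zero return means at least one check failed.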
      
