### Install ape-aws via setuptools Source: https://github.com/apeworx/ape-aws/blob/main/README.md Installs the ape-aws plugin by cloning the repository and using setuptools. This method is useful for obtaining the most up-to-date version directly from the source code. ```bash git clone https://github.com/ApeWorX/ape-aws.git cd ape-aws python3 setup.py install ``` -------------------------------- ### Install ape-aws via pip Source: https://github.com/apeworx/ape-aws/blob/main/README.md Installs the latest release of the ape-aws plugin using pip. This is the recommended method for most users. ```bash pip install ape-aws ``` -------------------------------- ### Direct KMS Key Operations Source: https://context7.com/apeworx/ape-aws/llms.txt Provides examples of interacting directly with KMS keys using the KmsKey object for operations like retrieving metadata, signing raw message hashes, and managing key policies. Requires an initialized AwsClient and a specific key. ```python from ape_aws.client import AwsClient from eth_utils import keccak client = AwsClient() key = client.keys.get("my-signing-key") # Get key metadata print(f"Alias: {key.alias}") print(f"Key ID: {key.id}") print(f"ARN: {key.arn}") print(f"Enabled: {key.enabled}") # Get the public key and derive Ethereum address public_key = key.public_key # Raw 64-byte public key address = key.address # Checksummed Ethereum address # Sign a raw 32-byte message hash msg_hash = keccak(b"Hello, World!") der_signature = key.sign(msg_hash) # Returns DER-encoded signature # Manage key policies policy = key.get_policy() print(f"Policy statements: {len(policy['Statement'])}") # Add user access to key key.set_policy(users_to_add=["arn:aws:iam::123456789012:user/signer"]) # Remove user access key.set_policy(users_to_remove=["arn:aws:iam::123456789012:user/old-signer"]) # Schedule key deletion (WARNING: 30-day minimum waiting period) key.delete(days=30) ``` -------------------------------- ### AWS Environment Variable Configuration Source: https://context7.com/apeworx/ape-aws/llms.txt Explains how environment variables like AWS_PROFILE, AWS_DEFAULT_REGION, AWS_ACCOUNT_ID, and AWS_SECRET_KEY can override configuration settings or be used for direct credential provision. Provides an example of setting environment variables for `ape console`. ```bash # Environment variables take precedence over config # AWS_PROFILE - Use specific AWS profile # AWS_DEFAULT_REGION - Override default region # AWS_ACCOUNT_ID + AWS_SECRET_KEY - Use direct credentials (for containers) # Example: Run ape console with IAM user credentials # env $(cat .env.my-signer | xargs) ape console ``` -------------------------------- ### Ape AWS CLI Commands Source: https://github.com/apeworx/ape-aws/blob/main/README.md Demonstrates various commands for managing AWS resources and keys using the ape aws CLI tool. Includes listing commands, checking login status, creating/deleting users, managing access keys, and generating/scheduling deletion of signing keys. ```bash ape aws -h ape aws whoami ape aws users new USER ape aws users remove USER ape aws users tokens new USER > .env.USER ape aws keys generate KEY ape aws keys remove KEY ape aws keys grant KEY -u USER ``` -------------------------------- ### Manage IAM Users with AwsClient Source: https://context7.com/apeworx/ape-aws/llms.txt Demonstrates programmatic management of IAM users, including listing users, creating new users, adding policies, creating access keys, and deleting access keys. Requires AWS credentials. ```python from ape_aws.client import AwsClient client = AwsClient() # List all users for name, user in client.users.items(): print(f"User: {name}") print(f" ARN: {user.arn}") print(f" Is Admin: {user.is_admin}") print(f" Policies: {list(user.policies.keys())}") # Create a new user user = client.create_user("new-automation-user") # Add policy to user key_policy = client.policies.get("ApeAwsKeyAccessV1") if not key_policy: key_policy = client.create_key_policy() user.add_policy(key_policy) # Create access credentials access_key = user.create_access_key() env_vars = access_key.to_environment() # AWS_ACCOUNT_ID=AKIA... # AWS_SECRET_KEY=... # List user's access keys for key_id, key in user.access_keys.items(): print(f"Key: {key_id}, Status: {key.status}, Created: {key.creation}") # Delete an access key user.delete_access_key("AKIA1234567890EXAMPLE") ``` -------------------------------- ### Create IAM User (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Creates a new IAM user and automatically attaches the necessary 'ApeAwsKeyAccessV1' policy for KMS signing. Additional policies can also be specified during creation. ```bash # Create a new IAM user for signing ape aws users new my-signer # Output: # Created my-signer (arn:aws:iam::123456789012:user/my-signer) # Policy 'ApeAwsKeyAccessV1' added to user 'my-signer'. # Create user with additional policies ape aws users new automation-user --policy ReadOnlyAccess --policy AmazonS3ReadOnlyAccess ``` -------------------------------- ### Show KMS Key Information (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Displays detailed information about a specific KMS key, including its ARN and access policies. This is useful for auditing and understanding key permissions. ```bash # Show key info and access rights ape aws keys show my-signing-key # Output: # arn:aws:iam::123456789012:user/my-signer: # arn:aws:kms:us-east-1:123456789012:key/...: kms:Sign, kms:Verify, kms:GetPublicKey ``` -------------------------------- ### List KMS Signing Keys (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Retrieves and displays a list of all available KMS signing keys within the current AWS profile. This command helps in identifying available keys for signing operations. ```bash # List all available KMS keys ape aws keys list # Output: # 'my-signing-key' (id: 12345678-1234-1234-1234-123456789abc) # 'production-key' (id: 87654321-4321-4321-4321-cba987654321) ``` -------------------------------- ### Configure AWS Settings in ape-config.yaml Source: https://context7.com/apeworx/ape-aws/llms.txt Shows how to configure default AWS region and profile settings within the project's `ape-config.yaml` file. This simplifies client initialization. ```yaml # ape-config.yaml aws: default_region: us-east-1 default_profile: my-aws-profile ``` -------------------------------- ### Ape AWS IPython Usage Source: https://github.com/apeworx/ape-aws/blob/main/README.md Shows how to use the ape-aws plugin within an IPython console to interact with AWS KMS. This includes loading a KMS key and signing a message. It also demonstrates how to use the generated environment file to access the console with specific AWS credentials. ```python In [1]: kms_signer = accounts.load("KEY") In [2]: kms_signer.sign_message("12345") Out[2]: ``` ```bash env $(echo .env.USER | xargs) ape console ``` -------------------------------- ### Sign Messages with KmsAccount (Python) Source: https://context7.com/apeworx/ape-aws/llms.txt Demonstrates how to load a KMS-based account using Ape's account management system and sign arbitrary messages using EIP-191 standards. This leverages the `AccountAPI` interface. ```python from ape import accounts # Load a KMS account by its alias kms_signer = accounts.load("my-signing-key") ``` -------------------------------- ### Sign Ethereum Transactions with KMS Source: https://context7.com/apeworx/ape-aws/llms.txt Shows how to connect to an Ethereum network, load a KMS signer, prepare, sign, and send an Ethereum transaction with EIP-155 replay protection. Requires network connection and a loaded KMS signer. ```python from ape import accounts, networks # Connect to network and load KMS signer with networks.ethereum.sepolia.use_provider("alchemy"): kms_signer = accounts.load("my-signing-key") # Get the signer's Ethereum address print(f"Address: {kms_signer.address}") # Create and sign a transaction txn = kms_signer.prepare_transaction( to="0xa5D3241A1591061F2a4bB69CA0215F66520E67cf", value="1 ether", gas_limit=21000, ) # Sign the transaction (signature is attached to txn object) signed_txn = kms_signer.sign_transaction(txn) print(f"Signature: v={signed_txn.signature.v}, r={signed_txn.signature.r}") # Send the signed transaction receipt = kms_signer.call(signed_txn) ``` -------------------------------- ### List Access Tokens for IAM User (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Displays all currently active access tokens associated with a specific IAM user. This helps in managing credentials and identifying active access keys. ```bash # List access tokens for a user ape aws users tokens list my-signer # Output: # AKIA1234567890EXAMPLE (Active) - Created: 2024-01-15 10:30:00 ``` -------------------------------- ### Manage AWS KMS Keys with AwsClient Source: https://context7.com/apeworx/ape-aws/llms.txt Illustrates using the AwsClient to programmatically manage AWS KMS keys, including listing, generating new keys, and setting key policies for user access. Requires AWS credentials. ```python from ape_aws.client import AwsClient # Initialize client with default profile client = AwsClient() # Or use a specific AWS profile client = AwsClient("my-aws-profile") # List all available KMS keys for alias, key in client.keys.items(): print(f"Key: {alias}") print(f" ID: {key.id}") print(f" Address: {key.address}") print(f" Enabled: {key.enabled}") # Generate a new KMS key new_key = client.generate_key("my-new-key") print(f"Created key with ID: {new_key.id}") print(f"Ethereum address: {new_key.address}") # Grant user access to a key user = client.users.get("my-signer") key = client.keys.get("my-new-key") key.set_policy(users_to_add=[user.arn]) # Create an IAM user new_user = client.create_user("automation-signer") print(f"Created user: {new_user.arn}") # Create access key for the user access_key = new_user.create_access_key() print(access_key.to_environment()) ``` -------------------------------- ### Check AWS Profile Configuration (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Displays the current AWS profile and credentials being used. This is helpful for debugging authentication issues, especially in containerized environments. ```bash # Check current AWS profile and credentials ape aws whoami # Output: # Region: us-east-1 # Profile: default # Access Key: AKIA... ``` -------------------------------- ### Configure AWS Credentials and Region Source: https://github.com/apeworx/ape-aws/blob/main/README.md Provides bash commands to create the `~/.aws/credentials` and `~/.aws/config` files for Mac and Linux users. These files store AWS access key ID, secret access key, and the default region for AWS CLI and SDKs. ```bash mkdir ~/.aws cat < ~/.aws/credentials [default] aws_access_key_id = YOUR_ACCESS_KEY aws_secret_access_key = YOUR_SECRET EOF cat < ~/.aws/config [default] region = YOUR_REGION output = json EOF ``` -------------------------------- ### List IAM Users (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Retrieves and displays a list of all IAM users accessible under the currently configured AWS profile. This command helps in managing user access within your AWS environment. ```bash # List all available IAM users ape aws users list # Output: # my-signer-user (arn:aws:iam::123456789012:user/my-signer-user) # automation-user (arn:aws:iam::123456789012:user/automation-user) ``` -------------------------------- ### Create Access Token for IAM User (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Generates AWS access credentials (access key ID and secret access key) for a specified IAM user. These credentials are often saved to a .env file for use in containerized environments. ```bash # Create access token and save to .env file ape aws users tokens new my-signer > .env.my-signer # Output (to stderr): # SUCCESS: Access key created for 'my-signer' # WARNING: Access key will not be available after this command # Output (to stdout, saved to .env.my-signer): # AWS_ACCOUNT_ID=AKIA... # AWS_SECRET_KEY=... ``` -------------------------------- ### Generate KMS Signing Key (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Creates a new ECC_SECG_P256K1 KMS key suitable for Ethereum signing. The command can also optionally grant access to specified IAM users. ```bash # Generate a new KMS key ape aws keys generate my-new-key # Output: # Key created '12345678-1234-1234-1234-123456789abc'. # Key policies updated for my-new-key # Generate key and grant access to users ape aws keys generate shared-key -u user1 -u user2 ``` -------------------------------- ### Sign Messages and Data with KMS Source: https://context7.com/apeworx/ape-aws/llms.txt Demonstrates signing various data types including text, hex strings, bytes, and EIP-712 typed messages using a KMS signer. Requires a configured KMS signer. ```python from ape import accounts, networks from eip712 import EIP712Message # Connect to network and load KMS signer with networks.ethereum.sepolia.use_provider("alchemy"): kms_signer = accounts.load("my-signing-key") # Sign a text message signature = kms_signer.sign_message("Hello, World!") print(f"v={signature.v}, r={hex(signature.r)}, s={hex(signature.s)}") # Sign a hex message signature = kms_signer.sign_message("0xdeadbeef") # Sign bytes signature = kms_signer.sign_message(b"\x00\x01\x02\x03") # Sign an EIP-712 typed message class MyMessage(EIP712Message): _name_ = "MyApp" value: int msg = MyMessage(value=42) signature = kms_signer.sign_message(msg) ``` -------------------------------- ### Grant KMS Key Access (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Grants signing permissions on a specified KMS key to one or more IAM users. This command modifies the key's policy to allow access. ```bash # Grant key access to users ape aws keys grant my-signing-key -u user1 -u user2 # Output: # Key policies updated for my-signing-key ``` -------------------------------- ### Schedule KMS Key Deletion (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Schedules a KMS key for deletion. AWS KMS enforces a 30-day waiting period before the key is permanently destroyed, allowing for recovery if scheduled in error. ```bash # Schedule key deletion (WARNING: takes 30 days) ape aws keys remove my-old-key ``` -------------------------------- ### Remove IAM User (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Permanently deletes an IAM user, including all associated access keys and policy attachments. Use this command with caution as the action is irreversible. ```bash # Remove an IAM user (WARNING: permanent) ape aws users remove my-signer # Output: # Removed my-signer (arn:aws:iam::123456789012:user/my-signer) ``` -------------------------------- ### Revoke KMS Key Access (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Removes signing permissions from IAM users for a specific KMS key. This is crucial for managing access control and revoking permissions when necessary. ```bash # Revoke key access from users ape aws keys revoke my-signing-key -u user1 # Output: # Key policies updated for my-signing-key ``` -------------------------------- ### Remove Access Token for IAM User (CLI) Source: https://context7.com/apeworx/ape-aws/llms.txt Deletes a specific access token from an IAM user. This is a security measure to revoke credentials when they are no longer needed or compromised. ```bash # Remove an access token ape aws users tokens remove my-signer AKIA1234567890EXAMPLE # Output: # Access key AKIA1234567890EXAMPLE removed from my-signer ``` -------------------------------- ### Delete User Account in Ape AWS Source: https://context7.com/apeworx/ape-aws/llms.txt This function deletes a user account within the Ape AWS plugin. It first ensures that all associated access keys and policies are removed before proceeding with the user deletion. This is a crucial step for maintaining security and compliance when managing user accounts in AWS. ```python user.delete() ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.