Your Alexa Dashboards Settings

Set Up Credentials for an Amazon Web Services (AWS) Account

If you are managing an Alexa skill through the Alexa Skills Kit Command-Line Interface (ASK CLI), and this Alexa skill uses an AWS Lambda function, then you require the credentials for an AWS account. ASK CLI accesses these in a credential file found in the following location:

  * Linux/Mac: ~/.aws/credentials 
  * Windows:  %USERPROFILE%\.aws\credentials 

If you are already an Amazon Web Services developer, you likely have these credentials already, although you must still check the permissions for the user as described in #6 below. Otherwise, to obtain these credentials, follow these instructions:

  1. Open the IAM Identity and Access Management Console. Sign in with your AWS developer account that you use to create AWS Lambda functions for your Alexa skills.
  2. Click Users in the left-hand menu.
  3. Click Add user.
  4. Enter the desired User name. For the AWS access type, select both Programmatic access and AWS Management Console access.
  5. Click Required password reset, if desired.
  6. Click Next permissions. In order to complete skill-related tasks, the user requires various policies. If you attach the policies to the user directly, attach the following policy. You can also create a user group with the appropriate policies and add a user to it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:GetRole",
        "iam:AttachRolePolicy",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/ask-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:CreateFunction",
        "lambda:GetFunction",
        "lambda:UpdateFunctionCode",
        "lambda:ListFunctions"
      ],
      "Resource": "arn:aws:lambda:*:*:function:ask-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:FilterLogEvents",
        "logs:getLogEvents",
        "logs:describeLogStreams"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/ask-*"
    }
  ]
}

For more information about creating users and user groups, see the related AWS documentation.

  1. Click Next: review.
  2. Review the page. If it appears as expected, click Create user. A Success page occurs, containing the access key and secret access key. Download the Excel file containing those.
  3. Using a text editor, edit your credentials file on your computer, at the location shown above, to contain this information. Follow the format shown below, and include at least the default profile. You can keep multiple sets of credentials for multiple profiles in the same file. ASK CLI will use the default credentials unless prompted to use a different set, as described in the following section.

This example shows the credential file format, with two non-default profiles included in addition to the default one.

[default]
aws_access_key_id = ACCESS_KEY
aws_secret_access_key = SECRET_KEY

[some_profile_name]
aws_access_key_id = ACCESS_KEY
aws_secret_access_key = SECRET_KEY

[another_profile_name]
aws_access_key_id = ACCESS_KEY
aws_secret_access_key = SECRET_KEY

Each set of credentials represents a unique profile. For example, if you want developers, each with their own developer account, to have access to the same skills, you can enter the credentials for each of these developer accounts in the credentials file, naming each profile with the desired name.

If you are hosting your skill code as a web service, then you can still use ASK CLI, and you do not require AWS credentials.

How to Use a Non-Default Profile

By default, the default profile in the credentials file is used when ASK CLI is initialized. You can specify a different profile, or you can set the environment variable ASK_DEFAULT_PROFILE to your current running profile. ASK CLI will check --profile first, then ASK_DEFAULT_PROFILE profile, and then the “default” profile. Note that ASK_DEFAULT_PROFILE refers to the ASK profile which represents the AWS profile plus the Alexa Skills Kit developer account. The profiles in the AWS credentials file refer only to the AWS profile.

For example, to initialize with a profile named “some_profile_name”, the command is:

ask init -p some_profile_name