Associate AWS Credentials with ASK CLI

If you are managing an Alexa skill through the Alexa Skills Kit Command Line Interface (ASK CLI), and this Alexa skill uses an AWS Lambda function, then you require the credentials for an AWS account. ASK CLI accesses these in a credential file found in the following location:

  * Linux/Mac: ~/.aws/credentials
  * Windows:  %USERPROFILE%\.aws\credentials

If you are already an Amazon Web Services developer, you likely have these credentials already, although you must still verify that the credentials you are using have the permissions described in the policy shown below. Otherwise, to obtain these credentials, follow these instructions.

  1. Open the IAM Identity and Access Management Console. Sign in with your AWS account that you use to create AWS Lambda functions for your Alexa skills.
  2. Click Policies in the left-hand menu.
  3. Click Create Policy and click the JSON tab. Copy the following policy into the JSON tab, replacing the text that is there.
    {
      "Version": "2012-10-17",
      "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:GetRole",
        "iam:AttachRolePolicy",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/ask-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:CreateFunction",
        "lambda:GetFunction",
        "lambda:UpdateFunctionCode",
        "lambda:ListFunctions"
      ],
      "Resource": "arn:aws:lambda:*:*:function:ask-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:FilterLogEvents",
        "logs:getLogEvents",
        "logs:describeLogStreams"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/ask-*"
    }
      ]
    }
    
  4. Save the policy with name of your choice. You will now attach this policy to a user.
  5. Click Users in the left-hand menu.
  6. Click Add user.
  7. Enter the desired User name. For the AWS access type, select both Programmatic access and AWS Management Console access.
  8. Click Required password reset, if desired.
  9. Click Next permissions. In order to complete skill-related tasks, the user profile requires the policy you created. You can attach the policy you created to the user directly. You can also create a user group with the appropriate policies and add a user to it. For more information about creating users and user groups, see the related AWS documentation.
  10. To attach the policy to the user, click Attach existing policies directly. Select the policy you just created. Search for it if required.
  11. Click Next: review. Review the page. If it appears as expected, click Create user. A Success page occurs, containing the access key and secret access key. You can click Show to see the key. Download the CSV file that contains those. Keep the AWS console open, as you will need to copy and paste the keys in the next steps.
  12. Next, you will initialize ASK CLI to configure the AWS credentials. Run the CLI command ask init to configure a new ASK profile, or run ask init --aws-setup to configure the AWS credentials only. When prompted, enter the access key and the secret access key by copying and pasting it from the AWS console or the downloaded CSV file. Your credentials file will then be created automatically. See Quick Start Alexa Skills Kit Command Line Interface for more information on using ASK CLI.

If desired, you can locate your credentials file at the location listed at the top of the page and view its contents of your credentials file in a text editor.

This example shows the credential file format, with two non-default profiles included in addition to the default one.

[default]
aws_access_key_id = ACCESS_KEY
aws_secret_access_key = SECRET_KEY

[some_profile_name]
aws_access_key_id = ACCESS_KEY
aws_secret_access_key = SECRET_KEY

[another_profile_name]
aws_access_key_id = ACCESS_KEY
aws_secret_access_key = SECRET_KEY

Each set of credentials represents a unique AWS profile. For example, if you have multiple AWS accounts, you can easily switch between them using multiple profiles.

If you are hosting your skill code as a web service with an HTTPS endpoint, or if you are managing your AWS Lambda functions separately, you can still use ASK CLI without AWS credentials.

When ASK CLI is initialized (ask init), you will be prompted to create an ASK profile by logging in through a browser window and associate it to an AWS profile to use for deployments to AWS Lambda. An ASK profile represents the AWS profile plus the Amazon developer account used for Alexa skill deployments. ASK profile and AWS profile can have different names, and you can have multiple ASK profiles associated with a single AWS profile, if desired. You might do this if you have skills in multiple Amazon developer accounts, but the skills are backed by AWS Lambda functions in one AWS account.

When running other commands in the CLI, you can specify the name of the ASK profile you want to use using the --profile option, or you can set the environment variable ASK_DEFAULT_PROFILE to the desired profile name. ASK CLI will check --profile first, then ASK_DEFAULT_PROFILE environment variable, and then finally fall back to the "default" ASK profile.

For example, to initialize with an ASK profile named "some_profile_name", the command is:

ask init -p some_profile_name