Gracias por tu visita. Esta página solo está disponible en inglés.

Manage Credentials with ASK CLI

The Alexa Skills Kit Command Line Interface (ASK CLI) stores your Amazon developer credentials so that it can authenticate you when you clone an existing skill, deploy a skill, or otherwise interact with Amazon developer services. If you use ASK CLI to manage skills that use AWS Lambda for the skill's backend code, then it also stores a reference to your Amazon Web Services (AWS) credentials. The following sections explain how to set up and manage your Amazon developer and AWS credentials with ASK CLI.

Understand profiles

ASK CLI uses profiles, which you can think of as containers that store sets of credentials. With profiles, you can configure sets of different Amazon developer and AWS credentials and use any of them with ASK CLI. Profiles make it easier to manage skills that are owned by different Amazon developer organizations, and backend code in AWS Lambda that is owned by different AWS accounts. The following sections explain how you can configure different sets of credentials into profiles.

By default, ASK CLI stores Amazon developer credentials in the profile named default. Use the default profile when you have only one set of Amazon developer credentials. When you need to use more than one set of Amazon developer credentials, use the ask init command to create a new profile. Then use the -p or --profile option with an ASK CLI command to specify which profile to use, or use an environment variable named ASK_DEFAULT_PROFILE. Set the variable's value to the name of the profile that you want ASK CLI to use, for example profile_2.

Order of precedence for profiles

ASK CLI searches for profiles in the following order:

  1. When an ASK CLI command uses the -p or --profile option, ASK CLI uses the profile specified with that option.
  2. When the command doesn't use the -p or --profile option, ASK CLI uses the profile that's specified in the value of the ASK_DEFAULT_PROFILE environment variable.
  3. When the command doesn't use the -p or --profile option and there's no ASK_DEFAULT_PROFILE environment variable, ASK CLI uses the profile named default in the ASK CLI configuration file, named cli_config.

    For more information about the configuration file, see Manage your Amazon developer credentials directly.

For information about the profiles that are stored in the ASK CLI configuration file, use the ask init --list-profiles command.

Configure credentials with the 'ask init' command

Use the ask init command to set up your Amazon developer and AWS credentials with ASK CLI.

When you run ask init for the first time, ASK CLI opens a web browser so you can sign in to your Amazon Developer account. After you sign in to your Amazon developer account, use the web page to allow ASK CLI the access that it needs. Then ASK CLI creates a configuration file and stores your Amazon developer credentials in the file in a profile named default. For more information about the configuration file, see Manage your Amazon developer credentials directly.

When the ASK CLI has a configuration file, and then you run ask init, ASK CLI asks whether you want to overwrite an existing ASK CLI profile or create a new one. ASK CLI also searches for existing AWS profiles, and if found, asks whether you want to use an existing AWS profile or create a new one. For more information about how AWS credentials work with ASK CLI, see Manage your AWS credentials directly.

To use ask init in an environment without a web browser, add the --no-browser option (ask init --no-browser).

To see the full syntax and all available options for the ask init command, see init command in the ASK CLI Command Reference.

Manage your Amazon developer credentials directly

You can use the ask init command to manage the Amazon developer credentials that ASK CLI uses. With ask init, you can perform the following tasks:

  • Use ask init to create a new profile or overwrite an existing one.
  • Use ask init --list-profiles to view a list of your existing ASK CLI profiles and their associated AWS profiles.
  • Use ask init -p <profile name> to create or overwrite a specific profile.

You can also manage the Amazon developer credentials that ASK CLI uses by directly editing the ASK CLI configuration file or by using the ASK CLI environment variables, as explained in the following sections.

ASK CLI configuration file

The ASK CLI configuration file is stored in your home directory, in a folder named .ask, in a file named cli_config. The following example shows the contents of the ASK CLI configuration file.

{
  "profiles": {
    "default": {
      "aws_profile": "ask_cli_default",
      "token": {
        "access_token": "Atza| ... ",
        "refresh_token": "Atzr| ... ",
        "token_type": "bearer",
        "expires_in": 3600,
        "expires_at": "2019-01-21T01:13:37.228Z"
      },
      "vendor_id": "ABCD1234 ..."
    },
    "profile2": {
      "aws_profile": "ask_cli_2",
      "token": {
        "access_token": "Atza| ... ",
        "refresh_token": "Atzr| ... ",
        "token_type": "bearer",
        "expires_in": 3600,
        "expires_at": "2019-01-21T02:02:07.833Z"
      },
      "vendor_id": "ABCD1234 ..."
    }
  }
}

You can edit this file directly to make changes to your ASK CLI profiles. For example, you can change a profile name, change the associated AWS profile, or change the Amazon developer vendor ID.

AWS profile

The value of aws_profile represents a profile in the AWS configuration file. For more information about AWS profiles, see Manage your AWS credentials directly.

Vendor ID

The value of vendor_id represents the Amazon developer vendor ID associated with the ASK CLI profile. Every Amazon developer account has a customer ID and one or more vendor IDs. To see them, go to https://developer.amazon.com/mycid.html and sign in with your Amazon developer account. When you run ask init and sign in to an Amazon developer account with more than one vendor ID, ASK CLI asks you to choose the one to use.

Associate a profile with the environment variables

You can store your Amazon developer credentials in environment variables instead of using the ASK CLI configuration file. In this case, you don't need the ASK CLI configuration file at all. For more information, see ASK CLI environment variables.

ASK CLI environment variables

You can use the ASK CLI environment variables in conjunction with or in addition to the ASK CLI configuration file. The following list describes the ASK CLI environment variables.

ASK_DEFAULT_PROFILE
Use this environment variable in conjunction with the ASK CLI configuration file. When you set the value of this environment variable to one of the profiles in the configuration file, ASK CLI uses the credentials in that profile.
ASK_ACCESS_TOKEN
Use this environment variable to store an Amazon developer access token. When this environment variable exists, ASK CLI uses it instead of the credentials in the configuration file.
ASK_REFRESH_TOKEN
Use this environment variable to store an Amazon developer refresh token. When this environment variable exists, ASK CLI uses it instead of the credentials in the configuration file. When this environment variable and ASK_ACCESS_TOKEN both exist, ASK CLI uses this one.
ASK_VENDOR_ID
Use this environment variable to store an Amazon developer vendor ID. When this environment variable exists, ASK CLI uses it instead of the one it the configuration file.

Manage your AWS credentials directly

If you use ASK CLI to create and manage skills that use AWS Lambda for the skill's backend code, then you need AWS credentials. If you're an AWS developer, you might already have AWS credentials. If you don't already have AWS credentials or you're not sure, see Create AWS credentials.

You can use the ask init command to manage the AWS credentials that ASK CLI uses. With ask init, you can perform the following tasks:

  • Use ask init --aws-setup to create a new AWS profile or overwrite an existing one.
  • Use ask init --list-profiles to view a list of your existing ASK CLI profiles and their associated AWS profiles.

You can also manage the AWS credentials that ASK CLI uses by directly editing the AWS credentials file or by using the AWS environment variables, as explained in the following sections.

AWS credentials file

If you're an AWS developer, you might already have AWS credentials stored in the AWS credentials file. For more information about how to create AWS credentials to use with ASK CLI, see Create AWS credentials.

ASK CLI uses the AWS credentials stored in the AWS credentials file, if one exists. When you use the ask init command to configure AWS credentials, ASK CLI adds them to the AWS credentials file, creating the file if necessary. By default, ASK CLI stores your AWS credentials in a profile named ask_cli_default in the AWS credentials file.

For more information about the AWS credentials file, see Configuration and Credential Files and Named Profiles in the AWS documentation.

AWS environment variables

You can store AWS credentials in environment variables instead of the AWS credentials file. If the AWS environment variables exist, ASK CLI uses them instead of the values in the AWS credentials file. ASK CLI searches for the following AWS environment variables:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

For more information about the AWS environment variables, see Environment Variables in the AWS documentation.

Create AWS credentials

If you use ASK CLI to create and manage skills that use AWS Lambda for the skill's backend code, then you need AWS credentials. If you're an AWS developer, you might already have AWS credentials. If you don't already have AWS credentials or you're not sure, follow these instructions to create them.

To create AWS credentials

  1. Sign in to the AWS Management Console.
  2. Open the IAM console. AWS IAM (Identity & Access Management) is the service that you use to manage AWS credentials.
  3. Click Policies, then click Create policy.
  4. On the Create policy page, do the following:
    1. Click the JSON tab, then delete the contents of the policy field.
    2. Copy the following policy, then paste it in the policy field.
      {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": [
            "iam:CreateRole",
            "iam:GetRole",
            "iam:AttachRolePolicy",
            "iam:PassRole",
            "lambda:AddPermission",
            "lambda:CreateFunction",
            "lambda:GetFunction",
            "lambda:UpdateFunctionCode",
            "lambda:ListFunctions",
            "logs:FilterLogEvents",
            "logs:getLogEvents",
            "logs:describeLogStreams"
          ],
          "Resource": "*"
        }
      }
      
    3. Click Review policy.
  5. On the Review policy page, do the following:
    1. For Name, enter a name for the policy. For example, ASK-CLI.
    2. (Optional) For Description, enter a description. For example, Allows the permissions that ASK CLI needs.
    3. Click Create policy.
  6. Click Users, then click Add user.
  7. On the Set user details page, do the following:
    1. In the User name field, enter a name for the user. For example, ASK-CLI.
    2. For Access type, select the Programmatic access check box.
    3. Click Next: Permissions.
  8. On the Set permissions page, do the following:
    1. Make sure Add user to group is selected.
    2. Click Create group. Then, in the Create group window, do the following:
      1. In the Group name field, enter a name for the group. For example, ASK-CLI.
      2. Click Filter policies, then select the Customer managed check box.
      3. Select the check box next to the name of the policy that you created previously (step 5). If you followed these steps exactly, the policy name is ASK-CLI.
      4. Click Create group.
    3. Click Next: Tags.
  9. Click Next: Review.
  10. Click Create user.
  11. On the Success page, click Download .csv to download a copy of the user's access key. Save the file in a safe location.

The file that you downloaded in the final step is named credentials.csv. This file contains the AWS IAM user's access key ID and secret access key. Use these values when you configure AWS credentials with the ASK CLI's ask init command.