AWS Auth Runbook — alai-cli-deployer IAM key (MC #9523)
AWS Auth Runbook (post-MC #9523)
Status
Active as of 2026-04-27. IAM access key created, activated, verified.
Primary auth
- IAM User: alai-cli-deployer
- UserId: AIDAUXDEHCNUHSS72WSYC
- Arn: arn:aws:iam::324480209768:user/alai-cli-deployer
- Access Key ID: AKIAUXDEHCNUBIP6OGV5
- Credentials file: ~/.aws/credentials profile [alai-cli-deployer] (mode 0600)
- Bitwarden item: "AWS IAM Access Key — alai-cli-deployer" (ID: 0605acce-fb80-4a36-ac11-3b55ffe66a3e)
- Primary region: eu-west-1 (Drop App Runner + ECR)
- Secondary region: eu-north-1
Shell activation
AWS_PROFILE=alai-cli-deployer is exported in ~/.zshrc (added MC #9523, 2026-04-27). No interactive login needed. All aws commands use this profile by default.
Override for a single command: AWS_PROFILE=alai-cli-deployer aws
Daily use
No login needed. All aws CLI commands authenticate via the access key in ~/.aws/credentials.
Verification at any time: aws sts get-caller-identity
Expected: UserId AIDAUXDEHCNUHSS72WSYC, Arn arn:aws:iam::324480209768:user/alai-cli-deployer
aws apprunner list-services --region eu-west-1
aws ecr describe-repositories --region eu-west-1
IAM Policies (as of MC #9523, 2026-04-27)
Policy | Rationale
AWSAppRunnerFullAccess | Drop deploy - create/update/start App Runner services
AmazonEC2ContainerRegistryFullAccess | Push/pull Docker images to ECR (Drop API + Web)
SecretsManagerReadWrite | Read/write Drop secrets (DB, API keys)
AmazonS3FullAccess | Build artifacts, CodeBuild source/output buckets
CloudWatchLogsFullAccess | App Runner + CodeBuild runtime logs
AWSCodeBuildAdminAccess | MC #9540 Drop CodeBuild (future)
Key rotation (every 90 days - next due 2026-07-26)
- Create new access key: aws iam create-access-key --user-name alai-cli-deployer > /tmp/new-key.json
- Update credentials file (use Python, do NOT print secret to terminal):
python3 -c "
import os, json, configparser
new = json.load(open('/tmp/new-key.json'))['AccessKey']
cfg_path = os.path.expanduser('~/.aws/credentials')
config = configparser.ConfigParser()
config.read(cfg_path)
config['alai-cli-deployer']['aws_access_key_id'] = new['AccessKeyId']
config['alai-cli-deployer']['aws_secret_access_key'] = new['SecretAccessKey']
with open(cfg_path, 'w') as f:
    config.write(f)
os.chmod(cfg_path, 0o600)
print('Updated:', new['AccessKeyId'])
"
- Verify: AWS_PROFILE=alai-cli-deployer aws sts get-caller-identity
- Delete old key: aws iam delete-access-key --user-name alai-cli-deployer --access-key-id OLD_KEY_ID
- Update Bitwarden item 0605acce-fb80-4a36-ac11-3b55ffe66a3e with new key values
- Shred temp file: shred -u /tmp/new-key.json
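The rotation steps above as an added example (not the runbook's own one-liner): the credentials-file update as a function that keeps other profiles intact, creates the profile section when it is missing (the recovery case), writes a 0600 temp file and renames it so a crash never leaves the file half written, and returns the old key id for the delete step. The profile name is the runbook's; the fixture key ids and secrets in demo_rotation are constructed.

```python
# Added example (not the runbook's own one-liner): the rotation update step
# as a function that preserves other profiles and never exposes the secret.
import configparser, json, os, stat, tempfile

PROFILE = "alai-cli-deployer"  # profile name from the runbook

def load_new_key(path):
    """Parse `aws iam create-access-key` JSON; return (key_id, secret)."""
    with open(path) as f:
        key = json.load(f)["AccessKey"]
    if not key["AccessKeyId"].startswith("AKIA"):  # long-term IAM key ids
        raise ValueError("unexpected access key id format")
    return key["AccessKeyId"], key["SecretAccessKey"]

def update_credentials(cfg_path, profile, key_id, secret):
    """Swap only `profile`'s key pair. Other profiles are kept, a missing
    section is created (recovery case), and the file is written to a 0600
    temp file and renamed, so a crash never leaves it half written."""
    config = configparser.ConfigParser(interpolation=None)  # '%' is literal
    config.read(cfg_path)
    if not config.has_section(profile):
        config.add_section(profile)
    old_id = config[profile].get("aws_access_key_id")
    config[profile]["aws_access_key_id"] = key_id
    config[profile]["aws_secret_access_key"] = secret
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(cfg_path) or ".")
    with os.fdopen(fd, "w") as f:
        config.write(f)
    os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
    os.replace(tmp, cfg_path)
    return old_id  # the id to pass to `aws iam delete-access-key` later

def demo_rotation():
    """Run the update on a constructed credentials file in a temp dir."""
    d = tempfile.mkdtemp()
    cfg, key_file = os.path.join(d, "credentials"), os.path.join(d, "new.json")
    with open(cfg, "w") as f:  # constructed fixture: two profiles
        f.write("[default]\naws_access_key_id = AKIAOLDDEFAULT000000\n"
                "aws_secret_access_key = defaultsecret\n"
                f"[{PROFILE}]\naws_access_key_id = AKIAOLDDEPLOYER00000\n"
                "aws_secret_access_key = oldsecret\n")
    with open(key_file, "w") as f:  # constructed create-access-key output
        json.dump({"AccessKey": {"AccessKeyId": "AKIANEWDEPLOYER00000",
                                 "SecretAccessKey": "newsecret"}}, f)
    old = update_credentials(cfg, PROFILE, *load_new_key(key_file))
    after = configparser.ConfigParser(interpolation=None)
    after.read(cfg)
    return {"old": old, "new": after[PROFILE]["aws_access_key_id"],
            "default": after["default"]["aws_access_key_id"],
            "mode": stat.S_IMODE(os.stat(cfg).st_mode)}
```

In real use, call update_credentials with os.path.expanduser("~/.aws/credentials") and the /tmp/new-key.json path from the first step, then print only the returned old key id, never the secret.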
Recovery (if credentials file lost)
- Retrieve key from Bitwarden (session key obtained from bw unlock at run time, not stored here): BW_SESSION="$(bw unlock --raw)" bw --nointeraction get item 0605acce-fb80-4a36-ac11-3b55ffe66a3e | jq -r '.login.username, .login.password'
- Re-create ~/.aws/credentials profile with recovered values (mode 0600)
- Verify: AWS_PROFILE=alai-cli-deployer aws sts get-caller-identity
Recovery (if Bitwarden unavailable - last resort)
- Authenticate as a user with IAM admin access
- Create new access key: aws iam create-access-key --user-name alai-cli-deployer
- Update credentials file + Bitwarden
- Delete old key after verification
Security notes
- Credentials file at ~/.aws/credentials is local convenience copy (mode 0600)
- Bitwarden (vault.basicconsulting.no) is source of truth for recovery
- DO NOT print SecretAccessKey to terminal - always write directly to file via Python
- DO NOT commit credentials to any git repo
- AWS account: 324480209768 (ALAI)
- IAM user has NO console access (programmatic only)
Services accessible with this profile
- App Runner: drop-api (RUNNING), drop-web (RUNNING) - eu-west-1
- ECR: drop-api, drop-web repositories - eu-west-1
- Secrets Manager: all secrets in account
- S3: all buckets
- CloudWatch Logs: all log groups
- CodeBuild: all projects (for MC #9540)