> ## Documentation Index
> Fetch the complete documentation index at: https://docs.backant.io/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS

> Using the built-in AWSClient and boto3 for S3, Cognito, and other AWS services.

BackAnt projects ship with a pre-built `AWSClient` wrapper in `api/apis/aws/AWSClient.py`. It wraps a `boto3.Session` and supports all three authentication methods: IAM credentials, AWS profiles, and ECS task role credentials.

## AWSClient

```python theme={null}
# api/apis/aws/AWSClient.py
import boto3

class AWSClient:
    def __init__(
        self,
        aws_access_key_id=None,
        aws_secret_access_key=None,
        aws_session_token=None,
        region_name=None,
        profile_name=None,
    ):
        if profile_name:
            self.session = boto3.Session(profile_name=profile_name, region_name=region_name)
        elif aws_access_key_id and aws_secret_access_key:
            self.session = boto3.Session(
                aws_access_key_id=aws_access_key_id,
                aws_secret_access_key=aws_secret_access_key,
            )
        else:
            # Falls back to ECS task role / instance profile credentials
            self.session = boto3.Session(region_name=region_name)
```

## Authentication methods

### IAM credentials (from environment)

Set the S3 credentials in your `.env`:

```env theme={null}
S3_ACCESS_KEY=AKIA...
S3_SECRET_KEY=abc123...
```

Then instantiate with them from `Environment.py`:

```python theme={null}
from startup.Environment import myEnvironment
from apis.aws.AWSClient import AWSClient

aws = AWSClient(
    aws_access_key_id=myEnvironment.S3_ACCESS_KEY,
    aws_secret_access_key=myEnvironment.S3_SECRET_KEY,
    region_name="eu-central-1",
)
```

### ECS task role (production)

When running on ECS, leave credentials empty and boto3 picks up the task role automatically:

```python theme={null}
aws = AWSClient(region_name="eu-central-1")
```

No credentials needed in `.env` — IAM permissions are attached to the ECS task definition.

### AWS profile (local development)

```python theme={null}
aws = AWSClient(profile_name="my-profile", region_name="eu-central-1")
```

## Using AWS services

Call `self.session.client()` to get a service client:

### S3

```python theme={null}
class StorageService:
    def __init__(self):
        self.aws = AWSClient(
            aws_access_key_id=myEnvironment.S3_ACCESS_KEY,
            aws_secret_access_key=myEnvironment.S3_SECRET_KEY,
            region_name="eu-central-1",
        )
        self.s3 = self.aws.session.client("s3")

    def upload_file(self, file_bytes: bytes, bucket: str, key: str):
        self.s3.put_object(Body=file_bytes, Bucket=bucket, Key=key)

    def get_file_url(self, bucket: str, key: str, expires_in: int = 3600):
        return self.s3.generate_presigned_url(
            "get_object",
            Params={"Bucket": bucket, "Key": key},
            ExpiresIn=expires_in,
        )

    def delete_file(self, bucket: str, key: str):
        self.s3.delete_object(Bucket=bucket, Key=key)
```

### SES (email)

```python theme={null}
ses = aws.session.client("ses", region_name="eu-central-1")
ses.send_email(
    Source="no-reply@yourapp.com",
    Destination={"ToAddresses": ["user@example.com"]},
    Message={
        "Subject": {"Data": "Welcome"},
        "Body": {"Text": {"Data": "Hello!"}},
    },
)
```

### Cognito

```python theme={null}
cognito = aws.session.client("cognito-idp", region_name=myEnvironment.COGNITO_REGION)

cognito.admin_create_user(
    UserPoolId=myEnvironment.COGNITO_USERPOOL_ID,
    Username="user@example.com",
    TemporaryPassword="Temp1234!",
)
```

## Adding a new external API

To add a new third-party API (e.g. Stripe, Google, Twilio):

1. Create a client wrapper in `api/apis/<name>/`:

```
api/apis/
├── aws/
│   └── AWSClient.py
└── stripe/
    └── StripeClient.py
```

2. Instantiate it as a singleton and inject it into the service that needs it.

3. Add any required credentials to `Environment.py` and `.env`.
