Cloudformation Modules cfn submit doesn't support different profile credential - amazon-web-services

I'm starting to learn CloudFormation Modules.
When I run cfn submit to register the module, it goes to my AWS default credentials,
and I'm not able to run cfn submit --profile $profile_name.
It shows this below:
cfn: error: unrecognized arguments: --profile $profile_name
And when I use -h to check, it looks like it currently doesn't support this argument?
cfn submit --help
usage: cfn submit [-h] [-v] [--dry-run] [--endpoint-url ENDPOINT_URL] [--region REGION] [--set-default] [--role-arn ROLE_ARN | --no-role]
This sub command uploads the resource type to CloudFormation. Projects can be created via the 'init' sub command.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Increase the output verbosity. Can be specified multiple times.
--dry-run Package the project, but do not submit.
--endpoint-url ENDPOINT_URL
CloudFormation endpoint to use.
--region REGION AWS Region to submit the resource type.
--set-default If registration is successful, set submitted version to the default.
--role-arn ROLE_ARN Role ARN that CloudFormation will use when invoking handlers.
--no-role Register the type without an explicit execution role (Will not be able to invoke AWS APIs).
I'm wondering how to create modules if I have multiple accounts and I want to use the profile option.
Thanks for any help!

Related

Why the command aws iam list-users not working?

aws iam list-users command not working
I have setup AWS CLI in Windows. The path has been added under the system environment variable.
When I try the commands aws --version and aws configure, it is successful. But to see the list of users the command aws iam list-users is throwing this error:
'more' is not recognized as an internal or external command, operable program or batch file.
I am stuck. Could anyone help please?
It sounds like the AWS CLI is trying to use an output paginator that is not in the path.
Put simply, AWS CLI sends its output via a utility that lets you 'page' through the results. In your case, it is trying to use the more command.
You can tell the AWS CLI not to use a paginator by putting this in the .aws/config file:
[default]
cli_pager=
For more details, see: Using AWS CLI pagination options - Client-side pager - AWS Command Line Interface

AWS CDK deploy from circleCi fails with credential error but other aws services do not

I am running a cdk deploy build on CircleCI, and when the step CDK deploy comes it gives me "Need to perform AWS calls for account ************, but no credentials have been configured".
But for troubleshooting I tried other commands as well, like
aws s3 ls
aws cloudformation list-stacks
These commands were working fine, and I was also able to run a command to create a CloudFormation stack with the same config, but not able to run cdk deploy. The access key and secret I am using have Admin access.
Set the creds with a profile name using the aws-cli orb in CircleCI and
try using the command below to deploy with CDK:
cdk deploy --all --profile cdkprofile
For reference, in CircleCI:
orbs:
  aws-cli: circleci/aws-cli@2.0.3
commands:
  env-setup:
    description: AWS Env Setup
    steps:
      - aws-cli/setup:
          profile-name: cdkprofile
          aws-access-key-id: AWS_ACCESS_KEY_ID
          aws-secret-access-key: AWS_SECRET_ACCESS_KEY
The assumption is that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set as CircleCI env variables.
As a starting note: the best way to troubleshoot is with cdk [command] --verbose (see the CLI ref).
CDK has an internal mechanism for finding credentials and does not directly use the AWS CLI (the AWS CLI is not a requirement for CDK to run).
In a similar situation with a CI tool, the issue was simply that the ~/.aws/credentials file did not exist (not that you need it with the AWS CLI, but in the situation for CDK, it was required).
Credit to this issue report: https://github.com/aws/aws-cdk/issues/6947#issue-586402006
Solution tested for the above:
For an EC2 instance running the CI tool, with an EC2 IAM role,
where ~/.aws/config exists and defines profile(s) with:
  credential_source = Ec2InstanceMetadata
  role_arn = arn:aws:iam:::role/role-to-assume-in-acctId
Create an empty ~/.aws/credentials file.
Example error for the problem solved above (from verbose output):
Resolving default credentials
Notices refreshed
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile myprofile did not include credential process
Other causes found in other issues/comments could relate to:
Duplicate profiles
Having credential_process in the profile, set to empty
Needing --profile parameter to be added
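The answer above lists three config-level causes (a missing ~/.aws/credentials file, duplicate profiles, and an empty credential_process). The following check script is an added example, not code from the answer or from the CDK project; it lints a constructed ~/.aws/config text for exactly those three conditions so they can be caught before a CI run. The account id in the sample role ARN is a made-up placeholder.

```python
import re
from pathlib import Path

# Constructed sample ~/.aws/config reproducing the pitfalls listed above;
# the account id in the role ARN is a placeholder, not a real account.
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile myprofile]
credential_source = Ec2InstanceMetadata
role_arn = arn:aws:iam::123456789012:role/role-to-assume-in-acctId
credential_process =

[profile myprofile]
region = eu-west-1
"""

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def lint_aws_config(text, credentials_file_exists):
    """Return findings for: empty credential_process, duplicate profile
    sections, and a missing ~/.aws/credentials file."""
    findings = []
    section_counts = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            section_counts[current] = section_counts.get(current, 0) + 1
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            if key == "credential_process" and value == "":
                findings.append(f"[{current}] has an empty credential_process")
    for name, count in section_counts.items():
        if count > 1:
            findings.append(f"[{name}] is defined {count} times")
    if not credentials_file_exists:
        findings.append("~/.aws/credentials is missing (create an empty file)")
    return findings


if __name__ == "__main__":
    creds_path = Path.home() / ".aws" / "credentials"
    for finding in lint_aws_config(SAMPLE_CONFIG, creds_path.exists()):
        print("WARNING:", finding)
```

Point it at the real file with `lint_aws_config(Path("~/.aws/config").expanduser().read_text(), creds_path.exists())` in the CI job's setup step.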

initiate aws ssm from jenkins in one account to ec2 in another instance for data transfer

Background:
I have Jenkins installed in AWS Account #1 (account1234) and it has the IAM role Role-Jenkins attached to it. GitHub is configured with Jenkins.
When I click build job in Jenkins, Jenkins pulls all the files from GitHub and they can be found in
/var/lib/jenkins/workspace/.
There's an application running in AWS Account #2 (account5678) in an EC2 instance (i-xyz123) and the project files are in /home/app/all_files/; this EC2 instance has the role app-role attached to it.
What I'm trying to achieve:
When I click build, I want Jenkins to push files from account 1234 to account 5678 by opening an SSM session from Jenkins to the EC2 instance on which the app is running.
What I tried:
In Jenkins, as part of the build shell script, I added:
aws ssm send-command --region us-east-1 --instance-ids i-xyz123 --document-name AWS-RunShellScript --comment "IP config" --parameters commands=ifconfig --output text
to test it. (If successful, I want to pass cp var/lib/jenkins/workspace/ /home/app/all_files/ as the command.)
Error:
An error occurred (AccessDeniedException) when calling the SendCommand operation: User: arn:aws:sts::account1234:assumed-role/Role-Jenkins/i-01234abcd is not authorized to perform: ssm:SendCommand on resource: arn:aws:ec2:us-east-1:account1234:instance/i-xyz123
Build step 'Execute shell' marked build as failure
Finished: FAILURE
Issue 1: instance/i-xyz123 is in account5678, but the error above shows SSM trying to connect to the instance in account1234 (which shouldn't be happening).
Q1: How do I update my command so that it tries to open an SSM session with instance/i-xyz123 present in account5678 to accomplish what I'm trying to do?
I believe I would also need to add each role as a trusted relationship to the other.
(Note: I want to do it via Session Manager as I won't have to deal with credentials of any sort.)
If I've understood correctly then you're right; to interact with the resources in account5678, there needs to be a trust relationship so that the Jenkins account can assume the relevant role in account5678 and call SSM from there.
Once you've configured the role relationship (ref: IAM cross account roles),
you should be able to achieve what you need by assuming the role first in your shell script and then running the ssm command. That way Jenkins will use the temp creds and execute the command in the correct account (5678).
This site steps through it pretty well:
Tom Gregory - Jenkins Assume Role
If you just Cmd/Ctrl+F on that page and search for 'shell' you should get to the section you need. Hope this somewhat helps.

AWS SAM deployed Error under hello world template

I'm currently working on AWS serverless Lambda function deployment and am trying to distribute and test it with AWS SAM. However, when I followed the AWS SAM hello world template tutorial on the official website, I couldn't deploy my code to AWS.
I've already:
Assigned a working IAM account
Installed every package we need for AWS SAM (brew, aws-sam-cli, etc.)
Set up the AWS configuration
Used a function template provided by AWS
Yet, I got this error message:
Error: Stack aws-sam-cli-managed-default is missing Tags and/or
Outputs information and therefore not in a healthy state (Current
state:aws-sam-cli-managed-default). Failing as the stack was likely
not created by the AWS SAM CLI
Took me a minute to figure out too.
Open up CloudFormation in AWS and delete the aws-sam-cli-managed-default stack then try to redeploy.
Every time your deploy fails you'll likely have to do this again.
It's an AWS credentials error - because you didn't configure it right or didn't configure it at all.
If you don't have the AWS CLI installed on your computer, find the AWS CLI installer for
your filesystem; for Mac it's https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-mac.html.
Go to https://console.aws.amazon.com/iam and create a new user with AdministratorAccess permission and get the aws_access_key_id and aws_secret_access_key.
Go to your terminal and type aws configure.
Enter your credentials.
Try to run sam build && sam deploy --guided.
Now it should work.
Like @Eli Meiler says, it may well be a credential issue. If you need to see more details here, try
$ aws cloudformation describe-change-set --change-set-name InitialCreation --stack-name aws-sam-cli-managed-default
...FAILED User: arn:aws:iam::123:user/<human user> is not authorized to perform:
cloudformation:CreateChangeSet
on resource: arn:aws:cloudformation:eu-central-1:aws:transform/Serverless-2016-10-31
with an explicit deny in an identity-based policy
EDIT
Even though I had full permissions in that AWS account, what I was not aware of was that MFA / 2-factor auth is kind of troublesome here.
The advice that worked for me was this GitHub comment:
generate an STS token,
set the env vars, and
then try sam deploy --guided again.
$ aws sts get-session-token --serial-number arn:aws:iam::<account_id>:mfa/<human.user> --duration-seconds 15000 --token-code 123456
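Both the SSM answer above (assume a role, then run the command with the temp creds) and this EDIT (get-session-token with MFA, then set the env vars) end with the same step: turning the Credentials block that `aws sts assume-role` and `aws sts get-session-token` both return into AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN. This helper is an added example, not code from either answer; the STS response it parses is a constructed sample with placeholder values, and the expiry check is an assumption about what a build step should verify before it runs.

```python
import json
import os
import shlex
from datetime import datetime, timezone

# Constructed sample in the shape both STS commands return; the key values
# are fake placeholders, not real credentials.
SAMPLE_STS_JSON = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "example-secret-placeholder",
    "SessionToken": "example-session-token-placeholder",
    "Expiration": "2030-01-01T00:00:00+00:00"
  }
}"""

# STS response field -> environment variable the AWS CLI, CDK and SAM read
ENV_MAP = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def sts_env(response_json, now=None):
    """Map the Credentials block of an STS JSON response to env vars.
    Refuses credentials whose Expiration has already passed, so a stale
    token cached between build steps fails loudly instead of with a
    confusing AccessDenied later."""
    creds = json.loads(response_json)["Credentials"]
    # CLI v2 emits "+00:00"; older output may use "Z", which fromisoformat
    # only accepts on Python 3.11+, so normalise it first.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError("temporary credentials already expired")
    return {env_name: creds[field] for field, env_name in ENV_MAP.items()}


def export_lines(env):
    """Render shell `export` lines (values quoted) for use in a build step."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in env.items())


if __name__ == "__main__":
    env = sts_env(SAMPLE_STS_JSON)
    os.environ.update(env)  # later subprocesses (sam deploy, aws ssm ...) inherit these
    print(export_lines(env))
```

In a real pipeline, feed `sts_env` the stdout of the `aws sts get-session-token` or `aws sts assume-role --output json` call rather than the sample.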

How to run an AWS CLI: Elastic Beanstalk Wait command in Azure DevOps

The structure of the wait command is:
$ aws <command> wait <subcommand> [options and parameters]
However in DevOps it only seems to support:
$ aws <command> <subcommand> [options and parameters]
See example below where there is a Command and Subcommand. Where does the Wait go? I'm trying to run this command https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticbeanstalk/wait/environment-updated.html
I had to set the Subcommand to wait and move environment-updated down into the Options and parameters.
It looks like you won't be able to do this using the extension. However, you have the AWS CLI installed on the agent, so what you need is to set up a few variables and then call your commands from a PowerShell step.
Supply standard AWS environment variables in the build agent process
You can specify credentials with standard named AWS environment variables. These variables can be used to get credentials from a custom credentials store.
The following are all the supported standard named AWS environment variables:
AWS_ACCESS_KEY_ID – IAM access key ID.
AWS_SECRET_ACCESS_KEY – IAM secret access key.
AWS_SESSION_TOKEN – IAM session token.
AWS_ROLE_ARN – Amazon Resource Name (ARN) of the role you want to assume.
AWS_REGION – AWS Region code, for example, us-east-2.
You can also create a feature request on GitHub to support the wait command in the extension.