I have a few versions of a SecureString value in AWS Parameter Store. When the following command is invoked locally:
aws ssm get-parameter --with-decryption --name "/my/secret/path" --output text --query Parameter.Value
I get the latest version of the parameter. However, when this is enacted via a GitHub runner, it is only ever getting version 1 of the parameter. When I attempt to specify the version:
aws ssm get-parameter --with-decryption --name "/my/secret/path:4" --output text --query Parameter.Value
I get a message back saying that version 4 of the parameter doesn't exist, although the query does execute when run locally.
I have tried running it with Parameter.Version without the version number specified to confirm and have confirmed when I run it locally, version 4 comes back, but when the runner executes it, version 1 comes back.
AWS CLI 2.8.6 is being used both locally and on the Runner. The documentation says that this should be returning the latest version when no version is specified
Has anyone experienced this before and are there any tricks to getting this to work?
Much appreciation to Marcin above who very quickly pointed out that there may be a difference in accounts coming into effect. The secret had been updated in one but not the other, and the identical naming was throwing the investigation off. I was able to resolve this by updating the secret in both the account that the local environment and the GitHub environment were using.
Related
When I run
aws ec2 describe-images
on one EC2 machine, I get no results at all, not even an empty response.
However, when I run the same command with the same IAM user on another machine, I get the expected responses. My IAM user has AmazonEC2FullAccess, which includes DescribeImages.
I have tried rebooting the machine, aws configure, and updating all packages, and nothing has changed this behaviour.
Using the --debug option, I saw that this was a MemoryError.
As the command was running on a t2.nano instance, upgrading to a t2.micro solved this issue.
We are attempting to grant permissions (using the AWS CLI) for a user to have SELECT permissions on all tables in a database in AWS Lake Formation.
Based on documentation; Lake Formation Permissions Reference and Granting Table Permissions
We attempted the following command:
aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::000000000000:user/spongebob --permissions "SELECT" --permissions-with-grant-option "SELECT" --resource '{ ""Table"": { ""DatabaseName"": ""somedatabase"", ""TableWildcard"": {} } }'
Which returned the following error:
Parameter validation failed: Missing required parameter in Resource.Table: "Name" Unknown parameter in Resource.Table: "TableWildcard", must be one of: DatabaseName, Name
We tried some variations of the command (the documentation does say this needs to be an empty dictionary though), and we've come to the conclusion that it must be something to do with the API version that we are calling when executing the command.
Would anyone be able to confirm whether this is an API version issue, or if there is something missing from the documentation (linked above) we have missed.
Cheers
It's definitely a version mismatch. The same error was faced due to older boto3 version in lambda.
Update the aws cli and try again:
sudo pip3 install awscli --force-reinstall --upgrade
I'm using
GitBash v2.17.0
AWS CLI v1.16.67
Windows 10
Problem
I've created a SecureString parameter in the AWS SSM Parameter Store. For sake of example, let's call the parameter
/levelOne/levelTwo
I'm trying to retrieve the parameter using the AWS CLI. To do this I am using the following command:
aws ssm get-parameters --names '/levelOne/LevelTwo' --with-decryption
The problem is that the result returned is this:
As you can see, the parameter is being prefixed with C:/Program Files/Git.
Can anyone explain what I have done wrong please?
Thanks
This is caused by POSIX path conversion in MinGW.
You can work around this by substituting // for the leading /, and then replacing the subsequent forward slashes with backslashes, e.g.
aws ssm get-parameters --names '//levelOne\levelTwo'
This command will only run correctly in MinGW, i.e. it will fail in Bash or Windows CMD.
I faced the same issue.
Check the region selected while you create the parameter store from the console.
The reason for this is that Aws-ssm is regional service.
aws ssm get-parameters --names "/levelOne/LevelTwo" --region us-west-1 --with-decryption
i got it working by adding a space in front of the names parameter value. To get it working os independent.
aws ssm get-parameters --names " /levelOne/LevelTwo" --with-decryption
I am creating an aws ec2 instance using this tutorial, and I can't find any information on troubleshooting my issue, or any evidence that anyone else has even experienced this!
I used an IAM user with admin permissions to set up an ec2 instance, and when I run
$> aws ec2 get-console-output --instance-id <my-ec2-id>
a blank line is output, followed by
'Output'
and nothing else!
According to the tutorial, this command would enable me to see the remote RSA fingerprint to verify I'm making the right connection.
I can log into my ec2 instance just fine (though I suppose without the previous step there's no way to be absolutely sure).
Additionally, the IAM user I'm working with is not my CLI's default user, and I set up a profile to handle it. But if I try
$> aws ec2 get-console-output --profile <user-profile> --instance-id <my-ec2-id>
I still get the same results as before. The maddening thing is that I have solved this problem before, but I can't remember how.
Certain AWS CLI operations may not explicitly state if the credentials are invalid or if users are lacking the roles/permissions to access the resources defined. In this case, it is likely due to the Access Credentials being invalid - and you can verify this with a describe-instances or similar command.
In older versions of the CLI (~1.7), in order to easier debug this, you can use the --debug argument, such as:
> aws ec2 get-console-output --instance-id i-<id> --debug
<Errors><Error><Code>InvalidInstanceID.NotFound</Code><Message>The instance ID 'i-e7bffa43' does not exist</Message></Error></Errors>
In newer versions of the CLI (1.9) this particular argument gives a bit more detail in its error:
> aws ec2 get-console-output --instance-id i-<id>
A client error (InvalidInstanceID.NotFound) occurred when calling the GetConsoleOutput operation: The instance ID 'i-<id>' does not exist
Ive been trying to setup an aws lambda function for a while now but seem to just keep running into this error. I've followed the basic tutorial and setup everything exactly as it is in the guide for the user I have. But no matter what I keep getting the Unknown component: credential_provider error when trying to do anything via the CLI. Has anyone else run into this or know of a more indepth/better tutorial for setting this up????
The examples show the call being made with a --profile parameter. In most cases you will just want to remove that. If you need to use a profile, then create one in your ~/.aws/config file and make sure the name you give it matches up with the name being used.
I found that I got this error when I told aws-cli to use a profile that didn't exist. (This can be through the --profile option or the AWS_DEFAULT_PROFILE environment variable.)
Check your .aws/config and .aws/credentials files.
Run aws config first, then execute aws lambda create-function ... without the option --profile.
I had the same issue then I realized the issue was because I only had a default profile in my ~/.aws/credentials. Open up the file and see what the profile name is on the first line. Then when you run the create-function you can do --profile <profile name goes here>
While running S3 commands using CLI I received the same error
Unknown component: credential_provider.
The command I ran was :
s3 sync s3://mybucket --region eu-central-1 --profile default
This error comes when I run this command as a sudo user.
So I would suggest run it without sudo. One more thing it does not work with any other user also like for user "test" it would give error :
A client error (AccessDenied) occurred when calling the ListObjects
operation: Access Denied
or something like this for any other cli utility.
It works with default user ubuntu. Login the machine with ubuntu user or change the user to ubuntu and then try running the same lamda function.