When executing this command, I get this error:
C:\WINDOWS\system32>eksctl create cluster --name eksctl-demo --profile myAdmin2
Error: checking AWS STS access – cannot get role ARN for current session: operation error STS: GetCallerIdentity, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: i/o timeout
myAdmin2 IAM user's credentials are set up as follows:
Credentials file:
[myAdmin2]
aws_access_key_id = ******************
aws_secret_access_key = ********************
config file:
[profile myAdmin2]
region = us-east-2
output = json
myAdmin2 has access to the console:
C:\WINDOWS\system32>aws iam list-users --profile myAdmin2
{
"Users": [
{
"Path": "/",
"UserName": "myAdmin",
"UserId": "AIDAYYPFV776ELVEJ5ZVQ",
"Arn": "arn:aws:iam::602313981948:user/myAdmin",
"CreateDate": "2022-09-30T19:08:08+00:00"
},
{
"Path": "/",
"UserName": "myAdmin2",
"UserId": "AIDAYYPFV776LEDK2PCCI",
"Arn": "arn:aws:iam::602313981948:user/myAdmin2",
"CreateDate": "2022-09-30T21:39:33+00:00"
}
]
}
I had problems working with myAdmin, which is why I created a new IAM user called myAdmin2.
myAdmin2 is granted AdministratorAccess permission:
As shown in this image
aws cli version installed:
C:\WINDOWS\system32>aws --version
aws-cli/2.7.35 Python/3.9.11 Windows/10 exe/AMD64 prompt/off
My Env variables:
C:\WINDOWS\system32>set
AWS_ACCESS_KEY_ID= ***********the same as I have in credentials file
AWS_CONFIG_FILE=~/.aws/config
AWS_DEFAULT_PROFILE=myAdmin2
AWS_DEFAULT_REGION=us-east-2
AWS_PROFILE=myAdmin2
AWS_SECRET_ACCESS_KEY=****************the same as I have in credentials file
AWS_SHARED_CREDENTIALS_FILE=~/.aws/credentials
I think those are all the necessary things I have to mention. If someone can help, please. I can't move on with this error!!
It worked finally! Everything was well configured, I just had to reboot my laptop and it resolved the issue!
Thanks for the great packages!
I have a problem when developing with localstack, using the S3 service to create a presigned URL POST.
I have run localstack with SERVICES=s3 DEBUG=1 S3_SKIP_SIGNATURE_VALIDATION=1 localstack start
I have these settings: AWS_ACCESS_KEY_ID=test AWS_SECRET_ACCESS_KEY=test AWS_DEFAULT_REGION=us-east-1 AWS_ENDPOINT_URL=http://localhost:4566 S3_Bucket=my-bucket
I made sure I have the bucket:
> awslocal s3api list-buckets
{
"Buckets": [
{
"Name": "my-bucket",
"CreationDate": "2021-11-16T08:43:23+00:00"
}
],
"Owner": {
"DisplayName": "webfile",
"ID": "bcaf1ffd86f41161ca5fb16fd081034f"
}
}
I try to create the presigned URL by running this in the console:
s3_client_sync.create_presigned_post(bucket_name=settings.S3_Bucket, object_name="application/test.png", fields={"Content-Type": "image/png"}, conditions=[["Expires", 3600]])
and get a return value like this:
{'url': 'http://localhost:4566/kredivo-thailand',
'fields': {'Content-Type': 'image/png',
'key': 'application/test.png',
'AWSAccessKeyId': 'test',
'policy': 'eyJleHBpcmF0aW9uIjogIjIwMjEtMTEtMTZUMTE6Mzk6MjNaIiwgImNvbmRpdGlvbnMiOiBbWyJFeHBpcmVzIiwgMzYwMF0sIHsiYnVja2V0IjogImtyZWRpdm8tdGhhaWxhbmQifSwgeyJrZXkiOiAiYXBwbGljYXRpb24vdGVzdC5wbmcifV19',
'signature': 'LfFelidjG+aaTOMxHL3fRPCw/xM='}}
I tested it using Insomnia, and I have read the log in localstack:
2021-11-16T10:54:04:DEBUG:localstack.services.s3.s3_utils: Received presign S3 URL: http://localhost:4566/my-bucket/application/test.png?AWSAccessKeyId=test&Policy=eyJleHBpcmF0aW9uIjogIjIwMjEtMTEtMTZUMTE6Mzk6MjNaIiwgImNvbmRpdGlvbnMiOiBbWyJFeHBpcmVzIiwgMzYwMF0sIHsiYnVja2V0IjogImtyZWRpdm8tdGhhaWxhbmQifSwgeyJrZXkiOiAiYXBwbGljYXRpb24vdGVzdC5wbmcifV19&Signature=LfFelidjG%2BaaTOMxHL3fRPCw%2FxM%3D&Expires=3600
2021-11-16T10:54:04:WARNING:localstack.services.s3.s3_utils: Signatures do not match, but not raising an error, as S3_SKIP_SIGNATURE_VALIDATION=1
2021-11-16T10:54:04:INFO:localstack.services.s3.s3_utils: Presign signature calculation failed: <Response [403]>
What am I missing, so that I cannot create the presigned URL POST?
The problem is with your AWS configuration -
AWS_ACCESS_KEY_ID=test // Should be an Actual access Key for the IAM user
AWS_SECRET_ACCESS_KEY=test // Should be an Actual Secret Key for the IAM user
AWS_DEFAULT_REGION=us-east-1
AWS_ENDPOINT_URL=http://localhost:4566 // Endpoint seems wrong
S3_Bucket=my-bucket // Actual Bucket Name in AWS S3 console
For more information, try to read here and set up your environment with correct AWS credentials - Setup AWS Credentials
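Added example, not part of the original posts: the `policy` string returned in the question can be decoded and checked offline. This Python check decodes it and compares it with the bucket in the LocalStack log line, the shape of each condition, and whether every form field has a matching condition; the function names and the case-insensitive field matching are assumptions of this example.

```python
import base64
import json

# Values copied from the question: the returned 'policy' and 'fields',
# and the bucket in the URL that LocalStack logged.
POLICY_B64 = "eyJleHBpcmF0aW9uIjogIjIwMjEtMTEtMTZUMTE6Mzk6MjNaIiwgImNvbmRpdGlvbnMiOiBbWyJFeHBpcmVzIiwgMzYwMF0sIHsiYnVja2V0IjogImtyZWRpdm8tdGhhaWxhbmQifSwgeyJrZXkiOiAiYXBwbGljYXRpb24vdGVzdC5wbmcifV19"
FORM_FIELDS = {"Content-Type": "image/png", "key": "application/test.png",
               "AWSAccessKeyId": "test"}
REQUEST_BUCKET = "my-bucket"

# Form fields that S3 does not require a policy condition for.
EXEMPT = {"awsaccesskeyid", "signature", "policy", "file"}
# List-style conditions: operator name -> expected number of elements.
ARITY = {"eq": 3, "starts-with": 3, "content-length-range": 3}


def decode_policy(policy_b64):
    """Base64-decode a POST policy and parse the JSON inside it."""
    return json.loads(base64.b64decode(policy_b64))


def lint_post_policy(policy, form_fields, request_bucket):
    """Return findings (strings) for a decoded S3 POST policy."""
    findings, covered = [], {}
    for cond in policy.get("conditions", []):
        if isinstance(cond, dict):                      # {"field": "value"}
            covered.update({k.lower(): v for k, v in cond.items()})
        elif (isinstance(cond, list) and cond and isinstance(cond[0], str)
              and ARITY.get(cond[0].lower()) == len(cond)):
            if cond[0].lower() != "content-length-range":
                covered[str(cond[1]).lstrip("$").lower()] = cond[2]
        else:                                           # no known operator
            findings.append(f"malformed condition: {cond!r}")
    if "bucket" in covered and covered["bucket"] != request_bucket:
        findings.append(f"bucket mismatch: policy={covered['bucket']!r} "
                        f"request={request_bucket!r}")
    for name in form_fields:
        low = name.lower()
        if low not in EXEMPT and not low.startswith("x-ignore-") and low not in covered:
            findings.append(f"form field without condition: {name}")
    return findings


if __name__ == "__main__":
    for finding in lint_post_policy(decode_policy(POLICY_B64), FORM_FIELDS, REQUEST_BUCKET):
        print(finding)
```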
I'm trying to create a document that I call and specify my IAM user as the user to connect with. This document will be a shared document that has a parameter "runAsDefaultUser". It will default to a user that doesn't exist. This will force me to provide an argument like,
--parameters '{"runAsDefaultUser": ["joeschmo"]}'.
My end goal is to allow users to log in as their IAM user via CLI through SSM. I've tried using tags in the IAM user account. That only works when using an SSM session over the Web UI in the AWS Session Manager page. It doesn't work via the SSM CLI. The SSM documents override this.
I can't set this as a parameter. It will only accept it as a hardcoded value. Same with "runAsEnabled".
I get this error when I try to set it as a parameter using the "aws ssm update-document" or "create-document" command.
An error occurred (InvalidDocumentContent) when calling the UpdateDocument operation: DefaultUser: {{runAsDefaultUser}} is invalid
I'm using this page as a reference.
https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-preferences-cli.html
Here is the example document that I am using.
{
"schemaVersion":"1.0",
"description":"Session Document Parameter Example JSON Template",
"sessionType":"Standard_Stream",
"parameters":{
"s3BucketName":{
"type":"String",
"default":""
},
"s3KeyPrefix":{
"type":"String",
"default":""
},
"s3EncryptionEnabled":{
"type":"String",
"default":"false"
},
"cloudWatchLogGroupName":{
"type":"String",
"default":""
},
"cloudWatchEncryptionEnabled":{
"type":"String",
"default":"false"
},
"runAsDefaultUser":{
"type":"String",
"default":"nobody"
}
},
"inputs":{
"s3BucketName":"{{s3BucketName}}",
"s3KeyPrefix":"{{s3KeyPrefix}}",
"s3EncryptionEnabled":"{{s3EncryptionEnabled}}",
"cloudWatchLogGroupName":"{{cloudWatchLogGroupName}}",
"cloudWatchEncryptionEnabled":"{{cloudWatchEncryptionEnabled}}",
"kmsKeyId":"",
"runAsEnabled": true,
"runAsDefaultUser":"{{runAsDefaultUser}}",
"shellProfile": {
"windows": "",
"linux": "bash"
}
}
}
The command that I want to use:
aws ssm start-session --target i-ThisIsObviouslyMadeUp \
--document-name Custom-SessionManagerRunShell \
--parameters '{"runAsDefaultUser": ["joeschmo"]}'
When creating an EMR cluster, I got this error
The user has the ec2:DescribeSubnets permission in a policy as below. What would be the root cause?
{
"Sid": "AllowOperateClusters",
"Effect": "Allow",
"Action": [
"elasticmapreduce:RunJobFlow",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListSteps",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:OpenEditorInConsole",
"elasticmapreduce:ListEditors",
"ec2:DescribeAccountAttributes",
"ec2:DescribeVpcs",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
It works after granting the below permissions.
ec2:DescribeNetworkAcls
ec2:DescribeRouteTables
I'm trying to use the cli to retrieve an embedded quicksight dashboard url.
However, I keep getting the error QuickSightUserNotFoundException.
I was following this guide to retrieve the url link.
The steps:
aws sts assume-role --role-arn "<ARN>" --role-session-name testsession
which returns
{
"Credentials": {
"AccessKeyId": "<KEY>",
"SecretAccessKey": "<KEY>",
"SessionToken": "<TOKEN>",
"Expiration": "2019-07-04T04:54:21Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "<ID>:testsession",
"Arn": "<ARN>/testsession"
}
}
Then I execute
aws quicksight get-dashboard-embed-url --aws-account-id <ID> --dashboard-id <ID> --identity-type IAM
which returns the error
An error occurred (QuickSightUserNotFoundException) when calling the GetDashboardEmbedUrl operation: Could not find user information in QuickSight
Assuming now that the user is not part of QuickSight, I execute the command below to add the user
aws quicksight register-user --aws-account-id <ID> --namespace default --identity-type IAM --iam-arn "<ARN>" --user-role READER --session-name "testsession" --email user123#example.com --region us-east-1
which returns
{
"Status": 201,
"User": {
"Arn": "<ARN>/testsession",
"UserName": "<NAME>/testsession",
"Email": "user123#example.com",
"Role": "READER",
"Active": false,
"PrincipalId": "<ID>"
},
"RequestId": "<ID>"
}
Now, trying to get the URL as before, I still get the same error...
Did you create a Policy for the QuickSight user and attach it to the same?
You can check which user is allowed on QuickSight by running the following command:
aws quicksight list-users --aws-account-id <account-id> --namespace default --region <region-name>
This will list all the users who are allowed to use and access your QuickSight instance.
Also, check this latest blog about embedding the QuickSight Analytics:
https://aws.amazon.com/blogs/big-data/embed-multi-tenant-analytics-in-applications-with-amazon-quicksight/
I wanted to generate temporary credentials in AWS CLI. I know the below command should be used.
$ aws sts assume-role --role-arn arn:aws:iam::123456789012:role/role-name --role-session-name "RoleSession1" --profile IAM-user-name > assume-role-output.txt
I also have the access key and secret key with me.
I also ran aws sts get-caller-identity and got:
{
"Account": "12345",
"UserId": "AIXXXXXXXNUNHY",
"Arn": "arn:aws:iam::12345:user/dcp/ua.166666654"
}
But I do not understand what values I should substitute in the above command to get temporary credentials.
Your call to assume-role will return information similar to:
{
"AssumedRoleUser": {
"AssumedRoleId": "AROAxx:RoleSession1",
"Arn": "arn:aws:sts::123456789012:assumed-role/role/role-name"
},
"Credentials": {
"SecretAccessKey": "xxx",
"SessionToken": "xxx",
"Expiration": "2018-11-13T07:50:29Z",
"AccessKeyId": "ASIAxxx"
}
}
Then, run:
aws configure --profile RoleSession1
and enter the details provided by assume-role (Access Key, Secret Key, Token).
This will store new credentials in the .aws/credentials file under a [RoleSession1] heading.
To use these credentials, specify the profile that you just defined:
aws s3 ls --profile RoleSession1
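Added example, not part of the original answer: the same profile written programmatically from the assume-role JSON. Temporary credentials are stored in the shared credentials file as three keys, including `aws_session_token`; the function name, the expiry check and the 0600 file mode are choices of this example, and the sample JSON is constructed from the placeholder output quoted above.

```python
import configparser
import json
import os
from datetime import datetime, timezone

# Constructed sample, shaped like the assume-role output quoted above.
SAMPLE = """{
  "AssumedRoleUser": {"AssumedRoleId": "AROAxx:RoleSession1",
                      "Arn": "arn:aws:sts::123456789012:assumed-role/role/role-name"},
  "Credentials": {"SecretAccessKey": "xxx", "SessionToken": "xxx",
                  "Expiration": "2018-11-13T07:50:29Z", "AccessKeyId": "ASIAxxx"}
}"""


def write_session_profile(assume_role_json, profile, path, now=None):
    """Store temporary credentials under [profile] in a shared credentials file.

    Returns the expiry time; raises ValueError if the credentials are already expired.
    """
    creds = json.loads(assume_role_json)["Credentials"]
    # The CLI prints either a trailing "Z" or an explicit "+00:00" offset.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError(f"credentials expired at {creds['Expiration']}")

    cfg = configparser.RawConfigParser()
    cfg.read(path)  # keep profiles that are already in the file
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # required for ASIA... keys
    }
    # Create the file readable by the owner only; it holds live secrets.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    return expires


if __name__ == "__main__":
    target = os.path.join(os.getcwd(), "credentials.example")
    when = datetime(2018, 11, 13, 7, 0, tzinfo=timezone.utc)  # fixed clock for the sample
    print(write_session_profile(SAMPLE, "RoleSession1", target, now=when))
```

configparser rewrites the whole file, so comments in an existing credentials file are not preserved.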