Attempting to update AWS secret isn't saving in AWS - amazon-web-services

I'm on macOS Monterey. Using the AWS CLI, I want to update a secret's value, so I did this:
aws secretsmanager update-secret --secret-id 'development/database' --description '{"adapter": "mysql2", "encoding": "utf8", "host": "host.docker.internal"}'
And I get back:
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234678901234:secret:development/database-4walfE",
    "Name": "development/database"
}
However, when I go to see the value of my secret, it is unchanged:
$ aws secretsmanager get-secret-value --secret-id 'development/database'
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234678901234:secret:development/database-4abcdE",
    "Name": "development/database",
    "VersionId": "378861d2-c5f0-48a4-a965-13877321da62",
    "SecretString": "{\"adapter\": \"mysql2\", \"encoding\": \"utf8\", \"host\": \"127.0.0.1\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": "2022-04-11T12:00:43.029000-05:00"
}
What gives? What am I missing?

If you're updating the value of the secret, you should use --secret-string:
aws secretsmanager update-secret --secret-id 'development/database' --secret-string '{"adapter": "mysql2", "encoding": "utf8", "host": "host.docker.internal"}'

Related

How to parse aws cli output using jq

aws elbv2 describe-target-group-attributes \
--target-group-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
provides:
{
    "Attributes": [
        {
            "Value": "false",
            "Key": "stickiness.enabled"
        },
        {
            "Value": "300",
            "Key": "deregistration_delay.timeout_seconds"
        },
        {
            "Value": "lb_cookie",
            "Key": "stickiness.type"
        },
        {
            "Value": "86400",
            "Key": "stickiness.lb_cookie.duration_seconds"
        },
        {
            "Value": "0",
            "Key": "slow_start.duration_seconds"
        }
    ]
}
I would like to fetch deregistration_delay.timeout_seconds from the output.
I tried the following, which works in this case because deregistration_delay.timeout_seconds appears in the second position:
aws elbv2 describe-target-group-attributes \
--target-group-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 \
| jq -r '.Attributes[1].Value'
but for some target groups deregistration_delay.timeout_seconds is placed at a different position.
How can I use jq to fetch deregistration_delay.timeout_seconds?
You can actually use JMESPath in the AWS CLI without needing jq:
aws elbv2 describe-target-group-attributes \
--target-group-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 \
--query "Attributes[?Key=='deregistration_delay.timeout_seconds']|[0].Value" \
--output text
JMESPath was created by James Saryerwinnie, one of the authors of the AWS CLI. The tutorial is well worth reading.

combine multiple aws cli calls to get tag values

I have a script that fetches the list of instances whose tag x has the value abc. The number of EC2 instances returned is in the hundreds; now, for each instance, I need to fetch 2 tag values. Not all instances will have both tags: it could be one, both, or none. For now I am issuing 2 calls to get the value of each tag (this is a bash shell):
market=`aws ec2 describe-tags --filters "Name=resource-id,Values=$id" "Name=key,Values=market" --query 'Tags[].Value' --region $aws_region --output text`
service=`aws ec2 describe-tags --filters "Name=resource-id,Values=$id" "Name=key,Values=service" --query 'Tags[].Value' --region $aws_region --output text`
Is there any way to fetch the values of both tags in a single call?
I have 4 instances like this:
i-020f43a6253e1dd25 tags:market=1
i-0a5c4b42fe3e75c15 tags:service=1
i-027ca3de0fe11f1d3 tags:market=4,service=4
i-0e77b17601f9b2fd2 tags:none
Server-side filtering using --filters returns 4 matching records:
% aws ec2 describe-tags --filters "Name=key,Values=market,service"
{
    "Tags": [
        {
            "Key": "market",
            "ResourceId": "i-020f43a6253e1dd25",
            "ResourceType": "instance",
            "Value": "1"
        },
        {
            "Key": "market",
            "ResourceId": "i-027ca3de0fe11f1d3",
            "ResourceType": "instance",
            "Value": "4"
        },
        {
            "Key": "service",
            "ResourceId": "i-027ca3de0fe11f1d3",
            "ResourceType": "instance",
            "Value": "4"
        },
        {
            "Key": "service",
            "ResourceId": "i-0a5c4b42fe3e75c15",
            "ResourceType": "instance",
            "Value": "1"
        }
    ]
}
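As an added example (not from the question or any answer on this page), this Python script does the client-side grouping that the single server-side-filtered describe-tags call above makes possible: it parses that output, embedded here as constructed sample data, and builds one record per instance, reporting a missing tag as None rather than dropping the instance. The function name tags_by_instance is an assumption of this example.

```python
import json

# Constructed sample: the output of the single server-side-filtered
# describe-tags call shown in the question (not live AWS data).
DESCRIBE_TAGS_OUTPUT = json.dumps({"Tags": [
    {"Key": "market", "ResourceId": "i-020f43a6253e1dd25", "ResourceType": "instance", "Value": "1"},
    {"Key": "market", "ResourceId": "i-027ca3de0fe11f1d3", "ResourceType": "instance", "Value": "4"},
    {"Key": "service", "ResourceId": "i-027ca3de0fe11f1d3", "ResourceType": "instance", "Value": "4"},
    {"Key": "service", "ResourceId": "i-0a5c4b42fe3e75c15", "ResourceType": "instance", "Value": "1"},
]})

WANTED_KEYS = ("market", "service")

def tags_by_instance(describe_tags_json, instance_ids, wanted=WANTED_KEYS):
    """Map each instance id to {tag_key: value-or-None}.

    instance_ids is the list the script already holds from its tag-x query; it
    is passed in so that an instance with none of the wanted tags (such as
    i-0e77b17601f9b2fd2) still appears, with every value None, instead of
    silently dropping out because describe-tags returned nothing for it.
    """
    result = {iid: {key: None for key in wanted} for iid in instance_ids}
    for tag in json.loads(describe_tags_json)["Tags"]:
        if tag.get("ResourceType") != "instance":
            continue  # a key-only filter also matches tags on volumes, AMIs, etc.
        iid, key = tag["ResourceId"], tag["Key"]
        if iid in result and key in wanted:
            result[iid][key] = tag["Value"]
    return result

if __name__ == "__main__":
    ids = ["i-020f43a6253e1dd25", "i-0a5c4b42fe3e75c15",
           "i-027ca3de0fe11f1d3", "i-0e77b17601f9b2fd2"]
    for iid, tags in tags_by_instance(DESCRIBE_TAGS_OUTPUT, ids).items():
        print(iid, tags)
```

In the real script the one call would be `aws ec2 describe-tags --filters "Name=resource-id,Values=$ids" "Name=key,Values=market,service" --output json`, with $ids a comma-separated list of the instance ids, piped into this parser.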

Retrieve only one parameter value from aws ssm get-parameter command?

How can I print only the value of the Value attribute from the output below of the following command?
aws ssm get-parameter --name "/test/ip/cidr" --profile test
{
    "Parameter": {
        "Name": "/test/ip/cidr",
        "Type": "String",
        "Value": "172.18.0.0/20",
        "Version": 1,
        "LastModifiedDate": 1585251360.78,
        "ARN": "arn:aws:ssm:us-east-1:123233:parameter/test/ip/cidr",
        "DataType": "text"
    }
}
I tried running the command below, but it prints [{"Value": "172.18.0.0/20"}], and I just want to see 172.18.0.0/20:
aws ssm get-parameters --names "/test/ip/cidr" --query "Parameters[*].{Value:Value}" --profile test
[
    {
        "Value": "172.18.0.0/20"
    }
]
You can add --output text and modify your --query:
aws ssm get-parameter --name "/test/ip/cidr" --profile test \
--query "Parameter.Value" --output text

pipe output from aws cli as input to another aws cli command

Hi, I would like to pipe an instance output to start/stop EC2 instances. Here is the beginning of the code:
aws ec2 describe-instances \
--query "Reservations[*].Instances[*].{Instance:InstanceId,Subnet:SubnetId}" \
--filters "Name=tag-value,Values=<INSTANCE NAME TAG>" \
--output text | \
How do I pipe this output to the AWS ec2 start-instances command in Windows?
The output format can be JSON, YAML, text or table, depending on your requirements.
Sample command for JSON output:
$ aws iam list-users --output json
Sample output:
{
    "Users": [
        {
            "Path": "/",
            "UserName": "Admin",
            "UserId": "AIDA1111111111EXAMPLE",
            "Arn": "arn:aws:iam::123456789012:user/Admin",
            "CreateDate": "2014-10-16T16:03:09+00:00",
            "PasswordLastUsed": "2016-06-03T18:37:29+00:00"
        },
        {
            "Path": "/backup/",
            "UserName": "backup-user",
            "UserId": "AIDA2222222222EXAMPLE",
            "Arn": "arn:aws:iam::123456789012:user/backup/backup-user",
            "CreateDate": "2019-09-17T19:30:40+00:00"
        },
        {
            "Path": "/",
            "UserName": "cli-user",
            "UserId": "AIDA3333333333EXAMPLE",
            "Arn": "arn:aws:iam::123456789012:user/cli-user",
            "CreateDate": "2019-09-17T19:11:39+00:00"
        }
    ]
}
Now, if you want to use this output as input to another command, one easy way is to read the JSON output, extract the value, and use it as input to the other command.
Please read https://www.business.com/articles/using-powershell-with-json-data/ for some details.
I found a PowerShell solution which suits my needs better:
$InstanceId = aws ec2 describe-instances --query "Reservations[*].Instances[*].{Instance:InstanceId}" --filters "Name=tag-value,Values=<INSTANCE NAME TAG>" --output text
aws ec2 start-instances --instance-ids $InstanceId

How to check AWS secretsmanager rotation is completed successfully

I created a secret in AWS Secrets Manager and enabled automatic rotation with a Lambda function.
When I trigger rotation for the first time from the CLI, it does not complete. This is the initial state of the secret after I updated the secret manually in the AWS console:
# aws secretsmanager list-secret-version-ids --secret-id ******
{
    "Versions": [
        {
            "VersionId": "9e82b9e2-d074-478e-83a5-baf4e578cb49",
            "VersionStages": [
                "AWSCURRENT"
            ],
            "LastAccessedDate": 1592870400.0,
            "CreatedDate": 1592889913.431
        },
        {
            "VersionId": "e32ddaf8-7f21-40e2-adf8-f976b8f3f104",
            "VersionStages": [
                "AWSPREVIOUS"
            ],
            "LastAccessedDate": 1592870400.0,
            "CreatedDate": 1592887518.46
        }
    ],
    "ARN": "arn:aws:secretsmanager:us-east-1:***********:secret:***********",
    "Name": "*******"
}
Now I triggered rotation from the AWS CLI:
aws secretsmanager rotate-secret --secret-id ******
# aws secretsmanager list-secret-version-ids --secret-id ********
{
    "Versions": [
        {
            "VersionId": "704102f3-b36d-4529-b257-0457354d3c93",
            "VersionStages": [
                "AWSPENDING"
            ],
            "CreatedDate": 1592890351.334
        },
        {
            "VersionId": "e32ddaf8-7f21-40e2-adf8-f976b8f3f104",
            "VersionStages": [
                "AWSPREVIOUS"
            ],
            "LastAccessedDate": 1592870400.0,
            "CreatedDate": 1592887518.46
        },
        {
            "VersionId": "9e82b9e2-d074-478e-83a5-baf4e578cb49",
            "VersionStages": [
                "AWSCURRENT"
            ],
            "LastAccessedDate": 1592870400.0,
            "CreatedDate": 1592889913.431
        }
    ],
    "ARN": "arn:aws:secretsmanager:us-east-1:**********:secret:********",
    "Name": "********"
}
The CloudWatch log stopped at this line: createSecret: Successfully put secret for ARN arn:aws:secretsmanager:xxxxxxx.. It looks like only the createSecret function is called.
When I rotate the secret again, I get this output in the CLI:
An error occurred (InvalidRequestException) when calling the RotateSecret operation: A previous rotation isn't complete. That rotation will be reattempted.
I am unable to understand what's happening. Can someone help?
Unfortunately there is no out-of-the-box way to do that, as Secrets Manager has neither a built-in SNS notification nor a CloudWatch Events event for when rotation completes.
Thus, you have to construct a solution yourself, which can be done using the SDK or the CLI.
For the CLI you can use describe-secret and pull the secret details in a loop. In the loop, you have to look at the AWSPENDING and AWSCURRENT labels on the versions.
From the docs:
If instead the AWSPENDING staging label is present but is not attached to the same version as AWSCURRENT then any later invocation of RotateSecret assumes that a previous rotation request is still in progress and returns an error.
So basically, looking at your output:
{
    "VersionId": "704102f3-b36d-4529-b257-0457354d3c93",
    "VersionStages": [
        "AWSPENDING"
    ],
    "CreatedDate": 1592890351.334
}
you have a version with the AWSPENDING label that is not attached to the same version as AWSCURRENT. This indicates that the rotation is in progress.
The rotation completes when a version is in one of these two states:
The AWSPENDING and AWSCURRENT staging labels are attached to the same version of the secret, or
The AWSPENDING staging label is not attached to any version of the secret.
Secrets Manager will publish an event via CloudTrail, 'RotationSucceeded', when there is a successful rotation.
See this for more information on how to set up a CloudWatch alarm off that CloudTrail event: https://docs.aws.amazon.com/secretsmanager/latest/userguide/monitoring.html
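As an added example, not from any answer on this page, here is the polling check the loop-based approach above describes, written in Python over the list-secret-version-ids output shown in the question (embedded as constructed snapshots, not live data). The names rotation_complete, wait_for_rotation, fetch_versions and snapshot_feed are assumptions of this example; in real use fetch_versions would run the CLI command or a boto3 call instead of replaying snapshots.

```python
import json
import time
# Constructed snapshots modelled on the list-secret-version-ids output in the
# question (not live AWS data): first mid-rotation, then after it finished.
IN_PROGRESS = json.dumps({"Versions": [
    {"VersionId": "704102f3-b36d-4529-b257-0457354d3c93", "VersionStages": ["AWSPENDING"]},
    {"VersionId": "e32ddaf8-7f21-40e2-adf8-f976b8f3f104", "VersionStages": ["AWSPREVIOUS"]},
    {"VersionId": "9e82b9e2-d074-478e-83a5-baf4e578cb49", "VersionStages": ["AWSCURRENT"]},
]})
FINISHED = json.dumps({"Versions": [
    {"VersionId": "704102f3-b36d-4529-b257-0457354d3c93", "VersionStages": ["AWSCURRENT", "AWSPENDING"]},
    {"VersionId": "9e82b9e2-d074-478e-83a5-baf4e578cb49", "VersionStages": ["AWSPREVIOUS"]},
]})

def rotation_complete(versions_json):
    """The two completion conditions quoted from the docs above: True when no
    version carries AWSPENDING or when AWSPENDING and AWSCURRENT are on the same
    version; False when AWSPENDING sits elsewhere (RotateSecret is then refused)."""
    stage_to_version = {}
    for version in json.loads(versions_json)["Versions"]:
        for stage in version["VersionStages"]:
            stage_to_version[stage] = version["VersionId"]
    pending = stage_to_version.get("AWSPENDING")
    return pending is None or pending == stage_to_version.get("AWSCURRENT")

def wait_for_rotation(fetch_versions, attempts=30, delay=10.0, sleep=time.sleep):
    """Poll until rotation_complete() holds; return (done, polls_used).
    fetch_versions is a hypothetical callable returning the JSON text of
    `aws secretsmanager list-secret-version-ids --secret-id <id>`."""
    for poll in range(1, attempts + 1):
        if rotation_complete(fetch_versions()):
            return True, poll
        if poll < attempts:
            sleep(delay)
    return False, attempts

def snapshot_feed(snapshots):
    """Offline fetcher: returns each snapshot in turn, then repeats the last."""
    remaining = iter(snapshots)
    last = {"json": snapshots[-1]}
    def fetch():
        last["json"] = next(remaining, last["json"])
        return last["json"]
    return fetch

if __name__ == "__main__":
    feed = snapshot_feed([IN_PROGRESS, IN_PROGRESS, FINISHED])
    done, polls = wait_for_rotation(feed, sleep=lambda _: None)
    print("rotation complete:", done, "after", polls, "polls")
```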