How to detect AWS ECR public repositories using Cloud Custodian? - amazon-web-services

I'm new to Cloud Custodian and have a few doubts specific to using it for AWS.
I ran the following policy (no filters or actions present) so that I could get all the options for use as keys in value-type filters:
policies:
  - name: CheckPublicECRRepo
    resource: ecr
The output was a detailed list of all the AWS ECR private repositories in my account, which is exactly the same as running aws ecr describe-repositories --region <region>.
So,
How do AWS CLI command responses relate to those from running Cloud Custodian commands? Are they both calling the same APIs? If yes, which API is being called here exactly?
How can I write a Cloud Custodian policy to detect AWS ECR public repositories? I'm getting the desired output by running this AWS CLI command: aws ecr-public describe-repositories --region us-east-1.

The ecr-public resource does not seem to be supported yet. So I would either submit a feature request here or try to code the missing feature and contribute it.

Related

Unable to deploy code onto AWS EC2 instance from AWS CodeDeploy

I am trying to implement CI/CD using AWS CodeBuild and trying to deploy an application onto an AWS EC2 instance, but the code deployment is failing and showing the error below:
The IAM role arn:aws:iam::341502448925:role/CodeDeployServiceRole does not give you permission to perform operations in the following AWS service: AmazonEC2
I have even created a service role in the IAM console, but it's not working for me. Can someone let me know how I can resolve this issue?
Besides creating an IAM role, you should also install the AWS CodeDeploy agent on your EC2 instance:
install aws-codedeploy agent

AWS CodeDeploy for Azure Virtual Machine

This might come off as a rather far-fetched query, but please help me out.
Is it possible to register an Azure Virtual Machine with AWS CodeDeploy?
I've done some reading up and found that Amazon provides an option to install the CodeDeploy agent on on-premises instances, as seen HERE.
If it is at all possible, how do we go about it?
My objective is to try and use CodeDeploy as we are already subscribed to it instead of using Azure's DevOps services.
As suggested by #silent, I tried it out and it actually works. Here are the steps:
But before we start, MIND YOU!:
Step 1: Install AWS CLI
Step 2: Configure AWS with a user that has the role of the CodeDeploy IAM user
Step 3: Run the following command
aws deploy register \
  --instance-name <some name for your VM> \
  --iam-user-arn <IAM user arn> \
  --tags Key=<some key for your tag>,Value=<some value> \
  --region <your region>
Step 4: Run aws deploy install --config-file codedeploy.onpremises.yml

AWS - ECS load S3 files in entrypoint script

Hi all!
Code: (entrypoint.sh)
#!/bin/sh
printenv
# Ask the ECS task credential endpoint for the task role's temporary credentials;
# ECS injects AWS_CONTAINER_CREDENTIALS_RELATIVE_URI into the container.
CREDENTIALS=$(curl -s "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
# jq -r prints raw strings; without -r the values keep their JSON quotes,
# which then end up inside the exported variables.
ACCESS_KEY_ID=$(echo "$CREDENTIALS" | jq -r .AccessKeyId)
SECRET_ACCESS_KEY=$(echo "$CREDENTIALS" | jq -r .SecretAccessKey)
TOKEN=$(echo "$CREDENTIALS" | jq -r .Token)
export AWS_ACCESS_KEY_ID=$ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY=$SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN=$TOKEN
aws s3 cp s3://BUCKET/file.txt /PATH/file.txt
Problem:
I'm trying to fetch AWS S3 files into ECS, inspired by:
AWS Documentation
(But I'm fetching from S3 directly, not through a VPC endpoint.)
I have configured a bucket policy and a role policy (that is passed in the task definition as taskRoleArn and executionRoleArn).
Locally, when I fetch with the AWS CLI and pass temporary credentials (that I logged in ECS with the printenv command in the entrypoint script), everything works fine. I can save files on my PC.
On ECS I get this error:
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
Where can I find a solution? Has someone had a similar problem?
First thing: if you are working inside AWS, it is strongly recommended to use an AWS ECS service role, ECS task role or EC2 role. You do need to fetch credentials from metadata.
But it seems like the current role does have permission to S3, or the entrypoint is not exporting the environment variables properly.
If your container instance already has an assigned role, then you do not need to export access keys; just call aws s3 cp s3://BUCKET/file.txt /PATH/file.txt and it should work.
IAM Roles for Tasks
With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances. Instead of creating and distributing your AWS credentials to the containers or using the EC2 instance's role, you can associate an IAM role with an ECS task definition or RunTask API operation.
So when you assign a role to the ECS task or ECS service, your entrypoint will be that simple:
printenv
aws s3 cp s3://BUCKET/file.txt /PATH/file.txt
Also, your export will not work as you are expecting; the best way to pass ENV to the container is from the task definition. export will not work in this case.
I suggest assigning a role to the ECS task, and it should work as you expect.

AWS Get VPC per region limit using AWS SDK or CLi

I wanted to add validation to my script before starting the Pod build in AWS.
One of the validation steps is to check the number of VPCs in the requested region and the max limit set on the account.
I didn't find any CLI or SDK API to get it.
However, there are similar APIs; for example, to get the max elastic IPs per VPC, I can query:
aws ec2 describe-account-attributes
and look for "AttributeName": "default-vpc".
There is a brand new service which is able to do what you want: AWS Service Quotas.
It is currently available in most of the regions.
You can query the VPC service limit using the GetServiceQuota action.
The quota code for the quota VPCs per Region is L-F678F1CE (ARN: arn:aws:servicequotas:<REGION>::vpc/L-F678F1CE).
The service code for the service Amazon Virtual Private Cloud (Amazon VPC) is vpc.
Documentation: https://docs.aws.amazon.com/servicequotas/latest/userguide/intro.html
GetServiceQuota command documentation for the CLI: https://docs.aws.amazon.com/cli/latest/reference/service-quotas/get-service-quota.html
You can use the latest version of the AWS CLI as follows:
aws service-quotas get-service-quota --service-code 'vpc' --quota-code 'L-F678F1CE'
On the Windows CLI:
aws service-quotas get-service-quota --service-code vpc --quota-code L-F678F1CE
As long as Trusted Advisor access to the Service Limits category remains free, you can do this:
CHECK_ID=$(aws --region us-east-1 support describe-trusted-advisor-checks --language en --query 'checks[?name==`Service Limits`].{id:id}[0].id' --output text)
aws support describe-trusted-advisor-check-result --check-id $CHECK_ID --query 'result.sort_by(flaggedResources[?status!="ok"],&metadata[2])[].metadata' --output table --region us-east-1
CHECK_ID is currently eW7HH0l7J9

"no basic auth credentials" when trying to pull an image from a private ECR

I have the following line somewhere in the middle of my Dockerfile to retrieve an image from my private ECR:
FROM **********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************:ff03401
This is the error that I get in AWS CodeBuild when trying to build this:
Step 21/36 : FROM **********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************:ff03401
Get https://**********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************/manifests/ff03401: no basic auth credentials
How can one provide these credentials in the most secure way, and in a way that can also be terraformed?
There are multiple ways to do it.
Using an AWS access key and secret key: you set the AWS credentials on the EC2 machine and run the ECR login command aws ecr get-login --no-include-email --registry-ids <some-id> --region eu-west-1, and then docker pull should work. But this is not a recommended secure way.
What I prefer is using AWS IAM roles.
Assuming you want to pull this image on your EC2 machine that was brought up using Terraform, make use of IAM roles:
Create an IAM role manually or using the Terraform IAM resource.
For the contents of the IAM policy, refer to this.
While bringing up EC2 using the Terraform instance resource, make use of the iam_instance_profile attribute; the value of this attribute should be the name of the IAM role you created.
This should be enough to automatically pull Docker images from ECR in a secure way.
Hope this helps.
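The role-based setup from the steps above, written out as an added Terraform example (not the answerer's code); the resource names, the instance type and the ami_id variable are assumptions, while AmazonEC2ContainerRegistryReadOnly is the AWS-managed policy that grants pull-only access to ECR:

```hcl
# Added example: an EC2 instance pulls from a private ECR through an instance
# profile instead of static access keys. Names and variables are assumptions.

variable "ami_id" {
  type = string # assumed: the AMI the builder instance runs
}

# Trust policy: only the EC2 service may assume this role.
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ecr_pull" {
  name               = "ecr-pull-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# Least privilege: the managed read-only ECR policy covers GetAuthorizationToken,
# BatchGetImage and GetDownloadUrlForLayer, but no push or delete rights.
resource "aws_iam_role_policy_attachment" "ecr_pull_ro" {
  role       = aws_iam_role.ecr_pull.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}

# The instance profile is what attaches the role to the instance.
resource "aws_iam_instance_profile" "ecr_pull" {
  name = "ecr-pull-profile" # assumed name
  role = aws_iam_role.ecr_pull.name
}

resource "aws_instance" "builder" {
  ami                  = var.ami_id
  instance_type        = "t3.micro" # assumed
  iam_instance_profile = aws_iam_instance_profile.ecr_pull.name
}
```

On the instance, aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account>.dkr.ecr.<region>.amazonaws.com then authenticates with the role's temporary credentials, so no long-lived key is ever written to the machine.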