I am using an assumed role; all environment variables have been set (AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN, AWS_SECRET_ACCESS_KEY, and AWS_ACCESS_KEY_ID).
When I call aws sts get-caller-identity on my default region (ap-southeast-1), it doesn't have a problem:
$ awsudo -u somerolename aws sts get-caller-identity --region ap-southeast-1
{
    "UserId": "XXXXXYYYYYZZZZZZ:botocore-session-1234567",
    "Account": "111122223333",
    "Arn": "arn:aws:sts::111122223333:assumed-role/somerolename/botocore-session-2222333344"
}
But when I change it to the region that I am trying to work on (ap-southeast-3), an error happens:
$ awsudo -u somerolename aws sts get-caller-identity --region ap-southeast-3
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
How do I resolve this? I have tried other regions as well, but it seems only ap-southeast-1 works.
I think you are facing this issue because the ap-southeast-3 region is not enabled for your account. You can check if it is enabled by running the following command:
aws ec2 describe-regions --region-names ap-southeast-3
If your region is not enabled, you will get the following response:
{
    "Regions": [
        {
            "Endpoint": "ec2.ap-southeast-3.amazonaws.com",
            "RegionName": "ap-southeast-3",
            "OptInStatus": "not-opted-in"
        }
    ]
}
In order to enable it, you just have to follow the instructions from the AWS docs:
To enable a Region
Sign in to the AWS Management Console.
In the upper right corner of the console, choose your account name or number and then choose My Account.
In the AWS Regions section, next to the name of the Region that you want to enable, choose Enable.
In the dialog box, review the informational text and choose Enable Region.
Wait until the Region is ready to use.
Please note, enabling a region may take some time. As far as I've experienced, this time is fairly short. You should get an email as soon as the region is enabled.
OK, so apparently I had to make global endpoints valid in all regions for STS.
More on that is discussed in the docs here, in the "Managing global endpoint session tokens" section.
I am troubleshooting an issue about sending SMS (SNS service) in another region because this service is not available in my region.
So, I need to switch my AWS_DEFAULT_REGION to somewhere else.
The following command works well:
bash-5.0# aws sts get-caller-identity
{
    "UserId": "AROAUUXXXXXXIYUL4OIJU:botocore-session-1642736552",
    "Account": "318462213682",
    "Arn": "arn:aws:sts::311234567890:assumed-role/eksctl-tst-backend-eks-addon-iamserviceaccou-Role1-K6RXXXXX51XX/botocore-session-1642736552"
}
But after I switch to another region it does not work anymore:
bash-5.0# export AWS_DEFAULT_REGION=ap-southeast-1
bash-5.0# aws sts get-caller-identity
Connection was closed before we received a valid response from endpoint URL: "https://sts.amazonaws.com/".
Did I miss something?
AWS documentation provides multiple approaches, here.
In our environment, we have multiple AWS accounts.
The usage scenario is to switch between AWS accounts and run AWS CLI commands from a laptop, as part of automation.
Before running an AWS CLI command on a specific AWS account, we need to get temporary credentials for that account, given the account id.
Getting access to (by switching over to) multiple AWS accounts helps us in automation.
Basically we would like to run some tool like ./some_aws_sdk_tool.py role_name aws_account_name, assuming a role_name to get credentials.
I want to test this with my single (personal) AWS account.
1) What are the steps to configure my AWS account to create such a role_name?
2) What is the approach to get temporary credentials for a specific aws_account_name with some_aws_sdk_tool.py, to be able to run AWS CLI commands for n minutes?
Do you want to do this from within your code or using the AWS CLI?
If you're using the CLI, the easiest way is to create profiles in your AWS credentials file, as described here. Each profile identifies a role ARN and the source login information that is allowed to assume that role.
Alternatively, you can run the sts assume-role command, parse the results, and set environment variables:
aws sts assume-role --role-arn 'arn:aws:iam::123456789012:role/Example' --role-session-name 'some_unique_but_relevant_string'
{
    "Credentials": {
        "AccessKeyId": "ASIAXXXXXXXXXXXXXXXX",
        "SecretAccessKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "SessionToken": "XXXXXXXXXXXXXXX//////////XXX...XXXXX",
        "Expiration": "2020-03-05T20:57:45Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAXXXXXXXXXXXXXXXXX:some_unique_but_relevant_string",
        "Arn": "arn:aws:sts::123456789012:assumed-role/Example/some_unique_but_relevant_string"
    }
}
If you want to do it from within your program, you can use code like this:
import boto3

sts_client = boto3.client('sts')
role_arn = "..."
session_name = "some_unique_but_relevant_value"
response = sts_client.assume_role(
    RoleArn=role_arn,
    RoleSessionName=session_name
)
creds = response['Credentials']
# Replace 'SERVICE' with the service you need, e.g. 's3' or 'ec2'.
# The temporary credentials (including the session token) are passed
# explicitly so this client acts as the assumed role.
actual_client = boto3.client('SERVICE',
                             aws_access_key_id=creds['AccessKeyId'],
                             aws_secret_access_key=creds['SecretAccessKey'],
                             aws_session_token=creds['SessionToken'])
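As an added example (not code from the answer above), the following stdlib-only Python performs the "parse the results and set environment variables" step on a constructed assume-role output, and checks the Expiration field first so that already-expired credentials are never exported. All credential values in the sample are placeholders.

```python
import json
import shlex
from datetime import datetime, timezone

# Constructed sample with the same shape as `aws sts assume-role` output
# (placeholder values, not real credentials).
SAMPLE_ASSUME_ROLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0",
    "SessionToken": "EXAMPLE//////////sessiontokenEXAMPLE",
    "Expiration": "2020-03-05T20:57:45Z"
  }
}"""

# JSON key -> environment variable that the CLI and SDKs read.
ENV_NAMES = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def _utc(timestamp: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing Z as an aware UTC datetime."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def seconds_remaining(output: str, now: str = None) -> float:
    """Lifetime left on the credentials in `output`; `now` defaults to the clock."""
    expiration = _utc(json.loads(output)["Credentials"]["Expiration"])
    current = _utc(now) if now else datetime.now(timezone.utc)
    return (expiration - current).total_seconds()


def credentials_to_env(output: str, now: str = None) -> dict:
    """Map the credentials onto AWS_* variables, refusing expired ones so a
    caller never exports a token that the next API call would reject anyway."""
    if seconds_remaining(output, now) <= 0:
        raise ValueError("assume-role credentials have already expired")
    creds = json.loads(output)["Credentials"]
    return {env: creds[key] for key, env in ENV_NAMES.items()}


def export_lines(env: dict) -> list:
    """Render `export NAME=value` lines; shlex.quote keeps the token shell-safe."""
    return [f"export {name}={shlex.quote(value)}" for name, value in env.items()]
```

Pipe the output of `aws sts assume-role` through this and `eval` the returned lines in the shell; keep the session short, since the Expiration is the only thing that bounds how long a leaked copy of these variables stays usable.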
That is not possible. You can only see a secret key on the first time it gets created, AWS will never show it to you again. See more here.
Some Identity Managers like Okta allow you to assume roles on the CLI so you don't have to deal with credentials directly. You just assign a role to a user and they will be able to assume the role directly after the first login.
Goal: Retrieve secret from secretsmanager on an aws ec2 instance programmatically through command line.
I have created an IAM role with policies that grant full access to AWS Secrets Manager and EC2 instances, and also to assume the role and modify the role of any AWS EC2 instance.
I created an aws instance and attached the IAM role to it and executed the following steps:
- aws secretsmanager list-secrets
An error occurred (UnrecognizedClientException) when calling the ListSecrets operation: The security token included in the request is invalid.
I get an error. I am able to retrieve the security credentials using the metadata of the instance.
- Am I missing something here? I basically want to retrieve the secret in an AWS instance in a secure way.
- When I try to run the above command to list secrets, the CLI complains that it needs a region. My EC2 instance and secrets are all in us-east-2, so I use the same region, and it still does not work.
Any suggestions/pointers would be highly appreciated. Thanks!
Here is how I would troubleshoot.
Check whether the instance is aware of the IAM role attached to it:
aws sts get-caller-identity
Try passing the region to the command:
aws secretsmanager list-secrets --region us-east-2
I would check whether AWS_REGION or AWS_DEFAULT_REGION is set, but even if these values are set, passing --region should override it.
Hope this helps you get somewhere.
Have you run "aws configure" on the instance? Sounds like it might be using the token in there rather than the EC2 instance role. See references below for the sequence it checks, but basically, the EC2 role is the last place it looks; if it gets credentials earlier, it will use them.
See here for the priority/sequence: https://docs.aws.amazon.com/amazonswf/latest/awsrbflowguide/set-up-creds.html
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html ("Using the Default Credential Provider Chain")
I'm new to AWS and I'm trying to deploy Kubernetes for some tutorial purposes using kops.
For that, I'm using a trial AWS account and I started following this practical guide to do it, but I have an issue with this command:
kops create cluster --node-count=2 --node-size=t2.medium --zones=us-east-1a
which gives me the following error:
I0119 16:14:49.647701 13949 create_cluster.go:517] Inferred --cloud=aws from zone "eu-west-3a"
error populating configuration: error querying for valid AZs in "eu-west-3" - verify your AWS credentials. Error: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: a1f6e99f-76d6-4c3f-95bb-416cc2d67f2e
I wonder if it's not related to some limited access due to my trial AWS account!
Looks like AWS credentials are not properly set up; verify them with e.g.:
$ aws sts get-caller-identity
{
    "Account": "<number>",
    "UserId": "AI...",
    "Arn": "arn:aws:iam::<number>:user/<user>"
}
The problem was that I didn't have enough rights to do it, since my user had only AmazonS3FullAccess.
Now I added:
AmazonEC2FullAccess
AmazonRoute53FullAccess
IAMFullAccess
AmazonVPCFullAccess
I'm on an EC2 instance that has an IAM role attached to it, and would like to be able to verify that I am indeed using this role from the AWS CLI.
I'm imagining being able to call something like this (but can't find anything like it in the CLI docs):
$ aws get-current-role-details
Does this functionality exist?
Use the AWS STS command get-caller-identity.
Returns details about the IAM identity whose credentials are used to call the API.
$ aws sts get-caller-identity
{
    "UserId": "AIDAxxx",
    "Account": "xxx",
    "Arn": "arn:aws:iam::xxx:user/Tyrone321"
}
You can then take the role name, and query IAM for the role details using both iam list-role-policies for inline policies and iam list-attached-role-policies for attached managed policies (thanks to @Dimitry K for the callout).
$ aws iam list-attached-role-policies --role-name Tyrone321
{
    "AttachedPolicies": [
        {
            "PolicyName": "SomePolicy",
            "PolicyArn": "arn:aws:iam::aws:policy/xxx"
        },
        {
            "PolicyName": "AnotherPolicy",
            "PolicyArn": "arn:aws:iam::aws:policy/xxx"
        }
    ]
}
To get the actual IAM permissions, use aws iam get-policy to get the default policy version ID, and then aws iam get-policy-version with the version ID to retrieve the actual policy statements.
If the IAM principal is a user, the commands are aws iam list-attached-user-policies and aws iam get-user-policy.
See the AWS IAM CLI reference for more information.
There is a simpler and more elegant way to get the current role details.
$ curl http://169.254.169.254/latest/meta-data/iam/info
{
    "Code" : "Success",
    "LastUpdated" : "2019-05-08T13:15:52Z",
    "InstanceProfileArn" : "arn:aws:iam::xxxxxxxxxxxx:instance-profile/rolename",
    "InstanceProfileId" : "AIPAIFNV5UU4JJLAXXXXX"
}
In InstanceProfileArn you can see your role name.
Unfortunately, there is not a simple way to get that information. You'll need to get there through the following path:
Step 1. Get the current EC2 instance ID from the instance metadata.
curl -s http://169.254.169.254/latest/meta-data/instance-id
You may need the current region as well.
curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/\(.*\)[a-z]/\1/'
Step 2. Get the ID of the IAM Instance Profile attached to your EC2 instance.
aws ec2 describe-instances \
--region us-east-1 \
--instance-id i-12345678 \
--query 'Reservations[0].Instances[0].IamInstanceProfile.Id'
Remember to substitute the EC2 instance ID and region as required.
Step 3. Get the IAM instance profile roles.
aws iam list-instance-profiles \
--query "InstanceProfiles[?InstanceProfileId=='ABCDEFG'].Roles"
Remember to substitute the IAM instance profile ID.
Notes:
An IAM instance profile may have more than one IAM role associated with it. Usually it will be only one, but it could have more.
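As an added example that is not from either of the two answers above, the following Python does their lookups offline on constructed sample responses: the name taken from the InstanceProfileArn in the metadata response, the availability-zone-to-region trim of Step 1, and the Step 3 --query over list-instance-profiles, including the case the note describes where a profile carries more than one role. The sample profile and role names and ids are made up. One caveat the code makes explicit: the name in the profile ARN is the instance profile name, which does not have to equal the role name, so the list-instance-profiles lookup is the authoritative one.

```python
import json
import re

# Constructed sample of GET /latest/meta-data/iam/info (same shape as above).
IAM_INFO = """{
  "Code" : "Success",
  "LastUpdated" : "2019-05-08T13:15:52Z",
  "InstanceProfileArn" : "arn:aws:iam::123456789012:instance-profile/web-profile",
  "InstanceProfileId" : "AIPAEXAMPLEPROFILE01"
}"""

# Constructed sample of `aws iam list-instance-profiles`, trimmed to the
# fields the lookup needs. The second profile carries two roles on purpose.
INSTANCE_PROFILES = """{
  "InstanceProfiles": [
    {"InstanceProfileId": "AIPAEXAMPLEPROFILE00",
     "InstanceProfileName": "other-profile",
     "Roles": [{"RoleName": "other-role"}]},
    {"InstanceProfileId": "AIPAEXAMPLEPROFILE01",
     "InstanceProfileName": "web-profile",
     "Roles": [{"RoleName": "web-role"}, {"RoleName": "web-audit-role"}]}
  ]
}"""


def region_from_az(az: str) -> str:
    """'us-east-1a' -> 'us-east-1': the same trim as the sed in Step 1."""
    return re.sub(r"[a-z]$", "", az)


def profile_name_from_iam_info(iam_info_json: str) -> str:
    """Last path segment of InstanceProfileArn. This is the instance profile
    name; it equals the role name only if the profile was created that way."""
    arn = json.loads(iam_info_json)["InstanceProfileArn"]
    return arn.rsplit("/", 1)[1]


def roles_for_profile(list_output: str, profile_id: str) -> list:
    """Equivalent of --query "InstanceProfiles[?InstanceProfileId=='ID'].Roles",
    flattened to role names; returns [] when no profile has that id."""
    profiles = json.loads(list_output)["InstanceProfiles"]
    return [role["RoleName"]
            for profile in profiles if profile["InstanceProfileId"] == profile_id
            for role in profile["Roles"]]
```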