I try to learn AWS and try to add profiles to the instance.
I created a Windows ec2 instance and two users (reader and writer), I use awscli for configure:
aws configure
After command execution I entered reader credentials.
After that two files were created in the C:\users\Administrator\.aws folder (config and credentials)
File credentials contains default profile, but I need to add two additional profiles to the server. In the final, credentials file should looks in the following way:
As I understood, I need to set Admin credentials for the command aws configure, but how can I add two other profiles?
Your credentials file looks correct. You can add as many profiles as you need. Then when invoking a cli command you need to specify which profile you are using. Ex.
aws ec2 describe-instances --profile writer
Full details at https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
So to add a new profile, you could add one named "admin" that uses the access key/secret for the user with admin permission.
Related
TL;DR: Is it possible to use the AWS CLI to update the locally stored credentials file with the IAM users information in my AWS account?
I am following the instructions in this AWS Amplify tutorial which includes these steps:
Creating an IAM user
Providing the IAM user credentials to the amplify CLI
Step 2 updated my local \.aws\credentials file to include a profile for the IAM user created in step 1.
After this, of my own accord, I went back into the IAM console and created a new access key ID.
This new access key is not included in my local \.aws\credentials file, so I would like to add it. How can I do that?
I have tried copying the profile entry created by the amplify CLI tool and pasting in the aws_access_key_id and aws_secret_access_key. However, I am not sure how to update the toolkit_artifact_guid. As I am creating a new profile for the same IAM user, should I use the same toolkit_artifact_guid?
The aws configure command can be used to add a new profile to your config
Use the --profile flag to create a profile in the .aws/config file.
https://docs.aws.amazon.com/cli/latest/reference/configure/
toolkit-artifact-guid is a piece of metadata used by tooling, such as extensions for an IDE. It is not required for specifying a new IAM profile
I'm learning AWS using the AWS CLI and LocalStack.
I'm working with tutorials such as this, which describe how to create a S3 bucket and upload a file to it.
What I'd like to understand is the role of users in relation to AWS commands, and whether or not there is a relationship between a user and a profile (the latter is created when you run the aws configure CLI command).
When I run a AWS CLI command such as aws --endpoint-url=http://localhost:4572 s3 cp ./foo.json s3://my-bucket/path/to/foo.json what user am I running that command as? I have not explicitly created any users using the AWS IAM CLI or by other means. Is a profile implicitly a user? I.e. when I run aws configure, does the default profile created mean a user named default is created in AWS IAM?
Well, it's easy to check actually.
https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html
Is a profile implicitly a user?
No, profile is just that - credentials profile. Whether it's a user or a role, AWS CLI doesn't care as long as those credentials are valid.
when I run aws configure, does the default profile created mean a user named default is created in AWS IAM
Going from previous point, no. Nothing is done implicitly in IAM. When you run aws configure you supply credentials that already exist, not the other way around.
I am wanting to set up a recursive sync from a Linux machine (Fedora) to an AWS S3 bucket. I am logged into Linux as root and have an AWS Key and Secret associated with a specific AWS user "Lisa".
I have installed aws-cli, s3cmd, and attempted to configure both. I have verified the aws/configure and aws/credentials files both have a default user and a "Lisa" user with Access Key and Secret pairs. I receive errors stating that Access is Denied, access key and secret pair not found. I have researched this on the web and verified that there are no environment variables that could be overriding the configure & credential files. I have also granted full access permissions to the bucket created through the AWS Console to all logged in users. I have not rotated the keys, as they were first created a week ago, and I was able to log-in & set-up the AWS console using that same key pair.
What else should I be doing before rotating the keys?
It looks like you haven't configured AWS credentials correctly. Make sure that you have correct access keys in your credentials file. If you don't specify any profiles, awscli uses the default profile.
~/.aws/credentials
[default]
aws_access_key_id=AKIAIDEFAULTKEY
aws_secret_access_key=Mo9T7WNO….
[Lisa]
aws_access_key_id=AKIAILISASKEY
aws_secret_access_key=H0XevhnC….
This command uses the default profile:
aws s3 ls
This command uses Lisa profile:
aws s3 ls --profile Lisa
You can set an environment variable to override the default profile.
export AWS_DEFAULT_PROFILE=Lisa
Now this command uses the profile Lisa:
aws s3 ls
If you don't know which profile is active, you can just invoke the following command:
aws sts get-caller-identity
You seem to have several terms intermixed, so it's worth knowing the difference:
Username and password is used to login to the web-based management console. They are short, to be human-readable and easy to remember.
Access Key (starting with AKIA) and Secret Key is used for making API calls. It is also used by the AWS CLI (which makes API calls on your behalf)
Key pair consists of a public and private key, used for authenticating SSH connections. It is a very long block of text.
You mention that an Access Key is not found. This could be because the wrong type of credential is being provided.
SETUP
I created a new aws user via the aws web console, and selected both console and programmatic/cli access
I have added the AdministratorAccess policy directly to it.
I have not enabled MFA for this user
I have verified that my credentials file within the aws directory contains the proper values for aws_access_key_id and aws_secret_access_key
I have verified that my config file within the aws directory does not contain any lines that would overwrite data for the profile
I am verifying I am using the correct profile info by with aws configure list
THE ISSUE
Executing aws ec2 describe-regions returns:
An error occurred (UnauthorizedOperation) when calling the DescribeRegions operation: You are not authorized to perform this operation.
The error is pretty straightforward, but I'm not sure what else I can do to authorize this user. I had a coworker follow the same steps and the CLI worked as expected for him.
I researched the steps from This S.O. post but am still scratching my head.
Your AWS CLI is getting credentials from somewhere else. See Configuration Settings and Precedence:
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#config-settings-and-precedence
Make sure it is not getting the credentials from environment variables or from other locations. The AWS CLI looks for credentials and configuration settings in the following order:
Command Line Options – region, output format and profile can be specified as command options to override default settings.
Environment Variables – AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc.
1)The AWS credentials file – ~/.aws/credentials on Linux, OS X, or Unix, or at C:\Users\USERNAME .aws\credentials on Windows.
Can contain multiple named profiles in addition to a default profile.
2)The CLI configuration file – at ~/.aws/config on Linux, OS X, or Unix, or at C:\Users\USERNAME .aws\config on Windows. Can contain a default profile, named profiles, and CLI specific configuration parameters for each.
3)Instance profile credentials – these credentials can be used on EC2 instances with an assigned instance role
Following this tutorial to setup CLI and trying to invoke AWS Lambda with the following command
aws lambda list-functions --profile xxxxx
But all I get is
The config profile (xxxxx) could not be found
I've created a user with username xxxxx on AWS IAM and I've successfully logged in AWS using this xxxxx as I can see xxxxx#accountID after I logged in.
I've also checked # C:\Users\myWindowUser\.awsthat there is below two files
config
credentials
May I know which part could have gone wrong?
The profile argument isn't used to specify a username. It is used to specify a named profile that you have created in your local credentials file. You probably haven't created any named profiles in the credentials file. If you created the credentials file via the aws configure command, then you will only have a default profile in your credentials file. If you only have a default profile then you shouldn't be trying to specify a profile parameter.