I have a working AWS Amplify application which I deployed manually. To specify this application using the CLI, I need the so-called appId. But where can I find this? In the console, I can find the name and the appArn but not the appId.
If you have access to the AWS console and can see the App ARN field, you can find the AppId:
arn:aws:amplify:eu-west-1:xxxxxxxxxx/APPID
It has this pattern: d[a-z0-9]+
When using a simple AWS credentials file like this on Ubuntu Linux with credentials file: ~/.aws/credentials
[leigh.m] # let's call this account ID: 1000 for simplicity
AWS_ACCESS_KEY_ID=some_access_key_id
AWS_SECRET_ACCESS_KEY=some_secret_access_key
AWS Toolkit in VSCode works perfectly and I can access AWS resources via VSCode.
However I need to assume roles cross-accounts (with a source 'root' profile controlling access to the other accounts via roles) which all have MFA set.
My ~/.aws/config file that facilitates this looks like:
[profile my-assumed-role-1] # let's say this has account ID: 2000
role_arn=arn:aws:iam::2000:role/AdminRole
source_profile=leigh.m
role_session_name=my-assumed-role-1-session-name
mfa_serial=arn:aws:iam::1000:mfa/leigh.m
duration_seconds=3600
This setup works perfectly well now and I can assume the role; for example, via the CLI I can list buckets in account 2000 by passing that profile, like: aws s3api list-buckets --profile my-assumed-role-1
However, when I try to access that named profile via AWS Toolkit in VSCode I get the error message in AWS toolkit logs:
Shared Credentials Profile leigh.m is not valid. It will not be used by the toolkit.
Failed to connect with "profile:my-assumed-role-1": Profile leigh.m is not a valid Credential Profile: Profile leigh.m is not supported by the Toolkit.
It appears to be looking for a Profile 'leigh.m', so I have tried adding to ~/.aws/config this section:
[profile leigh.m]
mfa_serial=arn:aws:iam::1000:mfa/leigh.m
region=eu-west-1
output=json
I also tried to not use the config file and place everything in credentials file (as it appears to suggest here: https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/mfa-credentials.html)
But still the same issue. Anything I have missed?
(I did have a look to see if there were any questions already on S/O on correct setup of AWS credentials for AWS Toolkit and MFA (as my AWS credentials and config files work correctly for all other requirements). This was the only question, from ~5 years ago: Visual Studio AWS toolkit with multifactor authentication? but it did not answer, and there are no questions/answers on AWS Toolkit, MFA and assuming roles with named profiles.)
This is a VSCode AWS Toolkit bug, and they are releasing a fix for it: https://github.com/aws/aws-toolkit-vscode/issues/2394
Summary: AWS Toolkit only works with lowercase keys, so this will not work:
AWS_ACCESS_KEY_ID=some_access_key_id
AWS_SECRET_ACCESS_KEY=some_secret_access_key
When the fix is released it will work with caps & lowercase; of course, in the short term just change the credentials file to:
aws_access_key_id=some_access_key_id
aws_secret_access_key=some_secret_access_key
It will work as expected.
When I type serverless deploy, this error appears:
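A check for the uppercase-key problem described in the answer above, as an added Python example (not part of the original answer or the Toolkit's own code). The function names and the file-permission check are additions made here, and the sample file is constructed from the question's placeholder values.

```python
import configparser
import os
import stat
import tempfile

# Lowercase key names used in the shared credentials file.
KNOWN_KEYS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}

# Constructed sample reproducing the uppercase keys from the question.
SAMPLE = """[leigh.m]
AWS_ACCESS_KEY_ID=some_access_key_id
AWS_SECRET_ACCESS_KEY=some_secret_access_key
"""


def lint_credentials(path):
    """Return (profile, message) findings for a shared credentials file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(("<file>", f"mode {mode:o} grants access beyond the owner"))
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # configparser lowercases keys unless told not to
    parser.read(path)
    for profile in parser.sections():
        for key in parser[profile]:
            if key != key.lower() and key.lower() in KNOWN_KEYS:
                findings.append((profile, f"{key} should be {key.lower()}"))
    return findings


def lowercase_keys(text):
    """Rewrite known key names to lowercase, leaving values and comments alone."""
    fixed = []
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() in KNOWN_KEYS:
            line = name.lower() + sep + value
        fixed.append(line)
    return "\n".join(fixed) + "\n"


def demo():
    """Lint the constructed sample from a temp file, then return the fix."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w") as handle:
            handle.write(SAMPLE)
        os.chmod(path, 0o644)  # deliberately too open for the demo
        return lint_credentials(path), lowercase_keys(SAMPLE)
```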
ServerlessError: The security token included in the request is invalid.
I had to specify sls deploy --aws-profile in my serverless deploy commands like this:
sls deploy --aws-profile common
Can you provide more information?
Make sure that you've got the correct credentials in ~/.aws/config and ~/.aws/credentials. You can set these up by running aws configure. More info here: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-quick-configuration
Also make sure that the IAM user in question has an attached security policy that allows access to everything you need, such as CloudFormation.
Create a new user in AWS (don't use the root key).
In the SSH keys for AWS CodeCommit, generate a new Access Key.
Copy the values and run this:
serverless config credentials --overwrite --provider aws --key bar --secret foo
sls deploy
In my case it was missing the localstack entry in the serverless file.
I had everything that should be inside it, but it was all inside custom (instead of custom.localstack).
In my case, I added region to the provider. I suppose it's not read from the credentials file.
provider:
  name: aws
  runtime: nodejs12.x
  region: cn-northwest-1
In my case, multiple credentials are stored in the ~/.aws/credentials file.
And serverless is picking the default credentials.
So, I kept the new credentials under [default] and removed the previous credentials. And that worked for me.
To run the function from AWS you need to configure AWS with access_key_id and secret_access_key,
but you might get this error if you want to run the function locally.
For that, use this command:
sls invoke local -f functionName
It will run the function locally, not on AWS.
If none of these answers work, it's maybe because you need to add a provider in your serverless account and add your AWS keys.
I am trying to integrate AWS PHP SDK for codeigniter
But it's showing an error as follows:
An uncaught Exception was encountered
Type: Aws\Exception\CredentialsException
Message: Cannot read credentials from /.aws/credentials
Filename: /var/www/html/aws/Aws/Credentials/CredentialProvider.php
And on the CLI I am getting an error:
-bash: /root/.aws/credentials: Permission denied
So after this I allowed permission ... the CLI error has gone, but the PHP error Cannot read credentials from /.aws/credentials still remains.
Please help to solve this issue.
Thanks!
If you are using an IAM role for the EC2 instance, then there is no need to use the following:
'profile'=>'default',
I just removed the above line, which solved the error "Cannot read credentials from /.aws/credentials".
Issue using an IAM role with PHP SDK
When running code on another AWS service, you do not work with key and secret, as you would on your local machine. Take a look at the answer I gave on another question.
Basically, your EC2 instance is assigned a service role. Then you would attach one or more IAM policies to that role. The IAM policies will determine what AWS resources and actions your EC2 instance can access.
In your PHP code you would instantiate your client using the CredentialProvider::defaultProvider(). If you were working with S3 for example, it would look like this.
use Aws\Credentials\CredentialProvider;
use Aws\S3\S3Client;
// Resolve credentials through the SDK's default provider chain.
$s3 = new S3Client([
    'region' => 'us-east-1',
    'credentials' => CredentialProvider::defaultProvider()
]);
When PHP is running under a service there is no "user". Therefore PHP will not attempt to access /root/.aws/credentials. If you review the error, the path is /.aws/credentials.
To solve this problem create a new directory /.aws and copy the directory /root/.aws to /.aws
Improvement:
You have installed the PHP SDK inside your website root folder which makes these files accessible externally. SDKs should be installed outside of your website folders.
In my Jenkinsfile, I am trying to push the image that I have built using the docker plugin like follows:
docker.withRegistry('https://<my-id>.dkr.ecr.us-east-1.amazonaws.com/', 'ecr:us-east-1:awscreds') {
    docker.image('image').push('latest')
}
The pipeline fails every time with the message ERROR: Could not find credentials matching ecr:us-east-1:awscreds but I do have my AWS key ID and secret key in my Jenkins credentials with the ID "awscreds".
What could be a potential fix for this?
Alternatively, can I provide my credentials directly instead of mentioning the credential ID in the call?
I had the same error message. Make sure the Amazon ECR plugin is installed and up to date and that you reboot Jenkins after the installation.
Is it possible to provide the credential in each request in a way like
aws sns create-topic my_topic --ACCESS-KEY XXXX --SECRET-KEY XXXX
Instead of doing aws configure before I make the call.
I know that credential management can be done by using --profile like Using multiple profiles but that requires me to save the credential, which I cannot do. I'm depending on the user to provide me the key as parameter input. Is it possible?
I believe the closest option to what you are looking for would be to set the credentials as environment variables before invoking the AWS CLI.
One option is to export the environment variables that control the credentials and then call the desired CLI. The following works for me in bash:
$ export AWS_ACCESS_KEY_ID=AKIXXXXXXXXXXXXXXXX AWS_SECRET_ACCESS_KEY=YhTYxxxxxxxxxxxxxxVCSi; aws sns create-topic my_topic
You may also want to take a look at: Configuration Settings and Precedence
There is another way. Instead of "export"ing, just run the command like:
AWS_ACCESS_KEY_ID=AAAA AWS_SECRET_ACCESS_KEY=BBB aws ec2 describe-regions
This will ensure that the credentials are set only for the command.
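The per-command scoping from the answer above, as an added Python example (not part of the original answers): keys supplied by a user are placed only in the child process's environment, never in its arguments or the parent's environment. The helper names and sample key values are constructed; dropping a leftover AWS_SESSION_TOKEN and masking the secret in captured output are additions made here.

```python
import getpass
import os
import subprocess
import sys


def child_env(access_key_id, secret_access_key, base=None):
    """Copy the environment and set the keys in the copy only."""
    env = dict(os.environ if base is None else base)
    # A leftover session token would be sent alongside the new key pair.
    env.pop("AWS_SESSION_TOKEN", None)
    env["AWS_ACCESS_KEY_ID"] = access_key_id
    env["AWS_SECRET_ACCESS_KEY"] = secret_access_key
    return env


def run_with_keys(argv, access_key_id, secret_access_key):
    """Run argv with the keys in its environment, never in its arguments."""
    if any(secret_access_key in arg for arg in argv):
        raise ValueError("secret must not appear on the command line")
    result = subprocess.run(
        argv,
        env=child_env(access_key_id, secret_access_key),
        capture_output=True,
        text=True,
        check=False,
    )
    # Mask the secret in case the child echoes it into output that gets logged.
    out, err = (s.replace(secret_access_key, "****")
                for s in (result.stdout, result.stderr))
    return result.returncode, out, err


def demo():
    """Offline stand-in for the aws CLI: a child that prints what it received."""
    probe = ("import os; print(os.environ['AWS_ACCESS_KEY_ID'], "
             "os.environ['AWS_SECRET_ACCESS_KEY'], "
             "os.environ.get('AWS_SESSION_TOKEN'))")
    # Constructed placeholder values, not real credentials.
    return run_with_keys([sys.executable, "-c", probe],
                         "AKIAEXAMPLEKEY", "constructed-secret")


if __name__ == "__main__":
    key_id = input("Access key ID: ")
    secret = getpass.getpass("Secret access key: ")  # not echoed to the terminal
    print(run_with_keys(["aws", "ec2", "describe-regions"], key_id, secret))
```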
Your best bet would be to use an IAM role for the Amazon EC2 instance. That way you don't need to worry about the credentials at all. Also, the keys will be rotated periodically.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html