I'm working with aws and implementing CI/CD using their developer tools. Each of the tools requires a service role, so I decided to just update my existing service role with the correct permissions. The problem is I don't know where to find the list of values to use for each service.
Below I just guessed the right name after creating a role, but I prefer not to guess
I searched the docs and found these names and I also tried using the cli to find the ids: aws describe-services or aws help but that list doesn't match.
How do I find the values to update these policies?
Based on comments there is no official API. But there is an unofficial List of AWS Service Principals been kind of maintained by the people.
Related
I am trying to create an IoT Sitewise asset in aws using terraform however it is not listed in documentation. Is there a way for me to create this or is it not supported by the provider yet? By the way I am very new to these concepts so please do not mind me if I am asking something obvious.
You are correct that as of right now, IoT Sitewise is not supported by Terraform. IoT Sitewise was just launched last month. Terraform is updated regularly with new AWS services, so the best way to find out when it becomes supported is to keep an eye on the AWS Provider Documentation in Terraform's documentation. Search for "IoT" in the navigation pane and it will populate in the search results when they have added support.
You could use the awscc (AWS Cloud Control) provider: https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/iotsitewise_asset. Later on, when it makes it to the official aws provider, you can switch to it.
I have a simple shell script which issues several commands using awscli and displays information to the screen. It depends on having correct settings in ~/.aws/config and ~/.aws/credentials. I want to distribute it to about 10 users who have IAM accounts with limited privileges. However I don't want to use the shell - I want something cross-platform, easy to use for the users and easy for me to update. So I decided that I want to create a simple web application in JS instead, using the AWS SDK.
It seems that this use case is specifically supported by AWS, the first bullet point under "Common Use Cases" in What Is the AWS SDK for JavaScript? is "Build a custom console to AWS services in which you access and combine features across Regions and services to best meet your organizational or project needs" which exactly describes what I want to do.
The problem is that I can't find the relevant documentation on how to perform the user authentication. All the examples that I was able to find talk about some "Amazon Cognito" service and discuss much more complicated use cases, such as authenticating pools of external users through an external authentication provider and mapping them to IAM roles, which sounds too complicated for what I want to do. Is there a way to just authenticate the users that I have with their IAM user/password, and authorize them to access the AWS services based on their existing IAM permissions? Or is using Cognito, creating additional roles, etc. mandatory?
While writing this question I found out another question about AWS Amplify and now I'm even more confused. Is AWS Amplify what I would want to use?
You can write a web app using the AWS SDK for JavaScript that invokes various AWS Services. You do NOT need to use AWS Amplify to create a web app.
A Web application that uses the AWS SDK for JavaScript uses creds like any other AWS app. Here is an AWS tutorial that shows how to use the AWS SDK for JavaScript to write a basic web app that invokes the AWS SQS service. It will hopefully point you in the right direction.
Creating an example messaging application
This topic covers Prerequisites and other information, such as creating the required AWS resources, you need to know to write a web app using the AWS SDK for JavaScript.
Also - the link you referenced was the JavaScript V2 DEV Guide. Its better to use the AWS JavaScript V3 DEV Guide.
Looking at this guide:
https://aws.amazon.com/blogs/security/use-new-account-assignment-apis-for-aws-sso-to-automate-multi-account-access/
It only shows how to assign permission sets to already existing users. Also looking at the cloudformation documentation, it does not mention anything about users.
Is there a way to create aws sso users via cloudformation or cdk?
Sadly this is not yet supported. AWS docs say that in future such support should be added, at least to AWS API, which then you could use from custom resources in CloudFormation:
Future updates to AWS SSO Identity Store APIs, including additions for creation and modification of users and groups, will be documented in this reference as they are released.
If you are looking for Infrastructure as Code you can use Terraform and Boto3 to create SSO users.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_user
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/identitystore.html#client
I am trying to access the aws rds api to describe db snapshots. I plan on having this be parsed so that I can list all the available aws snapshots by id using groovy. However the biggest problem I am having is getting the api in the first place. I took a look at AWS's reference on this topic but I can't seem to figure out how to generate the pre-signed portion of the request with credentials. I am not sure why that part is even necessary. Why can't the user authenticate using the Access key ID and the Secret access key combination?
The reference:
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBSnapshots.html
The section with the issue:
https://rds.us-west-2.amazonaws.com/
?Action=DescribeDBSnapshots
&IncludePublic=false
&IncludeShared=true
&MaxRecords=100
&SignatureMethod=HmacSHA256
&SignatureVersion=4
&Version=2014-09-01
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=AKIADQKE4SARGYLE/20140421/us-west-2/rds/aws4_request
&X-Amz-Date=20140421T194732Z
&X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
&X-Amz-Signature=4aa31bdcf7b5e00dadffbd6dc8448a31871e283ffe270e77890e15487354bcca
If groovy is a hard requirement, I'd look into something like this https://grails.org/plugin/aws-sdk
If you're comfortable with Java, I'd say use the official AWS-SDK
If you're scripting this out, you could also use the official AWS cli tool and do something like
aws rds describe-db-snapshots [OPTIONS]
From there you could use a tool like jq to zero-in and parse out your specific ID's. You can find more documentation here.
The way you'd authorize with the SDK is either through environment variables (the preferred approach) or probably hardcoding your KEY and SECRET (big no no)
I think rather than trying to directly communicate with the API directly you should make use of the built in wrappers that AWS provide.
If you're accessing this with a supported programmatic language take a look at the AWS SDKs. There are currently officially supported libraries for:
C++
Go
Java
JavaScript
.NET
NodeJS
PHP
Python
Ruby
If your language of choice is not covered there may be a third party solution already. Alternatively take a look at the AWS CLI to resolve your problem.
For your specific action describe-db-snapshots you can get a list of all IDs by running the below, then parse as JSON.
aws rds describe-db-snapshots --query 'DBSnapshots[*].DBSnapshotIdentifier' --format json
How to configure the credential to use AWS service from inside the EKS. I can not use AWS SDK for this specific purpose. I have mentioned a role with required permission in the yaml file but it does not seem like it is picking up the role.
ThankYou
Any help is appreciated.
Typically you'd want to apply some level of logic to allow the pods themselves to obtain IAM credentials from STS. AWS does not currently (its re:Invent now so you never know) provide a native-way to do this. The two community solutions we've implemented are:
kube2IAM: https://github.com/jtblin/kube2iam
kIAM: https://github.com/uswitch/kiam
Both work well in production/large environments in my experience. I prefer kIAM's security model, but both get the job done.
Essentially the work the same basic way ... intercepting (for lack of a better word) communications b/t the SDK libraries in the container and STS, matching identity of the pod with an internal role dictionary, and then obtaining STS credentials for that role and handing those creds back to the container. The SDK isn't inherently aware its in a container, its just doing what it does anywhere ... walking its access tree until it sees the need to obtain creds from STS and receiving those.