I am using the aws ec2 describe-volumes with the out showing this:
{
"Volumes": [
Is there anyway to include the ownerarn in this?
The AWS CLI describe-volumes documentation shows the output that will be returned.
I'm not sure what you mean by ownerarn, but Amazon EBS volumes belong to an AWS Account that is identified by a 12-digit number. The Account ID is not returned as part of the describe-volumes call, but you can obtain it by calling aws iam get-user and extracting the Account ID from the returned Arn for the user.
Within AWS, resources are linked to AWS Accounts. They are not linked to IAM Users.
Related
Goal: Retrieve secret from secretsmanager on an aws ec2 instance programmatically through command line.
I have created an IAM role with policies that grant full-access to AWSSecretsManager and AWSEC2instance also to assume the role and modify the role of any aws ec2 instance.
I created an aws instance and attached the IAM role to it and executed the following steps:
- aws secretsmanager list-secrets
An error occurred (UnrecognizedClientException) when calling the ListSecrets operation: The security token included in the request is invalid.
I get an error. I am able to retrieve the security credentials using the metadata of the instance.
- Am I missing something here? I basically want to retrieve the secret in an aws instance in a secure way.
- When I try to run the above command to list-secrets. The cli complains that it needs an region. My ec2-instance and secrets all are in us-east-2. So, I use the same region. And it still does not work.
Any suggestions/pointers would be highly appreciated. Thanks!
Here is How I would troubleshoot.
check whether the instance is aware of the IAM role attached to that.
aws sts get-caller-identity
try passing the region to the command
aws secretsmanager list-secrets --region us-east-2
I would check whether the AWS_REGION or AWS_DEFAULT_REGION, but even if these values are set, passing --region should override it.
Hope this help you get somewhere.
Have you run "aws configure" on the instance? Sounds like it might be using the token in there rather that the EC2 instance role. See references below for the sequence it checks but basically, the EC2 role is the last place it looks, if it gets credentials earlier, it will use them.
See here for the priority/sequence: https://docs.aws.amazon.com/amazonswf/latest/awsrbflowguide/set-up-creds.html
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html ("Using the Default Credential Provider Chain")
I would like to auto-tag certain AWS resources defined in a CloudFormation template with the user who uses the template to create a stack. Is it possible to access any sort of user id in the template?
I don't think this is possible.
AWS services are tied to AWS Accounts. Once IAM confirms that a particular user has permission to make an API call, resources that are generated become associated with an Account rather than a particular User. For example, it is not possible to look at an EC2 instance and determine who launched the instance.
This information is, however, available in AWS CloudTrail, but that is more of an audit log — it does not provide the user information back to the service.
So, I suspect that a stack is not provided with information about the User that launched it.
There is one way of doing it, but it isn't pretty and there is a caveat.
You can run a bash script like the below on an ec2 instance:
AWS_INSTANCE_ID=`curl -s http://169.254.169.254/latest/meta-data/instance-id`
USER_ID=`aws sts get-caller-identity --output text --query 'Arn'`
aws ec2 create-tags --resources "${AWS_INSTANCE_ID}" --tags 'Key=CreatedBy,Value="${USER_ID}"' --region eu-west-1
That will tag the current instance with the name of the user that run the CLI on that instance.
The caveat is however that the CLI needs to be run by the user - and not a role, so your users keys will have to be copied to the server - and then removed again at the end of the script.
Not ideal, but it gives you an option.
I have a service-linked role in AWS that I need to delete. When I try to delete it in IAM it fails and has a popup with the ARNs of two resources that use this role. This brain-dead blog post shows me the steps to recreate the problem I'm having and tells me that I need to delete the resources that use the role I'm trying to delete. Duh.
I've tried searching the given ARNs in the IAM search window, but it doesn't find them.
Now that I have the ARNs, how can I delete them so I can delete this role?
There is no API that provide delete of any resource by any ARN. You need to use specific services for delete resources.
If you have ARNs - according to documentation - it will be 3rd part (by ":" character):
arn:partition:SERVICE:region:account-id... // SERVICE where your resource is present
For example - if you have that ARN:
arn:aws:ec2:us-east-1:1234567890:instance/i-12345678901234567
That indicates it's EC2 instance. You can delete it via AWS Console (UI) or by example using AWS CLI:
aws --region us-east-1 ec2 terminate-instances --instance-ids i-12345678901234567
EDIT
According to link you provided (brain-dead blog post) there are ARNs of Redshift clusters, so you can try delete them via AWS CLI using this command:
aws --region <REGION> redshift delete-cluster --cluster-identifier <CLUSTER ID>
Where REGION and CLUSTER ID you can obtain from ARNs.
If you want to delete them from UI (AWS Console) - don't forget change to proper region.
I'm on an EC2 instance that has an IAM role attached to it, and would like to be able to verify that I am indeed using this role from the AWS CLI.
I'm imagining being able to call something like this (but can't find anything like it in the CLI docs):
$ aws get-current-role-details
Does this functionality exist?
Use the AWS STS command get-caller-identity.
Returns details about the IAM identity whose credentials are used to call the API.
$ aws sts get-caller-identity
{
"UserId": "AIDAxxx",
"Account": "xxx",
"Arn": "arn:aws:iam::xxx:user/Tyrone321"
}
You can then take the role name, and query IAM for the role details using both iam list-role-policies for inline policies and iam-list-attached-role-policies for attached managed policies (thanks to #Dimitry K for the callout).
$ aws iam list-attached-role-policies --role-name Tyrone321
{
"AttachedPolicies": [
{
"PolicyName": "SomePolicy",
"PolicyArn": "arn:aws:iam::aws:policy/xxx"
},
{
"PolicyName": "AnotherPolicy",
"PolicyArn": "arn:aws:iam::aws:policy/xxx"
} ]
}
To get the actual IAM permissions, use aws iam get-policy to get the default policy version ID, and then aws iam get-policy-version with the version ID to retrieve the actual policy statements.
If the IAM principal is a user, the commands are aws iam list-attached-user-policies and aws iam get-user-policy.
See the AWS IAM CLI reference for more information.
There is a more simple and elegant way to get the current role details.
$ curl http://169.254.169.254/latest/meta-data/iam/info
{
"Code" : "Success",
"LastUpdated" : "2019-05-08T13:15:52Z",
"InstanceProfileArn" : "arn:aws:iam::xxxxxxxxxxxx:instance-profile/rolename",
"InstanceProfileId" : "AIPAIFNV5UU4JJLAXXXXX"
}
In InstanceProfileArn you can see your role name
Unfortunately, there is not a simple way to get that information. You'll need to get there through the following path:
Step 1. Get the current EC2 instance ID from the instance metadata.
curl -s http://169.254.169.254/latest/meta-data/instance-id
You may need the current region as well.
curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone/ | sed 's/\(.*\)[a-z]/\1/'
Step 2. Get the ID of the IAM Instance Profile attached to your EC2 instance.
aws ec2 describe-instances \
--region us-east-1 \
--instance-id i-12345678 \
--query 'Reservations[0].Instances[0].IamInstanceProfile.Id'
Remember to substitute the EC2 instance ID and region as required.
Step 3. Get the IAM instance profile roles.
aws iam list-instance-profiles \
--query "InstanceProfiles[?InstanceProfileId=='ABCDEFG'].Roles"
Remember to substitute the IAM instance profile ID.
Notes:
An IAM instance profile may have more than one IAM role associated with it. Usually it will be only one, but it could have more.
Looking for a quick way to pull my account number, I had originally thought of using aws iam get-account-authorization-details --max-items 1 but there are several issues with doing it this way. Is there a way to do this that might not cross account origins?
You can get the account number from the Secure Token Service subcommand get-caller-identity using the following:
aws sts get-caller-identity --query Account --output text
From my related answer for the AWS PowerShell CLI, your Account ID is a part of the Arn of resources that you create... and those that are automatically created for you. Some resources will also list you as an OwnerId.
The Default Security Group is automatically created for you in each region's default VPC as a reserved security group. From the documentation:
You can't delete a default security group. If you try to delete the EC2-Classic default security group, you'll get the following error: Client.InvalidGroup.Reserved: The security group 'default' is reserved. If you try to delete a VPC default security group, you'll get the following error: Client.CannotDelete: the specified group: "sg-51530134" name: "default" cannot be deleted by a user.
This makes it a reliable candidate for retrieving our account Id, as long as you are in EC2 classic or have a default VPC (*see edge cases if you don't).
Example:
aws ec2 describe-security-groups \
--group-names 'Default' \
--query 'SecurityGroups[0].OwnerId' \
--output text
This uses --query to filter the output down to the "owner ID" for the first result from this request, and then uses --output to output your account ID as plaintext:
123456781234
Edge cases:
(Thanks #kenchew) Note that if you've deleted your default VPC in a given region, this security group no longer exists and you should use one of these alternative solutions:
query STS get-caller-identity, per #Taras
use the first security group returned, per #Phillip
Further reading:
AWS EC2 Documentation: Default Security Groups
AWS CLI Documentation: aws ec2 describe-security-groups
Controlling Command Output from the AWS Command Line Interface
If you are running on a server that is running with an assumed role you can't call aws sts get-caller-identity. Also, with describe-security-groups you can't always use the --group-names filter (it doesn't work if you don't have a default VPC), so just pick the first security group. I've found this to be the most reliable regardless of what sort of authentication you use or what sort of VPC you have.
aws ec2 describe-security-groups --query 'SecurityGroups[0].OwnerId' --output text
My favorite method is to use aws iam get-user [--profile <profile>] since you only need IAM self service role for this to work.