Setting up AWS credentials - amazon-web-services

I am having problems configuring my AWS credentials on Serverless using my terminal. Once I place:
serverless config credentials --provider aws --key xx --secret xxx --profile serverless-admin2
After that the system responds "setting up aws..." and doesn't do anything else. Am I doing something wrong?

The command just only creates a new entry in your ~/.aws/credentials file. Thus to check if it worked, inspect ~/.aws/credentials and see if [serverless-admin2] profile was created with your aws keys.
If not, you can add the profile yourself there.

Related

How to remove assumed IAM role from local

I have an assumed role which I assumed using aws sts assume-role CLI command.
I want to "unassume" this role and switch back to my aws credentials configured in my local system.
How do I acheive this?
I have tried doing so by going to the console and clicking the "Revoke Active Sessions" button, but that doesn't seem to be working. I tried rm -r ~/.aws/cli/cache too but in vain. Please help
There's a few things you can do:
You can unset the AWS environment variables in your terminal:
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
You can reconfigure your aws configuration:
aws configure
However, you'll need to make sure there are no environment variables set for your AWS credentials. By default, the AWS CLI looks at your environment variables, then your config file, then your credentials file for credentials to use in CLI commands.

Have to delete environment variables for aws cli to work without --profile flag

ok so I am baffled by this aws cli behavior. Basically what is going on is that when I set my AWS creds related in environment variable, AWS CLI forces me to pass --profile flag each time I use the CLI.
So basically when AWS_ACCESS_KEY_ID AND AWS_SECRET_ACCESS_KEY then I cannot run commands like aws s3 ls without passing --profile flag to it even though my profile is [default]
Also, jus to note the environment variable values and the values inside my /.aws/credentials
file is exactly same. Also, I tried to set both AWS_PROFILE and AWS_DEFAULT_PROFILE to default hoping that if all values such as keys,secret and profile are set in environment variable then I do not have to pass any --profile flag explicitly. Not having to pass this flag explicitly is very important for me at this point because if I am running an application which connects with aws and picks up default credentials, there is no easy way to pass profile information to that app.
my credentials file look like following:
[default]
aws_access_key_id = AKIA****
aws_secret_access_key = VpR***
My config file looks like following:
[default]
region = us-west-1
output = json
And my environment variables do have the same values for corresponding entries. for key, secret and profile at least.
Any idea on how to solve this issue?
The AWS CLI looks for credentials using a series of providers in a particular order. (https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#config-settings-and-precedence)
Specifically:
Command line options – You can specify --region, --output, and --profile as parameters on the command line.
Environment variables – You can store values in the environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN. If they are present, they are used.
CLI credentials file – This is one of the files that is updated when you run the command aws configure. The file is located at ~/.aws/credentials on Linux or macOS, or at C:\Users\USERNAME\.aws\credentials on Windows. This file can contain the credential details for the default profile and any named profiles.
CLI configuration file – This is another file that is updated when you run the command aws configure. The file is located at ~/.aws/config on Linux or macOS, or at C:\Users\USERNAME\.aws\config on Windows. This file contains the configuration settings for the default profile and any named profiles.
Container credentials – You can associate an IAM role with each of your Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary credentials for that role are then available to that task's containers. For more information, see IAM Roles for Tasks in the Amazon Elastic Container Service Developer Guide.
Instance profile credentials – You can associate an IAM role with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances and Using Instance Profiles in the IAM User Guide.
Another potential option for you would be to unset any colliding variables in your env and rely on the aws credentials file to provide the appropriate access credentials from the default entry.

Aws configure is not saving configuration data in credentials and config files on windows 10

I am trying to configure AWS CONFIGURE via AWS CLI on my laptop having Windows 10 professional. This is not the first time I am configuring AWS CONFIGURE. I already have many profiles settings.
I have enough free system memory and storage and have sufficient rights to run aws configure. I am using Python 3.6
Here is the detail, how I am trying to setup AWS CONFIGURE.
When I run this command again, it asks all the values again.
Even if I run an AWS CLI command using this new profile; to create a lambda function ( aws lambda create-function xxxxxxxxx --profile lambdaprofile ).
It gives below error.
The config profile (lambdaprofile) could not be found.
Please help me.
Some times this issue happens and AWS CLI is unable to set new profile and settings in config file.
Here is a fix of this issue.
Run below command from windows console.
notepad %USERPROFILE%\.aws\credentials
You will see last line of credentials file with overlapping line.
e.g in your particular case, it would be showing like below.
region = us-east-1[lambdaprofile]
aws_access_key_id = AKIAIGCOZJBAKIAIGCOZJB
aws_secret_access_key = gHZWwhUxRLtwQRUknGgHZWwhUxRLtwQRUknG
region = use-east-1
Similar issue would be in config file, which can be checked by opening this file.
notepad %USERPROFILE%\.aws\config
To fix this issue set [lambdaprofile] to new line, preferably add another empty line before [lambdaprofile]. It should look like below.
region = us-east-1
[lambdaprofile]
aws_access_key_id = AKIAIGCOZJBAKIAIGCOZJB
aws_secret_access_key = gHZWwhUxRLtwQRUknGgHZWwhUxRLtwQRUknG
region = use-east-1
Also do the same fix in config file. After fixing it, if you will run aws configure --profile lambdaprofile it should show the previously saved values in credentials and config files.
You may also check if values are saved or not with below command.
aws configure list --profile lambdaprofile
Alternately to the fix detail mentioned above, you can also set new profile directly with AWS CONFIGURE SET
e.g in your particular case.
aws configure --profile lambdaprofile set aws_access_key_id AKIAIGCOZJBAKIAIGCOZJB
aws configure --profile lambdaprofile set aws_secret_access_key gHZWwhUxRLtwQRUknGgHZWwhUxRLtwQRUknG
aws configure --profile lambdaprofile set region use-east-1
or
aws configure set profile.lambdaprofile.aws_access_key_id AKIAIGCOZJBAKIAIGCOZJB
aws configure set profile.lambdaprofile.aws_secret_access_key gHZWwhUxRLtwQRUknGgHZWwhUxRLtwQRUknG
aws configure set profile.lambdaprofile.region use-east-1

UnrecognizedClientException error when authenticating on aws-cli

When I pull a clean Alphine Linux Docker image, install aws-cli on it and try to authenticate myself with aws ecr get-authorization-token --region eu-central-1 I keep getting the following error:
An error occurred (UnrecognizedClientException) when calling the
GetAuthorizationToken operation: The security token included in the
request is invalid.
I've already checked the timezone which seem to be okay, and the command works properly on my local machine.
These are the commands I run to set up aws-cli:
apk add --update python python-dev py-pip
pip install awscli --upgrade
export AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Is there something obvious I'm missing?
You don't have permission to access those resources until you get permission to aws-cli, for that you can use the below steps.
Log into your AWS account, click on your account name, select my security credentials, click on access keys and download the credentials
Open your PowerShell as administrator and follow the commands.
$ aws configure
$ AWS Access Key ID [****************E5TA]=xxxxxxxxxx
$ AWS Secret Access Key [****************7gNT]=xxxxxxxxxxxxxx
It was an access issue after all! Turns out that if you create a new IAM user with full admin access it can't by default access the ECR registry you created using a different account. Using the IAM credentials from that other account resolved the issue.
In my case, my ~/.aws/credentials file had an old aws_session_token that was not updated by the aws configure CLI command. Once I opened the file with vi ~/.aws/credentials and deleted the aws_session_token entry, I no longer encountered the UnrecognizedClientException. I'm guessing that the AWS CLI first gives priority to the aws_session_token over the aws access key id and aws secret access key when running AWS CLI commands, if aws_session_token is present in the ~/.aws/credentials file.
Create a new account with AmazonEC2ContainerRegistryFullAccess permission.
Add this account to the .credentials file like this:
[ecr-user]
aws_access_key_id = XXX
aws_secret_access_key = XXX
Then next use following command:
aws ecr get-login-password --profile ecr-user
What worked for me is:
on the first part of pipe add the param --profile < your-profile-name >
and after that in every ECR command you need to provide that parameter.
My issue was caused by the fact that I had inactivated my access key in the AWS IAM Management Console earlier as part of an exercise I was doing. Once I reactivated it, the problem was resolved.
(Make sure you're in the right AWS region, too.)
I had same error message however I was using session based AWS access . The solution is to add all the keys given by AWS including session token.
aws_access_key_id="your-key-id"
aws_secret_access_key="your-secret-access-key"
aws_session_token="your-session-token"
add it into ~/.aws/credentials for profile you are using .
After a couple of hours , this is my conclusion :
If you want to use AWS_PROFILE makes sure that the rest of AWS env vars are unset (NOT empty only ... MUST be UNSET).
profile=$AWS_PROFILE
unset $(printenv |grep AWS_ | cut -f1 -d"=");
export AWS_PROFILE=${profile};
Then :
# with aws cli >= 1.x
$(aws ecr get-login --no-include-email --region ${aws_region})
# with aws cli >= 2.x
registry=${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com
aws ecr get-login-password --region ${aws_region} | docker login --username AWS --password-stdin ${registry}
Resolved issue after following below:
Go to AWS IAM Management Console
Generate credential in section "Access keys (access key ID and secret access key)"
Run command aws configure and set same downloaded credentials in Cdrive-User-directory.aws\credentials
It wasn't working for me. Out of sheer desperation, I copied the lines starting with export and posted them in the terminal and pressed enter.
Thereafter I wrote aws configure and filled in the details from https://MYCOMPANY.awsapps.com/start#/ >> Account >> Clicked "Command line or programmatic access".
Default region name: eu-north-1
Default output format: text
And then the login succeeded. Don't ask my why.
open the file ~/.aws/credentials (or c:\Users\{user}\.aws\credentials on Windows)
It might look something like the following:
[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX
aws_session_token = XXXXX
Update the aws_access_key_id and aws_secret_access_key with new values and remove the aws_session_token. You can also update aws_access_key_id and aws_secret_access_key via the aws configure command, but this doesn't remove the session token.
Try running echo $varname to see if the environment variables are set correctly:
echo $AWS_ACCESS_KEY_ID
echo $AWS_SECRET_ACCESS_KEY
echo $AWS_DEFAULT_REGION
If they are incorrectly set, run unset varname:
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
In my case, the region I wanted to use was not enabled. Addressed by enabling it at Account > AWS Regions -> enable (and wait patiently for some minutes).
An update, --profile must be added, I solve this.

AWS Lambda Serverless deploy asking for AWS provider credentials

I have configured serverless with key and secret.
When i try to run serverless deploy it says:
ServerlessError: AWS provider credentials not found. Learn how to set up AWS provider credentials in our docs here:.
Please help me what to do
This is how to setup AWS credentials on the local:
Sign in to AWS console
Go to your AWS account overview
Account menu in the upper-right (has your name on it)
sub-menu: Security Credentials
Copy <Access Key ID>
Copy <Secret Access Key>
Run on local serverless config credentials --provider aws --key <Access Key ID> --secret <Secret Access Key>
You can set up your serverless credentials by using the serverless config credentials command, with --provider aws and using --key and --secret to set your AWS Access Key ID and Secret Access Key, respectively.
See the Serverless AWS - Config Credentials documentation for Serverless specifics, and this AWS document on security credentials in case you need to figure out what your credentials are.
Also give your profile and region configuration in your yml file
provider:
name: aws
runtime: python2.7
lambdaHashingVersion: 20201221
profile: 'serverless-admin'
region: 'us-east-1'
I had the same problem. I try everything. I configure my credentials (AWS key and secret) with both aws cli and serverless cli but still got that same error when I run:
sls deploy -v
I was using CMD before then I realize something when I run the command
aws configure list
the output is
Name Value Type Location
---- ----- ---- --------
profile <not set> None None
access_key ****************SOU5 shared-credentials-file
secret_key ****************Cki5 shared-credentials-file
region eu-west-1 config-file ~/.aws/config
the path of the config file is
~/.aws/config
and CMD don't know what ~/ PATH IS but Bash does know
😈
then I run the
sls deploy -v
on bash terminal and it worked 🎉🙌🙌🎉🐱‍🏍
For those who has the same problem, even when already configured the AWS credentials for serverless, by running the command serverless config credentials:
I had the same problem; even when I had set up properly my AWS credentials on serverless, when I run the serverless deploy command, I got this: ServerlessError: AWS provider credentials not found.
How did I solved it? By installing and configuring the AWS CLI Tool. Once I installed it and configured it with my AWS credentials, and then run again the serverless deploy command, it just works fine.
I guess the serverless command, behind the scenes, uses the AWS CLI to access AWS and provision the AWS resources.
I hope this could be helpful for someone.