TL;DR: Is it possible to use the AWS CLI to update the locally stored credentials file with the IAM users information in my AWS account?
I am following the instructions in this AWS Amplify tutorial which includes these steps:
Creating an IAM user
Providing the IAM user credentials to the amplify CLI
Step 2 updated my local .aws\credentials file to include a profile for the IAM user created in step 1.
After this, of my own accord, I went back into the IAM console and created a new access key ID.
This new access key is not included in my local .aws\credentials file, so I would like to add it. How can I do that?
I have tried copying the profile entry created by the amplify CLI tool and pasting in the aws_access_key_id and aws_secret_access_key. However, I am not sure how to update the toolkit_artifact_guid. As I am creating a new profile for the same IAM user, should I use the same toolkit_artifact_guid?
The aws configure command can be used to add a new profile to your config.
Use the --profile flag to create a profile in the .aws/config file.
https://docs.aws.amazon.com/cli/latest/reference/configure/
toolkit_artifact_guid is a piece of metadata used by tooling, such as extensions for an IDE. It is not required for specifying a new IAM profile.
Related
I am trying to learn AWS and trying to add profiles to an instance.
I created a Windows EC2 instance and two users (reader and writer), and I use the AWS CLI to configure them:
aws configure
After running the command I entered the reader credentials.
After that, two files were created in the C:\users\Administrator\.aws folder (config and credentials).
The credentials file contains the default profile, but I need to add two additional profiles on the server. In the end, the credentials file should look like this:
As I understand it, I need to set the admin credentials with the aws configure command, but how can I add the two other profiles?
Your credentials file looks correct. You can add as many profiles as you need. Then when invoking a cli command you need to specify which profile you are using. Ex.
aws ec2 describe-instances --profile writer
Full details at https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
So to add a new profile, you could add one named "admin" that uses the access key/secret for the user with admin permission.
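Both answers above (a second profile for the amplify user, and the reader/writer/admin layout) come down to writing extra [name] sections into the credentials file. The following is an added example, not code from either answer or from AWS: it does with Python's configparser what `aws configure set ... --profile NAME` does, creates the file owner-only (mode 0600) before any secret is written into it, and shows that a new profile needs only the two key fields; the toolkit_artifact_guid from the amplify-generated profile is tool metadata and is simply left out. The profile names and key values in demo() are constructed placeholders, not real credentials.

```python
# Added example (not from the original answers): build a credentials file with
# several named profiles the way `aws configure --profile NAME` does, using only
# the standard library so it runs without the AWS CLI installed.
import configparser
import os
import stat
import tempfile


def add_profile(path, name, access_key_id, secret_access_key, session_token=None):
    """Write or replace [name] in the credentials file at path.

    Same result as:
        aws configure set aws_access_key_id ... --profile NAME
        aws configure set aws_secret_access_key ... --profile NAME
    Only the keys the CLI reads are written; tool metadata such as
    toolkit_artifact_guid is not carried over.
    """
    parser = configparser.ConfigParser()
    parser.read(path)  # a missing file simply reads as empty
    if parser.has_section(name):
        parser.remove_section(name)  # replace outright rather than merge stale keys
    parser.add_section(name)
    parser.set(name, "aws_access_key_id", access_key_id)
    parser.set(name, "aws_secret_access_key", secret_access_key)
    if session_token:
        parser.set(name, "aws_session_token", session_token)
    # Open owner-only and fix the mode of a pre-existing, looser file before
    # any secret is written to it.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.chmod(path, 0o600)
    with os.fdopen(fd, "w") as fh:
        parser.write(fh)


def list_profiles(path):
    """Profile names in the credentials file, in file order."""
    parser = configparser.ConfigParser()
    parser.read(path)
    return parser.sections()


def profile_keys(path, name):
    """The key/value pairs stored under [name], or None if the profile is absent."""
    parser = configparser.ConfigParser()
    parser.read(path)
    return dict(parser[name]) if parser.has_section(name) else None


def demo():
    """Recreate the reader/writer/admin layout from the question in a temp dir.

    Key values are constructed placeholders, not real credentials.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        add_profile(path, "default", "AKIAEXAMPLEREADER000", "reader-secret-placeholder")
        add_profile(path, "writer", "AKIAEXAMPLEWRITER000", "writer-secret-placeholder")
        add_profile(path, "admin", "AKIAEXAMPLEADMIN0000", "admin-secret-placeholder")
        return {
            "profiles": list_profiles(path),
            "owner_only": stat.S_IMODE(os.stat(path).st_mode) == 0o600,
            "writer": profile_keys(path, "writer"),
        }


if __name__ == "__main__":
    print(demo())
```

In real use point `path` at ~/.aws/credentials (or %USERPROFILE%\.aws\credentials on Windows) and pick the profile per command with `--profile writer` or once per shell with `AWS_PROFILE=writer`; the default profile is used when neither is given.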
I'm learning AWS using the AWS CLI and LocalStack.
I'm working with tutorials such as this, which describes how to create an S3 bucket and upload a file to it.
What I'd like to understand is the role of users in relation to AWS commands, and whether or not there is a relationship between a user and a profile (the latter is created when you run the aws configure CLI command).
When I run an AWS CLI command such as aws --endpoint-url=http://localhost:4572 s3 cp ./foo.json s3://my-bucket/path/to/foo.json, what user am I running that command as? I have not explicitly created any users using the AWS IAM CLI or by other means. Is a profile implicitly a user? I.e. when I run aws configure, does the default profile created mean a user named default is created in AWS IAM?
Well, it's easy to check actually.
https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html
Is a profile implicitly a user?
No, a profile is just that: a credentials profile. Whether it's a user or a role, the AWS CLI doesn't care as long as those credentials are valid.
when I run aws configure, does the default profile created mean a user named default is created in AWS IAM
Going from previous point, no. Nothing is done implicitly in IAM. When you run aws configure you supply credentials that already exist, not the other way around.
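To make the check above concrete, here is an added example (not code from the answer) that parses the JSON printed by `aws sts get-caller-identity --profile NAME` and reports whether the credentials behind that profile belong to an IAM user, an assumed role (for example an EC2 instance role), or the account root. The two sample responses are constructed in the shape STS returns; the account number and IDs are placeholders.

```python
# Added example (not part of the answer above): classify the principal behind a
# profile from the output of `aws sts get-caller-identity`.
import json
import re

# ARN shapes STS returns for the three kinds of principal a profile can map to
# (the partition part also matches aws-cn and aws-us-gov).
_USER = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):user/(.+)$")
_ROLE = re.compile(r"^arn:aws[a-z-]*:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
_ROOT = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):root$")


def describe_caller(response_json):
    """Return who the credentials belong to: an IAM user, an assumed role, or root."""
    arn = json.loads(response_json)["Arn"]
    m = _USER.match(arn)
    if m:
        return {"type": "user", "account": m.group(1), "name": m.group(2), "session": None}
    m = _ROLE.match(arn)
    if m:
        return {"type": "assumed-role", "account": m.group(1), "name": m.group(2), "session": m.group(3)}
    m = _ROOT.match(arn)
    if m:
        return {"type": "root", "account": m.group(1), "name": "root", "session": None}
    raise ValueError(f"unrecognised principal ARN: {arn}")


# Constructed sample responses; account number and IDs are placeholders.
SAMPLE_USER = json.dumps({
    "UserId": "AIDAEXAMPLEUSERID0000",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/amplify-cli-user",
})
SAMPLE_ROLE = json.dumps({
    "UserId": "AROAEXAMPLEROLEID0000:terraform",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/TerraformInstanceRole/terraform",
})

if __name__ == "__main__":
    for sample in (SAMPLE_USER, SAMPLE_ROLE):
        print(describe_caller(sample))
```

Pipe the real command into it (`aws sts get-caller-identity --profile foo | python3 -c ...`) and the "name" field is the IAM user or role name, which is the link between a local profile and an IAM principal that the question was asking about.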
On my client's AWS account, security credentials are generated every time we log in to their AWS sandbox account. This credentials file is automatically generated and downloaded via a Chrome plugin (SAML to AWS STS Key Conversion).
We then have to place the generated content in the ./aws/credentials file inside an EC2 instance in the same AWS account. This is a little inconvenient as we have to update the generated credentials and session_token in the credentials file inside the EC2 instance every time we launch a Terraform script.
Is there any way we can attach a role so that we can just use the EC2 instance without entering the credentials into the credentials file?
Please suggest.
Work out what a reasonable, minimal set of permissions the Terraform script needs to create its AWS resources, then create an IAM role with those permissions, then add that IAM role to the instance (or launch a new instance with the role). Don't have a ~/.aws/credentials file on the instance or it will take precedence over the IAM role-based credentials.
SETUP
I created a new AWS user via the AWS web console, and selected both console and programmatic/CLI access
I have added the AdministratorAccess policy directly to it.
I have not enabled MFA for this user
I have verified that my credentials file within the aws directory contains the proper values for aws_access_key_id and aws_secret_access_key
I have verified that my config file within the aws directory does not contain any lines that would overwrite data for the profile
I am verifying that I am using the correct profile info with aws configure list
THE ISSUE
Executing aws ec2 describe-regions returns:
An error occurred (UnauthorizedOperation) when calling the DescribeRegions operation: You are not authorized to perform this operation.
The error is pretty straightforward, but I'm not sure what else I can do to authorize this user. I had a coworker follow the same steps and the CLI worked as expected for him.
I researched the steps from This S.O. post but am still scratching my head.
Your AWS CLI is getting credentials from somewhere else. See Configuration Settings and Precedence:
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#config-settings-and-precedence
Make sure it is not getting the credentials from environment variables or from other locations. The AWS CLI looks for credentials and configuration settings in the following order:
1. Command line options – region, output format and profile can be specified as command options to override default settings.
2. Environment variables – AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc.
3. The AWS credentials file – ~/.aws/credentials on Linux, OS X, or Unix, or C:\Users\USERNAME\.aws\credentials on Windows. Can contain multiple named profiles in addition to a default profile.
4. The CLI configuration file – ~/.aws/config on Linux, OS X, or Unix, or C:\Users\USERNAME\.aws\config on Windows. Can contain a default profile, named profiles, and CLI-specific configuration parameters for each.
5. Instance profile credentials – these credentials can be used on EC2 instances with an assigned instance role.
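An added example (not code from this answer or from the EC2/Terraform answer earlier on the page) that models the lookup order listed above, so you can see why a forgotten AWS_ACCESS_KEY_ID in the shell, or a credentials file left on an EC2 instance, wins over the profile or instance role you think you are using. The file contents and key values are constructed placeholders. One detail is taken from the CLI's credential resolver (botocore) rather than from the answer: when a profile is chosen explicitly with --profile or AWS_PROFILE, the environment-variable credentials are skipped.

```python
# Added example (not from the answers above): a stand-in for the AWS CLI's
# credential lookup order, reporting which source a command would end up using.
import configparser
import os
import tempfile

ENV_KEY, ENV_SECRET = "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"


def _has_static_keys(path, section):
    parser = configparser.ConfigParser()
    parser.read(path)  # a missing file is simply treated as empty
    return parser.has_section(section) and parser.has_option(section, "aws_access_key_id")


def resolve_credential_source(env, credentials_path, config_path, profile=None):
    """Report where static credentials would come from, in CLI precedence order.

    env is a dict standing in for os.environ so the function can be tested.
    Order: AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY in the environment, then the
    credentials file, then the config file, then the EC2 instance profile.
    Assumed from botocore (see lead-in): an explicitly selected profile
    (--profile or AWS_PROFILE) makes the CLI skip the environment variables.
    """
    explicit = profile is not None or "AWS_PROFILE" in env
    profile = profile or env.get("AWS_PROFILE") or "default"
    if not explicit and env.get(ENV_KEY) and env.get(ENV_SECRET):
        return "environment"
    if _has_static_keys(credentials_path, profile):
        return f"credentials file [{profile}]"
    # named profiles are [profile NAME] in the config file, [NAME] in credentials
    config_section = "default" if profile == "default" else f"profile {profile}"
    if _has_static_keys(config_path, config_section):
        return f"config file [{config_section}]"
    return "instance profile (or no credentials at all)"


def demo():
    """Replay the situations from the two threads with constructed files.

    Key values are placeholders, not real credentials.
    """
    with tempfile.TemporaryDirectory() as tmp:
        creds, cfg, missing = (os.path.join(tmp, n) for n in ("credentials", "config", "absent"))
        with open(creds, "w") as fh:
            fh.write("[default]\naws_access_key_id = AKIAEXAMPLENEWADMIN0\n"
                     "aws_secret_access_key = placeholder\n")
        with open(cfg, "w") as fh:
            fh.write("[default]\nregion = us-east-1\n\n"
                     "[profile ci]\naws_access_key_id = AKIAEXAMPLECI0000000\n"
                     "aws_secret_access_key = placeholder\n")
        clean = {}
        stale = {ENV_KEY: "AKIAEXAMPLEOLDUSER00", ENV_SECRET: "placeholder"}
        return {
            # the UnauthorizedOperation case: a leftover env var shadows the file
            "stale_env": resolve_credential_source(stale, creds, cfg),
            "stale_env_explicit_profile": resolve_credential_source(stale, creds, cfg, "default"),
            "file_only": resolve_credential_source(clean, creds, cfg),
            "config_profile": resolve_credential_source(clean, creds, cfg, "ci"),
            # the EC2 case: no local files, so the instance role is used ...
            "instance_role": resolve_credential_source(clean, missing, missing),
            # ... unless a credentials file was left on the instance
            "instance_shadowed": resolve_credential_source(clean, creds, missing),
        }


if __name__ == "__main__":
    for case, source in demo().items():
        print(f"{case:28} -> {source}")
```

The practical check for the UnauthorizedOperation symptom is the "stale_env" case: `env | grep ^AWS_` (or `Get-ChildItem Env:AWS_*` on Windows) before trusting what `aws configure list` shows for the files. For the EC2 case, `aws sts get-caller-identity` on the instance should report the instance role's assumed-role ARN; if it reports a user, a local credentials file or environment variable is shadowing the role.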
Following this tutorial to set up the CLI and trying to invoke AWS Lambda with the following command
aws lambda list-functions --profile xxxxx
But all I get is
The config profile (xxxxx) could not be found
I've created a user with username xxxxx on AWS IAM and I've successfully logged in AWS using this xxxxx as I can see xxxxx#accountID after I logged in.
I've also checked that C:\Users\myWindowUser\.aws contains the two files below:
config
credentials
May I know which part could have gone wrong?
The profile argument isn't used to specify a username. It is used to specify a named profile that you have created in your local credentials file. You probably haven't created any named profiles in the credentials file. If you created the credentials file via the aws configure command, then you will only have a default profile in your credentials file. If you only have a default profile then you shouldn't be trying to specify a profile parameter.
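An added example, not code from the answer above: it lists the profiles the CLI can actually see in the two files under ~/.aws, applying the naming rule the answer leaves implicit (a named profile is written [name] in the credentials file but [profile name] in the config file; a bare [name] section in the config file is not a profile), and explains what happens when the name passed to --profile is an IAM user name rather than a section name. The files built in demo() are constructed, with placeholder key values.

```python
# Added example (not part of the answer above): list the profiles the AWS CLI
# will accept from ~/.aws/credentials and ~/.aws/config, and explain a
# "could not be found" result. Profile names are local section names, not IAM users.
import configparser
import os
import tempfile


def cli_profiles(credentials_path, config_path):
    """Map each profile name to the file(s) defining it, using the CLI's naming rules:
    every section of the credentials file is a profile; in the config file only
    [default] and sections written [profile NAME] are profiles.
    """
    found = {}
    creds = configparser.ConfigParser()
    creds.read(credentials_path)  # a missing file reads as empty
    for name in creds.sections():
        found.setdefault(name, []).append("credentials")
    cfg = configparser.ConfigParser()
    cfg.read(config_path)
    for section in cfg.sections():
        if section == "default":
            found.setdefault("default", []).append("config")
        elif section.startswith("profile "):
            found.setdefault(section[len("profile "):].strip(), []).append("config")
        # any other section ([sso-session x], a bare [name], ...) is not a profile
    return found


def diagnose(requested, credentials_path, config_path):
    """Explain why `--profile requested` would or would not resolve."""
    profiles = cli_profiles(credentials_path, config_path)
    if requested in profiles:
        return f"found in {' and '.join(profiles[requested])} file"
    cfg = configparser.ConfigParser()
    cfg.read(config_path)
    if cfg.has_section(requested):
        return f"config has a bare [{requested}] section; it must be [profile {requested}]"
    known = ", ".join(sorted(profiles)) or "(none)"
    return f"not found; profiles that exist: {known}"


def demo():
    """Constructed ~/.aws pair: the files `aws configure` makes, plus one named
    profile written correctly and one written as a bare section. Keys are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        creds, cfg = os.path.join(tmp, "credentials"), os.path.join(tmp, "config")
        with open(creds, "w") as fh:
            fh.write("[default]\naws_access_key_id = AKIAEXAMPLE000000000\n"
                     "aws_secret_access_key = placeholder\n")
        with open(cfg, "w") as fh:
            fh.write("[default]\nregion = ap-southeast-1\n\n"
                     "[profile lambda-dev]\nregion = ap-southeast-1\n"
                     "aws_access_key_id = AKIAEXAMPLE111111111\n"
                     "aws_secret_access_key = placeholder\n\n"
                     "[mistyped]\nregion = ap-southeast-1\n")
        return {
            "profiles": cli_profiles(creds, cfg),
            "iam_username": diagnose("xxxxx", creds, cfg),  # an IAM user name is not a profile
            "named": diagnose("lambda-dev", creds, cfg),
            "bare_section": diagnose("mistyped", creds, cfg),
        }


if __name__ == "__main__":
    print(demo())
```

Point the two path arguments at your real files (on Windows, %USERPROFILE%\.aws\credentials and %USERPROFILE%\.aws\config) to see the exact set of names that --profile will accept; `aws configure list-profiles` gives the same list in AWS CLI v2.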