I am trying to access the aws rds api to describe db snapshots. I plan on having this be parsed so that I can list all the available aws snapshots by id using groovy. However the biggest problem I am having is getting the api in the first place. I took a look at AWS's reference on this topic but I can't seem to figure out how to generate the pre-signed portion of the request with credentials. I am not sure why that part is even necessary. Why can't the user authenticate using the Access key ID and the Secret access key combination?
The reference:
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBSnapshots.html
The section with the issue:
https://rds.us-west-2.amazonaws.com/
?Action=DescribeDBSnapshots
&IncludePublic=false
&IncludeShared=true
&MaxRecords=100
&SignatureMethod=HmacSHA256
&SignatureVersion=4
&Version=2014-09-01
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=AKIADQKE4SARGYLE/20140421/us-west-2/rds/aws4_request
&X-Amz-Date=20140421T194732Z
&X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
&X-Amz-Signature=4aa31bdcf7b5e00dadffbd6dc8448a31871e283ffe270e77890e15487354bcca
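The signing step the question asks about, as an added example that is not part of the original post or of any AWS SDK: the access key id and secret are never sent. The secret is only used locally to derive a per-day, per-region, per-service key, and that key signs a canonical form of the request; the server, which also knows the secret, repeats the derivation and compares signatures. This is why the secret cannot simply be sent as a parameter. The code follows the SigV4 steps AWS documents (canonical request, string to sign, HMAC chain). Assumptions: the secret key is an obvious placeholder; the host, path and action come from the question; the signed header set is reduced to `host`, which is what a presigned GET needs (the question's example lists more headers because an SDK signed it); and the payload hash is SHA-256 of the empty body, as for a GET.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed values for illustration: the access key id is the example id from
# the question; the secret is a placeholder and not a real AWS secret.
EXAMPLE_ACCESS_KEY = "AKIADQKE4SARGYLE"
EXAMPLE_SECRET_KEY = "EXAMPLE-SECRET-NOT-A-REAL-KEY"
# SigV4 hashes the request body; for a GET the body is empty.
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def _sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: dict) -> str:
    """RFC 3986-encode every name and value and sort by name, as SigV4 requires."""
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the signing key. The raw secret is used only here and never transmitted;
    the derived key is bound to one date, region and service."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign_get(host, path, params, access_key, secret, region, service, amz_date):
    """Build a query-string-signed GET URL and return the intermediate values."""
    date_stamp = amz_date[:8]                       # YYYYMMDD part of the X-Amz-Date
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    query = dict(params)
    query.update({
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-SignedHeaders": "host",
    })
    cq = canonical_query(query)                     # X-Amz-Signature is not part of it
    canonical_request = "\n".join([
        "GET",
        path,
        cq,
        f"host:{host}\n",                           # canonical headers, each ending in \n
        "host",                                     # signed header list
        EMPTY_PAYLOAD_SHA256,
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        _sha256_hex(canonical_request),
    ])
    signature = hmac.new(
        signing_key(secret, date_stamp, region, service),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    url = f"https://{host}{path}?{cq}&X-Amz-Signature={signature}"
    return {
        "scope": scope,
        "canonical_request": canonical_request,
        "string_to_sign": string_to_sign,
        "signature": signature,
        "url": url,
    }


if __name__ == "__main__":
    result = presign_get(
        "rds.us-west-2.amazonaws.com", "/",
        {"Action": "DescribeDBSnapshots", "Version": "2014-09-01"},
        EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, "us-west-2", "rds", "20140421T194732Z",
    )
    print(result["url"])
```

Two properties worth checking on the output: the secret never appears in the URL, and changing a single character of the secret changes the whole signature. In practice an SDK or the CLI does this for you, which is what the answers below recommend; the point of doing it by hand once is to see where the credentials actually go.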
If groovy is a hard requirement, I'd look into something like this https://grails.org/plugin/aws-sdk
If you're comfortable with Java, I'd say use the official AWS-SDK
If you're scripting this out, you could also use the official AWS cli tool and do something like
aws rds describe-db-snapshots [OPTIONS]
From there you could use a tool like jq to zero in and parse out your specific IDs. You can find more documentation here.
The way you'd authorize with the SDK is either through environment variables (the preferred approach) or probably hardcoding your KEY and SECRET (a big no-no).
I think rather than trying to communicate with the API directly you should make use of the built-in wrappers that AWS provides.
If you're accessing this from a supported programming language, take a look at the AWS SDKs. There are currently officially supported libraries for:
C++
Go
Java
JavaScript
.NET
NodeJS
PHP
Python
Ruby
If your language of choice is not covered, there may be a third-party solution already. Alternatively, take a look at the AWS CLI to resolve your problem.
For your specific action describe-db-snapshots you can get a list of all IDs by running the below, then parse as JSON.
aws rds describe-db-snapshots --query 'DBSnapshots[*].DBSnapshotIdentifier' --output json
Is there an API/way to programmatically query AWS documentation for a specific service? For instance, I want to know the encryption algorithm used by a service for protecting data at rest. Can I write a script that will automatically query AWS documentation for that service and give me this information?
There is no API for AWS Documentation.
However, the AWS CLI is open-source and it has data files that detail all API calls and their parameters.
It would not, however, contain the encryption algorithms. That is internal to Amazon S3 and is not shared publicly.
I have a PHP library I wrote to help with working alongside Amazon Web Services. It was built to either look for the default $HOME/.aws/credentials (or be pointed to a similar format file) or to look for the key and secret in the environment before proceeding.
We are now going to be running it on an EC2 and I was shown how you can use roles in conjunction with the EC2 to get and keep much better control on what the server code can and can't do. But I need to modify my code to be able to know when it has proper permissions before proceeding and I don't see anywhere in the docs on assigning an EC2 instance a given role how you know in the SDK that it has the permissions of that role.
Is there some way once I instantiate the SDK to ask something akin to 'hasRole' or 'getRoleArn' or something like that?
SDKs are mapped directly to API calls. So if you know what cli command to call, it makes it much easier to google. So you want the aws sts get-caller-identity most likely.
Doing a google for "PHP sts sdk aws" is then the search you would do. And then you would wind up on this page.
So that way is using the SDK. There are a couple of other ways as well. As you are using EC2, you can use instance metadata as well.
On another note, I do think you should be careful with leaking the AWS role into your application code. It probably makes more sense to use user identity context, such as with Cognito, and then use different groups with different permission sets. The role on the actual EC2 instance shouldn't be changing (unless you do a re-deploy), so there is no need for your code to check something that won't change during the normal running of the application. You could simply use an environment variable to convey whatever configuration you want to your application.
aws sts get-caller-identity --query 'Arn'
arn:aws:iam::1232412321:role/YourRole
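The 'hasRole' check the question asks for, built on top of the GetCallerIdentity result the answer points at, as an added example that is not from the post and not from any AWS SDK. It is written in Python rather than PHP for illustration; the SDK call itself is not made here. Instead the JSON shape that `aws sts get-caller-identity` returns is embedded as a constructed sample with placeholder account ids and session names. On an EC2 instance with an instance profile the caller ARN has the `assumed-role/RoleName/SessionName` form, so the parser accepts both that and the plain `role/RoleName` form shown in the answer, and also lets you pin the expected account so a misconfigured credential chain pointing at another account fails the check.

```python
import json
import re
from typing import Optional

# Constructed samples of GetCallerIdentity output (same fields the CLI prints).
# Account ids, user ids and the instance id are placeholders, not real values.
SAMPLE_EC2_IDENTITY = json.dumps({
    "UserId": "AROAEXAMPLEID:i-0abc123def456",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/YourRole/i-0abc123def456",
})
SAMPLE_IAM_USER_IDENTITY = json.dumps({
    "UserId": "AIDAEXAMPLEID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/deploy-bot",
})

# Caller ARN forms this check understands:
#   arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION   (instance profile, AssumeRole)
#   arn:aws:iam::ACCOUNT:role/ROLE                   (as shown in the answer above)
#   arn:aws:iam::ACCOUNT:user/NAME                   (long-lived IAM user keys)
_CALLER_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>iam|sts)::(?P<account>\d+):"
    r"(?P<kind>assumed-role|role|user)/(?P<name>[^/]+)(?:/(?P<session>[^/]+))?$"
)


def parse_identity_arn(arn: str) -> dict:
    """Split a caller ARN into its parts; raise on anything unexpected."""
    m = _CALLER_ARN.match(arn)
    if not m:
        raise ValueError(f"unrecognised caller ARN: {arn}")
    return m.groupdict()


def caller_role_name(identity_json: str) -> Optional[str]:
    """Name of the role the caller runs as, or None when the caller is an IAM user."""
    parts = parse_identity_arn(json.loads(identity_json)["Arn"])
    if parts["kind"] in ("assumed-role", "role"):
        return parts["name"]
    return None


def has_role(identity_json: str, expected_role: str,
             expected_account: Optional[str] = None) -> bool:
    """Startup guard: True only if the credentials in use resolve to the expected
    role (and, when given, the expected account)."""
    parts = parse_identity_arn(json.loads(identity_json)["Arn"])
    if expected_account is not None and parts["account"] != expected_account:
        return False
    return caller_role_name(identity_json) == expected_role


if __name__ == "__main__":
    print("EC2 sample runs as role:", caller_role_name(SAMPLE_EC2_IDENTITY))
    print("IAM user sample runs as role:", caller_role_name(SAMPLE_IAM_USER_IDENTITY))
```

Run this once at startup and fail loudly if it returns False. As the answer notes, the instance role does not change while the application runs, so there is no reason to repeat the call per request.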
I am looking to create AWS CloudHSM using the Java SDK.
Has anyone already done this? I'm looking for some examples.
I can create by using AWS CLI but I want to do it through Java sdk.
Thank you.
AWS CLI is a wrapper around the AWS API, and the call you are likely looking for is CreateHSM. Here is the corresponding Java SDK method.
In most cases, if you already know how to do something via the CLI, just follow the link to the API Reference from the CLI command documentation page and then to the SDK of your choice (Java). They are all built on top of the same REST API, so given the example for one, it's just a syntax difference on how to work with another.
So it says on the github documentation here that
AWS Vault is a tool to securely store and access AWS credentials in a
development environment.
AWS Vault stores IAM credentials in your operating system's secure
keystore and then generates temporary credentials from those to expose
to your shell and applications. It's designed to be complementary to
the AWS CLI tools, and is aware of your
But what does this actually mean? As a developer does this mean to create a kind of lock to prevent anyone from using my code without the aws-vault profile? When should I use this technology? I want to know a bit more about it before I use it.
It actually doesn't have anything related to development.
While working with Amazon managed services we can take advantage of IAM roles, but that doesn't work when you're doing it from your local environment or from some other cloud VM, like accessing an S3 bucket. It comes in handy when you're doing a lot of work with the AWS CLI or even writing Terraform for your environment. It is just a precaution so we don't expose our IAM credentials to the external world (you will receive an abuse notification from Amazon whenever your keys are compromised). There are many other ways to make sure your keys don't get compromised, like, before pushing your code to version control, using git-secrets to make sure you don't push any sensitive information.
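A minimal version of the pre-commit check the answer refers to, as an added example that is not from the post and not git-secrets' own code. It scans file content for two things git-secrets also looks for: a long-lived or temporary AWS access key id (the `AKIA`/`ASIA` prefix plus 16 upper-case alphanumerics) and a 40-character value assigned to something named like `aws_secret_access_key`. The sample file is constructed for this example, with a made-up access key id and a placeholder secret; the patterns are a simplification and will not catch every way a key can be embedded.

```python
import re

# Access key ids are 20 characters: AKIA (long-lived) or ASIA (temporary) plus 16.
# The look-arounds stop the pattern matching inside a longer token.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# A 40-character base64-ish value assigned to a secret-key-like variable name.
SECRET_KEY_ASSIGNMENT = re.compile(
    r"""(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['"]?(?P<value>[A-Za-z0-9/+=]{40})['"]?"""
)

# Constructed sample of a credentials file that must never be committed.
# Both values are placeholders, not real AWS credentials.
SAMPLE_CONFIG = """\
[default]
region = us-west-2
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
aws_secret_access_key = 0123456789abcdefghijklmnopqrstuvwxyzABCD
# not a key: ASIAxxxx
"""


def find_aws_credentials(text: str):
    """Return (line number, kind, matched value) for every suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY_ASSIGNMENT.finditer(line):
            findings.append((lineno, "secret_access_key", m.group("value")))
    return findings


def should_block_commit(text: str) -> bool:
    """Pre-commit hook decision: block when anything credential-like is present."""
    return bool(find_aws_credentials(text))


if __name__ == "__main__":
    for lineno, kind, value in find_aws_credentials(SAMPLE_CONFIG):
        # Print only a prefix so the hook's own output does not leak the value.
        print(f"line {lineno}: {kind} {value[:4]}...")
    print("block commit:", should_block_commit(SAMPLE_CONFIG))
```

A hook like this is a safety net, not a substitute for keeping credentials out of the working tree in the first place, which is the job aws-vault (or an instance role) does.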
I've recently been looking into AWS KMS for storing database passwords and the like. However I've also seen that secure strings in Parameter store can be used for this. In both instances I believe I would need to use the AWS CLI to access these services.
However, in a production environment where there might be multiple servers, how are we supposed to go about getting the AWS CLI installed and authenticated on our instances? It feels like the CLI credentials should also be stored in Parameter Store, creating a bit of a catch-22. As far as I'm aware these should form part of an AMI, and I don't want them in source control either.
What's the best approach here?