AWS PowerShell error Insufficient privileges to perform this action - amazon-web-services

I am new to using AWS PowerShell and I am having issues with executing commands in PowerShell. Specifically, I am having issues running the below command. When I log into an AWS EC2 and execute the same command in CLI using the same account credentials it runs without failure. The error I receive states "Insufficient privileges to perform this action." I even went as far as using the admin account and I still receive the same error. I do not believe this matters, but I am running PowerShell on my local PC. Any guidance would be appreciated.
Command that generates the error
aws backup list-recovery-points-by-backup-vault --backup-vault-name Default --max-results 10000
PowerShell script I created for this purpose
Set-AWSCredential `
-AccessKey XXXXXXXXX `
-SecretKey XXXXXXXXX/XXXXXXX`
-StoreAs "MyProfile"
aws backup list-recovery-points-by-backup-vault --backup-vault-name Default --max-results 10000

Your Set-AWSCredential command is creating a profile named "MyProfile", But your aws command is not specifying which profile to use (aws backup --profile MyProfile ...) so its using one called "default"/ignoring the credentials hence you get an accessed denied.
It shouldnt work on Ec2... unless it has a role attached that already grants these same permissions or better (which gets assigned to the "default" profile as the instance starts)

The error was misleading and I was able to get this working to obtain my ultimate goal to delete recovery points by using the below script. The command I was running was not the correct command to be running for this operation.
Set-AWSCredential `
-AccessKey XXXXXX `
-SecretKey XXXXXXX `
-StoreAs "<ProfileName>"
$backups = Get-BAKRecoveryPointsByBackupVaultList -BackupVaultName Default
foreach ($backup in $backups)
{
Remove-BAKRecoveryPoint -BackupVaultName Default -RecoveryPointArn $backup.RecoveryPointArn -Confirm -Force
}

Related

Powershell script works on one AWS EC2 instance, but not another. Both use same IAM role

I have a simple Powershell script to upload a file to S3. I have 2 EC2 instances that use the same IAM profile. The instances and S3 bucket all live in the same AWS account.
I RDP into one instance, open Powershell prompt as admin, and the script works. RDP to the other instance, open Powershell prompt as admin, and the script fails with: Write-S3Object : Access Denied
To check networking/routing, both instances can open a browser and surf the web. I assume the credentials used to run are assumed from the role assigned to the instances?
If it matters, this is the ps1 script (access point obfuscated):
$ArtifactFile = "c:\temp\junk1.txt"
$S3BucketAP = "arn:aws:s3:us-east-1:1234567890:accesspoint/my-s3-ap"
$Key = "Junk/junk1.txt"
Write-S3Object -BucketName $S3BucketAP -Key $Key -File $ArtifactFile
And here is the error message:
Write-S3Object : Access Denied
At C:\temp\test1.ps1:4 char:1
Write-S3Object -BucketName $S3BucketAP -Key $Key -File $ArtifactFile
+ CategoryInfo : NotSpecified: (:) [Write-S3Object], AmazonS3Exception
+ FullyQualifiedErrorId :
Amazon.S3.AmazonS3Exception,Amazon.PowerShell.Cmdlets.S3.WriteS3ObjectCmdlet
Where else can I look to debug?
On reddit someone suggested I look at environment vars, which got me thinking to check for any profiles. When I dumped the credentials it showed "NetSDKCredentialsFile"
Get-AWSCredential -ListProfileDetail
ProfileName StoreTypeName ProfileLocation
----------- ------------- ---------------
For_Move NetSDKCredentialsFile
default NetSDKCredentialsFile
I found the file here and deleted it: %userprofile%\AppData\Local\AWSToolkit\RegisteredAccounts.json
Everything works as expected now. Must have got installed by accident.

Unable to download CodeDeploy agent from Windows Server with IAM Role attached

I am trying to download codedeploy following AWS docs:
Install the CodeDeploy agent for Windows Server
To do it, i need to run following command which basically downloads the file on temporary folder for my region us-east-1:
powershell.exe -Command Read-S3Object -BucketName aws-codedeploy-us-east-1 -Key latest/codedeploy-agent.msi -File c:\temp\codedeploy-agent.msi
On that instance I attached an IAM Role which has AmazonS3FullAccess policy. I'm getting this error when I execute the command:
Read-S3Object : No credentials specified or obtained from persisted/shell defaults.
I'm aware I could fix this adding personal credentials but since this is not considered a good practice I would like to download the client without tackling it this way.
Just in case someone has a similar problem.
This was caused because I previously migrated a custom windows AMI to a different AWS region.
The instance profile metadata server was pointing to old region server. You need to change that to point to the new region:
Import-Module (Join-Path $env:ProgramData 'Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1')
Add-Routes

Unable to authenticate my AWS credentials for ECR

I have installed the latest versions of the aws-cli-2 and docker, as well as ran "aws configure" and entered my access key and secret key. I have also verified the aws.config is correct and showing the right region and output format. My credentials in AWS are admin. I keep getting the following error:
'''Unable to locate credentials. You can configure credentials by running "aws configure".
Error: Cannot perform an interactive login from a non TTY device'''
Even though I have already ran 'aws configure.' I am running the commands prefixed with 'sudo' as well. Any thoughts?! Thank you for your time!
The aws configure command was being run as the local user, whereas the ecr command was being run as sudo.
If you run commands as sudo it will not have access to your local users config, it will instead default to the root users.
Instead ensure all commands are run as the same user.
If you want to use the aws credentials file from the default location you can also specify the location via the AWS_CONFIG_FILE environment variable.

How to self terminate EC2 from powershell?

I need powershell code to terminate an instance without hardcoding the instance ID.
I tried
aws ec2 terminate-instances --instance-ids 'curl http://169.254.169.254/latest/meta-data/instance-id'
But the instance doesn't terminate. Any ideas?
As mentioned in the comments, I suggest working with AWS Powershell Module.
The following code terminate an instance based on ID and Region.
Install-Module AWSPowerShell
Import-Module AWSPowerShell
#Set AWS Credential
Set-AWSCredential -AccessKey "AccessKey" -SecretKey "SecretKey"
#Remove EC2 Insatnace
Remove-EC2Instance -InstanceId "InstanceId" -Region "Region" -Force
How to create new AccessKey and SecretKey - Managing Access Keys for Your AWS Account.
AWSPowerShell Module installation.
From the docs:
Terminates a stopped or running Amazon EC2 instance, prompting for
confirmation before proceeding.
Note that terminated instances will remain visible after termination
(for approximately one hour). The Terminate operation is idempotent;
if you terminate an instance more than once, each call will succeed.
AWS Tools for PowerShell - Remove-EC2Instance Documtnetion.
In my case, I was able to set this attribute at instance launch (using some python code in the lambda that launches the instance) InstanceInitiatedShutdownBehavior='terminate'
then in powershell simply
shutdown /s /t 0
If InstanceInitiatedShutdownBehavior='terminate' is not set, then I believe the default is to stop (as opposed to terminate)

AWS CLI Unknown component: credential_provider

Ive been trying to setup an aws lambda function for a while now but seem to just keep running into this error. I've followed the basic tutorial and setup everything exactly as it is in the guide for the user I have. But no matter what I keep getting the Unknown component: credential_provider error when trying to do anything via the CLI. Has anyone else run into this or know of a more indepth/better tutorial for setting this up????
The examples show the call being made with a --profile parameter. In most cases you will just want to remove that. If you need to use a profile, then create one in your ~/.aws/config file and make sure the name you give it matches up with the name being used.
I found that I got this error when I told aws-cli to use a profile that didn't exist. (This can be through the --profile option or the AWS_DEFAULT_PROFILE environment variable.)
Check your .aws/config and .aws/credentials files.
Run aws config first, then execute aws lambda create-function ... without the option --profile.
I had the same issue then I realized the issue was because I only had a default profile in my ~/.aws/credentials. Open up the file and see what the profile name is on the first line. Then when you run the create-function you can do --profile <profile name goes here>
While running S3 commands using CLI I received the same error
Unknown component: credential_provider.
The command I ran was :
s3 sync s3://mybucket --region eu-central-1 --profile default
This error comes when I run this command as a sudo user.
So I would suggest run it without sudo. One more thing it does not work with any other user also like for user "test" it would give error :
A client error (AccessDenied) occurred when calling the ListObjects
operation: Access Denied
or something like this for any other cli utility.
It works with default user ubuntu. Login the machine with ubuntu user or change the user to ubuntu and then try running the same lamda function.