Confusing parameter for cloudFormation script - amazon-web-services

Hello, I am planning to run the CloudFormation stack that is preconfigured by AWS here.
It prompts me to fill out
NeptuneBulkloadIAMRoleArn
NeptuneClusterEndpoint
NeptuneLambdaIAMRoleArn
But I don't know what to fill in there. Can you help me out?

The parameters you described above are used for the following:
NeptuneBulkloadIAMRoleArn - This is an IAM role set up to run the loader command. Instructions for setting this up can be found here.
NeptuneClusterEndpoint - This is the endpoint of your Neptune database; it will be accessible from either the console or the CLI.
NeptuneLambdaIAMRoleArn - This allows you to pass in your own role for the Lambda to use; if not specified, the CloudFormation stack should make one for you.

Related

How to get AWS policy needed to run a specific CLI command?

I am new to AWS. I am trying to import an OVA to an AMI and use it for an EC2 instance as described here:
One of the commands it asks you to run is
aws ec2 describe-import-image-tasks --import-task-ids import-ami-1234567890abcdef0
When I do this I get
An error occurred (UnauthorizedOperation) when calling the DescribeImportImageTasks operation: You are not authorized to perform this operation.
I believe this means I need to add the appropriate Role (with a policy to be able to describe-import-image-tasks) to my CLI user.
In the IAM console, I see this search feature to filter policies for a role which I will assign to my user. However, it doesn't seem to have any results for describe-import-image-tasks.
Is there an easy way to determine which policies are needed to run an AWS Cli command?
There is not an easy way. The CLI commands usually (but not always) map to a single IAM action that you need permission to perform. In your case, it appears you need the ec2:DescribeImportImageTasks permission, as listed here.
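The answer's point is that the operation named in the error is the best clue to the IAM action. The following added example (not code from the question or the answer) turns that into a repeatable check: it parses the two error shapes the AWS CLI prints on a permission failure, derives the IAM action (service prefix from the `aws <service> ...` command plus the operation name, or the action spelled out in the message), and emits a single-action Allow statement. The second error message and the account id in it are constructed samples; the first is the one quoted in the question.

```python
"""Derive the IAM action behind an AWS CLI authorization error.

Added example, not from the original question or answer. It covers the two
error shapes the AWS CLI prints on a permission failure:

  * EC2-style: "An error occurred (UnauthorizedOperation) when calling the
    DescribeImportImageTasks operation: You are not authorized ..."
    (the IAM action is the service prefix plus the operation name)
  * most other services: "... is not authorized to perform: lambda:GetFunction
    on resource: arn:..." (the action is spelled out in the message)

The service prefix for the first shape comes from the command that was run
('aws ec2 ...' -> 'ec2'), which is the usual but not universal 1:1 mapping
the answer mentions, so treat the result as a starting point to verify.
"""
import json
import re

# First entry: error text quoted in the question. Second: constructed sample
# (account id 123456789012 and function name are placeholders).
SAMPLE_ERRORS = [
    ("aws ec2 describe-import-image-tasks --import-task-ids import-ami-1234567890abcdef0",
     "An error occurred (UnauthorizedOperation) when calling the "
     "DescribeImportImageTasks operation: You are not authorized to perform this operation."),
    ("aws lambda get-function --function-name demo",
     "An error occurred (AccessDeniedException) when calling the GetFunction operation: "
     "User: arn:aws:iam::123456789012:user/cli-user is not authorized to perform: "
     "lambda:GetFunction on resource: arn:aws:lambda:us-east-1:123456789012:function:demo"),
]

_OPERATION_RE = re.compile(r"when calling the (\w+) operation")
_EXPLICIT_ACTION_RE = re.compile(
    r"not authorized to perform: ([\w-]+:[\w*]+)(?: on resource: (\S+))?"
)


def derive_action(command, error_text):
    """Return (iam_action, resource_or_None) for a failed CLI call."""
    explicit = _EXPLICIT_ACTION_RE.search(error_text)
    if explicit:
        return explicit.group(1), explicit.group(2)
    op = _OPERATION_RE.search(error_text)
    if not op:
        raise ValueError("no AWS API operation found in error text")
    # 'aws ec2 describe-...' -> service prefix 'ec2'; assumes the usual 1:1 mapping.
    parts = command.split()
    if len(parts) < 2 or parts[0] != "aws":
        raise ValueError("expected an 'aws <service> <command>' invocation")
    return f"{parts[1]}:{op.group(1)}", None


def least_privilege_statement(action, resource=None):
    """Build one Allow statement; Describe* calls take no resource ARN, hence '*'."""
    return {
        "Effect": "Allow",
        "Action": [action],
        "Resource": [resource or "*"],
    }


def policy_for_errors(samples):
    """Collect one statement per failed call into a policy document."""
    statements = [least_privilege_statement(*derive_action(cmd, err)) for cmd, err in samples]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(policy_for_errors(SAMPLE_ERRORS), indent=2))
```

Run it after a failed command with the command and error text as input; the emitted statement grants only the action that failed, which is the opposite of attaching a broad managed policy to make the error go away.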

Is there anything that links AWS::ElasticBeanstalk::Environment to the nested stack it creates?

I can deploy an EB environment via CloudFormation with AWS::ElasticBeanstalk::Environment and AWS::ElasticBeanstalk::ApplicationVersion in the same template.
That's great, but if the Beanstalk app deployment fails, CloudFormation doesn't fail; the stack/environment is usually created successfully. So CloudFormation deploys successfully, the Beanstalk app version deploy fails, Beanstalk rolls back to the previous version and returns to a healthy state, and the only way I know it failed is to view the console or do something wonky like checking the current app version after the deployment.
The nested stack that AWS::ElasticBeanstalk::Environment creates, however, does seem to fail if the app version deployment fails, but I can find no way of linking the two, which is very annoying.
I need to programmatically identify the nested stack AWS::ElasticBeanstalk::Environment creates so that after CloudFormation finishes I can check the status of that nested stack to see if the Beanstalk deploy was actually successful.
Edit
At least they are tagged with the environment name. I really don't love this but it seems to work, curious about better options though:
aws cloudformation describe-stacks --query 'Stacks[?Tags[?Key == `elasticbeanstalk:environment-name` && Value == `myenvname`]].{StackName: StackName}' --output text
It's technically not a nested stack, but a fully independent stack from AWS::ElasticBeanstalk::Environment.
Nevertheless, one way to get the stack name would be through a custom resource in CFN.
In the CFN template you would have a Lambda function which would call describe-environments for your environment, get the EB stack name, and return it to your stack for further processing.
One of the outcomes of the query is EnvironmentId. For example:
"EnvironmentId": "e-ctpmqpqwjm"
The stack that EB produces has a name in the format:
awseb-<EnvironmentId>-stack
Sadly, I can't find any reference for this. This is based on my own observations. Thus, if you choose to explore this option, you would have to verify that the naming convention is the same for you.
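Both approaches above (the tag query from the question's edit and the awseb-<EnvironmentId>-stack convention from the answer) can be combined into one post-deploy check. The following added example (not code from the question or the answer) does that on the JSON shapes returned by `aws cloudformation describe-stacks` and `aws elasticbeanstalk describe-environments`; the two responses embedded below are constructed samples so it runs offline, and a real run would pass the parsed output of those two CLI calls instead. The function names and the set of "healthy" statuses are this example's choices.

```python
"""Locate and check the CloudFormation stack Elastic Beanstalk creates for an environment.

Added example, not code from the question or answer above. Input shapes follow
'aws cloudformation describe-stacks' and 'aws elasticbeanstalk describe-environments';
the data below is constructed (not a real account).
"""

ENV_NAME_TAG = "elasticbeanstalk:environment-name"

# Constructed sample of a describe-stacks response.
SAMPLE_STACKS = {
    "Stacks": [
        {"StackName": "myapp-infra", "StackStatus": "CREATE_COMPLETE", "Tags": []},
        {"StackName": "awseb-e-ctpmqpqwjm-stack",
         "StackStatus": "UPDATE_ROLLBACK_COMPLETE",
         "Tags": [{"Key": ENV_NAME_TAG, "Value": "myenvname"}]},
        {"StackName": "awseb-e-abcdefghij-stack",
         "StackStatus": "UPDATE_COMPLETE",
         "Tags": [{"Key": ENV_NAME_TAG, "Value": "otherenv"}]},
    ]
}

# Constructed sample of a describe-environments response.
SAMPLE_ENVIRONMENTS = {
    "Environments": [
        {"EnvironmentName": "myenvname", "EnvironmentId": "e-ctpmqpqwjm",
         "Status": "Ready", "Health": "Green"},
    ]
}

# Stack statuses that mean the last CloudFormation operation finished as intended
# (this example's choice; *_ROLLBACK_* statuses are the silent-rollback case).
HEALTHY_STACK_STATUSES = {"CREATE_COMPLETE", "UPDATE_COMPLETE"}


def stacks_for_environment(describe_stacks_response, env_name):
    """Same filter as the --query in the question: stacks tagged with the environment name."""
    return [
        s for s in describe_stacks_response["Stacks"]
        if any(t["Key"] == ENV_NAME_TAG and t["Value"] == env_name for t in s.get("Tags", []))
    ]


def expected_stack_name(describe_environments_response, env_name):
    """Name derived from EnvironmentId as the answer describes (awseb-<EnvironmentId>-stack).

    The answer notes this convention is observed rather than documented, which is
    why the caller cross-checks it against the tag lookup above.
    """
    for env in describe_environments_response["Environments"]:
        if env["EnvironmentName"] == env_name:
            return f"awseb-{env['EnvironmentId']}-stack"
    raise LookupError(f"no Elastic Beanstalk environment named {env_name!r}")


def deployment_succeeded(describe_stacks_response, describe_environments_response, env_name):
    """True only if the EB stack is found by both methods and is in a healthy status."""
    tagged = stacks_for_environment(describe_stacks_response, env_name)
    if len(tagged) != 1:
        raise LookupError(f"expected exactly one stack tagged {env_name!r}, found {len(tagged)}")
    stack = tagged[0]
    if stack["StackName"] != expected_stack_name(describe_environments_response, env_name):
        raise LookupError("tagged stack name does not match the awseb-<EnvironmentId>-stack convention")
    return stack["StackStatus"] in HEALTHY_STACK_STATUSES


if __name__ == "__main__":
    ok = deployment_succeeded(SAMPLE_STACKS, SAMPLE_ENVIRONMENTS, "myenvname")
    print("deploy succeeded" if ok else "deploy rolled back or failed")
```

Wired into a pipeline step after the parent stack reports success, a False result (or a LookupError) is what turns the silent Beanstalk rollback the question describes into a failed build.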

Can I assume-role over an AWS EC2 instance-profile with Terraform?

I am running into a situation where I am trying to run a Terraform (v0.11.7) script within Jenkins within Kubernetes (k8s) within an EC2 instance.
The k8s worker is running on an EC2 instance with a particular AWS instance-profile.
The Terraform script is configured via various environment variables, credentials
and config files to be able to assume a specific role for its purposes.
The setup works fine on my MacBook, but sadly, in Jenkins/k8s/EC2, the EC2 instance-profile is prevailing and the Terraform script is failing because it requires its specific assume-role to complete its operations.
It's actually failing on the terraform plan step, with TF_LOG output showing that the role is derived from the instance-profile.
Wondering if anyone has run into this situation and has any related guidance?
Looks like the special sauce for my particular use case is Terraform's AWS provider skip_metadata_api_check flag, which apparently inhibits Terraform's behavior around assuming the role of the EC2 instance-profile, and allows it to fall back to its normal mechanisms for assume-role in my specific setup.
My specific setup involved use of the provider's profile arg in conjunction with the named profile feature involving AWS shared credentials and config files.
Another option for assume-role in Terraform is the provider's assume_role arg, but I preferred the more abstracted profile option.
I have also found that use of the AWS_PROFILE environment variable in conjunction with the less well documented AWS_SDK_LOAD_CONFIG environment variable of the AWS Go SDK (used by Terraform) also works as an alternative, and allows omitting the profile argument altogether, which may be even more appealing to some.

How do I identify what IAM permissions are required for AWS CloudFormation?

I want to use the CloudFormation package and deploy functions, but how do I go about determining what IAM permissions are required to run these?
In general, how do I determine what permissions are required?
Based on the fact that you are using this for Lambda, I'm guessing that this is related to your other question CloudFormation to setup CodePipeline/CodeBuild to deploy SAM application.
In the answer to that question I referenced an Example CloudFormation Template. If you look at the CloudFormationServicePolicy from that example, you will likely find everything you need.
For the answer to this specific question, though, there are two parts.
To package you'll need:
A Deployment Artifact bucket (ArtifactBucket)
s3:PutObject permissions for the user to the ArtifactBucket
Deploy is much harder to answer. In the above referenced CloudFormationServicePolicy you can find a full set of permissions we use with CloudFormation to deploy a function. At the very least, you'll need:
iam:PassRole (assuming you're passing an existing role)
lambda:CreateFunction
lambda:UpdateFunctionCode
lambda:UpdateFunctionConfiguration
lambda:AddPermission
lambda:GetEventSourceMapping
lambda:CreateEventSourceMapping
lambda:DeleteEventSourceMapping
If you're doing your deploy through the console, you'll likely also need:
iam:GetRole
iam:ListRole
lambda:GetFunction
lambda:GetFunctionConfiguration
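The answer lists the actions but not how to scope them, and scoping is where most of the risk sits (an unscoped `iam:PassRole`, for instance, lets the deployer hand any role in the account to Lambda). The following added example (not code from the answer or from the template it references) builds a policy document from exactly the package and deploy actions listed above, scopes each statement to its resource, and includes a small allow/deny check so the effect of that scoping can be seen offline. The bucket name, account id, region, role name and function ARN are constructed placeholders. The checker handles only Allow statements with `*` wildcards and ignores `Condition` blocks; real IAM evaluation also applies Deny statements, conditions, resource policies and permission boundaries. Which Lambda actions accept a function ARN versus `*` as the resource should be confirmed against the Lambda service authorization reference; the event-source-mapping actions are left at `*` here for that reason.

```python
"""Scoped IAM policy for 'aws cloudformation package' / 'deploy' of a Lambda function,
plus a minimal allow/deny check to show what the resource scoping buys.

Added example, not from the answer above or the template it references. Action
lists are the ones given in the answer; all ARNs below are constructed placeholders.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"                  # constructed placeholder
REGION = "us-east-1"                         # constructed placeholder
ARTIFACT_BUCKET = "my-deploy-artifacts"      # the ArtifactBucket from the answer (placeholder name)
FUNCTION_ARN_PREFIX = f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:"
EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/my-lambda-exec-role"  # placeholder

PACKAGE_ACTIONS = ["s3:PutObject"]
FUNCTION_ACTIONS = [
    "lambda:CreateFunction",
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
    "lambda:AddPermission",
]
EVENT_SOURCE_ACTIONS = [
    "lambda:GetEventSourceMapping",
    "lambda:CreateEventSourceMapping",
    "lambda:DeleteEventSourceMapping",
]


def build_policy():
    """One statement per resource class so each action set is scoped as tightly as it can be."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # package: upload only into the artifact bucket
                "Sid": "PackageUpload",
                "Effect": "Allow",
                "Action": PACKAGE_ACTIONS,
                "Resource": [f"arn:aws:s3:::{ARTIFACT_BUCKET}/*"],
            },
            {   # deploy: pass only the function's execution role, and only to Lambda
                "Sid": "PassExecutionRole",
                "Effect": "Allow",
                "Action": ["iam:PassRole"],
                "Resource": [EXEC_ROLE_ARN],
                "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
            },
            {   # deploy: function-level actions limited to this account and region
                "Sid": "DeployFunction",
                "Effect": "Allow",
                "Action": FUNCTION_ACTIONS,
                "Resource": [f"{FUNCTION_ARN_PREFIX}*"],
            },
            {   # deploy: mapping actions act on event source mappings, not the function ARN,
                # so they are left unscoped here (verify per-action resource support in the docs)
                "Sid": "EventSourceMappings",
                "Effect": "Allow",
                "Action": EVENT_SOURCE_ACTIONS,
                "Resource": ["*"],
            },
        ],
    }


def is_allowed(policy, action, resource):
    """True if some Allow statement matches both action and resource ('*' wildcards via fnmatch).

    Simplified on purpose: Deny statements and Condition blocks are not evaluated.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    print("upload to artifact bucket:",
          is_allowed(policy, "s3:PutObject", f"arn:aws:s3:::{ARTIFACT_BUCKET}/pkg.zip"))
    print("upload to other bucket:",
          is_allowed(policy, "s3:PutObject", "arn:aws:s3:::other-bucket/pkg.zip"))
```

The three console-only actions the answer adds (`iam:GetRole`, `iam:ListRole`, `lambda:GetFunction*`) would go in a further statement of the same shape; they are read-only and are left out here so the block matches the CLI path the question asks about.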

How to mention the region for a Lambda function in AWS using the CLI

I am trying to create a Lambda function in a particular region using aws-cli. I am not sure how to create it. I looked at this doc and couldn't find any parameter related to region: http://docs.aws.amazon.com/cli/latest/reference/lambda/create-function.html
Thank you.
The region is a common option to all AWS CLI commands. If you want to explicitly include the region in your command, simply include --region us-east-1, for example, to run your command in the us-east-1 region.
If this parameter is not specified explicitly, it will be implicitly derived from your configuration. This could be environment variables, your CLI's config file, or even inherited from an IAM instance profile.
A safe command to verify this is aws lambda list-functions. This is a read-only command that lists your functions; it will only list functions in the region that was implicitly supplied via your configuration. You can explicitly supply a region to this function and observe that the results will change if you have functions in one region but not the other.
Further Reading
AWS Documentation - Configuring the AWS Command Line Interface
AWS Documentation - Configuration and Credential Files
AWS Documentation - AWS CLI Options
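The answer's list of sources is also an order of precedence, and the silent part is that a command with no `--region` may target a region you did not intend. The following added example (not code from the answer or from the AWS CLI) models that resolution offline: the `--region` option first, then the `AWS_REGION` / `AWS_DEFAULT_REGION` environment variables (newer CLI versions honor both; `AWS_DEFAULT_REGION` is the long-standing one), then the `region` key of the selected profile in the shared config file, and finally the EC2 instance metadata fallback, which is represented by a caller-supplied value so nothing is fetched. The config text is a constructed sample and the function names are this example's own; it returns the source alongside the region so a script can log where its region came from.

```python
"""Resolve the region the AWS CLI will use, in the precedence the answer describes.

Added example, not from the answer above or the AWS CLI source. Order modeled:
--region option > AWS_REGION / AWS_DEFAULT_REGION > shared config profile > EC2
instance metadata (passed in by the caller here, so the script runs offline).
"""
import configparser
import io

# Constructed ~/.aws/config content. Note the CLI's "[profile name]" section
# naming for every profile except [default].
SAMPLE_CONFIG = """
[default]
region = us-west-2

[profile prod]
region = eu-central-1
output = json
"""


def region_from_config(config_text, profile="default"):
    """Read the 'region' key for a profile from shared-config text; None if unset."""
    parser = configparser.ConfigParser()
    parser.read_file(io.StringIO(config_text))
    section = "default" if profile == "default" else f"profile {profile}"
    if parser.has_section(section):
        return parser[section].get("region")
    return None


def resolve_region(cli_region=None, env=None, config_text="", profile=None, metadata_region=None):
    """Return (region, source) following CLI precedence; raise if no source supplies one.

    'env' is a dict standing in for os.environ so the test can control it;
    'metadata_region' stands in for the EC2 instance-metadata lookup.
    """
    env = env or {}
    if cli_region:
        return cli_region, "--region option"
    for var in ("AWS_REGION", "AWS_DEFAULT_REGION"):
        if env.get(var):
            return env[var], f"environment variable {var}"
    # The profile selected by --profile (passed in here) or AWS_PROFILE, else default.
    chosen = profile or env.get("AWS_PROFILE") or "default"
    from_config = region_from_config(config_text, chosen)
    if from_config:
        return from_config, f"config file profile '{chosen}'"
    if metadata_region:
        return metadata_region, "EC2 instance metadata"
    raise RuntimeError("no region found in any configuration source; pass --region")


if __name__ == "__main__":
    region, source = resolve_region(env={"AWS_PROFILE": "prod"}, config_text=SAMPLE_CONFIG)
    print(f"{region} (from {source})")
```

The same call with `cli_region="us-east-1"` wins over everything else, which is why the answer recommends `--region` explicitly for anything that creates resources; the `list-functions` experiment it suggests is the read-only way to confirm which source is in effect on a given machine.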