I have multiple roles in AWS and have to switch between them multiple times a day.
Can you please suggest a good solution without doing the entire authentication cycle?
You can store multiple roles in the ~/.aws/credentials file. These can be activated via the AWS CLI by using --profile.
You can also put roles in specific profiles and the AWS CLI will assume them from a base set of credentials.
See:
Configuration and Credential File Settings - AWS Command Line Interface
Using an IAM Role in the AWS CLI - AWS Command Line Interface
Related
I have SSO configured for my AWS organizational accounts. Have created two accounts(one is dev and the other is prod). How do i restrict AWS CLI Access for my prod accounts SSO users. Tried looking up in their documentation, but couldn't find any.
Can someone help me?
The AWS Command-Line Interface (CLI) can be configured to connect via SSO and assume an IAM Role. It can then be used to make API calls according to the permissions in the chosen IAM Role.
It is not possible to 'restrict' the AWS CLI. Instead, you would restrict the permissions in the IAM Role that is being used.
See: Configuring the AWS CLI to use AWS Single Sign-On - AWS Command Line Interface
I have an AWS Batch Job which is a .NET CORE app running as a container which downloads from an SFTP server a CSV parses it and inserts data into AWS RDS.
When the CSV is corrupt the job is failing and is supposed to send a SNS notification, instead I see the following error in CloudWatch logs.
"Message": "User: arn:aws:sts::654001826221:assumed-role/fileimportworker-batch/5f77c736e4e64c2d82df278800ec4f25 is not authorized to perform: SNS:Publish on resource: arn:aws:sns:eu-west-1:accountIdHere:Test-SNS-Batch",
My IAM role attached to the batch Job role has SNS:Published allowed, S3 allowed, also provides read access to 2 secrets in Secret Manager. S3 and SecretManager access work, the task is able to download the file from SFTP and put it to S3 and also to read the RDS password from secret manager.
AWS Batch Job may use credentials from a container instead of your environment variables. You have to look at credential precedence.
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence
The AWS CLI uses credentials and configuration settings located in
multiple places, such as the system or user environment variables,
local AWS configuration files, or explicitly declared on the command
line as a parameter. Certain locations take precedence over others.
The AWS CLI credentials and configuration settings take precedence in
the following order:
Command line options – Overrides settings in any other location. You
can specify --region, --output, and --profile as parameters on the
command line.
Environment variables – You can store values in your system's
environment variables.
CLI credentials file – The credentials and config file are updated
when you run the command aws configure. The credentials file is
located at ~/.aws/credentials on Linux or macOS, or at
C:\Users\USERNAME.aws\credentials on Windows. This file can contain
the credential details for the default profile and any named profiles.
CLI configuration file – The credentials and config file are updated
when you run the command aws configure. The config file is located at
~/.aws/config on Linux or macOS, or at C:\Users\USERNAME.aws\config
on Windows. This file contains the configuration settings for the
default profile and any named profiles.
Container credentials – You can associate an IAM role with each of
your Amazon Elastic Container Service (Amazon ECS) task definitions.
Temporary credentials for that role are then available to that task's
containers. For more information, see IAM Roles for Tasks in the
Amazon Elastic Container Service Developer Guide.
Instance profile credentials – You can associate an IAM role with each
of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary
credentials for that role are then available to code running in the
instance. The credentials are delivered through the Amazon EC2
metadata service. For more information, see IAM Roles for Amazon EC2
in the Amazon EC2 User Guide for Linux Instances and Using Instance
Profiles in the IAM User Guide.
P.S. To intergate AWS Batch with SNS without coding, you can use the Eventbridge rule to listen to event patterns from AWS Batch. You just select the target of the rule to publish the message on the SNS topic you want.
https://docs.aws.amazon.com/batch/latest/userguide/batch_sns_tutorial.html
I'm learning AWS using the AWS CLI and LocalStack.
I'm working with tutorials such as this, which describe how to create a S3 bucket and upload a file to it.
What I'd like to understand is the role of users in relation to AWS commands, and whether or not there is a relationship between a user and a profile (the latter is created when you run the aws configure CLI command).
When I run a AWS CLI command such as aws --endpoint-url=http://localhost:4572 s3 cp ./foo.json s3://my-bucket/path/to/foo.json what user am I running that command as? I have not explicitly created any users using the AWS IAM CLI or by other means. Is a profile implicitly a user? I.e. when I run aws configure, does the default profile created mean a user named default is created in AWS IAM?
Well, it's easy to check actually.
https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html
Is a profile implicitly a user?
No, profile is just that - credentials profile. Whether it's a user or a role, AWS CLI doesn't care as long as those credentials are valid.
when I run aws configure, does the default profile created mean a user named default is created in AWS IAM
Going from previous point, no. Nothing is done implicitly in IAM. When you run aws configure you supply credentials that already exist, not the other way around.
I want a run a python boto3 scrip from my local machine using Pycharm. I am having config file setup in my machine that contains different roles based on the accounts. Say for example I want to execute the scrip using dev-power user that is included in the config file. But I am getting the below error:
"botocore.exceptions.NoCredentialsError: Unable to locate credentials"
Could you please let me know the process by which I can do this from local IDE?
You cannot use IAM Role to access AWS services from your development environment. An IAM Role can only be attached to an IAM User or an AWS service and cannot be used for programmatic access.
For programmatic access to different AWS services you will need to create an IAM User which will have access to required services or has a role attached to it with specific policies.
Reference :
AWS IAM Roles
AWS IAM Users
IAM User provides "access-key" and "secrete-key" which can be configured on your machine to access the services from your development environment.
Reference :
AWS Access Credentials
Setting up your AWS credentials
I'm new to programming. I need to figure out how I can create AWS users, roles and policies programmatically using code.
That task I'm after :
Create a User, Role and Policy
Assign Policy to the Role
Assign Role to the User
Set condition on the Role, that only Users with MFA can assume that Role
Config's should live in S3 bucket
configure a LAMBDA to check the user's role membership and output the result to S3 bucket.
Just trying to figure out where do I start from ? I have a very limited programming experience (can do a bit of PHP).
I have a AWS account, created a user and gave him 'AdministratorAccess' also have user keys for CLI access.
Should I be suing 1)AWS CLI 2) Powershell 3) AWS SDK's 4) AWS API?
Appreciate any help/direction to achieve the above.
Thanks
S
To programmatically create IAM Roles you can use AWS PHP SDK. Refer the IAM Create User section in SDK API reference for more details.
Aside from using specific language AWS SDKs such as suggested by #Ashan, you can do so by using AWS REST API with the following example request:
https://iam.amazonaws.com/?Action=CreateUser
&Path=/division_abc/subdivision_xyz/
&UserName=Bob
&Version=2010-05-08
&AUTHPARAMS
Source - CreateUser