Boto AWS: get service name from a resource id - amazon-web-services

Is there a way to get the Amazon service name which a resource id belongs with boto3?
I would expect something like:
service = client.get_service_name("i-0ff8943bb6c0db21c")
print(service)
OUTPUT:
EC2
or
service = client.get_service_name("subnet-007c14e3ae140c9d9")
print(service)
OUTPUT:
VPC
I don't find a way to get that.
Thanks.

No, there is no API call to translate a Resource ID into a Service Name.

Related

Ensure Google service accounts

In Terraform I enable services like so:
resource "google_project_service" "apigateway" {
  service = "apigateway.googleapis.com"
}
Afterwards I ensure that I am referencing the service account of apigateway (service-123@gcp-sa-apigateway.iam.gserviceaccount.com) only after the resource was created.
Now it does happen sometimes that when using the email of the SA, I get an error that the service account is not present:
Error 400: Service account service-123@gcp-sa-apigateway.iam.gserviceaccount.com does not exist.
I double checked in API Explorer that the API is enabled!
This in turn does happen for apigateway the same way as for others (e.g. cloudfunctions).
So I am wondering how do I ensure that the service account is created?
Naively I assumed creating google_project_service should do the trick, but that seems not to be true in every case. Documentation around Google service accounts is pretty sparse, it seems :(
As John Hanley remarks, you can create this dependency in terraform with depends_on.
As you can see in the following snippet, the service account will be created, but the key will not be assigned until the first statement is done.
resource "google_service_account" "service_account" {
  account_id   = "terraform-test"
  display_name = "Service Account"
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.service_account.id
  public_key_type    = "TYPE_X509_PEM_FILE"
  depends_on         = [google_service_account.service_account]
}
Also, if the service account is already created on the GCP platform, only the key statement is executed.
It is important to note that the account you are using for this configuration needs to have the required IAM permission to create a service account.
Found out about google_project_service_identity.
So, since I saw this problem with cloudfunctions, you could create a google_project_service_identity.cloudfunctions and hope for a detailed error message.
Sadly this is not available for all services, e.g. apigateway.
For apigateway specifically, Google Support confirmed that the undocumented behavior is that the SA gets created lazily when creating the first resource.

How to register RDS instance with CloudMap

I know this is possible through the AWS CLI and Console, as I have done it like this, but I would now need to do it in Terraform. I would like to execute the equivalent of the CLI command aws servicediscovery register-instance.
Pointing to any documentation or examples that can be shared would be most beneficial and appreciated.
This is now possible using the aws_service_discovery_instance resource as of version v3.57.0 of the AWS provider.
resource "aws_service_discovery_instance" "example" {
  instance_id = "mydb"
  service_id  = aws_service_discovery_service.example.id

  attributes = {
    AWS_INSTANCE_CNAME = aws_db_instance.example.address
  }
}
Adding instances to the discovery service is not yet supported:
Add an aws_service_discovery_instance resource
But a pull request has already been prepared for that, so hopefully soon:
resource/aws_service_discovery_instance: new implementation

AWS Quicksight SSO with KeyCloak

I have been trying to set up AWS Quicksight SSO with Keycloak version 10.0.2. I have been following these three blogs and articles:
https://docs.aws.amazon.com/quicksight/latest/user/external-identity-providers-setting-up-saml.html
https://scandiweb.com/blog/sign-in-to-amazon-aws-using-saml-protocol-and-keycloak-as-identity-provider#:~:text=Amazon%20AWS%20Service%20Provider%20setup&text=2)%20Go%20to%20%E2%80%9CIAM%E2%80%9D,%E2%80%9D%20and%20then%20%E2%80%9CCreate%E2%80%9D.
and this
https://www.wolfe.id.au/2017/11/05/aws-user-federation-with-keycloak/
I am stuck at the step of creating AWS roles and mappers in Keycloak client settings:
kcadm.sh create clients/6c684579-51a1-4bdf-a694-d641199874d8/roles -r wolfeidau -s 'name=arn:aws:iam::981394234017:role/wolfeidau-admin,arn:aws:iam::981394234017:saml-provider/docker-keycloak'
null [Character ':' not allowed.]
How do I create AWS roles and mappers in Keycloak client settings?
Following this blog, I faced the same issue.
But I found another workaround that looks much better to me.
The solution is to create a "Hardcoded attribute" instead of the "Role list" param along with a role creation. So I use the params below:
Protocol = saml
Name = Session Role
Mapper Type = Hardcoded attribute
Friendly Name = Session Role
SAML Attribute Name = https://aws.amazon.com/SAML/Attributes/Role
SAML Attribute NameFormat = Basic
Attribute value = arn:aws:iam::<aws account number>:role/<role-for-sso>,arn:aws:iam::<aws account number>:saml-provider/<saml-provider-name>
Looks like a recent Keycloak change. I have existing roles with a colon in the name, but the latest version won't let me create a new role with the colon in the name.
Workaround I applied:
Create the role name without a colon. I chose the format aws-accountNumber-RoleName.
Add a Role Name Mapper in your AWS client. Keycloak will accept a colon in the "New Role Name" field.

How to use aws provided kms Encryption Key for SQS in Terraform

I want to configure my SQS Terraform Script to use an aws provided SSE Key.
I know that you can do this with the following code:
resource "aws_sqs_queue" "terraform_queue" {
  name                              = "terraform-example-queue"
  kms_master_key_id                 = "alias/aws/sqs"
  kms_data_key_reuse_period_seconds = 300
}
But with this example I need to first create my own KMS Key. In the aws console it is possible to use a default one without creating one by myself. How do I do this in Terraform, what do I have to type in kms_master_key_id?
The default key for any service is given by the alias alias/aws/$service. So when you refer to alias/aws/sqs you're using the default AWS managed KMS key for that service in that region.
This is briefly covered in the AWS user guide:
The alias name cannot begin with aws/. The aws/ prefix is reserved by Amazon Web Services to represent AWS managed CMKs in your account.

AWS ec2 describe-instances without having to use credentials

Is it possible to get AWS instance info, local to the instance, without using credentials? I know the command line tool can do it, but it needs credentials. There are also the metadata commands, but those don't seem to return Tags, which is what I need.
I thought there was a way to curl an IP and get back json, but I can't find it.
It is not possible to retrieve tags directly from within the EC2 instance via the local metadata service as the metadata service does not know the tags. You have (at least) two options:
launch the instance with an IAM role (or somehow provide other credentials to the instance) that includes permission to call ec2:DescribeTags and then retrieve the tags dynamically - you'll need the instance ID for this and you can get that from the metadata service
if the tags are known at launch time and are not going to change after launch, you could simply pass them into the EC2 instance as part of the userdata (e.g. as environment variables or written to a text file at launch).
Unfortunately, you'll need credentials to retrieve tags. I do this by creating an IAM user that only has the ec2:Describe* role; it can then enumerate the instances in your account and retrieve their tags, with ec2-describe-tags or similar.
You can use the metadata API to retrieve the current instance ID, then pass that to ec2-describe-tags to retrieve the tags for the current instance:
ec2-describe-tags -O YOUR_IAM_KEY -W YOUR_IAM_SECRET --filter="resource-id=`curl -s http://169.254.169.254/latest/meta-data/instance-id`"
Yes you can get the EC2 instance tags without credentials. You do this using the EC2 Roles / Profiles for the EC2 instance. I know that this has already been mentioned but I'd like to expand on this a little. Technically you're not actually doing anything without credentials. Credentials are always involved unless you're just making queries to the metadata.
What Boto and other similar frameworks do is they query the ec2 instance metadata to get the credentials for the role. Just replace the last part s3access with the name of the profile / role.
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
Returns
{
"Code" : "Success",
"LastUpdated" : "2012-04-26T16:39:16Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
"SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"Token" : "token",
"Expiration" : "2012-04-27T22:39:16Z"
}
This response includes the access credentials required to make the API request. When the credentials expire the framework will request a new set of credentials using the same method and repeat this process as many times as necessary.
I highly recommend using a framework because making the requests directly to the REST API requires that you perform the authentication yourself. If that's the direction you decide to go here are some more resources to help you out.
Signature Version 2
Describe Tags API
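The role-credential flow this answer describes, as an added example that is not part of the answer or of boto: it reads the security-credentials document via IMDSv2 (session token first), caches it and refreshes shortly before Expiration, then calls DescribeTags filtered to the instance's own ID. The role name s3access comes from the answer; the injectable fetch/now hooks, the 5-minute skew and the boto3 glue in the __main__ block are assumptions, and boto3 is only needed there.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254/latest"


def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps the credential document uses."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def imds_get(path, ttl=21600):
    # IMDSv2: obtain a session token with a PUT first. A plain GET (IMDSv1) is the
    # request shape that SSRF bugs in web apps on the instance can replay.
    req = urllib.request.Request(f"{IMDS}/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as r:
        token = r.read().decode()
    req = urllib.request.Request(f"{IMDS}/{path}", headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as r:
        return r.read().decode()


class RoleCredentials:
    """Caches the credential document for role_name and re-reads it shortly before
    Expiration, as boto does. fetch(path) and now() are injectable (assumed hooks,
    not boto API) so the refresh logic can be driven with a canned document."""

    def __init__(self, role_name, fetch=imds_get, now=None, skew=timedelta(minutes=5)):
        self.path = f"meta-data/iam/security-credentials/{role_name}"
        self.fetch = fetch
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.skew = skew
        self.doc, self.refreshes = None, 0

    def get(self):
        if self.doc is None or self.now() >= self.doc["Expiration"] - self.skew:
            doc = json.loads(self.fetch(self.path))
            if doc.get("Code") != "Success":  # e.g. role not attached / wrong name
                raise RuntimeError(f"IMDS returned {doc.get('Code')!r} for {self.path}")
            doc["Expiration"] = parse_ts(doc["Expiration"])
            self.doc, self.refreshes = doc, self.refreshes + 1
        return self.doc


def instance_tags(ec2, instance_id):
    """ec2:DescribeTags filtered to one resource-id; the role policy needs nothing wider."""
    resp = ec2.describe_tags(Filters=[{"Name": "resource-id", "Values": [instance_id]}])
    return {t["Key"]: t["Value"] for t in resp["Tags"]}


if __name__ == "__main__":
    import boto3  # assumed installed; on its own it would read IMDS the same way
    c = RoleCredentials("s3access").get()
    ec2 = boto3.client("ec2", region_name=imds_get("meta-data/placement/region"),
                       aws_access_key_id=c["AccessKeyId"], aws_secret_access_key=c["SecretAccessKey"],
                       aws_session_token=c["Token"])
    print(instance_tags(ec2, imds_get("meta-data/instance-id")))
```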