I want to create an EC2 instance with Postman but, I couldn't find anything on the internet? Is there a way of doing this? or should I use aws-cli instead?
Everything in AWS is an API that can be hit directly or via CLI or SDK. All those do is make the same calls you'd have to make. The advantage to using the CLI or SDK is that they manage the auth for you, which is no trivial matter. The following document gives you a place to start looking at all the options for using AWS APIs.
Making API Requests
Related
I have a simple shell script which issues several commands using awscli and displays information to the screen. It depends on having correct settings in ~/.aws/config and ~/.aws/credentials. I want to distribute it to about 10 users who have IAM accounts with limited privileges. However I don't want to use the shell - I want something cross-platform, easy to use for the users and easy for me to update. So I decided that I want to create a simple web application in JS instead, using the AWS SDK.
It seems that this use case is specifically supported by AWS, the first bullet point under "Common Use Cases" in What Is the AWS SDK for JavaScript? is "Build a custom console to AWS services in which you access and combine features across Regions and services to best meet your organizational or project needs" which exactly describes what I want to do.
The problem is that I can't find the relevant documentation on how to perform the user authentication. All the examples that I was able to find talk about some "Amazon Cognito" service and discuss much more complicated use cases, such as authenticating pools of external users through an external authentication provider and mapping them to IAM roles, which sounds too complicated for what I want to do. Is there a way to just authenticate the users that I have with their IAM user/password, and authorize them to access the AWS services based on their existing IAM permissions? Or is using Cognito, creating additional roles, etc. mandatory?
While writing this question I found out another question about AWS Amplify and now I'm even more confused. Is AWS Amplify what I would want to use?
You can write a web app using the AWS SDK for JavaScript that invokes various AWS Services. You do NOT need to use AWS Amplify to create a web app.
A Web application that uses the AWS SDK for JavaScript uses creds like any other AWS app. Here is an AWS tutorial that shows how to use the AWS SDK for JavaScript to write a basic web app that invokes the AWS SQS service. It will hopefully point you in the right direction.
Creating an example messaging application
This topic covers Prerequisites and other information, such as creating the required AWS resources, you need to know to write a web app using the AWS SDK for JavaScript.
Also - the link you referenced was the JavaScript V2 DEV Guide. Its better to use the AWS JavaScript V3 DEV Guide.
I've been having trouble with a deployment with a serverless-component, so I've been trying to debug it. Stepping through the code, I actually thought I'd be able to step into the component itself and see what was going on.
But to my surprise, I couldn't actually debug it, because the component doesn't actually exist on my computer. Apparently the serverless cli is sending a request to a server, and the request seems to include everything serverless needs to build and deploy the actual service— which includes my AWS credentials...
Is this a well-known thing? Is there a way to force serverless to build and deploy locally? This really caught me be surprise, and to be honest I'm not very happy about it.
I haven't used their platform, (I thought the CLI only executed from your local seems very risky), but you can make this more secure by the following:
First setup an iam role which can only do the deploy actions for your app. Then make a profile which assumes this role when you work on your serverless app and use the cli.
Secondly you can also avoid long-term cli credentials (iam users) by using the AWS SSO functionality which generates cli credentials for an hour, and with the AWS cli, you can login from the cli I believe. What this will mean is that your CLI credentials will live for at maximum 1 hour.
If the requests are always coming from the same IP you can also put that in an IAM policy but I wouldn't imagine there is any guarantee that their IP will always be the same.
I have as php library I wrote to help with working along side Amazon Web Services. It was built to either look for the default $HOME/.aws/credentials (or be pointed to a similar format file) or to look for the key and secret in the environment before proceeding.
We are now going to be running it on an EC2 and I was shown how you can use roles in conjunction with the EC2 to get and keep much better control on what the server code can and can't do. But I need to modify my code to be able to know when it has proper permissions before proceeding and I don't see anywhere in the docs on assigning an EC2 instance a given role how you know in the SDK that it has the permissions of that role.
Is there some way once I instantiate the SDK to ask something akin to 'hasRole' or 'getRoleArn' or something like that?
SDKs are mapped directly to API calls. So if you know what cli command to call, it makes it much easier to google. So you want the aws sts get-caller-identity most likely.
Doing a google for "PHP sts sdk aws" is then the search you would do. And then you would wind up on this page.
So that way is using the SDK. There are a couple of other ways as well. As you are using ec2 you can use instance meta-data as well.
On another note I do think you should be careful though with leaking the AWS role into your application code. It probably makes more sense to use user identity context, such as with Cogito, and then use different groups with different permission sets. The role on the actual ec2 instance shouldn't be changing (unless you do a re-deploy), so there is no need for your code to check something that won't change during the normal running of the application. You could simply use an environment variable to convey whatever configuration you want to your application.
aws sts get-caller-identity --query 'Arn'
arn:aws:iam::1232412321:role/YourRole
I am looking for creating aws Cloud HSM using Java sdk.
Does anyone already done? looking for some example.
I can create by using AWS CLI but I want to do it through Java sdk.
Thank you.
AWS CLI is a wrapper around AWS API and the call you are likely looking for is CreateHSM Here is the corresponding Java SDK method
In most cases, if you already know how to do something via CLI - just follow the link to API Reference from the CLI command documentation page and then to SDK of you choice (Java). They all are built on top of the same REST API, so given the example for one it's just a syntax difference on how to work with another.
I am trying to access the aws rds api to describe db snapshots. I plan on having this be parsed so that I can list all the available aws snapshots by id using groovy. However the biggest problem I am having is getting the api in the first place. I took a look at AWS's reference on this topic but I can't seem to figure out how to generate the pre-signed portion of the request with credentials. I am not sure why that part is even necessary. Why can't the user authenticate using the Access key ID and the Secret access key combination?
The reference:
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBSnapshots.html
The section with the issue:
https://rds.us-west-2.amazonaws.com/
?Action=DescribeDBSnapshots
&IncludePublic=false
&IncludeShared=true
&MaxRecords=100
&SignatureMethod=HmacSHA256
&SignatureVersion=4
&Version=2014-09-01
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=AKIADQKE4SARGYLE/20140421/us-west-2/rds/aws4_request
&X-Amz-Date=20140421T194732Z
&X-Amz-SignedHeaders=content-type;host;user-agent;x-amz-content-sha256;x-amz-date
&X-Amz-Signature=4aa31bdcf7b5e00dadffbd6dc8448a31871e283ffe270e77890e15487354bcca
If groovy is a hard requirement, I'd look into something like this https://grails.org/plugin/aws-sdk
If you're comfortable with Java, I'd say use the official AWS-SDK
If you're scripting this out, you could also use the official AWS cli tool and do something like
aws rds describe-db-snapshots [OPTIONS]
From there you could use a tool like jq to zero-in and parse out your specific ID's. You can find more documentation here.
The way you'd authorize with the SDK is either through environment variables (the preferred approach) or probably hardcoding your KEY and SECRET (big no no)
I think rather than trying to directly communicate with the API directly you should make use of the built in wrappers that AWS provide.
If you're accessing this with a supported programmatic language take a look at the AWS SDKs. There are currently officially supported libraries for:
C++
Go
Java
JavaScript
.NET
NodeJS
PHP
Python
Ruby
If your language of choice is not covered there may be a third party solution already. Alternatively take a look at the AWS CLI to resolve your problem.
For your specific action describe-db-snapshots you can get a list of all IDs by running the below, then parse as JSON.
aws rds describe-db-snapshots --query 'DBSnapshots[*].DBSnapshotIdentifier' --format json