Creating an EC2 security group through the console allows you to set a "group name" and it automatically provides a "group id".
However, the "name" is always blank, unless the security group was generated automatically by Elastic Beanstalk or another resource.
Is there any way to set this name in the console? Otherwise, how is it done in the CLI?
You can either edit the name directly in the console or attach a Name tag to your security group.
Using AWS CLI:
aws ec2 create-tags --resources <sg_id> --tags Key=Name,Value=Test-Sg
For an AWS EC2 instance, is it possible to unassign or remove a security group from an instance using the command line? It is easy to do via the UI, but I can't seem to do it easily via the API. I am restricted to using AWS CLI version 1 for now. https://docs.aws.amazon.com/cli/latest/reference/ec2/index.html
I have looked at using modify-instance-attribute, but it seems like a really roundabout way to unassign a security group from an instance: I have to reassign all the other groups except for the security group I do not want assigned.
aws ec2 modify-instance-attribute --instance-id [Instance ID] --groups [groups]
Deleting the security group will not work, as it is assigned to an instance.
aws ec2 delete-security-group --group-id [group id]
I get the correct error:
An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation
Is there an easier way to remove or unassign a security group from an instance, other than using modify-instance-attribute, from the command line?
The AWS CLI command to attach a security group to running EC2 instance is as below.
aws ec2 modify-instance-attribute --instance-id i-12345 --groups sg-12345 sg-67890
But the above command will remove the currently attached security groups and attach the new one.
I have a use case where there are 100+ servers and I have to attach a new security group to all those servers without detaching the current security groups.
How can I achieve this using the AWS CLI?
The --groups does a complete replacement based on the arguments passed & there's no way to bypass this behaviour so you'll need to implement the logic of getting the existing security groups (SGs), appending the new SG on & then passing that as an input to --groups.
Confirmed by aws ec2 modify-instance-attribute documentation:
--groups (list)
[EC2-VPC] Replaces the security groups of the instance with the specified security groups. You must specify at least one security group, even if it’s just the default security group for the VPC. You must specify the security group ID, not the security group name.
(string)
This command should store all of the security groups for an instance with ID i-12345 in $securitygroups:
securitygroups=$(aws ec2 describe-instances --instance-ids i-12345 --query "Reservations[].Instances[].SecurityGroups[].GroupId[]" --output text)
The output of echo $securitygroups will look something similar to this:
sg-074bb9206bd7edaf2 sg-07cd92995b937cbd2 sg-05414d9cef32901be
Given that your new security group ID is sg-67890, execute the below command to append the new SG ID onto the list of security groups that we want to set (the space is important & needed):
securitygroups+=" sg-67890"
The output of echo $securitygroups should now have the new SG ID appended:
sg-074bb9206bd7edaf2 sg-07cd92995b937cbd2 sg-05414d9cef32901be sg-67890
Finally, pass $securitygroups to the --groups option of aws ec2 modify-instance-attribute.
This variable will contain the existing assigned SG IDs as well as the new SG ID to be assigned, so it'll be assigning the new SG without unassigning any current SGs:
aws ec2 modify-instance-attribute --instance-id i-067a3aae02b8239e6 --groups $securitygroups
Put this in a loop for however many instances you have, problem solved.
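The loop the answer ends with, as an added example that is not part of the original answer: it reads the currently attached groups, appends the new one only if it is not already present (so re-running the script never sends a duplicate ID), and refuses to call modify-instance-attribute when the lookup comes back empty, since --groups would then replace every group with just the new one. The instance and SG IDs are placeholders and a configured AWS CLI is assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers): attach one SG to many
# instances without dropping the groups they already have.
# Assumes a configured AWS CLI; all IDs below are placeholders.
set -euo pipefail

# merge_groups EXISTING NEW -> prints the whitespace-separated union, in
# order, so a second run never passes a duplicate ID to --groups.
merge_groups() {
  local existing="$1" new="$2" id
  for id in $existing; do
    [ "$id" = "$new" ] && { printf '%s\n' "$existing"; return 0; }
  done
  printf '%s\n' "${existing:+$existing }$new"
}

# current_groups INSTANCE_ID -> SG IDs now attached (tab-separated, one line)
current_groups() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[].Instances[].SecurityGroups[].GroupId' \
    --output text
}

# add_group_to_instance NEW_SG INSTANCE_ID
add_group_to_instance() {
  local new="$1" instance="$2" existing merged
  existing=$(current_groups "$instance")
  # An empty list means the lookup failed; --groups would then replace
  # everything with only NEW_SG, so refuse rather than risk that.
  if [ -z "$existing" ]; then
    echo "refusing: no security groups found for $instance" >&2
    return 1
  fi
  merged=$(merge_groups "$existing" "$new")
  if [ "$merged" = "$existing" ]; then
    echo "$instance: already has $new, skipping"
    return 0
  fi
  # shellcheck disable=SC2086  # word splitting is intended here
  aws ec2 modify-instance-attribute --instance-id "$instance" --groups $merged
  echo "$instance: now $merged"
}

# Usage: ./add-sg.sh sg-67890 i-12345 i-23456 ...   (placeholder IDs)
if [ "$#" -ge 2 ]; then
  new_sg="$1"; shift
  for instance in "$@"; do
    add_group_to_instance "$new_sg" "$instance" || echo "failed: $instance" >&2
  done
fi
```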
When logged in to the AWS EC2 Management Console, the list of instances has, as its first column, "Name" (followed by "Instance ID", etc).
For instances created through AWS CLI (using aws ec2 run-instances), the name field is empty. How can I set the name programmatically?
Also, is there any implication to giving it a name (e.g. does it have to be unique, and is the name used by something)? I would like to have it as useful info for managing my instances from the console.
By convention, the name that's displayed in the instance list is a resource tag with the Key Name and the name of your choice as its value.
You can do this via the AWS CLI using the --tag-specifications option as documented here:
aws ec2 run-instances [other options] --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=MyInstanceName}]'
Alternatively, you can also add tags, including the Name tag, to existing resources using aws ec2 create-tags.
Is it possible to use the AWS CLI to change an AMI name?
I can successfully add a "Name" tag (using aws ec2 create-tags) but not change the "AMI Name" that shows in the web UI.
This is an imported AMI, so the AMI Name is something like import-ami-XXXXX.
I've tried:
aws ec2 modify-image-attribute --image-id AMI_ID --attribute Name --value VALUE
but I'm getting back a:
An error occurred (InvalidParameterCombination) when calling the ModifyImageAttribute operation: No attributes specified.
Any suggestions?
It is not possible to change the name of an AMI image. Once the name is set, it cannot be changed.
You have 2 possible resolutions:
Create the AMI image again, using a different name. However, in your case, the name may be automatically generated and this may not be an option.
Copy the AMI within the same region, giving the copy a more desirable name.
I see two name-like fields in the EC2 console for AMIs: one called "Name" and another called "AMI Name". The latter is immutable, as the previous answer suggests.
BUT, I was able to set the "Name" field by using create-tags as shown below:
aws ec2 create-tags --resources AMI_ID --tags Key=Name,Value=bbb
Looking for a quick way to pull my account number, I had originally thought of using aws iam get-account-authorization-details --max-items 1 but there are several issues with doing it this way. Is there a way to do this that might not cross account origins?
You can get the account number from the Secure Token Service subcommand get-caller-identity using the following:
aws sts get-caller-identity --query Account --output text
From my related answer for the AWS PowerShell CLI, your Account ID is part of the Arn of resources that you create... and those that are automatically created for you. Some resources will also list you as an OwnerId.
The Default Security Group is automatically created for you in each region's default VPC as a reserved security group. From the documentation:
You can't delete a default security group. If you try to delete the EC2-Classic default security group, you'll get the following error: Client.InvalidGroup.Reserved: The security group 'default' is reserved. If you try to delete a VPC default security group, you'll get the following error: Client.CannotDelete: the specified group: "sg-51530134" name: "default" cannot be deleted by a user.
This makes it a reliable candidate for retrieving our account Id, as long as you are in EC2 classic or have a default VPC (*see edge cases if you don't).
Example:
aws ec2 describe-security-groups \
--group-names 'Default' \
--query 'SecurityGroups[0].OwnerId' \
--output text
This uses --query to filter the output down to the "owner ID" for the first result from this request, and then uses --output to output your account ID as plaintext:
123456781234
Edge cases:
(Thanks #kenchew) Note that if you've deleted your default VPC in a given region, this security group no longer exists and you should use one of these alternative solutions:
query STS get-caller-identity, per #Taras
use the first security group returned, per #Phillip
Further reading:
AWS EC2 Documentation: Default Security Groups
AWS CLI Documentation: aws ec2 describe-security-groups
Controlling Command Output from the AWS Command Line Interface
If you are running on a server that is running with an assumed role you can't call aws sts get-caller-identity. Also, with describe-security-groups you can't always use the --group-names filter (it doesn't work if you don't have a default VPC), so just pick the first security group. I've found this to be the most reliable regardless of what sort of authentication you use or what sort of VPC you have.
aws ec2 describe-security-groups --query 'SecurityGroups[0].OwnerId' --output text
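The two lookups from the answers above (STS first, then the OwnerId of the first security group) combined into one function, as an added example that is not part of any of the original answers. It validates whatever comes back, because a region with no security groups makes the JMESPath expression return null, which --output text prints as "None" rather than an ID. A configured AWS CLI is assumed; the --run flag is a convention of this script only.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers): resolve the account ID by
# STS first, then by the OwnerId of the first visible security group.
# Assumes a configured AWS CLI.
set -euo pipefail

# Accepts only a 12-digit AWS account ID; an empty string, "None" or an
# error message that leaked into stdout is rejected.
is_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Method 1: STS. Prints nothing (instead of failing the script) on error.
account_id_from_sts() {
  aws sts get-caller-identity --query Account --output text 2>/dev/null || true
}

# Method 2: OwnerId of the first security group in the region, which does
# not depend on the default VPC or its 'default' group still existing.
account_id_from_sg() {
  aws ec2 describe-security-groups --query 'SecurityGroups[0].OwnerId' \
    --output text 2>/dev/null || true
}

# get_account_id -> prints the ID, or returns 1 if neither method yields one.
get_account_id() {
  local id method
  for method in account_id_from_sts account_id_from_sg; do
    id=$("$method")
    if is_account_id "$id"; then
      printf '%s\n' "$id"
      return 0
    fi
  done
  echo "could not determine account ID" >&2
  return 1
}

# Usage: ./account-id.sh --run
if [ "${1:-}" = "--run" ]; then
  get_account_id
fi
```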
My favorite method is to use aws iam get-user [--profile <profile>] since you only need IAM self service role for this to work.