How do I get the arn of ec2 instance in AWS.
I am trying to use resource tag api to add the tags to an EC2 instance.
Resource tag api requires arn for all the resources.
How do I fetch that ?
You can "build" it yourself:
arn:aws:ec2:<REGION>:<ACCOUNT_ID>:instance/<instance-id>.
For this purpose, I think you can even use * as <REGION> and <ACCOUNT_ID>, and it will work.
To retrieve the <instance_id> you can use the Console or the CLI, or from within the instance itself with ec2metadata --instance-id
Related
Goal: Retrieve secret from secretsmanager on an aws ec2 instance programmatically through command line.
I have created an IAM role with policies that grant full-access to AWSSecretsManager and AWSEC2instance also to assume the role and modify the role of any aws ec2 instance.
I created an aws instance and attached the IAM role to it and executed the following steps:
- aws secretsmanager list-secrets
An error occurred (UnrecognizedClientException) when calling the ListSecrets operation: The security token included in the request is invalid.
I get an error. I am able to retrieve the security credentials using the metadata of the instance.
- Am I missing something here? I basically want to retrieve the secret in an aws instance in a secure way.
- When I try to run the above command to list-secrets. The cli complains that it needs an region. My ec2-instance and secrets all are in us-east-2. So, I use the same region. And it still does not work.
Any suggestions/pointers would be highly appreciated. Thanks!
Here is How I would troubleshoot.
check whether the instance is aware of the IAM role attached to that.
aws sts get-caller-identity
try passing the region to the command
aws secretsmanager list-secrets --region us-east-2
I would check whether the AWS_REGION or AWS_DEFAULT_REGION, but even if these values are set, passing --region should override it.
Hope this help you get somewhere.
Have you run "aws configure" on the instance? Sounds like it might be using the token in there rather that the EC2 instance role. See references below for the sequence it checks but basically, the EC2 role is the last place it looks, if it gets credentials earlier, it will use them.
See here for the priority/sequence: https://docs.aws.amazon.com/amazonswf/latest/awsrbflowguide/set-up-creds.html
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html ("Using the Default Credential Provider Chain")
I have an EC2 instance and I want to know which cloud formation stack it belongs to using AWS CLI.
To do this using boto in python, refer How to determine what CloudFormation stack an AWS resource belongs to?
aws cloudformation describe-stack-resources --physical-resource-id i-xxxxxxxxxx
Replace i-xxxxxxxxxx by your instance-id or any other physical resource id in general.
--physical-resource-id (string):
The name or unique identifier that corresponds to a physical instance ID of a resource supported by AWS CloudFormation.
For example, for an Amazon Elastic Compute Cloud (EC2) instance, PhysicalResourceId corresponds to the InstanceId . You can pass the EC2 InstanceId to DescribeStackResources to find which stack the instance belongs to and what other resources are part of the stack.
Required: Conditional. If you do not specify PhysicalResourceId , you must specify StackName .
Default: There is no default value.
Reference: http://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DescribeStackResources.html
I have a service-linked role in AWS that I need to delete. When I try to delete it in IAM it fails and has a popup with the ARNs of two resources that use this role. This brain-dead blog post shows me the steps to recreate the problem I'm having and tells me that I need to delete the resources that use the role I'm trying to delete. Duh.
I've tried searching the given ARNs in the IAM search window, but it doesn't find them.
Now that I have the ARNs, how can I delete them so I can delete this role?
There is no API that provide delete of any resource by any ARN. You need to use specific services for delete resources.
If you have ARNs - according to documentation - it will be 3rd part (by ":" character):
arn:partition:SERVICE:region:account-id... // SERVICE where your resource is present
For example - if you have that ARN:
arn:aws:ec2:us-east-1:1234567890:instance/i-12345678901234567
That indicates it's EC2 instance. You can delete it via AWS Console (UI) or by example using AWS CLI:
aws --region us-east-1 ec2 terminate-instances --instance-ids i-12345678901234567
EDIT
According to link you provided (brain-dead blog post) there are ARNs of Redshift clusters, so you can try delete them via AWS CLI using this command:
aws --region <REGION> redshift delete-cluster --cluster-identifier <CLUSTER ID>
Where REGION and CLUSTER ID you can obtain from ARNs.
If you want to delete them from UI (AWS Console) - don't forget change to proper region.
I am trying to attach an IAM role to multiple EC2 instances based on tags. Is there a module already available which I can use. I have been searching for a bit but couldn't find anything specific.
Attaching an IAM role to existing EC2 instances is a relatively new feature (announced in Feb 2017). There is no support for that in Ansible currently. If you AWS CLI 1.11.46 or higher installed, then you can use shell module to invoke the AWS CLI and achieve desired result.
See: New! Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI
I submitted a PR last year to add 2 AWS modules : boto3 and boto3_wait.
These 2 modules allow you to interact with AWS API using boto3.
For instance, you could attach a role to an existing EC2 instance by calling associate_iam_instance_profile method on EC2 service :
- name: Attach role MyRole
boto3:
service: ec2
region: us-east-1
operation: associate_iam_instance_profile
parameters:
IamInstanceProfile:
Name: MyRole
InstanceId: i-xxxxxxxxxx
Feel free to give the PR a thumbs-up if you like it! ;)
In addition to this, you can use AWS dynamic inventory to target instances by tag.
I would like to add an IAM Role to an existing EC2 instance in AWS. I tried using AWS CLI. However, I could not find a way to do that.
As of AWS CLI v1.11.46, which was released just yesterday (see the CHANGELOG file on GitHub), you can now attach an IAM role to an existing EC2 instance that was originally launched without an IAM role using the associate-iam-instance-profile command.
You can also replace the currently attached IAM role for a running instance using replace-iam-instance-profile-association.
For more details, see the following article on AWS Security Blog:
Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.
UPDATE
As of Feb 22, 2017, you can attach/replace an IAM role to an existing EC2 instance from the EC2 console as well. See this blog post for more details.
if you are getting "The association is not the active association" error when trying to attach a role to a existing EC2 instance then you should:
1. detach the existing role from the existing EC2 instance.
2. attach a new role to the existing EC2 instance.
once you do that, you will be able to attach a role to an existing EC2 instance.
The Roles must be assigned when an instance is first launched.
It is not possible to assign the Role after the launched.
I would recommend launching a new instance via the Launch More Like This console command. Please note this will create a new boot disk based on the same AMI, so any data you've saved will not be copied across. If you wish to save the data, you will need to create an AMI from the instance and launch the new instance from that AMI.
Update Feb 2017: It is now possible to add an IAM Role to an existing instance. This can be done via the AWS Command-Line Interface (CLI). Use the replace-iam-instance-profile-association command.
Well that's the harsh truth as of now. You can't associate an IAM role to an existing instance. I came to know that when I was trying System Server Manager service which required your EC2 instance to coomunicate with ssm api.
I think we have to wait some more time.
This feature was added Feb 9 2017. Note: the thing you are looking for is called an "Instance Profile". The policy describes the rights. That policy then gets added to a role and/or instance profile. I don't see any notes about specifically how to do it so I'll add as an answer.
Source document here
Specific instructions are below to conform with StackOverflow guidelines regarding link rot.
1) Create role
aws iam create-role --role-name YourNewRole --assume-role-policy-document file://YourNewRole-Trust-Policy.json
2) Attach policy to role
aws iam attach-role-policy --role-name YourNewRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
3) Create instance profile (this is what a role is called when attached to an instance)
aws iam create-instance-profile --instance-profile-name YourNewRole-Instance-Profile
4) Add role to instance profile
aws iam add-role-to-instance-profile --role-name YourNewRole --instance-profile-name YourNewRole-Instance-Profile
5) Attach instance profile to ec2 instance
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile