Can anyone of you please help me in identifying the issue with the CLI commands /JMESPATH queries in the Section - "What's Not Working? below
P.S. JSON output given below is valid and you can use the output to test the JMESPATH query part of it out on JMESPATH.org
What Works?
1) aws ec2 describe-security-groups --query SecurityGroups[?GroupId=='sg-0a26abc0a00000000'].IpPermissions[]
2) aws ec2 describe-security-groups --query SecurityGroups[?GroupId=='sg-0a26abc0a00000000'].IpPermissions[].FromPort
3) aws ec2 describe-security-groups --query SecurityGroups[?GroupId=='sg-0a26abc0a00000000'].IpPermissions[].IpProtocol
What's Not Working?
1) aws ec2 describe-security-groups --query SecurityGroups[?GroupId=='sg-0a26abc0a00000000'].IpPermissions[?IpProtocol=='tcp'].IpProtocol
2) aws ec2 describe-security-groups --query SecurityGroups[?GroupId=='sg-0a26abc0a00000000'].IpPermissions[?FromPort=='22'].FromPort
JSON OUTPUT
{
"SecurityGroups": [
{
"Description": "default VPC security group",
"GroupName": "default",
"IpPermissions": [
{
"IpProtocol": "-1",
"IpRanges": [],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": [
{
"GroupId": "sg-06d7c8d3300000000",
"UserId": "400000000000"
}
]
}
],
"OwnerId": "400000000000",
"GroupId": "sg-06d7c000000000000",
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-0d26c7ba200000000"
},
{
"Description": "BastionSG",
"GroupName": "BastionSG",
"IpPermissions": [
{
"FromPort": 22,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 22,
"UserIdGroupPairs": []
}
],
"OwnerId": "400000000000",
"GroupId": "sg-0a26abc0a00000000",
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-0d26c7ba200000000"
}
]
}
Expected/Actual Results
aws ec2 describe-security-groups --query SecurityGroups[?GroupId=='sg-0a26abc0a00000000'].IpPermissions[?IpProtocol=='tcp'].IpProtocol
Result
Expected - tcp, Actual - Returns no result
aws ec2 describe-security-groups --query SecurityGroups[?GroupId=='sg-0a26abc0a00000000'].IpPermissions[?FromPort=='22'].FromPort
Result
Expected - 22, Actual - Returns no result
Here are the ones I tried and got expected data back. Let me know if this works for you.
aws ec2 describe-security-groups --query 'SecurityGroups[?GroupId==`sg-xxxxxx`].[IpPermissions[?IpProtocol==`tcp`] | [0].IpProtocol]' --output text
//tcp
aws ec2 describe-security-groups --query 'SecurityGroups[?GroupId==`sg-xxxxxx`].[IpPermissions[?FromPort==`22`] | [0].FromPort]' --output text
//22
Note -
It is better surround your query within single quotes so CLI can properly parse the entire query.
You can fill conditions with backquote(`).
SecurityGroups[?GroupId=='sg-0a26abc0a00000000'].IpPermissions[] | [?IpProtocol=='tcp'].IpProtocol | [0]
SecurityGroups[?GroupId=='sg-0a26abc0a00000000'].IpPermissions[] | [?FromPort==`22`].FromPort | [0]
Or, quoted/adjusted for bash:
'SecurityGroups[?GroupId==`"sg-0a26abc0a00000000"`].IpPermissions[] | [?IpProtocol==`"tcp"`].IpProtocol | [0]'
'SecurityGroups[?GroupId==`"sg-0a26abc0a00000000`"].IpPermissions[] | [?FromPort==`22`].FromPort | [0]'
You'll notice the [] at the end of IpPermissions, which flattens the list. If you don't do this (or do SecurityGroups[?GroupId=='sg-0a26abc0a00000000'][]), the filter is applying to the top-level of the list, where IpPermissions doesn't exist.
Why this is true is not clear to me. It does seem wrong, because without the earlier filter the later filter applies to the sublist.
Related
When listing route tables, I want to show the subnet id of all those who has more than one route, which I couldn't get it right.
$ aws ec2 describe-route-tables --region us-west-2 --query 'RouteTables[*]'
[
{
"Associations": [
{
"Main": false,
"RouteTableAssociationId": "rtbassoc-0c6d59285cc28b997",
"RouteTableId": "rtb-0d56ac20552c39cb4",
"SubnetId": "subnet-029daed7c320c9cc0",
"AssociationState": {
"State": "associated"
}
}
],
"PropagatingVgws": [],
"RouteTableId": "rtb-0d56ac20552c39cb4",
"Routes": [
{
"DestinationCidrBlock": "10.96.110.0/23",
"GatewayId": "local",
"Origin": "CreateRouteTable",
"State": "active"
},
{
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": "igw-02fae1eda618a542d",
"Origin": "CreateRoute",
"State": "active"
}
],
I try something below but it fails.
$ aws ec2 describe-route-tables --region us-west-2 --query 'RouteTables[?Routes[].Size>1].Associations[*].SubnetId'
Bad value for --query RouteTables[?Routes[].Size > 1].Associations[*].SubnetId: invalid token: Parse error at column 29, token "1" (NUMBER), for expression:
"RouteTables[?Routes[].Size > 1].Associations[*].SubnetId"
^
I think the following should do what you are after:
RouteTables[?length(Routes[*]) > `1`].Associations[*].SubnetId
I've a lambda in VPC to access Amazon DocDB, but failed to access any resource in VPC. I've read the official guide for days still didn't fix this issue.
I checked all vpc configurations according to Official Guide but got no luck.
VPC is assigned when creating lambda.
Could anyone give me some help on the lambda configurations ? :)
def access_mongodb(event, context):
url = event.get('url')
if url:
db = event.get('db')
coll = event.get('collection')
query = event.get('query')
limit = int(event.get('limit'))
try:
with Mongo(url=url, db=db) as conn:
logger.info('Lambda Start query with Mongo')
for row in conn[coll].find(query).limit(limit):
logger.info(f'got row => {json.dumps(row, default=str)}')
except Exception as e:
logger.error(f'Got exception {e}')
else:
logger.info('Lambda End with out Mongo')
Errors:
Got exception No servers found yet, Timeout: 2.0s, Topology Description: <TopologyDescription id: 62b5186720247fb7d69a0765, topology_type: Single, servers: [<ServerDescription ('docdb-test.xxxx-southeast-1.docdb.amazonaws.com', 27017) server_type: Unknown, rtt: None>]>
Configurations:
aws lambda get-function-configuration --function-name hello_py3
{
"FunctionName": "hello_py3",
"FunctionArn": "arn:aws:lambda:ap-southeast-1:592017647781:function:hello_py3",
"Runtime": "python3.9",
"Role": "arn:aws:iam::592017647781:role/service-role/hello_py3-role-xh39m23g",
"Handler": "lambda_function.lambda_handler",
"CodeSize": 5701329,
"Description": "",
"Timeout": 10,
"MemorySize": 128,
"LastModified": "2022-06-24T01:26:48.000+0000",
"CodeSha256": "VLwda8fP2DM62/y4Ouy9/U3KpzvfSRWoH7ocCwl1G6g=",
"Version": "$LATEST",
"VpcConfig": {
"SubnetIds": [
"subnet-08dacd9b6970624aa",
"subnet-09f80e8227735f6cf",
"subnet-028392620db2f9753"
],
"SecurityGroupIds": [
"sg-0002ee69773ca6f9d"
],
"VpcId": "vpc-0eee2636f691ad96b"
},
"TracingConfig": {
"Mode": "PassThrough"
},
"RevisionId": "55af10eb-f777-4ba9-aea5-05a010ce7637",
"State": "Active",
"LastUpdateStatus": "Successful",
"PackageType": "Zip",
"Architectures": [
"x86_64"
],
"EphemeralStorage": {
"Size": 512
}
}
aws iam list-attached-role-policies --role-name hello_py3-role-xh39m23g
{
"AttachedPolicies": [
{
"PolicyName": "AWSLambdaVPCAccessExecutionRole-2400d95b-c83c-4fce-8e12-b1a8c5c4b503",
"PolicyArn": "arn:aws:iam::592017647781:policy/service-role/AWSLambdaVPCAccessExecutionRole-2400d95b-c83c-4fce-8e12-b1a8c5c4b503"
},
{
"PolicyName": "AWSLambdaBasicExecutionRole-a8dac45b-b9f1-4eab-8170-2c9b9f9358ce",
"PolicyArn": "arn:aws:iam::592017647781:policy/service-role/AWSLambdaBasicExecutionRole-a8dac45b-b9f1-4eab-8170-2c9b9f9358ce"
}
]
}
aws ec2 describe-vpcs --vpc-ids vpc-0eee2636f691ad96b
{
"Vpcs": [
{
"CidrBlock": "172.31.0.0/16",
"DhcpOptionsId": "dopt-0b9edd5b6deafa0db",
"State": "available",
"VpcId": "vpc-0eee2636f691ad96b",
"OwnerId": "592017647781",
"InstanceTenancy": "default",
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-0200675b36f061104",
"CidrBlock": "172.31.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"IsDefault": true
}
]
}
aws ec2 describe-security-groups --group-ids sg-0002ee69773ca6f9d
{
"SecurityGroups": [
{
"Description": "default VPC security group",
"GroupName": "default",
"IpPermissions": [
{
"FromPort": 80,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 80,
"UserIdGroupPairs": []
},
{
"IpProtocol": "-1",
"IpRanges": [],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": [
{
"GroupId": "sg-0047473f289f0ffd3",
"UserId": "592017647781"
},
{
"GroupId": "sg-031e0901b061eb92d",
"UserId": "592017647781"
},
{
"GroupId": "sg-03f39f48c7887e46b",
"UserId": "592017647781"
},
{
"GroupId": "sg-07d8dbe45e3e81e44",
"UserId": "592017647781"
}
]
}
],
"OwnerId": "592017647781",
"GroupId": "sg-0002ee69773ca6f9d",
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-0eee2636f691ad96b"
}
]
}
UPDATE:
I finally figure it out by applying ReachabilityAnalyzer, and it was proved to be my fault on confusing configuration items. This is a very helpful tool, guys have same issue can try to use this tool to help themselves out.
Thanks John for help.
You appear to be using a single Security Group for both the AWS Lambda function and the DocDB database. I think your Security Group is missing Outbound permissions, which be restricting traffic from the Lambda function.
The typical security setup would be:
A security group on the AWS Lambda function (Lambda-SG) that permits all Outbound access
A security group on the DocDB (DB-SG) that permits Inbound access from Lambda-SG on port 27017
Could you please check the connection from the lambda subnet to documentdb subnet and there sg & nacl just to confirm that lambda can connect to the documentdb using port 27017.
Thanks,
Chinmoy Layek
I'm looking for a way to understand if we are making use of a specific VPC
The easy way is to review resources 1-by-1 like:
EC2 Machines
RDS
Client-VPN-Endpoint
Other resources - What else do I need to check?
And check manually.
is there another way to determine what is relying on a specific VPC before I'll delete it?
You can do it in two ways: AWS CLI or AWS console.
AWS CLI
You can use AWS CLI to list all ENIs associated with the VPC and prettify the output using the --query parameter to get a resource list with the desired fields (AZ, instance-id, etc.).
`aws ec2 describe-network-interfaces --filters Name=vpc-id,Values=<vpc-id> --query 'NetworkInterfaces[*].[AvailabilityZone, OwnerId, Attachment.InstanceId, PrivateIpAddresses[*].Association.PublicIp]'
`aws ec2 describe-network-interfaces --filters Name=vpc-id,Values=<vpc-id> --query 'NetworkInterfaces[*].[RequesterId,Description]'
A sample of the raw output (only one instance on the VPC):
"NetworkInterfaces": [
{
"Association": {
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-54-196-57-169.compute-1.amazonaws.com",
"PublicIp": "54.196.57.169"
},
"Attachment": {
"AttachTime": "2020-08-24T10:59:16+00:00",
"AttachmentId": "eni-attach-047e562690aabbffd",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"InstanceId": "i-0fe495a6c17bd0f82",
"InstanceOwnerId": "570398916848",
"Status": "attached"
},
"AvailabilityZone": "us-east-1d",
"Description": "",
"Groups": [
{
"GroupName": "launch-wizard-1",
"GroupId": "sg-0aa7d8257bb487e1b"
}
],
"InterfaceType": "interface",
"Ipv6Addresses": [],
"MacAddress": "0e:58:38:33:9a:31",
"NetworkInterfaceId": "eni-0b20855178d276783",
"OwnerId": "570398916848",
"PrivateDnsName": "ip-172-31-34-30.ec2.internal",
"PrivateIpAddress": "172.31.34.30",
"PrivateIpAddresses": [
{
"Association": {
"IpOwnerId": "amazon",
"PublicDnsName": "ec2-54-196-57-169.compute-1.amazonaws.com",
"PublicIp": "54.196.57.169"
},
"Primary": true,
"PrivateDnsName": "ip-172-31-34-30.ec2.internal",
"PrivateIpAddress": "172.31.34.30"
}
],
"RequesterManaged": false,
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-e2bc5fbd",
"TagSet": [],
"VpcId": "vpc-6ad2e110"
}
]
And now filtered:
For the first --query
[
"us-east-1d",
"57039816848",
"i-0fe495a6c17bd0f82",
[
"44.196.57.169"
]
]
And for the second --query (another VPC):
[
"amazon-elasticache",
"ElastiCache alon-001"
],
[
"amazon-elasticache",
"ElastiCache alon-002"
],
[
"975289786086",
"arn:aws:ecs:us-east-2:57039916848:attachment/22a90802-fae7-4afb-9a7e-43e6f4be8ca4"
],
[
"074689309192",
"Interface for NAT Gateway nat-069344579d8bda20"
],
[
"amazon-elb",
"ELB app/EC2Co-EcsEl-YX74WCWEGOK/0b6d7bc60b540b1"
],
[
"amazon-elb",
"ELB app/EC2Co-EcsEl-YX74WCWGGOK/0b6bd7c60b540b1"
],
[
"amazon-elasticache",
"ElastiCache alon-003"
]
AWS Console
You can do the same using the AWS console.
Under EC2->Network Interfaces, search for the desired vpc-id in the search bar.
Trying to set up a vanilla AWS RDS Aurora Serverless instance.
For now, I just want to connect to it directly from my PC as a sanity check, but I'm unable to do so. Every time I connect via $ mysql, it hands for a few minutes. Then I get:
$ mysql -h <MY-DATABASE>.cluster-deadbeef.us-west-1.rds.amazonaws.com -P 3306 -u admin -p
ERROR 2003 (HY000): Can't connect to MySQL server on '<MY-DATABASE>.cluster-deadbeef.us-west-1.rds.amazonaws.com' (60)
(nc also just times out)
Looks like there's a network connectivity I've made somewhere, but I'm not sure where.
Here's the entire setup (think I've included everything relevant?):
Database Instance:
$ aws rds describe-db-clusters --output json | jq '.DBClusters[0] | {AvailabilityZones, DBSubnetGroup, VpcSecurityGroups}'
{
"AvailabilityZones": [
"us-west-1c",
"us-west-1b"
],
"DBSubnetGroup": "default-vpc-0165fd69fae5d2569",
"VpcSecurityGroups": [
{
"VpcSecurityGroupId": "sg-051e6ad0fe8837a56",
"Status": "active"
}
]
}
VPC:
$ aws ec2 describe-vpcs --output json | jq '.Vpcs[0] | {VpcId, CidrBlock, CidrBlockAssociationSet}'
{
"VpcId": "vpc-0165fd69fae5d2569",
"CidrBlock": "10.0.0.0/16",
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-0fe35851049a94f32",
"CidrBlock": "10.0.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
]
}
VPC Subnets:
$ aws ec2 describe-subnets --output json | jq '.Subnets[] | {AvailabilityZone,AvailabilityZoneId,CidrBlock,VpcId}'
{
"AvailabilityZone": "us-west-1c",
"AvailabilityZoneId": "usw1-az1",
"CidrBlock": "10.0.1.0/24",
"VpcId": "vpc-0165fd69fae5d2569"
}
{
"AvailabilityZone": "us-west-1b",
"AvailabilityZoneId": "usw1-az3",
"CidrBlock": "10.0.0.0/24",
"VpcId": "vpc-0165fd69fae5d2569"
}
Security Group:
Yes this is totally wide open for now, still can't connect :(
$ aws ec2 describe-security-groups --output json | jq '.SecurityGroups[]'
{
"IpPermissions": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [
{
"CidrIpv6": "::/0"
}
],
"PrefixListIds": [],
"UserIdGroupPairs": [
{
"GroupId": "sg-051e6ad0fe8837a56",
}
]
},
{
"FromPort": 3306,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [
{
"CidrIpv6": "::/0"
}
],
"PrefixListIds": [],
"ToPort": 3306,
"UserIdGroupPairs": []
}
],
"GroupId": "sg-051e6ad0fe8837a56",
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-0165fd69fae5d2569"
}
Route Table:
$ aws ec2 describe-route-tables --output json | jq '.RouteTables[]'
{
"Associations": [
{
"Main": true,
"RouteTableAssociationId": "rtbassoc-0aebc4a882b0cd2a5",
"RouteTableId": "rtb-0ce6ee26652736941",
"AssociationState": {
"State": "associated"
}
},
{
"Main": false,
"RouteTableAssociationId": "rtbassoc-047d54469da606a50",
"RouteTableId": "rtb-0ce6ee26652736941",
"SubnetId": "subnet-0744475e288c0424c",
"AssociationState": {
"State": "associated"
}
},
{
"Main": false,
"RouteTableAssociationId": "rtbassoc-08c5ea54642014c95",
"RouteTableId": "rtb-0ce6ee26652736941",
"SubnetId": "subnet-0b9c99ff38b860725",
"AssociationState": {
"State": "associated"
}
}
],
"RouteTableId": "rtb-0ce6ee26652736941",
"Routes": [
{
"DestinationCidrBlock": "10.0.0.0/16",
"GatewayId": "local",
"Origin": "CreateRouteTable",
"State": "active"
},
{
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": "igw-0f8ad7dfe1eaa0c67",
"Origin": "CreateRoute",
"State": "active"
}
],
"VpcId": "vpc-0165fd69fae5d2569",
}
What am I missing?
thanks!!
For now, I just want to connect to it directly from my PC
You can not access serverless-DB from your local system, it is only accessible with-in AWS network.
You can configure ssh-tunnel through your EC2 instance to access serverless DB or use VPN that is running in the same VPC.
Because Aurora Serverless DB clusters do not have publically accessible endpoints, your MyClusterName can only be accessed from within the same VPC.
configure-connect-serverless-mysql-database-aurora
I need to find the load balancer that a given EC2 instance is attached to using the AWS CLI. I have a working solution that uses jq, however I would like to avoid installing jq as a dependency and write the query in JMESPath if possible. I am stuck on the query format of the JMESPath expression.
I found this question: Filter LoadBalancer By VPC ID, which is exactly what I'm trying to do except filter by instance ID, instead of VPC ID . I think the problem is that the instance ids are in an array.
Working solution with jq:
aws elb describe-load-balancers | jq -r '.LoadBalancerDescriptions[] | select(.Instances[].InstanceId == "i-12345678") | .LoadBalancerName
What I'm trying with JMESPath:
aws elb describe-load-balancers --query "LoadBalancerDescriptions[?Instances[].InstanceId=='i-12345678'] | [].LoadBalancerName"
I feel like I am very close but missing something fundamental.
Example JSON ouput of the describe-load-balancers command from AWS documentation:
{
"LoadBalancerDescriptions": [
{
"Subnets": [
"subnet-15aaab61"
],
"CanonicalHostedZoneNameID": "Z3DZXE0EXAMPLE",
"CanonicalHostedZoneName": "my-load-balancer-1234567890.us-west-2.elb.amazonaws.com",
"ListenerDescriptions": [
{
"Listener": {
"InstancePort": 80,
"LoadBalancerPort": 80,
"Protocol": "HTTP",
"InstanceProtocol": "HTTP"
},
"PolicyNames": []
},
{
"Listener": {
"InstancePort": 443,
"SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-cert",
"LoadBalancerPort": 443,
"Protocol": "HTTPS",
"InstanceProtocol": "HTTPS"
},
"PolicyNames": [
"ELBSecurityPolicy-2015-03"
]
}
],
"HealthCheck": {
"HealthyThreshold": 2,
"Interval": 30,
"Target": "HTTP:80/png",
"Timeout": 3,
"UnhealthyThreshold": 2
},
"VPCId": "vpc-a01106c2",
"BackendServerDescriptions": [
{
"InstancePort": 80,
"PolicyNames": [
"my-ProxyProtocol-policy"
]
}
],
"Instances": [
{
"InstanceId": "i-207d9717"
},
{
"InstanceId": "i-afefb49b"
}
],
"DNSName": "my-load-balancer-1234567890.us-west-2.elb.amazonaws.com",
"SecurityGroups": [
"sg-a61988c3"
],
"Policies": {
"LBCookieStickinessPolicies": [
{
"PolicyName": "my-duration-cookie-policy",
"CookieExpirationPeriod": 60
}
],
"AppCookieStickinessPolicies": [],
"OtherPolicies": [
"my-PublicKey-policy",
"my-authentication-policy",
"my-SSLNegotiation-policy",
"my-ProxyProtocol-policy",
"ELBSecurityPolicy-2015-03"
]
},
"LoadBalancerName": "my-load-balancer",
"CreatedTime": "2015-03-19T03:24:02.650Z",
"AvailabilityZones": [
"us-west-2a"
],
"Scheme": "internet-facing",
"SourceSecurityGroup": {
"OwnerAlias": "123456789012",
"GroupName": "my-elb-sg"
}
}
]
}
aws elb describe-load-balancers --query LoadBalancerDescriptions[?Instances[0].InstanceId==`i-55555555`].LoadBalancerName
Since Instances is an array, you should make use of the contains function to search for your instance id.
aws elb describe-load-balancers --query LoadBalancerDescriptions[?contains(Instances[*].InstanceId,`i-12345678`)].LoadBalancerName
Use LoadBalancerDescriptions[?Instances[*].InstanceId==`i-55555555`] to iterate through the instances.
LoadBalancerDescriptions[?Instances[0].InstanceId==`i-55555555`] will only use the first element in the array.