Using Temporary Security Credentials with the AWS CLI - amazon-web-services

I wanted to generate temporary credentials in AWS CLI, I know the below command should be used.
$ aws sts assume-role --role-arn arn:aws:iam::123456789012:role/role-name --role-session-name "RoleSession1" --profile IAM-user-name > assume-role-output.txt
I also have with me access key and secret key with me.
I also ran aws sts get-caller-identity and got:
{
"Account": "12345",
"UserId": "AIXXXXXXXNUNHY",
"Arn": "arn:aws:iam::12345:user/dcp/ua.166666654"
}
But I am not understanding what are the values I should substitute in the above command to get temporary credentials.

Your call to assume-role will return information similar to:
{
"AssumedRoleUser": {
"AssumedRoleId": "AROAxx:RoleSession1",
"Arn": "arn:aws:sts::123456789012:assumed-role/role/role-name"
},
"Credentials": {
"SecretAccessKey": "xxx",
"SessionToken": "xxx",
"Expiration": "2018-11-13T07:50:29Z",
"AccessKeyId": "ASIAxxx"
}
}
Then, run:
aws configure --profile RoleSession1
and enter the details provided by assume-role (Access Key, Secret Key, Token).
This will store new credentials in the .aws/credentials file under a [RoleSession1] heading.
To use these credentials, specify the profile that you just defined:
aws s3 ls --profile RoleSession1

Related

"eksctl create cluster" command is not working

When executing this command,I get this error:
C:\WINDOWS\system32>eksctl create cluster --name eksctl-demo --profile myAdmin2
Error: checking AWS STS access – cannot get role ARN for current session: operation error STS: GetCallerIdentity, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: i/o timeout
myAdmin2 IAM users credientials are set up as follows:
Credentials file:
[myAdmin2]
aws_access_key_id = ******************
aws_secret_access_key = ********************
config file:
[profile myAdmin2]
region = us-east-2
output = json
myAdmin2 has access to the console:
C:\WINDOWS\system32>aws iam list-users --profile myAdmin2
{
"Users": [
{
"Path": "/",
"UserName": "myAdmin",
"UserId": "AIDAYYPFV776ELVEJ5ZVQ",
"Arn": "arn:aws:iam::602313981948:user/myAdmin",
"CreateDate": "2022-09-30T19:08:08+00:00"
},
{
"Path": "/",
"UserName": "myAdmin2",
"UserId": "AIDAYYPFV776LEDK2PCCI",
"Arn": "arn:aws:iam::602313981948:user/myAdmin2",
"CreateDate": "2022-09-30T21:39:33+00:00"
}
]
}
I had problems working with myAdmin that's why I created a new IAM user called myAdmin2.
myAdmin2 is granted AdministratorAccess permission:
As shown in this image
aws cli version installed:
C:\WINDOWS\system32>aws --version
aws-cli/2.7.35 Python/3.9.11 Windows/10 exe/AMD64 prompt/off
My Env variables:
C:\WINDOWS\system32>set
AWS_ACCESS_KEY_ID= ***********the same as I have in credentials file
AWS_CONFIG_FILE=~/.aws/config
AWS_DEFAULT_PROFILE=myAdmin2
AWS_DEFAULT_REGION=us-east-2
AWS_PROFILE=myAdmin2
AWS_SECRET_ACCESS_KEY=****************the same as I have in credentials file
AWS_SHARED_CREDENTIALS_FILE=~/.aws/credentials
I think those are all the necessary things I have to mention. If someone can help, please. I can't move on with this error!!
It worked finally! everything was well configured, I just had to reboot my laptop and it resolved the issue!

AWS cognito: Invalid login token error with cognito-identity pools

I am trying to understand the authentication flow for aws cognito-userpools and cognito-identitypools. I am hitting an error when trying to invoke aws cognito-identity get-id command as below:
I was able to successfully authenticate with the cognito-idp
> aws cognito-idp initiate-auth --client-id 8ik2s2uk8d9ekh7k3s1hstlgt --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=testuser#xxx.com,PASSWORD=Pxxx1 --profile dev1
{
"ChallengeParameters": {},
"AuthenticationResult": {
"AccessToken": "eyJraWQi..OiJSUzI1NiJ9.eyJvcmln...MOssACEgAsP-..A",
"ExpiresIn": 3600,
"TokenType": "Bearer",
"RefreshToken": "eyJj...IuxVj4Vv3EykM1ItEZkpSA",
"IdToken": "e..QCw"
}
}
After that trying to generate a Cognito ID, see an error.
aws cognito-identity get-id --identity-pool-id us-west-2:7exxx27-fxx4-4xxb-bc7c-1107c054e6de --login IdToken=eyJ.....Q3g4TDQ9IiwiYWxnIjoiUlMy
An error occurred (NotAuthorizedException) when calling the GetId operation: Invalid login token. Issuer doesn't match providerName
My end goal is to get the temporary credentials invoking the aws cognito-identity get-credentials-for-identity. However hitting another error with that.
> aws cognito-identity get-credentials-for-identity --identity-id "us-west-2:7ee6b627-f894-4b3b-bc7c-1107c054e6de" --profile dev1 --region us-west-2.
An error occurred (ResourceNotFoundException) when calling the GetCredentialsForIdentity operation: Identity 'us-west-2:7ee6b627-f894-4b3b-bc7c-1107c054e6de' not found.
Not sure how to progress here, any help would be appreciated.
Ok, I realized what I was doing wrong. Am able to get the complete auth flow working.
Initiate Authentication (cognito-idp)
~> aws cognito-idp initiate-auth \
--client-id 8ik2sxxxxh7k3s1hstlgt \
--auth-flow USER_PASSWORD_AUTH \
--auth-parameters USERNAME=bxxxur#wxxxxxx.com,PASSWORD=Pxxx1 --profile dev1
{
"ChallengeParameters": {},
"AuthenticationResult": {
"AccessToken": "whYhsUITzQQ3eBXAwI6VX7Gi7Dmv2eP3T1w",
"ExpiresIn": 3600,
"TokenType": "Bearer",
"RefreshToken": "RwrB-FIu6ZaQkv3AP_htR9QhD.hHZoXervix8HcvMnyi8oVw",
"IdToken": "Ngf2ZbCZZ-FJwY-7ptPGpKMdA7NjjYVX8hM7DA"
}
}
Get cognito pool ID
%~> aws cognito-identity get-id \
--identity-pool-id us-west-2:7ee6b627-f894-4b3b-bc7c-1107c054e6de \
--login cognito-idp.us-west-2.amazonaws.com/us-west-
2_BLcbQ9DHK=eyJraWQiOiJlMF.....Z20mCsfhv4RHy0GSdJxLvZkZ-
w10Gloz8cApb71QrvxY2vPvqq0klDvWzeA
{
"IdentityId": "us-west-2:bbc7f768-1a17-4c02-8f48-56d2e84c3947"
}
Get credentials for identity
~> aws cognito-identity get-credentials-for-identity \
--identity-id us-west-2:bbc7f768-1a17-4c02-8f48-56d2e84c3947 \
--login cognito-idp.us-west-2.amazonaws.com/us-west-
2_BLcbQ9DHK=eyJraWQ......sj5bOd3hu824g --profile dev1
{
"IdentityId": "us-west-2:bbc7f768-1a17-4c02-8f48-56d2e84c3947",
"Credentials": {
"AccessKeyId": "AS....O57QPE",
"SecretKey": "f....CJsfDV5Y2jW",
"SessionToken":"IQWvwc.......BDXm+5khWB5m/NWYUbf7leZ/Sk2f2y4Le",
"Expiration": 1641857034.0
}
}

I wan't to create presigned url post, but always failed

thanks for greate packages!
I have problem when i create development with localstack using S3 service to create presignedurl post.
I have run localstack with SERVICES=s3 DEBUG=1 S3_SKIP_SIGNATURE_VALIDATION=1 localstack start
I have settings AWS_ACCESS_KEY_ID=test AWS_SECRET_ACCESS_KEY=test AWS_DEFAULT_REGION=us-east-1 AWS_ENDPOINT_URL=http://localhost:4566 S3_Bucket=my-bucket
I make sure have the bucket
> awslocal s3api list-buckets
{
"Buckets": [
{
"Name": "my-bucket",
"CreationDate": "2021-11-16T08:43:23+00:00"
}
],
"Owner": {
"DisplayName": "webfile",
"ID": "bcaf1ffd86f41161ca5fb16fd081034f"
}
}
I try create presigned url, and running in console with this
s3_client_sync.create_presigned_post(bucket_name=settings.S3_Bucket, object_name="application/test.png", fields={"Content-Type": "image/png"}, conditions=[["Expires", 3600]])
and have return like this
{'url': 'http://localhost:4566/kredivo-thailand',
'fields': {'Content-Type': 'image/png',
'key': 'application/test.png',
'AWSAccessKeyId': 'test',
'policy': 'eyJleHBpcmF0aW9uIjogIjIwMjEtMTEtMTZUMTE6Mzk6MjNaIiwgImNvbmRpdGlvbnMiOiBbWyJFeHBpcmVzIiwgMzYwMF0sIHsiYnVja2V0IjogImtyZWRpdm8tdGhhaWxhbmQifSwgeyJrZXkiOiAiYXBwbGljYXRpb24vdGVzdC5wbmcifV19',
'signature': 'LfFelidjG+aaTOMxHL3fRPCw/xM='}}
And i test using insomnia
and i have read log in localstack
2021-11-16T10:54:04:DEBUG:localstack.services.s3.s3_utils: Received presign S3 URL: http://localhost:4566/my-bucket/application/test.png?AWSAccessKeyId=test&Policy=eyJleHBpcmF0aW9uIjogIjIwMjEtMTEtMTZUMTE6Mzk6MjNaIiwgImNvbmRpdGlvbnMiOiBbWyJFeHBpcmVzIiwgMzYwMF0sIHsiYnVja2V0IjogImtyZWRpdm8tdGhhaWxhbmQifSwgeyJrZXkiOiAiYXBwbGljYXRpb24vdGVzdC5wbmcifV19&Signature=LfFelidjG%2BaaTOMxHL3fRPCw%2FxM%3D&Expires=3600
2021-11-16T10:54:04:WARNING:localstack.services.s3.s3_utils: Signatures do not match, but not raising an error, as S3_SKIP_SIGNATURE_VALIDATION=1
2021-11-16T10:54:04:INFO:localstack.services.s3.s3_utils: Presign signature calculation failed: <Response [403]>
what i missing, so i cannot create the presignedurl post ?
The problem is with your AWS configuration -
AWS_ACCESS_KEY_ID=test // Should be an Actual access Key for the IAM user
AWS_SECRET_ACCESS_KEY=test // Should be an Actual Secret Key for the IAM user
AWS_DEFAULT_REGION=us-east-1
AWS_ENDPOINT_URL=http://localhost:4566 // Endpoint seems wrong
S3_Bucket=my-bucket // Actual Bucket Name in AWS S3 console
For more information, try to read here and setup your environment with correct AWS credentials - Setup AWS Credentials

aws get an embedded dashboard url

I'm trying to use the cli to retrieve an embedded quicksight dashboard url.
However, I keep getting the error QuickSightUserNotFoundException.
I was following this guide to retrieve the url link.
The steps:
aws sts assume-role --role-arn "<ARN>" --role-session-name testsession
which returns
{
"Credentials": {
"AccessKeyId": "<KEY>",
"SecretAccessKey": "<KEY>",
"SessionToken": "<TOKEN>",
"Expiration": "2019-07-04T04:54:21Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "<ID>:testsession",
"Arn": "<ARN>/testsession"
}
}
Then I execute
aws quicksight get-dashboard-embed-url --aws-account-id <ID> --dashboard-id <ID> --identity-type IAM
which returns the error
An error occurred (QuickSightUserNotFoundException) when calling the GetDashboardEmbedUrl operation: Could not find user information in QuickSight
Assuming now that the user is not part of QuickSight, I execute the command below to add the user
aws quicksight register-user --aws-account-id <ID> --namespace default --identity-type IAM --iam-arn "<ARN>" --user-role READER --session-name "testsession" --email user123#example.com --region us-east-1
which returns
{
"Status": 201,
"User": {
"Arn": "<ARN>/testsession",
"UserName": "<NAME>/testsession",
"Email": "user123#example.com",
"Role": "READER",
"Active": false,
"PrincipalId": "<ID>"
},
"RequestId": "<ID>"
}
Now trying the get url from before again I still get the same error...
Did you create a Policy for the QuickSight user and attach it to the same?
You can check which user is allowed on QuickSight by running the following command:
aws quicksight list-users --aws-account-id <account-id> --namespace default --region <region-name>
This will list all the users who are allowed to use and access your QuickSight instance.
Also, check this latest blog about embedding the QuickSight Analytics:
https://aws.amazon.com/blogs/big-data/embed-multi-tenant-analytics-in-applications-with-amazon-quicksight/

How to generate access token for an AWS Cognito user?

I' using Cognito user pool for securing my API gateway . Now I would like to make requests to my API using postman but I need to pass in Authorization token as the API is secured. Is there any AWS CLI command or REST API to generate auth tokens(by passing username/password)? I have searched documentation but couldn't find any examples. Thanks for your help.
You can do this using the following CLI commands:
Register a user
aws cognito-idp sign-up --region {your-aws-region} --client-id {your-client-id} --username admin#example.com --password password123
Confirm user registration
aws cognito-idp admin-confirm-sign-up --region {your-aws-region} --user-pool-id {your-user-pool-id} --username admin#example.com
Authenticate (get tokens)
aws cognito-idp admin-initiate-auth --region {your-aws-region} --cli-input-json file://auth.json
Where auth.json is:
{
"UserPoolId": "{your-user-pool-id}",
"ClientId": "{your-client-id}",
"AuthFlow": "ADMIN_NO_SRP_AUTH",
"AuthParameters": {
"USERNAME": "admin#example.com",
"PASSWORD": "password123"
}
}
You should get a response like this if everything is set up correctly:
{
"AuthenticationResult": {
"ExpiresIn": 3600,
"IdToken": "{your-idtoken}",
"RefreshToken": "{your-refresh-token}",
"TokenType": "Bearer",
"AccessToken": "{your-access-token}"
},
"ChallengeParameters": {}
}
Use the following command to generate the auth tokens, fill in the xxxx appropriately based on your cognito configuration,
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id xxxx --auth-parameters USERNAME=xx#xx.com,PASSWORD=xxxx
Note: You can use any one username or password under applicable cognito user pool.
The client can be found under general settings--> app client
The AccessKeyId and SecretAccessKey is not required as it already defined while setting up the aws cli. If not done use the following link to set that up first
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
There is an AWS CLI command to generate Auth Tokens. You can use InitiateAuth CLI Command for this.
Note: Make sure you have done the UserPool configuration matching the expected tokens.