I have lambda function for auto Ami backup is possible to execute lambda across the region for take automatic backup of all my EC2 working on account.
One lambda function execution for all ec2 across region
var aws = require('aws-sdk');
aws.config.region = 'us-east-1','ap-south-1','eu-central-1';
var ec2 = new aws.EC2();
var now = new Date();
date = now.toISOString().substring(0, 10)
hours = now.getHours()
minutes = now.getMinutes()
exports.handler = function(event, context) {
var instanceparams = {
Filters: [{
Name: 'tag:Backup',
Values: [
'yes'
]
}]
}
ec2.describeInstances(instanceparams, function(err, data) {
if (err) console.log(err, err.stack);
else {
for (var i in data.Reservations) {
for (var j in data.Reservations[i].Instances) {
instanceid = data.Reservations[i].Instances[j].InstanceId;
nametag = data.Reservations[i].Instances[j].Tags
for (var k in data.Reservations[i].Instances[j].Tags) {
if (data.Reservations[i].Instances[j].Tags[k].Key == 'Name') {
name = data.Reservations[i].Instances[j].Tags[k].Value;
}
}
console.log("Creating AMIs of the Instance: ", name);
var imageparams = {
InstanceId: instanceid,
Name: name + "_" + date + "_" + hours + "-" + minutes,
NoReboot: true
}
ec2.createImage(imageparams, function(err, data) {
if (err) console.log(err, err.stack);
else {
image = data.ImageId;
console.log(image);
var tagparams = {
Resources: [image],
Tags: [{
Key: 'DeleteOn',
Value: 'yes'
}]
};
ec2.createTags(tagparams, function(err, data) {
if (err) console.log(err, err.stack);
else console.log("Tags added to the created AMIs");
});
}
});
}
}
}
});
}
where aws.config.region is for region config..it's working for current(in which lambda deploy) region
This line:
var ec2 = new aws.EC2();
connects to the Amazon EC2 service in the region where the Lambda function is running.
You can modify it to connect to another region:
var ec2 = new AWS.EC2({apiVersion: '2006-03-01', region: 'us-west-2'});
Thus, your program could loop through a list of regions (from ec2.describeRegions), creating a new EC2 client for the given region, then running the code you already have.
See: Setting the AWS Region - AWS SDK for JavaScript
In your Lambda Role, you need to add a policy which gives the Lambda function necessary permissions to access the EC2 on different accounts, typically you can add ARN's of EC2 instances you wan't access to or you can specify "*" which gives permissions to all instances.
Also on other accounts where EC2 instances are running you need to add IAM policy which gives access to your Lambda Role, note that you need to provide Lambda role ARN,
In this way your Lambda role will have policy to access EC2 and cross account EC2 will have policy which grant's access to Lambda role.
Without this in place you might need to do heavy lifting of configuring IP's of each EC2 in each account.
Yes and you also need to point EC2 object to a region where the instance is running,
Any code (including a Lambda function) can create a client that connects to a different region.
Related
Hi have requirement where credential needs to be stored in SSM Param store and will be read by Lambda function which sits inside an VPC, and all the subnets inside my VPC is public subnet.
So when I am calling SSM Param store using below code I am getting timed out error.
const AWS = require('aws-sdk');
AWS.config.update({
region: 'us-east-1'
})
const parameterStore = new AWS.SSM();
exports.handler = async (event, context, callback) => {
console.log('calling param store');
const param = await getParam('/my/param/name')
console.log('param : ',param);
//Send API Response
return {
statusCode: '200',
body: JSON.stringify('able to connect to param store'),
headers: {
'Content-Type': 'application/json',
},
};
};
const getParam = param => {
return new Promise((res, rej) => {
parameterStore.getParameter({
Name: param
}, (err, data) => {
if (err) {
return rej(err)
}
return res(data)
})
})
}
So I created vpc endpoint for Secrets Manager which has with Private DNS name enabled.
Still I am getting timed out error for above code.
Do I need change Lambda code to specify Private DNS Endpoint in Lambda function
Below Image contains outbound rule for subnet NACL
Below Image contains outbound rule for Security Group
I managed to fix this issue. The root cause of this problem was all the subnets were public subnet. Since VPC endpoints are accessed privately without internet hence the subnets associated with Lambda function should be private subnet.
Here are the below steps I have take to fix this issue
Created a NAT Gateway in side VPC and assigned one elastic IP to it
Created new route table and pointed all the traffics to NAT gateway created in steps 1
Attached new route table to couple of subnets (which made them private)
then attached only private subnets to Lambda function
Other than this IAM role associated with Lambda function should have below 2 policy to access SSM Param store
AmazonSSMReadOnlyAccess
AWSLambdaVPCAccessExecutionRole
Trying to upload pictures to S3 from lambda. I get a return code of 200 when uploading the picture from my phone but the image is never uploaded to the bucket? Is it something to do with a bucket policy? The lambda function :
const AWS = require('aws-sdk');
AWS.config.update({
region: 'us-west-2'
})
const s3 = new AWS.S3();
exports.handler = async (event, context, callback) => {
AWS.config.update({region: 'us-west-2'});
// var buf = Buffer.from(event.picture.imageBinary.replace(/^data:image\/\w+;base64,/, ""),'base64')
let encodedImage =JSON.parse(event.picture);
let decodedImage = Buffer.from(encodedImage, 'base64');
var filePath = "avatars/" + event.userid + ".jpg"
var params = {
Body: decodedImage,
Bucket: 'testpictures-1',
Key: filePath,
ContentEncoding: 'base64',
ContentType: 'image/jpeg'
};
s3.putObject(params, function(err, data) {
if (err){ console.log(err, err.stack);} // an error occurred
else {console.log(data);} // successful response
});
};
Because you are trying to invoke the Amazon S3 Service from a Lambda function, you must ensure that the IAM role associated with the Lambda function has the correct S3 policies. If the IAM role does not have the policies related to an AWS Service , then you cannot successfully invoke the AWS Service from a Lambda function. Here is an AWS tutorial (implemented in Java) that discusses this point.
https://github.com/awsdocs/aws-doc-sdk-examples/tree/master/javav2/usecases/creating_scheduled_events
I would like to create a new api key from lambda. I have usage plan with my Gateway API, created with CF like:
MyApi:
Type: AWS::Serverless::Api
Properties:
Auth:
UsagePlan:
UsagePlanName: MyUsagePlan
CreateUsagePlan: PER_API
...
...
Using this as a reference https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/APIGateway.html
I guess the process in the lambda should be like this:
- createApiKey
- getUsagePlan
- createUsagePlanKey
In the lambda, I have MyApi id and I'm trying to fetch the api:
var apiGateway = new AWS.APIGateway({region: region});
const restApi = await new Promise((resolve, reject) => {
apiGateway.getRestApi({restApiId: MYAPI_ID}, function(err, data) {
if (err) {
console.log('getRestApi err', err, err.stack);
reject(err);
} else {
console.log('getRestApi', data);
resolve(data);
}
});
});
But this gets timed out by my lambda.
If I try to input values manually, it gets timed out as well:
const keyParams = {
keyId: 'xxxxxxxx',
keyType: 'API_KEY',
usagePlanId: 'yyyyyyyy'
};
const apiKey = await new Promise((resolve, reject) => {
apiGateway.createUsagePlanKey(keyParams, function (err, data) {
if (err) {
console.log('createUsagePlanKey err', err, err.stack);
reject(err);
} else {
console.log('createUsagePlanKey', data);
resolve(data);
}
});
});
Why do every function call to api get timed out and nothing gets printed in console.log? Is my approach ok or how should I create the new api key for a user?
Edited: Timeout for lambdas is 10 seconds and they run in VPC
It sounds like you probably haven't configured your VPC to allow your Lambda function to access resources (like the AWS API) that exist outside the VPC. First, is it really necessary to run the function inside a VPC? If not then removing it from the VPC should fix the issue.
If it is necessary to run the function in a VPC, then you will need to place your Lambda function inside a private subnet with a route to a NAT Gateway, or configure a VPC endpoint for the AWS services it needs to access.
The code below works when I have added the AWS IAM role "AdministratorAccess" - But it is risky and a bit of overkill... But how do I know and find only the necessary role(s)...It is very confusing and hard to know by when I look at all the possible roles in the console?
try {
// Load the AWS SDK for Node.js
var AWS = require('aws-sdk');
// Set the region
AWS.config.update({region: 'us-east-2'});
var instanceParams = {
ImageId: 'ami-xxxxxxxxxxxx',
InstanceType: 't2.micro',
KeyName: 'xxxxxxxxxx',
SecurityGroups: ['xxxxxxxxxxxxxxx'],
MinCount: 1,
MaxCount: 1
};
// Create a promise on an EC2 service object
var instancePromise = new AWS.EC2({apiVersion: '2016-11-15'}).runInstances(instanceParams).promise();
// Handle promise's fulfilled/rejected states
instancePromise.then(
function (data) {
console.log(data);
var instanceId = data.Instances[0].InstanceId;
console.log("Created instance", instanceId);
// Add tags to the instance
var tagParams = {
Resources: [instanceId], Tags: [
{
Key: 'Name',
Value: 'SDK Sample'
}
]
};
// Create a promise on an EC2 service object
var tagPromise = new AWS.EC2({apiVersion: '2016-11-15'}).createTags(tagParams).promise();
// Handle promise's fulfilled/rejected states
tagPromise.then(
function (data) {
console.log("Instance tagged");
}).catch(
function (err) {
console.error(err, err.stack);
});
}).catch(
function (err) {
console.error(err, err.stack);
});
}
catch(e){
wl.info('Error: ' + e);
}
Firstly you can see the api's you are calling via the sdk as a hint to what permissions you need i.e ec2:RunInstance and ec2:CreateTags.
You first create a policy then select the service then attach permissions (RunInstances and CreateTags)
You then create a Role with that policy attached.
Then you can attach the role to your Lambda
I am attempting to create an EC2 instance and then add it to my Auto Scaling group. I am having a lot of issues trying to authenticate. I am looking for a simple way to authenticate a request using my access key to simply start an instance. What I have tried so far:
//Authenticate AWS:
var myCredentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId:'us-west-2:IdentityPoolID'
});
var myConfig = new AWS.Config({
credentials: myCredentials, region: 'us-west-2'
});
AWS.config = myConfig
var minInst = 1;
var maxInst = 3;
var ec2 = new AWS.EC2();
//Set up parameters for EC2 Instances:
var params = {
ImageId: 'ami-6e1a0117',
MaxCount: minInst,
MinCount: maxInst,
InstanceInitiatedShutdownBehavior: 'terminate',
InstanceType: 't2.micro',
Monitoring: {
Enabled: false
},
NetworkInterfaces: [{
AssociatePublicIpAddress: true,
DeleteOnTermination: true,
}],
Placement: {
AvailabilityZone: 'us-west-2',
},
SecurityGroupIds: [
'sg-b0307ccd',
],
SecurityGroups: [
'CAB432Assignment2SG',
],
};
ec2.runInstances(params, function(err, data) {
if (err){
console.log(err, err.stack); //An error occurred
}
else{
console.log(data); //Successful Response
}
});
I know this code is wrong. I just don't know to fix it. The error I get is:
CredentialsError: Missing credentials in config
Any help would be greatly appreciated.
Delete this section of code entirely:
//Authenticate AWS:
var myCredentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId:'us-west-2:IdentityPoolID'
});
var myConfig = new AWS.Config({
credentials: myCredentials, region: 'us-west-2'
});
AWS.config = myConfig
Change this:
var ec2 = new AWS.EC2();
To this:
var ec2 = new AWS.EC2({region: 'us-west-2'});
Then go read this page in the Setting Credentials in Node.js documentation. In particular, you need to do one of the following:
Add an IAM role to your EC2 instance, if this is running on EC2.
Add an IAM execution role to your Lambda function if this is running on Lambda.
Create either a ~/.aws/credentials file with your keys. This can be done with the aws configure command if you have the AWS CLI installed.
Set the keys as environment variables.