I'm using CloudWatch dashboard to monitor EC2 instances. Name tag for EC2 instance is shown besides the instance id in the charts when I login as root user
However when I login as a user with only list and read permissions for CloudWatch and EC2 then charts's legends are appeared without EC2 instance name tag. It's very frustrating to switch back and forth between EC2 management console and CloudWatch dashboard mapping instance id and EC name tag
I suspect that I need to add more permissions to the user, but cannot figure out what permissions are needed exactly
ec2:describeInstances
ec2:describeTags
ec2:describeVolumes
See: Permissions Required to Use the CloudWatch Console
Or just attach AWS Managed Policy: CloudWatchReadOnlyAccess – Grants read-only access to CloudWatch.
Related
I'm deploying a service to amazon ecs through docker. I need to assign an IAM role to the cluster that allows it to communicate with secrets manager, as that's where some of the important configuration comes from. However, when trying to select the iam role, I get this error message:
Error message
So I tried following the amazon documentation and going to the account settings tab signed in as the root account, only to find that the settings were already enabled by default. So now I'm sort of stuck as to what to do at this point. Is there something I'm missing here?
resources already enabled
From your screenshot what I understand is that the IAM role you are using to deploy the container does not have "ecsInstanceRole" in your IAM roles. You could use the following steps to create it.
Open the IAM console at https://console.aws.amazon.com/iam/
In the navigation pane, choose Roles and then choose Create role.
Choose the AWS service role type, and then choose Elastic Container Service.
Choose the EC2 Role for Elastic Container Service use case and then Next: Permissions.
In the Attached permissions policy section, select AmazonEC2ContainerServiceforEC2Role and then choose Next: Review.
Important
The AmazonEC2ContainerServiceforEC2Role managed policy should be attached to the container instance IAM role, otherwise you will receive an error using the AWS Management Console to create clusters.
For Role name, type ecsInstanceRole and optionally you can enter a description.
Review your role information and then choose Create role to finish.
or you can follow the below document:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
I've created a node.js application which connects to DynamoDB. Everything is working fine locally Now I'm trying to setup on AWS servers.
First I've created DynamoDB tables from AWS DynamoDB console. It is working fine.
I've created a new role from IAM management console > Roles to access DynamoDB. And attached that role to EC2 instance.
But when I fire any aws dynamodb cli command, it gave me error to mention the region.
So I went to IAM management console > Users, and created an access key to my admin type user.
Now I'm login to EC2 CLI using ec2-user and aws configure with previously generated access key.
AWS Access Key ID [None]: ACCESS KEY
AWS Secret Access Key [None]: SECRET
Default region name [None]: us-east-1
Default output format [None]: json
But when I use following command aws dynamodb list-tables. It gives no output, no error.
As I commented, The main issue was outbound rules for attached security group. Here are the necessary things to do
Set a security group outbound rule to HTTPS
Setup Credentials
Create Access Key from IAM management console > Users.
SSH to EC2 instance.
Configure the credentials to EC2 instance using aws configure command or directly modify ~/.aws/credentials file.
Attach Role
Create Role from IAM management console > Roles. Select the role which is necessary to perform operation on AWS service. Eg AmazonDynamoDBFullAccess
Open VPC console and select the EC2 instance.
Attach the role from Actions menu
It is good, though optional, to create VPC endpoint. If you face UnauthorizedOperation error while creating endpoint, assign AmazonEC2FullAccess permission to the user from IAM console. Remove it later if you don't need it.
To use the AWS service from your application, find the relevant endpoint from this list.
It sounds like you are having problems connecting to DynamoDB because of the way you have configured your VPC.
There are some options but if you would prefer to keep your VPC isolated from the internet then you could enable VPC endpoints for DynamoDB. That way you can access DynamoDB from within your VPC without those connections going over the public internet.
There is a step-by-step guide for how to do that here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html
Essentially, it involves the following steps:
you have to get the VPC id for the VPC where your EC2 instance is located
create a VPC endpoint for DynamoDB, specifying the VPC id and the regional dynamodb service name:
aws ec2 create-vpc-endpoint --service-name com.amazonaws.<region>.dynamodb --vpc-id <yourvpcid>
I am deploying an EC2 instance using CloudFormation and I need to publish information about the created instance to an HTTP endpoint. I plan on doing this using SNS. However, I do not want the instance to have permanent access to publish to the endpoint or be able to use the AWS CLI.
Is there a way to deploy the instance with permission to publish to a specified SNS topic and then rescind permission immediately afterwards?
Use IAM (IAM and Amazon SNS Policies Together) to create a SNS Role which has just enough privileges to publish a specified SNS topic.
Launch the instance and specify the your role as instance's IAM profile
After publishing, remove the SNS privileges from the role using the IAM dashboard or from the instance (make sure the role has privileges to rescind the permission)
We use CloudFormation to deploy our platform. Is here a way to allow the application instance access to the DynamoDB tables without exposing API credentials?
I read about creating an IAM role that has the right permission and use instance profile. How do I achieve this? can someone please provide more details and explain what instance profile is?
As per AWS IAM documentation, Instance Profile is:
An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
So, this is a feature provided by AWS so that IAM credentials don't have to be stored in EC2 instances to execute AWS APIs. Also, this feature aids in granting only the permission specified in the desired IAM role to the EC2 instance. Also, you can use the same Instance profile on multiple instances. This way, you don't have to update credentials on each EC2 instance whenever you change the credentials. So, while launching the EC2 instance, you can specify the instance profile. The instance profile is attached to an IAM role. The EC2 instance will get the IAM role and all the IAM credentials. You just need to set the AWS region before using the APIs.
How to do it:
1) Create an IAM role using: create-role
2) Create Instance Profile using: create-instance-profile. The output of this step will contain the Arn for the Instance Profile. This needs to be used in step 4.
3) Add role to Instance Profile using: add-role-to-instance-profile
4) Launch instance using run-instances. Specify the --iam-instance-profile option as below:
--iam-instance-profile Arn=instanceArn
The instanceArn is got from step 2.
The same can be achieved using AWS Console. The Screenshot below shows, how you can specify the role during launch of an EC2 instance:
For more details please see Using Instance Profiles and section 'Permissions Required for Using Roles with Amazon EC2' at page 190 of AWS IAM User Guide.
I want to "associate an instance profile" with my environment (to speed up upload performance for my website) but can't find useful instructions on how anywhere in the AWS documentation (or here on SO).
How do I "associate an instance profile" with an environment on AWS?
Not clear what you are trying to accomplish, but if you are look to just 'associate an instance profile', here you go:
http://docs.aws.amazon.com/IAM/latest/UserGuide/instance-profiles.html
An instance profile is a container for an IAM role. Instance profiles
are used to pass role information to an Amazon EC2 instance when the
instance starts. When you use the Amazon EC2 console to launch an
instance with an IAM role, you can select a role to associate with the
instance. In the console, the list that's displayed is actually a list
of instance profile names.
If you use the AWS Management Console to create a role, the console
creates an instance profile automatically and gives it the same name
as the role it corresponds to. However, if you use the CLI, API, the
AWS SDK, or a third-party tool to create roles and instance profiles,
you create the roles and instance profiles as separate actions, and
you might give them different names. In that case, you need to know
the names of your instance profiles as well as the names of roles they
contain so that you can choose the correct instance profile when you
launch an Amazon EC2 instance.
If you are seeing this error when trying to set up a Elastic Beanstalk environment, it could be that the IAM user does not have sufficient permissions. You should add the IAM Policy named IAMFullAccess for that user.
You can check one option that works here for AWS Beanstalk. This is using AWS Console.
Create IAM Role for "EC2" as AWS Service and attach
"AWSElasticBeanstalkFullAccess" policy to it.
Create an AWS Beanstalk environment with tier/platform/application of choice. (I did with Web Tier choosing Docker platform using python:3-onbuild).
Hit "Configure More Options" > "Modify" Security.
Choose "IAM instance profile" which was created in Step 1. (Keep Service role
"aws-elasticbeanstalk-service-role" as this is needed! It has some key policies!)
"Save" and "Create Environment".
Similarly, it should work for AWS CLI and AWS SDK as well. Key here is the instance profile role you choose for EC2 (or say instance IAM role/instance profile) during Beanstalk Environment creation.
You can create customer managed policy extending or reusing AWSElasticBeanstalkFullAccess policy based on need. Refer AWSElasticBeanstalkFullAccess to understand it better. Also, check out some more AWS Managed policies starting with AWSElasticBeanStalk*.
Somehow default aws-elasticbeanstalk-ec2-role policy is not working/taking effect as desired for me.
For what it's worth, the AWS console now displays an alert (see image) that has a link to help you associate the instance profile with your environment. Therefore, if you see this message in the CLI, you probably need to log into the Management Console, navigate to Elastic Beanstalk, and choose your environment. You will then see the message and be able to use the link to resolve the issue.
Note 1: You may need to redeploy your app after associating the profile. I did.
Note 2: It really does make deployments faster.
Orome,
As E.J Brennan pointed out in his post, you must have a role created first, and attach the necessary IAM policies to that role, then you create the instance profile:
aws iam create-instance-profile --instance-profile-name YOUR_INSTANCE_PROFILE_NAME
Then add the role you created in the beginning to the instance profile:
aws iam add-role-to-instance-profile --instance-profile-name YOUR_INSTANCE_PROFILE_NAME --role-name YOUR_ROLE
Then attach the instance profile to your instance:
aws ec2 associate-iam-instance-profile --instance-id YOUR_INSTANCE_ID --iam-instance-profile Name="YOUR_INSTANCE_PROFILE_NAME"
Is this what you are looking for?
As E.J Brennan also pointed out, the AWS management console does the instance profile for you behind the scenes.