How do I enable the AWS CLI on an EC2 instance? After I create the EC2 instance, I can SSH into the machine, but when I try to do something like aws s3 ls, it prompts me to do aws configure first, which I then have to enter my keys. I want to be able to automate this so that I can grab additional artifacts from S3 buckets to install. Note that I am using the AWS CLI on my computer to create the EC2 instance, but I need to use the AWS CLI on the EC2 instance itself.
My AWS command to create a simple EC2 instance looks like the following (this is done on my computer).
aws ec2 run-instances \
--image-id ami-14c5486b \
--count 1 \
--instance-type t2.micro \
--key-name testkey \
--subnet-id subnet-xxxxxxxx \
--security-group-ids sg-xxxxxxxx \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=test}]'
--user-data file://install-software.sh
The install-software.sh looks something like the following (this is submitted to the EC2 instance).
#!/bin/bash
aws s3 cp s3://mybucket/some-archive.tar.gz some-archive.tar.gz
tar xf some-archive.tar.gz
sudo some-archive/bin/install.sh
You need to use an instance profile when launching your EC2 instance – if it has an instance profile attached then the AWS CLI will automatically use the permissions set in it to grant access to resources, rather than relying on your providing credentials.
You need to assign an instance role to your instance. Give it rights to get objects from your bucket. Then the aws cli will get the credentials from instance metadata automatically so you won't need to configure aws first.
Related
I want to launch an EC2 machine using aws cli. I want several things to take place before I connect, including setting my configuration.
I successfully launch the machine using:
aws ec2 run-instances --image-id ami-062f7200baf2fa504 --count 1 \
--instance-type t2.micro --key-name MyFirstKey --security-group-ids \
launch-wizard-3 --user-data file://aws_setup_script.txt
my aws_setup_script.txt is
sudo yum update -y
aws configure set aws_access_key_id AAAAABBBBBCCCCCDDDDD
aws configure set aws_secret_access_key AAAAABBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHHHHH
aws configure set default.region us-east-1
sudo yum update -y successfully runs, but the aws configure steps do not.
It is insecure passing secrets in user-data.
Your script is failing because it isn't running as ec2-user so it doesn't have aws in the path. Even if it worked, it wouldn't be configuring the CLI tool for the ec2-user account so it isn't going to work the way you want.
Most importantly, there is a much better way to accomplish this. You should be assigning an IAM instance profile to the instance. When you run the aws cli tool on an instance with an IAM role assigned it will automatically use those credentials.
As per best practice, It's always better to use the IAM instance role attached to your Ec2 instead of setting the AWS credentials within Ec2.
Create an IAM instance role (refer AWS Doc) with the required permission want to give to Ec2.
Use --iam-instance-profile in aws cli command to attache the Ec2 with specific Iam role.
aws ec2 run-instances --image-id ami-062f7200baf2fa504 --count 1 \
--instance-type t2.micro --key-name MyFirstKey --security-group-ids \
launch-wizard-3 --iam-instance-profile
I am trying to get the RDS endpoint to use in user data with cli but unable to figure it out.
I need to get the RDS endpoint to inject into a php file but when I try the following I get:
Unable to locate credentials. You can configure credentials by running "aws configure".
I am building the ec2 and vpc using CLI and need to be able to get RDS endpoint as part of the Userdata.
I tried the following on the EC2 instance itself and I get the above error.
aws rds --region ca-central-1 describe-db-instances --query "DBInstances[*].Endpoint.Address"
Even if I am able to resolve that, I need to be able to get the endpoint to pass as part of the userdata. Is that even possible?
The Unable to locate credentials error says that the AWS Command-Line Interface (CLI) does not have any credentials to call the AWS APIs.
You should assign a role to the EC2 instance with sufficient permission to call describe-db-instances on RDS. See: IAM Roles for Amazon EC2
Then, your User Data can include something like:
#!
RDS=`aws rds --region ca-central-1 describe-db-instances --query "DBInstances[*].Endpoint.Address"`
echo >file $RDS
Or pass it as a parameter:
php $RDS
I have it working with this -
mac=curl -s http://169.254.169.254/latest/meta-data/mac
VPC_ID=curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/$mac/vpc-id
aws rds describe-db-instances --region us-east-2 | jq -r --arg VPC_ID "VPC_ID" '.DBInstances[] |select (.DBSubnetGroup.VpcId=="'$VPC_ID'") | .Endpoint.Address'
If you want to add a tag to an instance when launching, you have to perform two steps:
Launch an instance (run-instances)
Add a tag to the newly created instance (create-tags)
Is there a way to add a tag (or set a name) when launching an instance using a single CLI command?
This request had been pending for a long time and AWS finally supported this in March 2017.
See: Amazon EC2 and Amazon EBS add support for tagging resources upon creation and additional resource-level permissions
Make sure your AWS CLI version is at least 1.11.106
$ aws --version
aws-cli/1.11.109 Python/2.6.9 Linux/4.1.17-22.30.amzn1.x86_64 botocore/1.5.72
CLI to tag the instance when launching:
The following example applies a tag with a key of webserver and
value of production to the instance.
aws ec2 run-instances --image-id ami-abc12345 --count 1 --instance-type t2.micro
--key-name MyKeyPair --subnet-id subnet-6e7f829e
--tag-specifications 'ResourceType=instance,Tags=[{Key=webserver,Value=production}]'
CLI to tag the instance and the volume:
The command also applies a tag with a key of cost-center and a value
of cc123 to any EBS volume that's created (in this case, the root
volume).
aws ec2 run-instances --image-id ami-abc12345 --count 1 --instance-type t2.micro
--key-name MyKeyPair --subnet-id subnet-6e7f829e
--tag-specifications 'ResourceType=instance,Tags=[{Key=webserver,Value=production}]' 'ResourceType=volume,Tags=[{Key=cost-center,Value=cc123}]'
Basically, what I am looking for is the CLI version of http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html
Previously I have saved my instance as EBS AMI, and want to launch it using command line preferably, or APIs, instead of using Web Interface.
Thank you.
Here is an example of launching a new Amazon EC2 instance via the AWS Command-Line Interface (CLI) with a specified Amazon Machine Image (AMI):
aws ec2 run-instances --image-id ami-abcd1234 --security-group-id sg-abcd1234 --instance-type t1.micro
See: AWS CLI run-instances documentation
I know role can be assigned to instance from the console but I can't find anything about how to do it through AWS CLI tool.
Use the --iam-instance-profile switch. For example:
$ aws ec2 run-instances --image-id ami-11aa22bb --iam-instance-profile Name="s3access-profile" --key-name my-key-pair --security-groups my-security-group --subnet-id subnet-1a2b3c4d
See Launching an Instance with an IAM Role Using the AWS CLI.