How do I delete an AWS resource by ARN? - amazon-web-services

I have a service-linked role in AWS that I need to delete. When I try to delete it in IAM it fails and has a popup with the ARNs of two resources that use this role. This brain-dead blog post shows me the steps to recreate the problem I'm having and tells me that I need to delete the resources that use the role I'm trying to delete. Duh.
I've tried searching the given ARNs in the IAM search window, but it doesn't find them.
Now that I have the ARNs, how can I delete them so I can delete this role?

There is no API that provides deletion of any resource by any ARN. You need to use the specific service to delete its resources.
If you have ARNs then, according to the documentation, the service is the 3rd part (split by the ":" character):
arn:partition:SERVICE:region:account-id... // SERVICE where your resource is present
For example, if you have this ARN:
arn:aws:ec2:us-east-1:1234567890:instance/i-12345678901234567
That indicates it's an EC2 instance. You can delete it via the AWS Console (UI) or, for example, using the AWS CLI:
aws --region us-east-1 ec2 terminate-instances --instance-ids i-12345678901234567
EDIT
According to the link you provided (brain-dead blog post) there are ARNs of Redshift clusters, so you can try to delete them via the AWS CLI using this command:
aws --region <REGION> redshift delete-cluster --cluster-identifier <CLUSTER ID>
You can obtain REGION and CLUSTER ID from the ARNs.
If you want to delete them from the UI (AWS Console), don't forget to change to the proper region.
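
An added example (not part of the original answer) of the ARN-to-command mapping described above: it splits an ARN on ":" and prints, without running, the matching delete command for the two resource types the answer covers. The function name and the sample ARNs other than the answer's EC2 one are constructed for illustration.

```sh
#!/bin/sh
# Added example: map an ARN to the service-specific delete command.
# It only prints the command; review it before running anything.

delete_command_for_arn() {
  # Layout: arn:partition:service:region:account-id:resource
  # The last variable takes the remainder of the line, so a resource part
  # that contains ':' (Redshift) or '/' (EC2) stays in one piece.
  IFS=: read -r prefix partition service region account resource <<EOF
$1
EOF
  if [ "$prefix" != "arn" ] || [ -z "$service" ] || [ -z "$resource" ]; then
    echo "not an ARN: $1" >&2
    return 2
  fi
  case "$service:$resource" in
    ec2:instance/i-*)
      echo "aws --region $region ec2 terminate-instances --instance-ids ${resource#instance/}" ;;
    redshift:cluster:*)
      # delete-cluster also needs a final-snapshot choice:
      # --final-cluster-snapshot-identifier <NAME> or --skip-final-cluster-snapshot
      echo "aws --region $region redshift delete-cluster --cluster-identifier ${resource#cluster:}" ;;
    *)
      # Other services (and global ones such as IAM, whose region field is
      # empty) need their own API call; refuse rather than guess.
      echo "no delete mapping for service '$service' ($resource)" >&2
      return 1 ;;
  esac
}

# Constructed sample ARNs (the first is the one from the answer above).
for arn in \
  "arn:aws:ec2:us-east-1:1234567890:instance/i-12345678901234567" \
  "arn:aws:redshift:us-west-2:123456789012:cluster:constructed-cluster" \
  "arn:aws:iam::123456789012:role/constructed-role"
do
  delete_command_for_arn "$arn" || echo "skipped: $arn"
done
```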

Related

What is the difference between executionRoleArn and taskRoleArn and how to find them?

I am new to AWS and I am following this link. I couldn't find the difference between ECS_SERVICE_ROLE_ARN and ECS_TASK_ROLE_ARN. Also I wanted to know how I could find them. I used this command
aws sts get-caller-identity
But this gives a common field "arn". But I don't know which one this is.
The service role ARN is the ARN of the role that is interacting with the ECS service. The task role ARN is the role under which the individual task is executing.
To find the service role ARN, you should be able to look in IAM Roles for the ECS service role.
To find a task role ARN for a given task, you should be able to use:
aws ecs describe-tasks
You could find the ExecutionRoleArn and TaskRoleArn in the json file 'cloudformation-core-output.json', which is generated at the "Step 1 Deploy CloudFormation Templates" after you executed a link:
aws cloudformation describe-stacks --stack-name MythicalMysfitsCoreStack > ~/environment/cloudformation-core-output.json

Unable to retrieve secret from secretsmanager on aws-ec2 using an IAM role

Goal: Retrieve secret from secretsmanager on an aws ec2 instance programmatically through command line.
I have created an IAM role with policies that grant full-access to AWSSecretsManager and AWSEC2instance also to assume the role and modify the role of any aws ec2 instance.
I created an aws instance and attached the IAM role to it and executed the following steps:
- aws secretsmanager list-secrets
An error occurred (UnrecognizedClientException) when calling the ListSecrets operation: The security token included in the request is invalid.
I get an error. I am able to retrieve the security credentials using the metadata of the instance.
- Am I missing something here? I basically want to retrieve the secret in an aws instance in a secure way.
- When I try to run the above command to list secrets, the CLI complains that it needs a region. My EC2 instance and secrets are all in us-east-2, so I use the same region. And it still does not work.
Any suggestions/pointers would be highly appreciated. Thanks!
Here is how I would troubleshoot.
Check whether the instance is aware of the IAM role attached to it.
aws sts get-caller-identity
Try passing the region to the command.
aws secretsmanager list-secrets --region us-east-2
I would check whether AWS_REGION or AWS_DEFAULT_REGION is set, but even if these values are set, passing --region should override them.
Hope this helps you get somewhere.
Have you run "aws configure" on the instance? Sounds like it might be using the token in there rather than the EC2 instance role. See the references below for the sequence it checks, but basically the EC2 role is the last place it looks; if it gets credentials earlier, it will use them.
See here for the priority/sequence: https://docs.aws.amazon.com/amazonswf/latest/awsrbflowguide/set-up-creds.html
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html ("Using the Default Credential Provider Chain")
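
An added sketch (not from either answer) of the check the second answer suggests: it looks for static keys that the CLI would pick up before the EC2 instance role. It is simplified to the environment variable and the two default files and ignores profile selection; the function name is made up for this example.

```sh
#!/bin/sh
# Added example: find static credentials that would shadow the instance role.
# Assumption: only the access-key environment variable, the shared credentials
# file and the config file are checked; other providers in the chain are not.

shadowing_credential_source() {
  creds_file=${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}
  config_file=${AWS_CONFIG_FILE:-$HOME/.aws/config}
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    # Exported keys win over everything on disk and over the instance role.
    echo "env"
  elif [ -f "$creds_file" ] && grep -q '^[[:space:]]*aws_access_key_id' "$creds_file"; then
    # Left behind by "aws configure"; stale keys here give the
    # UnrecognizedClientException seen in the question.
    echo "shared-credentials-file:$creds_file"
  elif [ -f "$config_file" ] && grep -q '^[[:space:]]*aws_access_key_id' "$config_file"; then
    echo "config-file:$config_file"
  else
    # Nothing earlier in the chain, so the instance role can be reached.
    echo "none"
  fi
}

# On the instance, "aws configure list" shows the same information in its
# Type column (for example env, shared-credentials-file or iam-role).
echo "credential source shadowing the instance role: $(shadowing_credential_source)"
```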

Resources attached to an AWS IAM Role

Is there a way to find out which resources are using an IAM role? I want to modify it and wanted to check what my modification could affect.
Not quite.
Services can "assume" a role. This happens when the activity is run (eg when an AWS Lambda function is invoked, or when an Amazon EC2 instance is launched). Thus, there is no permanent 'link' between roles and services. Therefore, it is not possible to say "list me everything that is using this IAM Role".
However, you could list services and see which roles they are configured to use. For example, you could describe EC2 instances and check what IAM Role they are configured to use. However, you would need to do this for all services that you know are potentially using the roles.
You can find where an IAM role is used based on its past usage.
I can think of a few ways.
Method 1 - Access Advisor
Click the "Access Advisor" tab that appears when you click an IAM role.
Check the last accessed time of each service.
Method 2 - CloudTrail
The CLI command will tell you which services/users assumed the role and also the actions they performed.
aws cloudtrail lookup-events --max-results 20 --lookup-attributes AttributeKey=ResourceName,AttributeValue=arn:aws:iam::012345678901:role/lambdaRole --output json --query "Events[*].[CloudTrailEvent]"

Copy/Export AWS Security Group to multiple AWS accounts

I have multi-account AWS environment (set up using AWS Landing Zone) and I need to copy a specific security group to all the accounts. I do have a CFT written, but it's too much of a repetitive task to do this one by one.
The security group is in the central (shared-services) account, which has access to all the other accounts. It's better if there's a way to integrate this to Account Vending Machine (AVM) in order to avoid future tasks of exporting the SG to newly spawned accounts.
You should use CloudFormation StackSets. StackSets is a feature of CloudFormation in which you have a master account, where you create/update/remove the stack set, and child accounts. In the stack set, you configure the child AWS accounts you want to deploy the CF template to, and the region as well.
From your comment, your master account is going to be the shared-services account and the rest of your accounts the child ones. You will need to deploy a couple of IAM roles to allow cross-account access, but after that you will be able to deploy all your templates to up to 500 AWS accounts automatically and update them as well.
More information here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html
You can export the security group and other configuration with CloudFormation using CloudFormer, which creates a template from the existing account configuration. Check the steps in this guide: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-using-cloudformer.html. It will upload the template to S3 and you can reuse it or some of its parts.
Since you are using AWS Landing Zone, you can add the security group to the aws_baseline templates, either as a new template or added to one of the existing files. When submitted, AWS Landing Zone uses Step Functions and AWS Stack Sets to deploy your SG to all existing and future accounts. If you choose to create the security group in a new file, you must add a reference to it in the manifest.yaml file (compare with how the other templates are referenced).
I was able to do this via the Account Vending Machine. But AGL's Stacksets should be a good alternative too.
Copying an AWS security group from one account in any region to another AWS account in any region requires a lot of scripting (coding) in the AWS CLI or boto3.
But one thing I did that was feasible for my use case (whitelist 14 IPs for HTTPS) was to write a bash script.
Here I first created a blank SG in the other AWS account (or you may use the AWS CLI to create that too):
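```bash
# Fill in the source and destination region, security group ID and CLI profile.
Region1=
SGFromCopy=
profilefromcopy=
Region2=
SGToCopy=
profiletocopy=
# Read every CIDR from the source group, then allow it on TCP 443 in the destination group.
# The JMESPath query and the IpRanges value are quoted so the shell does not glob the brackets.
for IP in $(aws ec2 describe-security-groups --region "$Region1" --group-ids "$SGFromCopy" --profile "$profilefromcopy" --query 'SecurityGroups[].IpPermissions[].IpRanges[].CidrIp' --output text); do
  aws ec2 authorize-security-group-ingress --group-id "$SGToCopy" --ip-permissions "IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges=[{CidrIp=$IP}]" --profile "$profiletocopy" --region "$Region2"
done
```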
You may modify the script if you have the SG in CSV format and then just iterate over it in a while loop.
BONUS
To get the desired output you have to alter the output in a file or somewhere else:
aws ec2 describe-security-groups --region "$Region1" --group-ids "$SGFromCopy" --profile "$profilefromcopy" --query 'SecurityGroups[].IpPermissions[]' --output text

How can I use AssumeRole from another AWS account in a CloudFormation template?

I am trying to work out the logic flow for an AWS CloudFormation template that will assume an IAM role that can pull files from a S3 bucket in another AWS account.
What I have so far is:
accountA has a roleA
roleA has policy that allows sts:AssumeRole for a role in accountB :arn:aws:iam::11122233444:role/AllowPullS3
accountB has role(AllowPullS3) with
policy allow:s3 listBucket + get,put,delete
trust relationship for accountA :Action:"sts:AssumeRole"
If I create an EC2 instance manually with the IAM:roleA and then use the CLI to get the assume-role credentials, I can then pull the files from the other account's S3 bucket as expected.
But what do I need to put where in my accountA CF template that will allow the EC2 instance to assume roleB and pull the file from the accountB S3 bucket as part of the formation?
I have tried following a lot of tutorials such as this cfn-iam:init tutorial but still can not fully grasp what goes where.
Thanks for your advice.
Art
It is not possible to tell CloudFormation to assume another role.
However, if you have a CLI script/command that works on the Amazon EC2 instance, then just pass that script as User Data. The script will run when your instance starts. User Data can be passed in your CloudFormation template, where the EC2 instance is defined.
See: Running Commands on Your Linux Instance at Launch