When using STS to assume a role, in the AWS SDKs (Java, for example), we have shaved valuable seconds off the operation by selecting the 'local' STS endpoint for the region our code is executing in (e.g. https://sts.eu-west-2.amazonaws.com).
Is it possible to do the same from the CLI (aws sts assume-role ...? There doesn't seem to be an option to override the default endpoint in the documentation.
Take a look at: Activating and Deactivating AWS STS in an AWS Region and enable the region endpoint you want to connect to.
--region (string)
is common for all AWS CLI commands. Once you enable additional endpoints, you can use --region (string) to override the default endpoint.
Related
I ran AWS configure inside an AWS instance and the AWS CLI is ignoring it and instead using my ARN role which doesn't have the proper permissions to do what I need. I'm running a pod in kubernetes and I don't want to give access to all my pods, so i'm storing credentials, and attempting to run terraform. How do I get AWS to ignore my ARN role and just use the credentials I set with aws configure ?
Need to access cross account EC2 describe/start instance API via AWS CLI without configuring access/secret keys in "aws configure".
Assuming that you have default credentials stored for an account (Let's call it dev) but you want to run EC2 describe/start instance API on an instance which is in another account(Let's call it prod) via this account without configuring your prod credentials.
To achieve this you will use an IAM role, which has the EC2:describeInstance access needed in your Prod account. An authenticated user in your Dev account will assume a privileged IAM role in the Prod account with an API call to STS:AssumeRole. This API call will return temporary security credentials that the Dev user’s AWS CLI will automatically use to access resources in the Prod account.
You can set the credentials temporary via environment variables. If you pack this is an bash script, they only last for the execution.
#!/bin/bash
export AWS_ACCESS_KEY_ID=***
export AWS_SECRET_ACCESS_KEY=***
export AWS_DEFAULT_REGION=eu-central-1
aws ec2 <your command>
If you are in a cli of an ec2, best way to do this is to use the IAM role attached to the instance which has permissions ec2:StartInstances and ec2:DescribeInstances for the target ec2.
I am trying to connect to AWS neptune DB after enabling IAM DB authorisation and it is not able to connect and failing with below error.
{"code":"AccessDeniedException","requestId":"68bbc87a-cbf6-31d3-5829-91f32062239f","detailedMessage":"Missing Authentication Token"}
However Its working fine with disabling IAM DB authorisation.
I have created a policy (using link https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth-policy.html) to connect to neptune DB and attached the policy to IAM role which is being added to the ec2 instance. I can able to telnet to neptune DB endpoint with 8182 port.
Can someone please help.
When IAM authentication is enabled, requests to the HTTP endpoint must be signed using SigV4. You can use a tool like awscurl to do this.
Here is an example from the Amazon Neptune documentation that I have modified slightly to have it point to the /status endpoint.
Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables correctly (and
also AWS_SECURITY_TOKEN if you are using temporary credential). You can also pass these as parameters to awscurl. Then use a command such as (change the region to be your region).
awscurl -X GET --service neptune-db --region us-west-2 "$SYSTEM_ENDPOINT/status"
You can get temporary credentials using sts via the AWS CLI tools as follows:
aws sts get-session-token
If you are running on an EC2 instance you can get the tokens from the metadata service so long as the EC2 instance has a role attached that has access to Neptune. More details here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
Goal: Retrieve secret from secretsmanager on an aws ec2 instance programmatically through command line.
I have created an IAM role with policies that grant full-access to AWSSecretsManager and AWSEC2instance also to assume the role and modify the role of any aws ec2 instance.
I created an aws instance and attached the IAM role to it and executed the following steps:
- aws secretsmanager list-secrets
An error occurred (UnrecognizedClientException) when calling the ListSecrets operation: The security token included in the request is invalid.
I get an error. I am able to retrieve the security credentials using the metadata of the instance.
- Am I missing something here? I basically want to retrieve the secret in an aws instance in a secure way.
- When I try to run the above command to list-secrets. The cli complains that it needs an region. My ec2-instance and secrets all are in us-east-2. So, I use the same region. And it still does not work.
Any suggestions/pointers would be highly appreciated. Thanks!
Here is How I would troubleshoot.
check whether the instance is aware of the IAM role attached to that.
aws sts get-caller-identity
try passing the region to the command
aws secretsmanager list-secrets --region us-east-2
I would check whether the AWS_REGION or AWS_DEFAULT_REGION, but even if these values are set, passing --region should override it.
Hope this help you get somewhere.
Have you run "aws configure" on the instance? Sounds like it might be using the token in there rather that the EC2 instance role. See references below for the sequence it checks but basically, the EC2 role is the last place it looks, if it gets credentials earlier, it will use them.
See here for the priority/sequence: https://docs.aws.amazon.com/amazonswf/latest/awsrbflowguide/set-up-creds.html
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html ("Using the Default Credential Provider Chain")
I need to get a list of the IAM policies attached to an AWS IoT Thing's certificate, in way that is script/automation-friendly. I have searched through the documentation website and the man pages, but didn't find a command that seemed to achieve this (e.g.: aws iot describe-certificate does not include this in it output).
Is there a way to achieve this with the AWS CLI?
You can get thing's certificate and policy attached to that certificate by running the following two commands of AWS CLI:
aws iot list-thing-principals --thing-name [Name of your IoT Thing]. This command will return the Certificate ARN attached to your thing.
aws iot list-principal-policies --principal [Certificate ARN]. This command will return the policies attached to the certificate.
I assume you actually mean IoT policies. Use the list-principal-policies api call to list the IoT policies attached to a certificate.