We are in a strange stage at the moment. Our DevOps guy left the organization. Now when we disable his keys in IAM. We saw this kinda error in production. "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied when trying to upload an object on your bucket: XXXXX-prd-asset-images/." If i check Devops Guy IAM , i can see last used as S3 service. Guys i can understand its a half information but any help would be appreciated.
Can we look at prod instances if AWS keys stored there?
Can we check any policy?
Can we check bucket information?
That Devops guy had his AWS Keys being used for AWS CLI.
You need to create a generic account in AWS IAM which is not used by any developer and system administrator to avoid this situation in future.
Now do one thing create a generic account which has same IAM policies as that of your Devops guy account. SSH to the server. Go to this file ~/.aws/config there you will find AWS Key and AWS Secret replace that with the new key and secret of the account generated above.
Or you can run following and paste the Key and Access key when prompted and also the proper region for your EC2 instance.
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
Related
I was working on a E-commerce project ( for study ) and wanted to sync my webfiles from S3 to EC2.
I used this command in the Linux SSH session:
#6. download the FleetCart zip from s3 to the html directory on the ec2 instance
sudo aws s3 sync s3://deg-s3bucketwebfiles /var/www/html
Entering the command, I get the following error message:
-- > fatal error: Unable to locate credentials
Not sure, what is wrong ? I checked that there's a directory /var/www/html but somehow the files cannot be sync across to EC2.
Appreciate any guide.
Thanks
Unable to locate credentials means that the aws command is unable to locate any credentials on the EC2 instance. The credentials are used to identify you to AWS so it knows that you are entitled to access the deg-s3bucketwebfiles bucket.
Option 1: Use an IAM Role
Since you are using an Amazon EC2 instance, the correct way to provide credentials to the instance is to associate an IAM Role to the instance. The role would need permission to access S3.
Option 2: Use credentials from an IAM User
Alternatively, you can use credentials associated with your IAM User. Go to the IAM Console, select your IAM User and go to the Security Credentials tab. You will find a Create access key button.
It will provide an Access Key and a Secret Key. The Access Key starts with AKIA, while the Secret Key is a long jumble of characters.
Once you have these credentials, run this command on the EC2 instance:
aws configure
Provide the credentials when prompted.
Stupidly enough, I did delete by mistake my default AWS IAM user!
I used it for example do aws s3 sync...
Now the error I get is:
$ aws s3 sync build/ s3://mybucket.mydomain.com
fatal error: An error occurred (InvalidAccessKeyId) when calling the ListObjects operation: The AWS Access Key Id you provided does not exist in our records.
Is there a way to recover?
I think I need instructions how to create a new user with the sufficient roles to enable my local aws cli to be able to do aws s3 sync ...
UPDATE: I did just create a new user on my AWS console, and added a policy (to start with) to list my bucket. The problem is I don't know how to attach my aws cli to that new user... :-(
If you are the only person using this AWS Account, then add the AdministratorAccess Policy to your IAM User. That will grant complete access.
Then, in the Security credentials tab of the IAM User click Create access key. Copy the Access Key and Secret Access Key.
On the command line, run aws configure and provide those keys to configure the user.
Test with: aws s3 ls
I seem to have problems running a command to verify that my credentials are configured correctly and that I can connect to AWS as stated here:https://docs.aws.amazon.com/cli/latest/userguide/tutorial-ec2-ubuntu.html:
When running:
$ aws ec2 describe-regions --output table
I get the following output:
An error occurred (AuthFailure) when calling the DescribeRegions
operation: AWS was not able to validate the provided access
credentials
What am I missing?
After installing the AWS CLI (on a fedora machine), I ran
$ aws configure
for AWS Access Key ID and AWS Secret Access Key:
I went to AWS website and created an IAM user.
For that user, I have gone to the security credentials tab and
I have created a new Access key, which is key value pair of Access key ID,Secret access key.
I have used those values for AWS Access Key ID and AWS Secret Access Key but I keep getting the above error message.
What am I missing? Thanks in advance.
You need to pass the profile parameter. This link from AWS has more details
i have created an aws account, launched ec2 instance and created buckets in s3. Also i have installed python, boto3 and aws cli. But i'm stuck on connecting python with aws step.
The first and foremost thing that you need to check is whether your EC2 instance has permissions to access the S3 bucket. This can be done in 2 ways:
Store the credentials in the EC2 instance (insecure)
Assign IAM roles to the EC2 instance that has S3 read and write permissions (secure)
In order to assign a role to your instance, follow this guide.
Once your permissions are set up, you can either use the AWS CLI or BOTO3 to access S3 from your EC2 instance.
1: If you are asking how to establish a connection for running your AWS-python codes then you must follow these steps on terminal:
aws configure (this ill ask you credentials which you will find in the .CSV file that is created initially)
Provide the credentials and try to run the code
For ex:
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
2: If your question is how you will use the boto3 API calls to run AWS functions then this might help you:If you are using boto3 SDK then you can make use of low-level clients and higher-level.
ec2 = boto3.resource('ec2')
client = boto3.client('ec2')
You can follo this link for more detailed info : http://boto3.readthedocs.io/en/latest/reference/services/ec2.html
I've been trying to add my aws account to ask-cli so that i can directly deploy my lambda function.
whenever i try to clone or deploy it says,
No AWS credential setup for profile: [default].
Lambda clone skipped. CLI lambda functionalities can be enabled
by running `ask init` again to add 'aws_profile' to ASK cli_config
even after following 'ask init' it has no effect.
I've added amazon developer account to ask-cli but unable to link with aws.
any help would be appreciated.
thanks in advance.
if you have installed aws-cli then plz run aws-configure and provide your id and secret key.
$ aws configure --profile user2
AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: text
otherwise create folder in home named .aws and add credential file in it.
In that you can specify following format
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Well, this question has been already answered. But I want to add something.
If somehow, you did not setup the AWS credentials while setting up ASK profile, you can run below command to setup AWS credentials and link to an ASK profile.
ask init --aws-setup
Then, you will be prompted to enter your profile name, your access key, and your secret access key. Profile name will be default if you have not created multiple ASK profiles. After providing the credentials, you will not get the error mentioned in the question.