aws iot describe-endpoint::You must specify a region - amazon-web-services

I am following this tutorial for connecting Raspberry Pi to AWS IoT using Node.js SDK and I have done all the other steps but I am lost in the authentication and certificate step:
pi@raspberrypi:~ $ aws iot describe-endpoint
You must specify a region. You can also configure your region by running "aws configure".
pi@raspberrypi:~ $ aws configure
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]:
Default output format [None]:
pi@raspberrypi:~ $ ls
2016-02-24-204612_1920x1080_scrot.png Desktop get-pip.py node_modules python_games sources WiringPi
aws device.cfg ibm Pictures python-iot-raspberry-pi Templates
aws-iot-device-sdk-js Documents iot_1.0-1_armhf.deb projects root Videos
certs Downloads Music Public root.pem wiringPi
pi@raspberrypi:~ $ cd certs/
pi@raspberrypi:~/certs $ ls
1cf77402f9-certificate.pem.crt 1cf77402f9-private.pem.key 1cf77402f9-public.pem.key
When I browse to https://A34SXNTM6AT7XH.iot.us-west-2.amazonaws.com/things/MyNewThing/shadow or https://A34SXNTM6AT7XH.iot.us-west-2.amazonaws.com I see a Missing Authentication Token message:
I am not sure how to get the last step working so I can see stuff in the URLs when I browse to them. Can someone help me figure out which steps I am missing, or which are missing from the tutorial?

This fixed the problem:
Browse to
https://console.aws.amazon.com/iam/home?region=us-west-2#security_credential
If you don’t have a key, click on "Create New Access Key". If you already have one, save the information and enter it at the prompts of the aws configure command. For the region, select “us-west-2” if Oregon is selected in your dashboard.
After that you will be able to see the credentials in the following:
The AWS credentials file – located at ~/.aws/credentials on Linux, OS X, or Unix

Related

Install AWS CLI on Windows Server CORE EC2 instance

I am looking to install the AWS CLI on a Windows Server Core EC2 instance. As per the Documentation, the AWS CLI should be installed with msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi.
The problem with this, is that it will attempt to bring up a GUI - Windows server core does not have any GUI, and therefore we cannot interact with it. I have tried /quiet and other such commands, but the terminal simply gives no response.
How can I install the AWS CLI on a Windows Server Core EC2 instance?
Install the AWS Command Line Interface (CLI)
AWS Command Line Interface (CLI) Silent Install (MSI)
Navigate to: https://aws.amazon.com/cli/
Download the AWSCLIV2.msi to a folder created at (C:\Downloads)
Open an Elevated Command Prompt by Right-Clicking on Command Prompt and select Run as Administrator
Navigate to the C:\Downloads folder
Enter the following command: MsiExec.exe /i AWSCLIV2.msi /qn
Press Enter
After a few moments you will find AWS Command Line Interface (CLI) entries in the Installation Directory and Programs and Features in the Control Panel.
aws ec2
You can follow these steps.
This will help you install the AWS CLI; you can open the link below:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html
You can install the CLI
and run this command in the terminal: aws configure
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
Insert your information as shown above.
Hope it helps.

AWS ECR: trying to use Get-ECRLoginCommand fails

I am new to AWS and I am trying to register an image on ECR on windows. To do that I am using PowerShell to connect to AWS.
Below is my version
PS C:\> aws --version
aws-cli/2.0.0 Python/3.7.5 Windows/10 botocore/2.0.0dev4
I used aws configure command to login. I went to users -> createdUser -> Security Credentials for Access key and Secret key.
When I use Get-ECRLoginCommand
PS C:\> Get-ECRLoginCommand
Get-ECRLoginCommand : The request signature we calculated does not match the signature you provided. Check your AWS
Secret Access Key and signing method. Consult the service documentation for details.
At line:1 char:1
+ Get-ECRLoginCommand
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Amazon.PowerShe...inCommandCmdlet:GetECRLoginCommandCmdlet) [Get-ECRL
oginCommand], InvalidOperationException
+ FullyQualifiedErrorId : Amazon.ECR.AmazonECRException,Amazon.PowerShell.Cmdlets.ECR.GetECRLoginCommandCmdlet
Can someone please help me register a Docker image on ECR?
Even on Windows, it's easier to use the push instructions for Linux and macOS.
You just need to install the AWS CLI and Docker, and set up AWS credentials.
Install AWS CLI version 2
msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi
To confirm the installation
C:\> aws --version
aws-cli/2.2.43 Python/3.8.8 Windows/10 exe/AMD64 prompt/off
In AWS IAM, create user with the required role.
It's not recommended. I simply created a user with AdministratorAccess.
set up your AWS credentials
aws configure
AWS Access Key ID [None]: Access Key
AWS Secret Access Key [None]: Secret Key
Default region name [None]: us-west-2
Default output format [None]: json
Now, authenticate Docker to the Amazon ECR registry
aws ecr get-login-password | docker login --username AWS --password-stdin YOUR-REGISTRY-URL
Login Succeeded
Finally, Pushing a Docker Image
docker build -t YOUR-BUILD-NAME .
docker tag YOUR-BUILD-NAME:latest YOUR-REGISTRY-URL/YOUR-BUILD-NAME:latest
docker push YOUR-REGISTRY-URL/YOUR-BUILD-NAME:latest
Try uninstalling AWS CLI V2 and installing AWS CLI V1; that fixed the problem for me.
You need to first set up your AWS credentials on your Windows PC.
You need to set them up separately for the AWS CLI and the AWS SDK.
From the documentation:
Credentials Store Locations
The AWS Tools for PowerShell can use either of two credentials stores:
The AWS SDK store, which encrypts your credentials and stores them in your home folder. In Windows, this store is located at: C:\Users\username\AppData\Local\AWSToolkit\RegisteredAccounts.json.
The AWS SDK for .NET and Toolkit for Visual Studio can also use the AWS SDK store.
The shared credentials file, which is also located in your home folder, but stores credentials as plain text.
By default, the credentials file is stored here:
On Windows: C:\Users\username\.aws\credentials
On Mac/Linux: ~/.aws/credentials
The AWS SDKs and the AWS Command Line Interface can also use the credentials file. If you're running a script outside of your AWS user context, be sure that the file that contains your credentials is copied to a location where all user accounts (local system and user) can access your credentials.
Example:
PS > Set-AWSCredential `
-AccessKey AKIA0123456787EXAMPLE `
-SecretKey wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY `
-StoreAs MyNewProfile
Source: https://docs.aws.amazon.com/powershell/latest/userguide/specifying-your-aws-credentials.html#specifying-your-aws-credentials-store
Try this
Get-AWSCredential -ListProfileDetail
If you get something like this (2 defaults)
The 1st default is causing the issue! You should remove it with the following command
Remove-AWSCredentialProfile -ProfileName default
Once you only have a single default left (the working one), Get-ECRLoginCommand should work as expected.

aws cli: invalid security token

I'm trying to create a reusable delegation set to use as whitelisted nameservers for my domains, using aws cli on Mac OS X. My AWS credentials (those of an IAM profile I created for that purpose with full administrator privileges, and location set to us-east-1) were correctly entered during setup and accepted by the system.
When entering the command
$ aws route53 create-reusable-delegation-set --caller-reference [CALLER-REFERENCE] --hosted-zone-id [HOSTED_ZONE] --generate-cli-skeleton
the request is successful and I get the response:
{
"CallerReference": "",
"HostedZoneId": ""
}
But when I remove --generate-cli-skeleton and enter
aws route53 create-reusable-delegation-set --caller-reference [CALLER-REFERENCE] --hosted-zone-id [HOSTED_ZONE]
I get this:
An error occurred (InvalidClientTokenId) when calling the CreateReusableDelegationSet operation: The security token included in the request is invalid.
In reality, my IAM credentials, despite being valid, and despite the profile I am using (donaldjenkins) having full administrator privileges, are refused systematically in all aws services and for all commands, not just Route53.
I've been unable to pinpoint the cause of this despite extensive research. Any suggestions gratefully received.
Deleting my credentials file (Linux, macOS, or Unix: ~/.aws Windows: %UserProfile%\.aws) then running aws configure again worked for me
The solution is to delete existing credentials for the IAM user and issue new ones. For some reason the credentials recorded during the initial setup of aws cli never worked properly, but overwriting them with new ones removed the issue instantly.
I had the same exact issue.
I'm running NodeJS on my local environment, and trying to deploy to Amazon using code deploy and some other aws tools.
What worked for me was to delete the current config and credentials folder, regenerate a new key and use it. This was after I originally installed the AWS CLI and added the keys; I had to add the keys again.
Depending on your folder structure, navigate to your home directory.
On mac if you open a new terminal, it should show your current home directory: "/Users/YOURNAME"
cd .aws
rm -rf config
rm -rf credentials
After you do this, go back to your home directory, then run:
"aws configure".
Enter your Key and secret key.
You can find more details here: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration under Quickly Configuring the AWS CLI

Running AWS CLI commands as ec2-user

I'm trying to use the AWS CLI for the first time, and I am doing it through PuTTY by SSHing to the EC2 instance.
I want to run a command like "aws ec2 authorize-security-group-ingress [options]"
But I get the following error: "A client error (UnauthorizedOperation) occurred when calling the AuthorizeSecurityGroupIngress operation: You are not authorized to perform this operation."
I believe that this is related to IAM user credentials. I have found out where to create IAM users, however I still don't understand how this helps me to execute this command when I'm logged into the server as ec2-user or root, or run the command through CRON.
I have done a fair amount of reading regarding the access controls on AWS in their documentation, but I seem to be missing something.
How can I allow the command to be executed from within the AWS instance?
The missing information I was looking for is the command: aws configure
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

How to use multiple AWS accounts from the command line?

I've got two different apps that I am hosting (well the second one is about to go up) on Amazon EC2.
How can I work with both accounts at the command line (Mac OS X) but keep the EC2 keys & certificates separate? Do I need to change my environment variables before each ec2-* command?
Would using an alias and having it to the setting of the environment in-line work? Something like: alias ec2-describe-instances1 = export EC2_PRIVATE_KEY=/path; ec2-describe-instances
You can work with two accounts by creating two profiles on the aws command line.
It will prompt you for your AWS Access Key ID, AWS Secret Access Key and desired region, so have them ready.
Examples:
$ aws configure --profile account1
$ aws configure --profile account2
You can then switch between the accounts by passing the profile on the command.
$ aws dynamodb list-tables --profile account1
$ aws s3 ls --profile account2
Note:
If you name the profile default, it becomes the default profile, i.e. the one used when there is no --profile parameter in the command.
More on default profile
If you spend more time using account1, you can make it the default by setting the AWS_DEFAULT_PROFILE environment variable. When the default environment variable is set, you do not need to specify the profile on each command.
Linux, OS X Example:
$ export AWS_DEFAULT_PROFILE=account1
$ aws dynamodb list-tables
Windows Example:
$ set AWS_DEFAULT_PROFILE=account1
$ aws s3 ls
How to set "manually" multiple AWS accounts ?
1) Get access - key
AWS Console > Identity and Access Management (IAM) > Your Security Credentials > Access Keys
2) Set access - file and content
~/.aws/credentials
[default]
aws_access_key_id={{aws_access_key_id}}
aws_secret_access_key={{aws_secret_access_key}}
[{{profile_name}}]
aws_access_key_id={{aws_access_key_id}}
aws_secret_access_key={{aws_secret_access_key}}
3) Set profile - file and content
~/.aws/config
[default]
region={{region}}
output={{output:"json||text"}}
[profile {{profile_name}}]
region={{region}}
output={{output:"json||text"}}
4) Run - file with params
Install the command-line app and use the AWS Command Line, for example for the AWS EC2 product
aws ec2 describe-instances    # uses [default]
aws ec2 describe-instances --profile {{profile_name}}    # uses [{{profile_name}}]
Ref
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
IMHO, the easiest way is to edit .aws/credentials and .aws/config files manually.
It's easy and it works for Linux, Mac and Windows. Just read this for more detail (1 minute read).
.aws/credentials file:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
.aws/config file:
[default]
region=us-west-2
output=json
# 'profile' goes in front of the profile name (not for default)!!
[profile user1]
region=us-east-1
output=text
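The following Python audit of the two files described in these answers is an added example, not part of any answer on this page and not AWS tooling. It flags config sections missing the 'profile ' prefix, profiles with no region in the config file (the "You must specify a region" case), and long-term keys (AKIA prefix) kept in the plain-text credentials file; the function name, the user2 profile and the sample contents are constructed.

```python
import configparser

# Constructed sample files (AWS documentation example keys, not real credentials).
CREDENTIALS = """\
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
[user2]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
"""
CONFIG = """\
[default]
output=json
[profile user1]
region=us-east-1
[user2]
region=eu-west-1
"""

def _parse(text):
    # Raw parser: no '%' interpolation, so secret values are read verbatim.
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return parser

def audit_profiles(credentials_text, config_text):
    """Return {profile: [findings]} for every profile seen in either file."""
    creds, conf = _parse(credentials_text), _parse(config_text)
    conf_by_name, findings = {}, {}
    # In config, named profiles are "[profile NAME]"; only default is bare.
    for section in conf.sections():
        if section == "default":
            conf_by_name["default"] = conf[section]
        elif section.startswith("profile "):
            conf_by_name[section[len("profile "):].strip()] = conf[section]
        else:
            findings.setdefault(section, []).append("config section lacks 'profile ' prefix")
    for name in sorted(set(creds.sections()) | set(conf_by_name)):
        notes = findings.setdefault(name, [])
        keys = creds[name] if creds.has_section(name) else {}
        if keys and not (keys.get("aws_access_key_id") and keys.get("aws_secret_access_key")):
            notes.append("incomplete key pair")
        if keys.get("aws_access_key_id", "").startswith("AKIA"):
            notes.append("long-term access key stored in plain text")
        # Only the config file is checked; --region or an environment variable can still supply one.
        if not conf_by_name.get(name, {}).get("region"):
            notes.append("no region configured")
    return findings

if __name__ == "__main__":
    for profile, notes in audit_profiles(CREDENTIALS, CONFIG).items():
        print(profile, notes)
```

To audit real files, pass the contents of ~/.aws/credentials and ~/.aws/config instead of the constructed strings.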
You should be able to use the following command-options in lieu of the EC2_PRIVATE_KEY (and even EC2_CERT) environment variables:
-K <private key>
-C <certificate>
You can put these inside aliases, e.g.
alias ec2-describe-instances1 ec2-describe-instances -K /path/to/key.pem
Create or edit this file:
vim ~/.aws/credentials
List as many key pairs as you like:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Set a local variable to select the pair of keys you want to use:
export AWS_PROFILE=user1
Do what you like:
aws s3api list-buckets # any aws cli command now using user1 pair of keys
You can also do it command by command by including --profile user1 with each command:
aws s3api list-buckets --profile user1
# any aws cli command now using user1 pair of keys
More details: Named profiles for the AWS CLI
The new aws tools now support multiple profiles.
If you configure access with the tools, it automatically creates a default in ~/.aws/config.
You can then add additional profiles - more details at: Getting started with the AWS CLI
I created a simple tool, aaws, to switch between AWS accounts.
It works by setting the AWS_DEFAULT_PROFILE in your shell. Just make sure you have some entries in your ~/.aws/credentials file and it will easily switch between multiple accounts.
/tmp
$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
/tmp
$ aaws luk3
[luk3] 🔐 /tmp
$ aws s3 ls
2013-11-05 21:40:04 luk3thomas.com
I wrote a toolkit to switch default AWS profile.
The mechanism is physically moving the profile key to the default section in config and credentials files.
The better solution today should be one of the following ways:
Use aws command option --profile.
Use environment variable AWS_PROFILE.
I don't remember why I didn't use the --profile solution; maybe I had not realized it existed.
However the toolkit can still be useful by doing other things. I'll add a soft switch flag by using the way of AWS_PROFILE in the future.
$ xsh list aws/cfg
[functions] aws/cfg/move
[functions] aws/cfg/set
[functions] aws/cfg/activate
[functions] aws/cfg/get
[functions] aws/cfg/delete
[functions] aws/cfg/list
[functions] aws/cfg/copy
Repo: https://github.com/xsh-lib/aws
Install:
curl -s https://raw.githubusercontent.com/alexzhangs/xsh/master/boot | bash && . ~/.xshrc
xsh load xsh-lib/aws
Usage:
xsh aws/cfg/list
xsh aws/cfg/activate <profilename>
You can write shell script to set corresponding values of environment variables for each account based on user input. Doing so, you don't need to create any aliases and, furthermore, tools like ELB tools, Auto Scaling Command Line Tools will work under multiple accounts as well.
To use an IAM role, you have to make an API call to STS:AssumeRole, which will return a temporary access key ID, secret key, and security token that can then be used to sign future API calls. Formerly, to achieve secure cross-account, role-based access from the AWS Command Line Interface (CLI), an explicit call to STS:AssumeRole was required, and your long-term credentials were used. The resulting temporary credentials were captured and stored in your profile, and that profile was used for subsequent AWS API calls. This process had to be repeated when the temporary credentials expired (after 1 hour, by default).
More details: How to Use a Single IAM User to Easily Access All Your Accounts by Using the AWS CLI