I'm attempting to use the AWS CLI tool to upload a file to Amazon Glacier. I installed awscli using pip:
sudo pip install awscli
I created a new AWS IAM group example with AmazonGlacierFullAccess permissions.
I created a new AWS IAM user example and added the user to the example group. I also created a new access key for the user.
I created a new AWS Glacier Vault example and edited the policy document to allow the example user to allow actions glacier:* with no conditions.
I then ran aws configure and added the "Access Key ID" and "Secret Access Key" as well as the default region.
When I run:
aws glacier list-vaults
I get the error:
aws: error: argument --account-id is required
If I add the account ID:
aws --account-id=[example user account ID] glacier list-vaults
I get this error:
A client error (UnrecognizedClientException) occurred when calling the ListVaults operation: No account found for the given parameters
I figured I might have gotten something in the group assignment wrong, so I added the AdministratorAccess policy directly to the example user. Now I can run commands such as aws s3 ls, but I still cannot aws glacier list-vaults without getting the aws: error: argument --account-id is required error.
Have I missed something in my AWS configuration? How can I further troubleshoot this issue?
Looks like for AWS Glacier you need the account ID List Vaults (GET vaults)
You can get your account id (12 digits) from Support page - Top right on your AWS dashboard.
Related
I am trying to register a respository on AWS S3 to store ElasticSearch snapshots.
I am following guide and ran the very first command listed in the doc.
But I am getting the error Access Denied while executing that command.
The role that is being used to perform operations on S3 is the AmazonEKSNodeRole.
I have assigned the appropriate permissions to the role to perform operations on the S3 bucket.
Also, here is another doc which suggests to use kibana for ElasticSearch version > 7.2 but I am doing the same via cURL requests.
Below is trust Policy of the role through which I am making the request to register repository in the S3 bucket.
Also, below are the screenshots of the permissions of the trusting and trusted accounts respectively -
I've been trying to access a project in AWS devicefarm using AWS CLI.
Steps taken:
Downloaded the AWS CLI tool
Configured my credentials according to: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html using aws configure command
executed aws devicefarm list-uploads --arn myProjectArn
and what i get is this error:
An error occurred (AccessDeniedException) when calling the ListUploads operation:
User: arn:aws:iam::replacingANumber:user/myUserName is not authorized to perform: devicefarm:ListUploads
on resource:
arn:aws:devicefarm:us-west-2:replacingANumber:project:replacingALongString with an explicit deny
The docs:https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting_iam.html say i'm missing permissions, but devOps team in my company says i have all the permissions.
What am I missing?
Either misconfigured AWS CLI or insufficient permissions.
This can be 2 things:
Your AWS CLI is misconfigured. Make sure that when you run aws sts get-caller-identity, you get the same role as the one that the devops team claims to have the correct permission. Also, make sure that your default region is us-west-2.
If the above is correctly setup, then it comes from the permissions defined in the IAM policy. If you are able to view the policy associated with your user/role, you can check out the policy simulator to figure out which permission is missing.
Stupidly enough, I did delete by mistake my default AWS IAM user!
I used it for example do aws s3 sync...
Now the error I get is:
$ aws s3 sync build/ s3://mybucket.mydomain.com
fatal error: An error occurred (InvalidAccessKeyId) when calling the ListObjects operation: The AWS Access Key Id you provided does not exist in our records.
Is there a way to recover?
I think I need instructions how to create a new user with the sufficient roles to enable my local aws cli to be able to do aws s3 sync ...
UPDATE: I did just create a new user on my AWS console, and added a policy (to start with) to list my bucket. The problem is I don't know how to attach my aws cli to that new user... :-(
If you are the only person using this AWS Account, then add the AdministratorAccess Policy to your IAM User. That will grant complete access.
Then, in the Security credentials tab of the IAM User click Create access key. Copy the Access Key and Secret Access Key.
On the command line, run aws configure and provide those keys to configure the user.
Test with: aws s3 ls
I need to activate transfert accelerate on one of my buckets in S3, but I can't because of account limitation.
I've tried so far:
creating a user with IAM, gave him AdministratorAccess, create a bucket, enable transfer accelerate, got this (via the CLI):
An error occurred (AccessDenied) when calling the PutBucketAccelerateConfiguration operation: Access Denied
same thing via the console, same error.
same thing with the root account ( I guess with the root account I have all the permissions ).
still relevant?
if so, from the official docs:
Add a named profile for the administrator user in the AWS CLI config file. You use this profile when executing the AWS CLI commands.
[adminuser]
aws_access_key_id = adminuser access key ID
aws_secret_access_key = adminuser secret access key
region = aws-region
does this work for you?
aws s3 ls --profile adminuser
In the logstash configuration file, I gave the following input plugin.
input{
s3{
bucket => 'bucket_name'
region => 'eu-west-1'
}
}
When I started logstash, it threw an error asking for AWS credentials. But I cannot provide AWS access_key_id and secret_key. I found that with IAM roles on EC2 instances, we shouldn't have to provide AWS credentials explicitly for an application that make those requests. I tried to understand how to configure IAM roles from a logstash Github issue, but failed. Please suggest how I should configure logstash file so that I can get data from S3 without providing AWS credentials explicitly.
When you are creating the EC2 instance, you may assign it an IAM role. If you don't give it a role when you create it, you cannot ever give it a role. You can modify the properties of a role (e.g. give the role more or less access) but you cannot change what role an instance has after the instance has been created.
The easiest way to test if an instance has the credentials you need is with the command-line tools:
$ echo $AWS_ACCESS_KEY_ID
$
That shows that we don't have the environment variable set, so if we're getting credentials, they must be instance creds.
$ aws --region=eu-west-1 s3 ls my.bucket
PRE some-directory/
PRE another-dir/
2015-11-05 18:03:53 464 little-file
2014-10-28 15:32:13 19740 bigger-file.html
$
I was able to list the bucket contents, so the EC2 instance where I'm running this command must have an IAM role that allows it to list this bucket contents!