Using AWS CLI - Bad Credential Error

I am attempting to set up some custom CloudWatch metrics using mon-put-data from within my AWS EC2 instance. According to the documentation I am using it correctly.
mon-put-data --namespace Layer --metric-name ResponseTime --dimensions "app=AppName" --value 2
However, when I run it I get the following error:
mon-put-data: Malformed input-Bad credentials in file: /user/.aws/credentials [keyId: null | secretKey null]
The format of the credentials file is below; it was auto-generated using aws configure:
[default]
aws_access_key_id = KJHJKHJKHJKHJKHJKHJK
aws_secret_access_key = KHKJJKHJKHJKHJH123123kjhjkhjk12312
I have also confirmed that the AWS_CREDENTIAL_FILE path exists and is correct. Also, I have confirmed that the IAM User has full access to CloudWatch and EC2.
Can someone please tell me what I am doing wrong?

I managed to get it working with the addition of the -I and -S options. Not really ideal to have the credentials inline, but it works for now.
mon-put-data -I <Key ID> -S <Secret Key> --namespace Layer --metric-name ResponseTime --dimensions "app=AppName" --value 2
Obviously the mon-put-data command uses a credential file that has a different format to the one created by AWS CLI. Unfortunately there is nothing in the documentation to define it and I can't find the code to debug it.

I originally misread your question and thought you were using the actual AWS CLI tool, which uses the INI-style format like you posted:
[default]
aws_access_key_id = KJHJKHJKHJKHJKHJKHJK
aws_secret_access_key = KHKJJKHJKHJKHJH123123kjhjkhjk12312
However, when you use mon-put-data, it doesn't follow any of the configuration or options from the CLI.
For the service-specific CLIs (like CloudWatch tools), you have to set up the tool as detailed on this page.
You have to generate a file of this format:
AWSAccessKeyId=<Write your AWS access ID>
AWSSecretKey=<Write your AWS secret key>
Then you have to pass --aws-credential-file as your argument, or set the environment variable AWS_CREDENTIAL_FILE.
If you were using the standard all-in-one AWS CLI, you could do the exact same thing as mon-put-data by using aws.cloudwatch.put-metric-data.
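The format difference described in this answer can be bridged without putting keys on the command line. The following is an added example, not code from the question, the answers, or AWS; the function names `ini_get` and `aws_ini_to_legacy` are hypothetical, and the sample keys are constructed.

```shell
#!/bin/sh
# Added example: copy one profile from an AWS CLI credentials file (INI) into
# the AWSAccessKeyId=/AWSSecretKey= file that mon-put-data expects.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION]
ini_get() {
  awk -v want="[$2]" -v key="$3" '
    { sub(/\r$/, "") }                               # tolerate CRLF files
    /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); in_sec = ($0 == want); next }
    in_sec {
      eq = index($0, "="); if (!eq) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# aws_ini_to_legacy INI_FILE PROFILE OUT_FILE
aws_ini_to_legacy() {
  key_id=$(ini_get "$1" "$2" aws_access_key_id)
  secret=$(ini_get "$1" "$2" aws_secret_access_key)
  if [ -z "$key_id" ] || [ -z "$secret" ]; then
    # Same symptom as the "keyId: null | secretKey null" error, caught early.
    echo "profile [$2] in $1 has no key id or secret" >&2
    return 1
  fi
  old_umask=$(umask); umask 077          # new file: owner read/write only
  printf 'AWSAccessKeyId=%s\nAWSSecretKey=%s\n' "$key_id" "$secret" > "$3"
  umask "$old_umask"
  chmod 600 "$3"                         # also tighten a pre-existing file
}

# Demo on a constructed file with fake keys (not a real credentials file).
demo=$(mktemp -d)
printf '[default]\naws_access_key_id = AKIAEXAMPLEDEFAULT00\n' > "$demo/credentials"
printf 'aws_secret_access_key = constructedSecret/EXAMPLE\n' >> "$demo/credentials"
# Show only the key names that were written, never the values.
aws_ini_to_legacy "$demo/credentials" default "$demo/legacy" && cut -d= -f1 "$demo/legacy"
rm -rf "$demo"
```

Point AWS_CREDENTIAL_FILE (or --aws-credential-file) at the generated file.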

Related

How can I switch AWS credentials easily in the terminal?

I have a few different projects I work on. I use AWS and I use Kubernetes. I have a number of AWS credentials stored in my ~/.aws/credentials each with a label like
[account-1]
aws_access_key_id = x
aws_secret_access_key = y
[account-2]
aws_access_key_id = x
aws_secret_access_key = y
How can I toggle between them and easily set my config?
Currently I type aws configure in the terminal and manually paste the key/secret/region every time I want to switch between them.
Every time you run the aws configure command, a new profile will be created in ~/.aws/credentials. You can generate all the required profiles a single time and then set the environment variable based on the project you're working on.
For example,
while working on project 1, set the environment variable
export AWS_PROFILE=account-1
and while working on project 2, set the environment variable
export AWS_PROFILE=account-2
If you are using zsh and oh-my-zsh with the aws plugin, you have the asp command.
asp account-1
and if your theme is set up nicely, your commandline prompt will tell you what account you're in.
In addition to @Gunjan's answer, you can also pass the profile name like this:
$ aws ecr get-login-password --region us-east-1 --profile account-1
If you want to connect to multiple eks clusters
$ aws eks --region us-east-1 update-kubeconfig --name account-1-eks --region eu-west-1 --profile account-1
You need to have proper IAM permissions to run this command
This command will generate a kube config file in ~/.kube
Move that file to another location and add an alias in your bash_profile or .zshrc like this line:
alias account-1-eks='export KUBECONFIG=:/path/to/the/account-1-eks.config'
Now reload your shell and you can switch using the alias like account-1-eks
You can repeat the steps for multiple accounts

Setting up AWS credentials

I am having problems configuring my AWS credentials on Serverless using my terminal. Once I place:
serverless config credentials --provider aws --key xx --secret xxx --profile serverless-admin2
After that the system responds "setting up aws..." and doesn't do anything else. Am I doing something wrong?
The command only creates a new entry in your ~/.aws/credentials file. Thus, to check if it worked, inspect ~/.aws/credentials and see if the [serverless-admin2] profile was created with your AWS keys.
If not, you can add the profile yourself there.

Aws configure is not saving configuration data in credentials and config files on windows 10

I am trying to configure AWS CONFIGURE via AWS CLI on my laptop having Windows 10 professional. This is not the first time I am configuring AWS CONFIGURE. I already have many profiles settings.
I have enough free system memory and storage and have sufficient rights to run aws configure. I am using Python 3.6
Here is the detail of how I am trying to set up AWS CONFIGURE.
When I run this command again, it asks all the values again.
Even if I run an AWS CLI command using this new profile; to create a lambda function ( aws lambda create-function xxxxxxxxx --profile lambdaprofile ).
It gives below error.
The config profile (lambdaprofile) could not be found.
Please help me.
Sometimes this issue happens and AWS CLI is unable to set a new profile and settings in the config file.
Here is a fix for this issue.
Run the command below from the Windows console.
notepad %USERPROFILE%\.aws\credentials
You will see the last line of the credentials file with an overlapping line.
E.g., in your particular case, it would look like below.
region = us-east-1[lambdaprofile]
aws_access_key_id = AKIAIGCOZJBAKIAIGCOZJB
aws_secret_access_key = gHZWwhUxRLtwQRUknGgHZWwhUxRLtwQRUknG
region = us-east-1
A similar issue would be in the config file, which can be checked by opening this file.
notepad %USERPROFILE%\.aws\config
To fix this issue, move [lambdaprofile] to a new line, preferably adding another empty line before [lambdaprofile]. It should look like below.
region = us-east-1
[lambdaprofile]
aws_access_key_id = AKIAIGCOZJBAKIAIGCOZJB
aws_secret_access_key = gHZWwhUxRLtwQRUknGgHZWwhUxRLtwQRUknG
region = us-east-1
Also do the same fix in the config file. After fixing it, if you run aws configure --profile lambdaprofile, it should show the previously saved values in the credentials and config files.
You may also check whether the values are saved with the command below.
aws configure list --profile lambdaprofile
As an alternative to the fix described above, you can also set a new profile directly with AWS CONFIGURE SET,
e.g. in your particular case:
aws configure --profile lambdaprofile set aws_access_key_id AKIAIGCOZJBAKIAIGCOZJB
aws configure --profile lambdaprofile set aws_secret_access_key gHZWwhUxRLtwQRUknGgHZWwhUxRLtwQRUknG
aws configure --profile lambdaprofile set region us-east-1
or
aws configure set profile.lambdaprofile.aws_access_key_id AKIAIGCOZJBAKIAIGCOZJB
aws configure set profile.lambdaprofile.aws_secret_access_key gHZWwhUxRLtwQRUknGgHZWwhUxRLtwQRUknG
aws configure set profile.lambdaprofile.region us-east-1

Error "You must specify a region" when running any aws CLI command

I am trying to use aws container service as per the documentation in http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_GetStarted.html
The below error is thrown when running the command:
aws ecs list-container-instances --cluster default
You must specify a region. You can also configure your region by running "aws configure".
The documentation does not mention anything about specifying a default region. How do we do it in a console?
I think you need to use for example:
aws ecs list-container-instances --cluster default --region us-east-1
This depends on your region of course.
"You must specify a region" is not an ECS-specific error; it can happen with any AWS API/CLI/SDK command.
For the CLI, either set the AWS_DEFAULT_REGION environment variable, e.g.
export AWS_DEFAULT_REGION=us-east-1
or add it into the command (you will need this every time you use a region-specific command)
AWS_DEFAULT_REGION=us-east-1 aws ecs list-container-instances --cluster default
or set it in the CLI configuration file: ~/.aws/config
[default]
region=us-east-1
or pass/override it with the CLI call:
aws ecs list-container-instances --cluster default --region us-east-1
#1- Run this to configure the region once and for all:
aws configure set region us-east-1 --profile admin
Change admin next to the profile if it's different.
Change us-east-1 if your region is different.
#2- Run your command again:
aws ecs list-container-instances --cluster default
If you have configured all that is needed in .aws/config and .aws/credentials but still have this error, double-check the names in square brackets.
It should be [profile myLovelyAccName] in config and [myLovelyAccName] in credentials.
Two points to note:
the word "profile" and one space after - in the config file only
no typos in the acc name!
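Two of the file problems described in the answers above, a section header run onto the end of the previous line and `[name]` versus `[profile name]` used in the wrong file, can be checked mechanically. This is an added example, not part of any answer or of the AWS CLI; the function names `glued_headers` and `misnamed_sections` are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example: lint ~/.aws/config and ~/.aws/credentials for two mistakes.

# glued_headers FILE: line numbers where a [section] header follows other text
# on the same line, e.g. "region = us-east-1[lambdaprofile]".
glued_headers() {
  awk '
    { sub(/[ \t\r]+$/, "") }
    /^[ \t]*[#;]/ { next }                              # skip comments
    { p = index($0, "[")
      if (p > 1 && substr($0, 1, p - 1) ~ /[^ \t]/ && substr($0, length($0)) == "]")
        print FNR }' "$1"
}

# misnamed_sections FILE KIND: section names that break the naming rule.
#   KIND=config       non-default sections need the "profile " prefix
#   KIND=credentials  sections must NOT carry the "profile " prefix
misnamed_sections() {
  awk -v kind="$2" '
    { sub(/[ \t\r]+$/, ""); sub(/^[ \t]+/, "") }
    /^\[.*\]$/ {
      name = substr($0, 2, length($0) - 2)
      if (name == "default") next
      prefixed = (name ~ /^profile[ \t]+/)
      other = (name ~ /^(sso-session|services)[ \t]+/)  # other valid config sections
      if (kind == "config" && !prefixed && !other) print name
      if (kind == "credentials" && prefixed) print name
    }' "$1"
}

# Demo on a constructed config file (not a real one).
demo=$(mktemp -d)
printf '[default]\nregion = us-east-1[lambdaprofile]\nregion = us-east-1\n' > "$demo/config"
printf '[myLovelyAccName]\nregion = eu-west-1\n' >> "$demo/config"
echo "glued header on line: $(glued_headers "$demo/config")"
echo "missing 'profile ' prefix: $(misnamed_sections "$demo/config" config)"
rm -rf "$demo"
```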
Just to add to the answers by Mr. Dimitrov and Jason: if you are using a specific profile and you have put your region setting there, then for all the requests you need to add the "--profile" option.
For example:
Let's say you have an AWS Playground profile, and the ~/.aws/config has [profile playground], which further has something like:
[profile playground]
region=us-east-1
then, use something like below
aws ecs list-container-instances --cluster default --profile playground
I posted too soon; however, the ways to configure are given in the link below
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
and the way to get access keys is given in the link below
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-set-up.html#cli-signup

How to use multiple AWS accounts from the command line?

I've got two different apps that I am hosting (well the second one is about to go up) on Amazon EC2.
How can I work with both accounts at the command line (Mac OS X) but keep the EC2 keys & certificates separate? Do I need to change my environment variables before each ec2-* command?
Would using an alias and having it to the setting of the environment in-line work? Something like: alias ec2-describe-instances1 = export EC2_PRIVATE_KEY=/path; ec2-describe-instances
You can work with two accounts by creating two profiles on the aws command line.
It will prompt you for your AWS Access Key ID, AWS Secret Access Key and desired region, so have them ready.
Examples:
$ aws configure --profile account1
$ aws configure --profile account2
You can then switch between the accounts by passing the profile on the command.
$ aws dynamodb list-tables --profile account1
$ aws s3 ls --profile account2
Note:
If you name the profile default, it will become the default profile, i.e. the one used when there is no --profile param in the command.
More on default profile
If you spend more time using account1, you can make it the default by setting the AWS_DEFAULT_PROFILE environment variable. When the default environment variable is set, you do not need to specify the profile on each command.
Linux, OS X Example:
$ export AWS_DEFAULT_PROFILE=account1
$ aws dynamodb list-tables
Windows Example:
$ set AWS_DEFAULT_PROFILE=account1
$ aws s3 ls
How to set "manually" multiple AWS accounts ?
1) Get access - key
AWS Console > Identity and Access Management (IAM) > Your Security Credentials > Access Keys
2) Set access - file and content
~/.aws/credentials
[default]
aws_access_key_id={{aws_access_key_id}}
aws_secret_access_key={{aws_secret_access_key}}
[{{profile_name}}]
aws_access_key_id={{aws_access_key_id}}
aws_secret_access_key={{aws_secret_access_key}}
3) Set profile - file and content
~/.aws/config
[default]
region={{region}}
output={{output:"json||text"}}
[profile {{profile_name}}]
region={{region}}
output={{output:"json||text"}}
4) Run - file with params
Install the command-line app and use the AWS command line, for example for AWS EC2:
aws ec2 describe-instances                              # uses [default]
aws ec2 describe-instances --profile {{profile_name}}   # uses [{{profile_name}}]
Ref
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
IMHO, the easiest way is to edit .aws/credentials and .aws/config files manually.
It's easy and it works for Linux, Mac and Windows. Just read this for more detail (1 minute read).
.aws/credentials file:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
.aws/config file:
[default]
region=us-west-2
output=json
# 'profile' in front of 'profile_name' (not for default)!!
[profile user1]
region=us-east-1
output=text
You should be able to use the following command-options in lieu of the EC2_PRIVATE_KEY (and even EC2_CERT) environment variables:
-K <private key>
-C <certificate>
You can put these inside aliases, e.g.
alias ec2-describe-instances1 ec2-describe-instances -K /path/to/key.pem
Create or edit this file:
vim ~/.aws/credentials
List as many key pairs as you like:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Set a local variable to select the pair of keys you want to use:
export AWS_PROFILE=user1
Do what you like:
aws s3api list-buckets # any aws cli command now using user1 pair of keys
You can also do it command by command by including --profile user1 with each command:
aws s3api list-buckets --profile user1
# any aws cli command now using user1 pair of keys
More details: Named profiles for the AWS CLI
The new aws tools now support multiple profiles.
If you configure access with the tools, it automatically creates a default in ~/.aws/config.
You can then add additional profiles - more details at: Getting started with the AWS CLI
I created a simple tool, aaws, to switch between AWS accounts.
It works by setting the AWS_DEFAULT_PROFILE in your shell. Just make sure you have some entries in your ~/.aws/credentials file and it will easily switch between multiple accounts.
/tmp
$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
/tmp
$ aaws luk3
[luk3] 🔐 /tmp
$ aws s3 ls
2013-11-05 21:40:04 luk3thomas.com
I wrote a toolkit to switch default AWS profile.
The mechanism is physically moving the profile key to the default section in config and credentials files.
The better solution today should be one of the following ways:
Use aws command option --profile.
Use environment variable AWS_PROFILE.
I don't remember why I didn't use the solution of --profile; maybe I did not realize its existence.
However the toolkit can still be useful by doing other things. I'll add a soft switch flag by using the way of AWS_PROFILE in the future.
$ xsh list aws/cfg
[functions] aws/cfg/move
[functions] aws/cfg/set
[functions] aws/cfg/activate
[functions] aws/cfg/get
[functions] aws/cfg/delete
[functions] aws/cfg/list
[functions] aws/cfg/copy
Repo: https://github.com/xsh-lib/aws
Install:
curl -s https://raw.githubusercontent.com/alexzhangs/xsh/master/boot | bash && . ~/.xshrc
xsh load xsh-lib/aws
Usage:
xsh aws/cfg/list
xsh aws/cfg/activate <profilename>
You can write a shell script to set corresponding values of environment variables for each account based on user input. Doing so, you don't need to create any aliases and, furthermore, tools like ELB tools and Auto Scaling Command Line Tools will work under multiple accounts as well.
To use an IAM role, you have to make an API call to STS:AssumeRole, which will return a temporary access key ID, secret key, and security token that can then be used to sign future API calls. Formerly, to achieve secure cross-account, role-based access from the AWS Command Line Interface (CLI), an explicit call to STS:AssumeRole was required, and your long-term credentials were used. The resulting temporary credentials were captured and stored in your profile, and that profile was used for subsequent AWS API calls. This process had to be repeated when the temporary credentials expired (after 1 hour, by default).
More details: How to Use a Single IAM User to Easily Access All Your Accounts by Using the AWS CLI