I'm very new to Jenkins. I installed the S3 plugin. I wish to use AWS IAM S3 roles to make the plugin work.
However, I can't find any way to configure IAM roles within this plugin. I can see only setting up the access key and secret key.
Has anyone used IAM roles with this plugin?
Kindly help.
Thanks in advance.
IAM roles are assigned to EC2 instances at launch. There's nothing else to configure, thus your S3 plugin should just automatically work. This is dependent on the plugin supporting IAM roles, which it looks like it does according to your link. You will have to assign the correct bucket policy, though, using the instructions also found at the link.
Related
Kind of a newbie still with AWS IAM. Is there a way to find all of the available Roles in a given account that have a specific Policy attached? i.e. if you only know the Policy, and you don't know the roles it's attached to, how do you find all of the roles that a given policy is attached to?
If you're using API/CLI, you can make use of the ListEntitiesForPolicy call. A CLI command that you could run would be:
$ aws iam list-entities-for-policy --policy-arn <arn_of_policy> --entity-filter Role
Go to Identity and Access Management (IAM) -> Policies -> Choose a specific policy. The info you are looking for is under the Policy usage tab.
I'm trying to get manual snapshots set up for my AWS Elasticsearch cluster. I'm not sure how to set up the correct IAM permissions on the S3 bucket though because there is already a service-role created and I'm unable to add additional policies.
What am I supposed to do here?
Thanks!
I was able to resolve this by creating a second IAM role using the CLI (it doesn't seem to be an option through the GUI).
I have an AWS root account and I created an IAM user with the Administrator policy attached. The problem is that when I make some operations like aws ec2 create-key-pair in the aws-cli, I get an UnauthorizedOperation error. But if I sign into the management console using the same IAM user, I can create a key pair with no problem.
I double-checked that my access key ID and secret access key are right. I even re-created these and configured them in aws-cli to make sure I am using that user account with admin permissions. None of these worked.
Is there any setting I'm not aware of that enables aws-cli access permissions?
=============== below is latest update ================
I checked my user info with aws sts get-caller-identity, and it shows my company's account ID. I tried running aws configure again, followed by aws sts get-caller-identity, and it still shows that I'm using my company's account. How do I switch user from the CLI?
In case this helps anyone, the issue for me was that my AWS account used MFA. I never considered you'd have to do this on the command-line too. Here is a guide from Amazon on the subject:
How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?
This is an incredibly big pothole to step into... but there is an order of precedence for where the AWS CLI looks for credentials.
IAM credentials not found on AWS CLI
The answer to the question here explains it thoroughly.
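The precedence mentioned in this answer can be made concrete with a small diagnostic. The following is an added example, not code from the original posts or from the AWS CLI: a simplified model of the lookup order (environment variables, then the shared credentials file, then the config file, then container and instance roles) that reports which source wins. The function name and the sample keys are assumptions made for illustration; `--profile`, assume-role, SSO and `credential_process` are not modelled.

```python
import configparser

def resolve_credential_source(env, credentials_ini="", config_ini=""):
    """Return (source, access_key_id or None) for the first source that matches.

    Hypothetical helper: a simplified model of the AWS CLI lookup order.
    """
    # 1. Environment variables beat every file, including what `aws configure` wrote.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return ("environment", env["AWS_ACCESS_KEY_ID"])

    profile = env.get("AWS_PROFILE", "default")

    # 2. Shared credentials file (~/.aws/credentials): section is the bare profile name.
    creds = configparser.ConfigParser()
    creds.read_string(credentials_ini)
    if creds.has_section(profile) and creds.has_option(profile, "aws_access_key_id"):
        return ("credentials-file[%s]" % profile, creds.get(profile, "aws_access_key_id"))

    # 3. Config file (~/.aws/config): non-default profiles use "profile <name>" sections.
    conf = configparser.ConfigParser()
    conf.read_string(config_ini)
    section = "default" if profile == "default" else "profile " + profile
    if conf.has_section(section) and conf.has_option(section, "aws_access_key_id"):
        return ("config-file[%s]" % section, conf.get(section, "aws_access_key_id"))

    # 4. Container (ECS task) role, then 5. the EC2 instance profile, if any.
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"):
        return ("container-role", None)
    return ("instance-profile-or-none", None)

# Constructed sample input: placeholder key IDs, not real credentials.
SAMPLE_CREDENTIALS = (
    "[default]\n"
    "aws_access_key_id = AKIAPERSONALEXAMPLE\n"
    "aws_secret_access_key = placeholder\n"
)
SAMPLE_ENV = {"AWS_ACCESS_KEY_ID": "AKIACOMPANYEXAMPLE",
              "AWS_SECRET_ACCESS_KEY": "placeholder"}

if __name__ == "__main__":
    # Stale exported variables shadow the freshly configured [default] profile.
    print(resolve_credential_source(SAMPLE_ENV, SAMPLE_CREDENTIALS))
    print(resolve_credential_source({}, SAMPLE_CREDENTIALS))
```

When `aws sts get-caller-identity` reports an unexpected account, checking the environment for exported `AWS_*` variables before editing the files follows the same order.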
I'm new to programming. I need to figure out how I can create AWS users, roles and policies programmatically using code.
The task I'm after:
Create a User, Role and Policy
Assign Policy to the Role
Assign Role to the User
Set condition on the Role, that only Users with MFA can assume that Role
Configs should live in an S3 bucket
Configure a Lambda to check the user's role membership and output the result to an S3 bucket.
Just trying to figure out where I should start from. I have very limited programming experience (can do a bit of PHP).
I have an AWS account, created a user and gave him 'AdministratorAccess', and also have user keys for CLI access.
Should I be using 1) AWS CLI 2) PowerShell 3) AWS SDKs 4) AWS API?
Appreciate any help/direction to achieve the above.
Thanks
S
To programmatically create IAM Roles you can use the AWS PHP SDK. Refer to the IAM Create User section in the SDK API reference for more details.
Aside from using language-specific AWS SDKs such as suggested by @Ashan, you can do so by using the AWS REST API with the following example request:
https://iam.amazonaws.com/?Action=CreateUser
&Path=/division_abc/subdivision_xyz/
&UserName=Bob
&Version=2010-05-08
&AUTHPARAMS
Source - CreateUser
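For the MFA requirement in the question's task list, the role's trust policy is where the condition lives. The following is an added example, not code from the original posts: it audits a trust policy for `sts:AssumeRole` grants that do not strictly require `aws:MultiFactorAuthPresent`. The function name, the Sids and the account ID 111122223333 are constructed for illustration.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def statements_missing_mfa(trust_policy):
    """Return Sids (or indexes) of Allow statements granting sts:AssumeRole
    without a strict Bool aws:MultiFactorAuthPresent == "true" condition."""
    weak = []
    for index, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        # Only plain Bool counts. BoolIfExists evaluates to true when the key is
        # absent, and long-term access keys never carry the MFA key at all.
        bool_block = stmt.get("Condition", {}).get("Bool", {})
        keys = {k.lower(): v for k, v in bool_block.items()}
        values = _as_list(keys.get("aws:multifactorauthpresent", []))
        if not values or any(str(v).lower() != "true" for v in values):
            weak.append(stmt.get("Sid", index))
    return weak

def _stmt(sid, condition=None):
    # Builds one constructed trust-policy statement for the sample below.
    stmt = {"Sid": sid, "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
            "Action": "sts:AssumeRole"}
    if condition is not None:
        stmt["Condition"] = condition
    return stmt

# Constructed sample: one strict statement and two that let non-MFA callers in.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        _stmt("StrictMfa", {"Bool": {"aws:MultiFactorAuthPresent": "true"}}),
        _stmt("IfExistsMfa", {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}),
        _stmt("NoMfa"),
    ],
}

if __name__ == "__main__":
    print(statements_missing_mfa(TRUST_POLICY))
```

The `StrictMfa` statement is the shape to pass as the role's trust policy when creating it through the CLI, an SDK or the API.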
I am using latest version of s3cmd 1.5.2. As per this post, 1.5.0-alpha2 supports IAM Roles, so I am assuming this must be supported in 1.5.2 as well. I added "security_token" in s3cfg file as mentioned in this post. But I am still getting error "ERROR: S3 error: The AWS Access Key Id you provided does not exist in our records." Am I doing something wrong or this version doesn't support IAM Roles?
I figured out the answer myself. After diving into the s3cmd code, I found out that instead of adding "security_token" as mentioned in the post and other sources, we need to add "access_token" in the s3cfg file. If you are using s3cmd on a cluster associated with a role then there is no need to pass any s3cfg file as well. All releases from 1.5.0-alpha2 and above support IAM Roles.
These days, it is recommended to use the AWS Command-Line Interface (CLI).
As with any software that uses the AWS SDK, the AWS CLI will automatically use role-based credentials if the Amazon EC2 instance is launched with a role. Credentials can also be specified via environment variables or a configuration file.