AWS/CLI
Install AWS cli (command line)
curl -O https://bootstrap.pypa.io/get-pip.py
python get-pip.py
pip install awscli
or
sudo apt-get install awscli   # pulls in a lot of Python 3 packages, but leaves Python 2.7 as the default interpreter
Configure AWS cli credentials
When you run aws configure and enter credentials, they are stored in ~/.aws/credentials. Some configuration settings, such as the default region, are stored separately in ~/.aws/config.
$ aws configure                   # sets up the default profile
$ aws configure --profile dev     # configures the named profile 'dev'
$ aws configure --profile piotr   # configures the named profile 'piotr'
$ aws ec2 describe-regions        # lists all available regions
The ~/.aws/config profile sections must have the format [profile profile-name], except for the default profile. In ~/.aws/credentials the section header is just the bare profile name, e.g. [dev]; a [profile dev] header in the credentials file is not matched by --profile dev. For example:
Example ~/.aws/credentials file
[default]
aws_access_key_id=111xxxxxxxxxxxxxxxxx
aws_secret_access_key=111xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[dev]
aws_access_key_id=222xxxxxxxxxxxxxxxxx
aws_secret_access_key=222xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[piotr]
aws_access_key_id=333xxxxxxxxxxxxxxxxx
aws_secret_access_key=333xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
You can also supply credentials and region through environment variables (see the AWS CLI config files reference below).
Configure AWS cli with Cross-Account Roles & MFA
Let's assume that we have 4 AWS accounts:
- 1 identity account, where we provision IAM users, create their API credentials and assign MFA: identity-account (acc_no: 000xxxxxxxxx)
  - user 'piotr', mfa_arn: arn:aws:iam::000xxxxxxxxx:mfa/user.name
- 3 accounts for our different environments:
  - development (acc_no: 111xxxxxxxxx)
    role CrossAccountSignin_Admin, role_arn: arn:aws:iam::111xxxxxxxxx:role/CrossAccountSignin_Admin
    Trusted entities: acc_no 000xxxxxxxxx (identity-account), with condition aws:MultiFactorAuthPresent
  - staging (acc_no: 222xxxxxxxxx)
    role CrossAccountSignin_Admin, role_arn: arn:aws:iam::222xxxxxxxxx:role/CrossAccountSignin_Admin
    Trusted entities: acc_no 000xxxxxxxxx (identity-account), with condition aws:MultiFactorAuthPresent
  - production (acc_no: 333xxxxxxxxx)
    role CrossAccountSignin_Admin, role_arn: arn:aws:iam::333xxxxxxxxx:role/CrossAccountSignin_Admin
    Trusted entities: acc_no 000xxxxxxxxx (identity-account), with condition aws:MultiFactorAuthPresent
Let’s also assume that the proper roles and policies have already been put in place, allowing us to switch between accounts using the management console. We can create CLI profiles for each of these accounts.
Credentials file ~/.aws/credentials
[piotr-identity-account]
aws_access_key_id=333xxxxxxxxxxxxxxxxx
aws_secret_access_key=333xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Config file ~/.aws/config
[profile piotr-identity-account]
region = eu-west-1

[profile development]
region = eu-west-1
source_profile = piotr-identity-account
role_arn = arn:aws:iam::111xxxxxxxxx:role/CrossAccountSignin_Admin
mfa_serial = arn:aws:iam::000xxxxxxxxx:mfa/piotr

[profile staging]
region = eu-west-1
source_profile = piotr-identity-account
role_arn = arn:aws:iam::222xxxxxxxxx:role/CrossAccountSignin_Admin
mfa_serial = arn:aws:iam::000xxxxxxxxx:mfa/piotr

[profile production]
region = eu-west-1
source_profile = piotr-identity-account
role_arn = arn:aws:iam::333xxxxxxxxx:role/CrossAccountSignin_Admin
mfa_serial = arn:aws:iam::000xxxxxxxxx:mfa/piotr
- Test
$ aws ec2 describe-instances --profile development
Enter MFA code for arn:aws:iam::000xxxxxxxxx:mfa/piotr: ***
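The profile layout above has a few places where a typo makes the CLI silently use the wrong identity or fail only at AssumeRole time: a [profile x] header in the credentials file, a bare [x] header in the config file, a source_profile with no keys, or a role profile without mfa_serial (which can never satisfy the aws:MultiFactorAuthPresent condition on the trust policy). The following script is an added example, not part of the original page and not an AWS tool; it reads both files and reports those mistakes. The two sample files embedded in it are constructed (the access key values are placeholders), and the production profile in the sample deliberately omits mfa_serial so the check has something to report.

```python
"""Sanity-check ~/.aws/credentials and ~/.aws/config for a cross-account + MFA layout.

Usage: python3 check_profiles.py  (reads the real files)
   or: import and call check_profiles(credentials_text, config_text).
"""
import configparser
import os
import sys

# Constructed sample input mirroring the layout described on the page.
# The keys are placeholders, not real credentials.
CREDENTIALS = """\
[piotr-identity-account]
aws_access_key_id=AKIAPLACEHOLDER00000
aws_secret_access_key=PLACEHOLDERSECRETKEYPLACEHOLDERSECRETKEY
"""

CONFIG = """\
[profile piotr-identity-account]
region = eu-west-1

[profile development]
region = eu-west-1
source_profile = piotr-identity-account
role_arn = arn:aws:iam::111xxxxxxxxx:role/CrossAccountSignin_Admin
mfa_serial = arn:aws:iam::000xxxxxxxxx:mfa/piotr

[profile production]
region = eu-west-1
source_profile = piotr-identity-account
role_arn = arn:aws:iam::333xxxxxxxxx:role/CrossAccountSignin_Admin
"""


def _parse(text):
    # interpolation=None so a '%' in a value is taken literally
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def _profile_name(section):
    return section[len("profile "):] if section.startswith("profile ") else section


def check_profiles(credentials_text, config_text):
    """Return a list of findings (strings); an empty list means the layout is consistent."""
    findings = []
    creds = _parse(credentials_text)
    conf = _parse(config_text)

    # credentials file: section headers are bare profile names, never [profile x]
    for section in creds.sections():
        if section.startswith("profile "):
            findings.append(
                f"credentials: section [{section}] should be [{_profile_name(section)}]")

    for section in conf.sections():
        # config file: every named profile needs the [profile x] form
        if section != "default" and not section.startswith("profile "):
            findings.append(f"config: named section [{section}] should be [profile {section}]")
            continue
        name = _profile_name(section)
        if not conf.has_option(section, "role_arn"):
            continue  # plain (non-role) profile, nothing more to check
        src = conf.get(section, "source_profile", fallback=None)
        if src is None:
            findings.append(f"config: role profile '{name}' has role_arn but no source_profile")
        elif not (creds.has_section(src) or conf.has_option(f"profile {src}", "aws_access_key_id")):
            findings.append(
                f"config: role profile '{name}' uses source_profile '{src}', which has no access keys")
        if not conf.has_option(section, "mfa_serial"):
            findings.append(
                f"config: role profile '{name}' has no mfa_serial, so it cannot satisfy "
                "an aws:MultiFactorAuthPresent condition on the role's trust policy")
    return findings


def check_real_files(aws_dir=os.path.expanduser("~/.aws")):
    """Run the checks against the CLI's own files; missing files count as empty."""
    texts = []
    for filename in ("credentials", "config"):
        path = os.path.join(aws_dir, filename)
        texts.append(open(path).read() if os.path.exists(path) else "")
    return check_profiles(*texts)


if __name__ == "__main__":
    findings = check_real_files() if len(sys.argv) == 1 else check_profiles(CREDENTIALS, CONFIG)
    print("\n".join(findings) if findings else "profile layout looks consistent")
    sys.exit(1 if findings else 0)
```

Run it with no arguments to check your own ~/.aws files; any argument makes it check the embedded sample instead. Because the mfa_serial check only looks at the client-side configuration, a clean result still relies on the trust policy in each environment account actually carrying the aws:MultiFactorAuthPresent condition.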
Examples
Create a reusable delegation set with the unique caller reference '20170409'
aws route53 create-reusable-delegation-set --caller-reference 20170409
List the reusable delegation sets, using the 'terraform-profile' profile from ~/.aws/credentials
aws route53 list-reusable-delegation-sets --profile terraform-profile
IAM server certificates
List IAM server certificates, delete a certificate
aws iam list-server-certificates --output text --query 'ServerCertificateMetadataList[*].[Expiration,ServerCertificateName]' | sort
aws iam list-server-certificates | grep <ServerCertificateName>
aws iam delete-server-certificate --server-certificate-name <ServerCertificateName>
Upload a certificate to IAM
aws iam upload-server-certificate --server-certificate-name cert_name \
    --certificate-body file://cert_name.crt \
    --certificate-chain file://cert_name.pem \
    --private-key file://cert_name.key
Check expiry date
certificate_name=<ServerCertificateName>
aws iam get-server-certificate --server-certificate-name $certificate_name --output text --query 'ServerCertificate.CertificateBody' | openssl x509 -text | less
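Reading expiry dates one certificate at a time with openssl does not scale once an account holds more than a handful of IAM server certificates. The following script is an added example, not from the original page or from AWS: it consumes the JSON that aws iam list-server-certificates prints (pipe it in on stdin) and lists the certificates that have already expired or expire within a chosen number of days, soonest first. The embedded sample output is constructed; the names, ARN and dates do not come from any real account.

```python
"""List IAM server certificates that are expired or about to expire.

Usage:  aws iam list-server-certificates | python3 cert_expiry.py [days]
Without piped input the constructed SAMPLE_OUTPUT below is used.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of `aws iam list-server-certificates` JSON output.
SAMPLE_OUTPUT = json.dumps({
    "ServerCertificateMetadataList": [
        {"ServerCertificateName": "www-example-2023",
         "Arn": "arn:aws:iam::123456789012:server-certificate/www-example-2023",
         "Expiration": "2024-03-01T00:00:00+00:00"},
        {"ServerCertificateName": "api-example",
         "Expiration": "2024-04-10T12:00:00Z"},
        {"ServerCertificateName": "legacy-wildcard",
         "Expiration": "2025-01-01T00:00:00+00:00"},
    ]
})


def parse_expiration(value):
    """Parse the CLI's ISO 8601 timestamp; older CLI versions print a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:  # be defensive: treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def expiring_certificates(list_output, now, within_days=30):
    """Return [(name, days_left), ...] for certificates expiring on or before
    now + within_days, soonest first. A negative days_left means already expired."""
    data = json.loads(list_output)
    cutoff = now + timedelta(days=within_days)
    hits = []
    for cert in data.get("ServerCertificateMetadataList", []):
        expires = parse_expiration(cert["Expiration"])
        if expires <= cutoff:
            hits.append((cert["ServerCertificateName"], (expires - now).days))
    hits.sort(key=lambda hit: hit[1])
    return hits


if __name__ == "__main__":
    days = int(sys.argv[1]) if len(sys.argv) > 1 else 30
    raw = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    now = datetime.now(timezone.utc)
    hits = expiring_certificates(raw, now, days)
    for name, days_left in hits:
        state = f"expired {-days_left} days ago" if days_left < 0 else f"expires in {days_left} days"
        print(f"{name}: {state}")
    # non-zero exit lets a cron job or CI step alert on the result
    sys.exit(1 if hits else 0)
```

The cutoff comparison is done on timezone-aware datetimes so that a certificate expiring today is not missed by a timezone offset; the exit status makes the script usable as a scheduled check rather than a one-off lookup.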
List all instances and their status
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[State.Name,InstanceId,Tags[?Key==`Name`].Value]' --output text
References
- AWS CLI config files
- create-reusable-delegation-set, AWS Route 53 CLI reference: http://docs.aws.amazon.com/cli/latest/reference/route53/create-reusable-delegation-set.html
- Configuring White Label Name Servers, AWS docs: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/white-label-name-servers.html