Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Jan 31 2019 22:12
    stubblyhead commented #3328
  • Jan 31 2019 21:58
    codecov-io commented #3899
  • Jan 31 2019 21:57
    codecov-io commented #3899
  • Jan 31 2019 21:57

    stealthycoin on develop

    chore: Use OrderedDict in yamlh… Import from ordereddict and sim… Support parsing yaml merge tags and 2 more (compare)

  • Jan 31 2019 21:57
    stealthycoin closed #3899
  • Jan 31 2019 21:56
    codecov-io commented #3899
  • Jan 31 2019 21:56
    codecov-io commented #3899
  • Jan 31 2019 21:56
    codecov-io commented #3899
  • Jan 31 2019 21:55
    codecov-io commented #3899
  • Jan 31 2019 21:45
    shwetaskatdare synchronize #3899
  • Jan 31 2019 21:45
    codecov-io commented #3899
  • Jan 31 2019 20:40
    codecov-io commented #3899
  • Jan 31 2019 20:40
    codecov-io commented #3899
  • Jan 31 2019 20:39
    codecov-io commented #3899
  • Jan 31 2019 20:39
    codecov-io commented #3899
  • Jan 31 2019 20:38
    codecov-io commented #3899
  • Jan 31 2019 20:27
    shwetaskatdare opened #3899
  • Jan 31 2019 19:20
    vvasc starred aws/aws-cli
  • Jan 31 2019 18:29
    klaytaybai unlabeled #3892
  • Jan 31 2019 18:29
    klaytaybai labeled #3892
James Albert
@jamesalbert
that was the solution to my problem
anirudh singh
@anirudh_p2014_twitter
Hi
can anyone tell me how to get authentication via awscli
James Albert
@jamesalbert
@anirudh_p2014_twitter I don't think this channel is very active any more but I think I can help
have you already run aws configure?
Aaron
@slapula
Anyone having issues with the secrets manager API right now? Having problems listing secrets
I should really get on a support plan...
Ricky Pritchett
@originalsosa
I'm looking for a way to configure the aws cli for all users vs user specific configuration i.e. ~/.aws/config. Is it possible to do so?
Aaron
@slapula
Nevermind. Not sure why I'm getting a NextToken in my listing when I only have one secret...
vengadeshg
@vengadeshg
HI can you please tell the best approach for copying the files from one folder to other in AWS S3
Randall Kahler
@angrychimp
@originalsosa what do you mean? Are you trying to do this on a single instance? Or on workstations? Seems more like a configuration orchestration question than an aws-cli question, but maybe provide some more info?
@vengadeshg You'll need to use s3 and s3api. You can use aws s3 ls <bucket>/<prefix> to list files in your source, then iterate over those to copy them to a target using aws s3api copy-object --copy-source <bucket>/<prefix> --bucket <target_bucket> --key <target_prefix>
Randall Kahler
@angrychimp
something like
aws s3 ls s3://bucket/prefix/ | awk '{print $NF}' | xargs -L 1 -I{} sh -c 'aws s3api copy-object --bucket new_bucket --key prefix/{} --copy-source old_bucket/prefix/{}'
Randall Kahler
@angrychimp
I'm not sure if that exactly will work but it gives you an idea
In theory that should also work with aws s3 ls --recursive
Marwan Rabbâa
@waghanza
Hi,
When using awscli we can override some parameters
but the parameters are used on cli, could we use an other storage type ?
redis, key <=> value file
mar77i
@mar77i
hello world
so, I'm writing a script to take care of deployments here, and I set AWS_ACCESS_ID, AWS_REGION and AWS_SECRET_KEY, but the aws command line still complains Unable to locate credentials. You can configure credentials by running "aws configure".
the thing is I don't want my CI runner to hold a permanent configuration, but I see no indication in the docs on what could be missing. can someone help me out here?
mar77i
@mar77i
oh.
AWS_ACCESS_KEY_ID, not AWS_ACCESS_ID, right?
the climate is rather out of control for a regular friday.
John Carlyle
@stealthycoin
@mar77i its AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY https://docs.aws.amazon.com/cli/latest/userguide/cli-environment.html
smashingx1
@smashingx1
Does anybody know if there's a room for AWS EC2 and/or S3, EBS, etc?
pretty much the console
Randall Kahler
@angrychimp
Like console questions?
Since it’s not a git repo there isn’t a gitter room for it. You can try here or StackOverflow.
SHASWAT GUPTA
@shaswatgupta
Hey, AWS ACM documentation says "request-certificate" has an option [--validation-method <value>]. But aws acm request-certificate help does not shows any such option even after installing awscli version 1.15.37 which got released few hours back. I tried using --validation-method DNS but awscli throws error.
SHASWAT GUPTA
@shaswatgupta
Can anyone help me with this ?
bogeylnj
@bogeylnj

Anyone knowledgeable around IAM automation with STS and NO IAM Users and have a moment to discuss?

e.g., we are migrating and have a security requirement to not use IAM Users (normal?). We have batch/pipeline/etc processes that need to access AWS resources. How might we do this?

( I'll scroll up for any nuggets o' info while I await and eager volunteer \o/ :) )
Randall Kahler
@angrychimp

@shaswatgupta I've got aws-cli version 1.15.4 and when I run aws acm request-certificate help I do see the --validation-method option.
https://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html

What is the exact error you're getting?

aws acm request-certificate --domain-name example.com --validation-method DNS works just fine for me
@bogeylnj I'm not sure what you're trying to accomplish. If you're attempting a platform migration and need to run automation tasks, you can create IAM roles and assign those roles to EC2 instances or Lambda functions, then execute automation scripts via those resources. That can be done without IAM users
James Tosi
@chocolate-elvis
The aws s3 sync is pretty mouthy and I’m trying to keep a log of just the files transferred, not their copy states in 1 sec interval written to a log file. Is this possible? Thanks!
James Tosi
@chocolate-elvis
Found this aws/aws-cli#519
Johan Smits
@johan-smits
How can I configure a AWS EB with a application lb and IPv6?
https://forums.aws.amazon.com/message.jspa?messageID=853945
I can't find the correct attributes to set though the cli.
bogeylnj
@bogeylnj

@angrychimp Thanks for replying! I think the crux of it is authenticating for "least privilege".

As an example, I have a pipeline that runs on-prem from which I need to deploy a lambda. I want to use a least privilege role that only has access to create/update that lambda (or, at least some measure of least privilege).

I have created this pipeline currently with a manual gate for a User to to supply STS keys, but am working towards full automation of acquiring AWS keys to do the code push to s3 and then passing those AWS Keys to TF to do the actual provisioning of the lambda (I wouldn't want to give our CI server keys with full access to AWS accounts)
I have also created an AWS support ticket when I posted here where the support person remarked that utilizing STS would be the best option and to use a SAML assertion for authentication (but, they said acquiring the SAML assertion response is outside their purview, understandably).

But, automating this authentication step is where I'm at. I'm exploring methods for doing this, or I'm going back to the security team and submitting to them that "we don't seem to gain much by storing a "SAML assertion" instead of IAM User keys".

Randall Kahler
@angrychimp

@bogeylnj There has to be trust at some point along the chain, right? If you're looking for actual pipeline automation, I see there being two options. If you want to use external authentication you could use Directory Service to tie an external user (such as an Active Directory service account) to a role, which in turn could allow for STS. But then you have to figure out how to allow your pipeline resources to authenticate with AD (again, as an example), so you still have credentials hard coded somewhere.

In my opinion the safest thing to do is create an automation IAM user with limited access to what you need - S3, Lambda, etc. - and really restrict access to the resources it needs to manage. You can use ARN conditions to make sure you're only touching relevant resources.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN

You have to hard-code the IAM API key/secret into your pipeline, but at least it can only do exactly what you want it to do. You can use CloudTrail to audit activity and ensure no one is using your pipeline incorrectly. Then just make sure you control access to where ever those keys are stored.

bogeylnj
@bogeylnj

@angrychimp
I completely agree with your first sentence and IAM User recommendation; but I am not savvy enough at this point to confront the security requirements. (Thanks again for your replies - very helpful)

Our AWS Console access is being controlled via Federated Identities and Conditional Policies OktaMFA>STS>IAMRoleWithSpecificResourcesAndConditions. So, everything you describe makes sense.

When I question the security requirement, I think persistent keys will be one of the cons they present with IAM Users. But, this is something that I want to clarify more and more, lately. And, your suggestion supports that.

Some concerns I see are:

  • a need to fully define "least" privilege - does it need to be: byAccount, byTeam, byFunction, etc.
  • the more granular the privilege definition, the more IAM Users that will need to be created and thus, managed. (I assume we will need to rotate keys every so often, control/audit usage, retire unused Users, revoke unused access, etc, etc)
  • citations :) I have a good level of trust with the security team, but I may need some references. Any good resources you have come across/bookmarked that discuss this?

In your experience, are IAM Users used predominantly or are others attempting to avoid them? Most things I find just talk about IAM Users with required access (which in the case of a CI/CD server might be AdministratorAccess).

Bob Benson
@bbenson29
when using awscli to create Cross-Account Log Data Sharing with Subscriptions from doc’s on https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateDestination.html I keep getting InvalidParameterException saying An error occurred (InvalidParameterException) when calling the PutDestination operation: Could not deliver test message to specified destination. Check if the destination is valid. and this is my command aws-log aws logs put-destination --destination-name snplydst --target-arn arn:aws:kinesis:region:999999999999:stream/RecipientStream --role-arn arn:aws:iam::999999999999:role/CWLtoKinesisRole
Bob Benson
@bbenson29
can anyone help?
schnipdip
@schnipdip

Hey people I am trying to create an AMI from an OVA and have been running into trouble. I am using the Amazon Linux box..
I am now receiving this error after inputting this command into the cli.
aws ec2 import-image --description "Vormetric DSM 6.0" --disk-containers file://containers.json

This is the error message then appears:
Could not connect to the endpoint URL: "https://ec2.us.east.1.amazonaws.com/"

I did a reset the original error message was it wasn't locating the region us-east-1 in aws configure set region us-east-1

schnipdip
@schnipdip
figured out the problem
Michael L Parks
@ayespi
EC2 Instance
Smruti Ranjan Patra
@Smruti567
hi all, i want to get the cost for my ec2 instances through aws cli . Can any one help here
J@tin
@prensoni0143
I am trying to get Tags of Target Groups through CLI, in one AWS Account I am able to get but another AWS account, it's getting error.

$ aws elbv2 describe-tags --resource-arns arn:aws:elasticloadbalancing:us-west-2:044443245626:targetgroup/T-1/62a3060e529c7e69

An error occurred (ValidationError) when calling the DescribeTags operation: 'arn:aws:elasticloadbalancing:us-west-2:044443245626:targetgroup/T-1/62a3060e529c7e69' must be in ARN format