Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Jan 31 2019 22:12
    stubblyhead commented #3328
  • Jan 31 2019 21:58
    codecov-io commented #3899
  • Jan 31 2019 21:57
    codecov-io commented #3899
  • Jan 31 2019 21:57

    stealthycoin on develop

    chore: Use OrderedDict in yamlh… Import from ordereddict and sim… Support parsing yaml merge tags and 2 more (compare)

  • Jan 31 2019 21:57
    stealthycoin closed #3899
  • Jan 31 2019 21:56
    codecov-io commented #3899
  • Jan 31 2019 21:56
    codecov-io commented #3899
  • Jan 31 2019 21:56
    codecov-io commented #3899
  • Jan 31 2019 21:55
    codecov-io commented #3899
  • Jan 31 2019 21:45
    shwetaskatdare synchronize #3899
  • Jan 31 2019 21:45
    codecov-io commented #3899
  • Jan 31 2019 20:40
    codecov-io commented #3899
  • Jan 31 2019 20:40
    codecov-io commented #3899
  • Jan 31 2019 20:39
    codecov-io commented #3899
  • Jan 31 2019 20:39
    codecov-io commented #3899
  • Jan 31 2019 20:38
    codecov-io commented #3899
  • Jan 31 2019 20:27
    shwetaskatdare opened #3899
  • Jan 31 2019 19:20
    vvasc starred aws/aws-cli
  • Jan 31 2019 18:29
    klaytaybai unlabeled #3892
  • Jan 31 2019 18:29
    klaytaybai labeled #3892
Randall Kahler
@angrychimp

@bogeylnj There has to be trust at some point along the chain, right? If you're looking for actual pipeline automation, I see there being two options. If you want to use external authentication you could use Directory Service to tie an external user (such as an Active Directory service account) to a role, which in turn could allow for STS. But then you have to figure out how to allow your pipeline resources to authenticate with AD (again, as an example), so you still have credentials hard coded somewhere.

In my opinion the safest thing to do is create an automation IAM user with limited access to what you need - S3, Lambda, etc. - and really restrict access to the resources it needs to manage. You can use ARN conditions to make sure you're only touching relevant resources.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN

You have to hard-code the IAM API key/secret into your pipeline, but at least it can only do exactly what you want it to do. You can use CloudTrail to audit activity and ensure no one is using your pipeline incorrectly. Then just make sure you control access to where ever those keys are stored.

bogeylnj
@bogeylnj

@angrychimp
I completely agree with your first sentence and IAM User recommendation; but I am not savvy enough at this point to confront the security requirements. (Thanks again for your replies - very helpful)

Our AWS Console access is being controlled via Federated Identities and Conditional Policies OktaMFA>STS>IAMRoleWithSpecificResourcesAndConditions. So, everything you describe makes sense.

When I question the security requirement, I think persistent keys will be one of the cons they present with IAM Users. But, this is something that I want to clarify more and more, lately. And, your suggestion supports that.

Some concerns I see are:

  • a need to fully define "least" privilege - does it need to be: byAccount, byTeam, byFunction, etc.
  • the more granular the privilege definition, the more IAM Users that will need to be created and thus, managed. (I assume we will need to rotate keys every so often, control/audit usage, retire unused Users, revoke unused access, etc, etc)
  • citations :) I have a good level of trust with the security team, but I may need some references. Any good resources you have come across/bookmarked that discuss this?

In your experience, are IAM Users used predominantly or are others attempting to avoid them? Most things I find just talk about IAM Users with required access (which in the case of a CI/CD server might be AdministratorAccess).

Bob Benson
@bbenson29
when using awscli to create Cross-Account Log Data Sharing with Subscriptions from doc’s on https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateDestination.html I keep getting InvalidParameterException saying An error occurred (InvalidParameterException) when calling the PutDestination operation: Could not deliver test message to specified destination. Check if the destination is valid. and this is my command aws-log aws logs put-destination --destination-name snplydst --target-arn arn:aws:kinesis:region:999999999999:stream/RecipientStream --role-arn arn:aws:iam::999999999999:role/CWLtoKinesisRole
Bob Benson
@bbenson29
can anyone help?
schnipdip
@schnipdip

Hey people I am trying to create an AMI from an OVA and have been running into trouble. I am using the Amazon Linux box..
I am now receiving this error after inputting this command into the cli.
aws ec2 import-image --description "Vormetric DSM 6.0" --disk-containers file://containers.json

This is the error message then appears:
Could not connect to the endpoint URL: "https://ec2.us.east.1.amazonaws.com/"

I did a reset the original error message was it wasn't locating the region us-east-1 in aws configure set region us-east-1

schnipdip
@schnipdip
figured out the problem
Documentation can be found here: https://stackoverflow.com/questions/51161430/amazon-web-services-converting-ova-to-ami-cant-call-importimage-operation
Michael L Parks
@ayespi
EC2 Instance
Smruti Ranjan Patra
@Smruti567
hi all, i want to get the cost for my ec2 instances through aws cli . Can any one help here
J@tin
@prensoni0143
I am trying to get Tags of Target Groups through CLI, in one AWS Account I am able to get but another AWS account, it's getting error.

$ aws elbv2 describe-tags --resource-arns arn:aws:elasticloadbalancing:us-west-2:044443245626:targetgroup/T-1/62a3060e529c7e69

An error occurred (ValidationError) when calling the DescribeTags operation: 'arn:aws:elasticloadbalancing:us-west-2:044443245626:targetgroup/T-1/62a3060e529c7e69' must be in ARN format

James
@jahmzu
can i get aws cloud9 help here?
Randall Kahler
@angrychimp
Cloud9 stuff isn’t really fit for this channel but if you DM me I can see if I can help.
Or you can try reddit.com/r/aws
Kumuda123
@Kumuda123
I am currently developing an app(in Flutter ) which can send sms messages to users whenever data is updated in Firebase. I was thinking to use Amazon AWS to implement the same. Is there a way I can integrate Firebase and AWS ? Or will i need to integrate it ?
Randall Kahler
@angrychimp
if you're just using AWS to send SMS messages you're going to run into issues (particularly with subscription management). You're better off finding a separate SMS aggregator and integrating that.
manu ^^
@teamhanded

hey all. can I get Secrets Manager values with a trailing slash from Parameter Store? https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html shows examples of a single key without a path, and these are the errors I get when trying to get the SM values with and without trailing slash (/dev/my/key is the credential in SM - also note the "null" in the first error:

$ aws ssm get-parameter --name /aws/reference/secretsmanager/dev/my/key --with-decryption

An error occurred (ParameterNotFound) when calling the GetParameter operation: An error occurred (ParameterNotFound) when referencing Secrets Manager: Secret aws/reference/secretsmanager/dev/my/keynull not found.

$ aws ssm get-parameter --name /aws/reference/secretsmanager//dev/my/key --with-decryption

An error occurred (ValidationException) when calling the GetParameter operation: Parameter name: can't be prefixed with "ssm" (case-insensitive). If formed as a path, it can consist of sub-paths divided by slash symbol; each sub-path can be formed as a mix of letters, numbers and the following 3 symbols .-_

It works for an existing SM value created without trailing slash. Should I escape the trailing slash somehow?

Saipradeep92
@Saipradeep92
Is there any room for pyspark
smashingx1
@smashingx1
I disabled the ethernet card of my EC2 instance so I can’t connect now
I have been trying to connect to the instance by adding a new ethernet interface but I get this error: No available network interfaces were found for this VPC or availability zone
So, does that mean that I need to create the ethernet interface inside of VPC or what is the deal?
abtheninja
@abtheninja
aws cloudformation create-stack --stack-name my-new-stack --template-url https://s3-us-west-2.amazonaws.com/path/to/the/template --capabilities CAPABILITY_NAMED_IAM --region us-west-2 --parameters https://s3-us-west-2.amazonaws.com/path/to/the/json
i am getting below error while try to create the stack
Error parsing parameter '--parameters': Unable to retrieve https://s3-us-west-2.amazonaws.com/path/to/the/json: received non 200 status code of 403
does someone know why it would be ? i am just trying to pass the parameters using a json file
Rich
@richard-ball
Does anyone know how to update cloudfront CDN instantly in way similar to Linkedin/facebook etc for image profile updating? Invalidations are taking up to 10seconds.
Harshana Nanayakkara
@harshana5
hey Guys I just updated the aws powershell tool and trying to connect to our ecr using my creds
and i'm getting Get-ECRLoginCommand : The security token included in the request is invalid. checked my creds all seems to be okay and when i fire the same get creds on my nix instance it seems to work
thoughts ?
brian p o'rourke
@bpo
I'm trying to get the test suite running for aws-cli for the first time, running into difficulty on OSX 10.13.6, with TestCPCommand.test_cp_with_error_and_warning and TestSyncCommand.test_warning_on_invalid_timestamp failing. It looks like the test utilities are trying to generate an invalid timestamp but it's not throwing the expected OverflowError on this system. Does this sound possible and/or does anyone have a working OSX setup that I could compare notes with?
abtheninja
@abtheninja
i got this figured out. for some reason , it wont take the parameters from a S3 bucket unless its public. I had to use pass the parameters from a local file.
aws cloudformation create-stack --stack-name my-new-stack --template-url https://s3-us-west-2.amazonaws.com/path/to/the/template --capabilities CAPABILITY_NAMED_IAM --region us-west-2 --parameters file:///path/to/json
praveen
@praveeneeswar
hey all , how can i use cli to command s3 life cycle policy with transition time about 1 year ? In documentation it's different . can we merge as I have to give specific path to purge and transition into glacier .? please help me .
https://docs.aws.amazon.com/AmazonS3/latest/dev/lifecycle-configuration-examples.html
smashingx1
@smashingx1
Is this the only aws channel to discuss anything aws related stuff?
Because it seems like this channel is for CLI for AWS like the title says
zzl
@zzl0
Hello, I have created a pgcli/mycli-like command line tool for AWS Athena https://github.com/dbcli/athenacli , welcome to try it. ;)
Azer Abdullaev
@Like-all
Hi all! Is there a way for aws s3 sync to throttle down disk I/O? My intention was to sync ~600 GB of pictures to S3, but every time I try to do that, the disk usage jumps up to 100% and makes a huge impact on the site operation. I saw in strace output that the tool walks recursively over the directory tree and collects stats, so I'd love to find a way to decrease the rate limit of those operations, if possible.
Thanks in advance!
zzl
@zzl0
@Like-all have you tried to reduce max_concurrent_requests https://docs.aws.amazon.com/cli/latest/topic/s3-config.html#max-concurrent-requests
pavel schudel
@pavel1860
hi! does anyone knows how to install python requirements on the AWS server that runs the lambda function? because I uploading modules like numpy that ware installed in a virtual env for mac to aws linux like it says in the documentation but this module has c compiled libraries that need to be installed on aws linux and not mac.
Fred Myerscough
@oniice
architecture question....
i have a docker image i want to use to "chunk" up large CSV files. what is the best feature on AWS to run and scale this on?
I want to be able to fire a payload to it from a lambda when it finds a file that is too big is detected in S3
have tried using fargate but we hit the 20 instances cap quite quickly
Saurabh Rayakwar
@monothorn
“Securing AWS Access” https://medium.com/@monothorn/securing-aws-access-d3d9200c3612
Saipradeep92
@Saipradeep92
If the run the script from emr I won’t be needing the aws credentials but if I try the same in local system I need the credentials. Just a quick question, when you give the aws credentials using fs.s3a.access.key how does the pyspark program understand that those are meant for aws only?! Do I need to include any package as well for that? - still a noob in aws
kdxvc
@kdxvc
Hello,
Is it possible to set http headers on S3 objects using the aws cli?
in particular I have automated deployment to s3 where I would like to set the cache control header on one of the objects I create
Harry Moreno
@morenoh149
@kdxvc looks like awscli can't do it but https://github.com/s3tools/s3cmd can
kdxvc
@kdxvc
@morenoh149 Thanks!
David Filiatrault
@FireballDWF
Curious if the aws-cli team will be collaborating with the AmazonLinux team to have Amazon Linux 2 Repo's updated during ReInvent to include any new services released?