AWS KMS CLI Command - aws-cli

I am trying to construct a command which will list KMS keys from my AWS account, but there is a problem:
every KMS key has tags, like "env prod". I want to list all KMS keys which match certain tags.
% aws kms list-resource-tags --key-id 01e685-a1-482-ba3-9c4ac3adf
{
"Tags": [
{
"TagKey": "env",
"TagValue": "prod"
},
{
"TagKey": "owner",
"TagValue": "kms"
}
]
}
% aws resourcegroupstaggingapi get-resources --region us-east-1 --resource-type-filters kms --tag-filters Key=Initiator,Values=Terraform
{
"ResourceTagMappingList": [
{
"ResourceARN": "arn:aws:kms:us-east-",
"Tags": [
{
"Key": "env",
"Value": "prod"
},
{
"Key": "hello",
"Value": "hello"
},
{
"Key": "Initiator",
"Value": "Terraform"
},
{

AWS KMS does not support it, but you can use resourcegroupstaggingapi:
aws resourcegroupstaggingapi get-resources --region us-east-2 \
--resource-type-filters kms --tag-filters Key=env,Values=prod
Update: to select key IDs:
aws resourcegroupstaggingapi get-resources --region us-east-2 \
--resource-type-filters kms --tag-filters Key=env,Values=prod \
--query 'ResourceTagMappingList[].ResourceARN' | jq '.[]' -r | awk -F'/' '{print $2}'

aws resourcegroupstaggingapi get-resources --region us-west-2 --resource-type-filters kms |jq -r '.ResourceTagMappingList[]|{kms_arn:.ResourceARN, tags: .Tags[]|select(.Key=="Environment") |select( .Value |contains("temp"))}' |jq -r '.kms_arn' |cut -d '/' -f 2
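The same tag filtering done client-side in Python, as an added example that is not code from the question or either answer. It runs on a constructed get-resources response shaped like the one in the question and assumes, as the awk and cut pipelines above do, that the key ID is the path segment after `key/` in the ARN; alias ARNs and untagged keys are handled explicitly so an inventory by tag does not silently skip them. All ARNs and tags are constructed sample values.

```python
"""Filter KMS keys by tag from Resource Groups Tagging API output.

Added example; not code from the question or the answers. Works on a
constructed GetResources response and assumes key ARNs look like
arn:aws:kms:<region>:<account>:key/<key-id>. All sample data is made up.
"""
import json

# Constructed sample of `aws resourcegroupstaggingapi get-resources
# --resource-type-filters kms`, trimmed to the fields used here.
SAMPLE_RESPONSE = json.loads("""
{
  "ResourceTagMappingList": [
    {"ResourceARN": "arn:aws:kms:us-east-1:111111111111:key/0000aaaa-0000-4000-8000-000000000001",
     "Tags": [{"Key": "env", "Value": "prod"}, {"Key": "owner", "Value": "kms"}]},
    {"ResourceARN": "arn:aws:kms:us-east-1:111111111111:key/0000aaaa-0000-4000-8000-000000000002",
     "Tags": [{"Key": "env", "Value": "dev"}, {"Key": "Initiator", "Value": "Terraform"}]},
    {"ResourceARN": "arn:aws:kms:us-east-1:111111111111:alias/app-signing",
     "Tags": [{"Key": "env", "Value": "prod"}]},
    {"ResourceARN": "arn:aws:kms:us-east-1:111111111111:key/0000aaaa-0000-4000-8000-000000000003",
     "Tags": []}
  ]
}
""")


def key_id_from_arn(arn):
    """Return the key ID of a key ARN; None for alias ARNs or anything else."""
    resource = arn.rsplit(":", 1)[-1]            # "key/<id>" or "alias/<name>"
    kind, _, ident = resource.partition("/")
    return ident if kind == "key" and ident else None


def tags_as_dict(tag_list):
    """Turn the API's [{"Key": k, "Value": v}, ...] into a plain dict."""
    return {t["Key"]: t["Value"] for t in tag_list}


def keys_matching(response, required):
    """Key IDs whose tags contain every Key=Value pair in `required`.

    Mirrors --tag-filters Key=env,Values=prod, but filtered client-side so
    several tags can be required at once.
    """
    matches = []
    for item in response.get("ResourceTagMappingList", []):
        key_id = key_id_from_arn(item["ResourceARN"])
        if key_id is None:
            continue                              # skip alias or unknown ARNs
        tags = tags_as_dict(item.get("Tags", []))
        if all(tags.get(k) == v for k, v in required.items()):
            matches.append(key_id)
    return matches


def keys_missing_tag(response, tag_key):
    """Key IDs that carry no value for `tag_key` at all; these are the keys
    a tag-based inventory would otherwise never list."""
    missing = []
    for item in response.get("ResourceTagMappingList", []):
        key_id = key_id_from_arn(item["ResourceARN"])
        if key_id is not None and tag_key not in tags_as_dict(item.get("Tags", [])):
            missing.append(key_id)
    return missing


if __name__ == "__main__":
    # Pipe real CLI output in:
    #   aws resourcegroupstaggingapi get-resources --resource-type-filters kms | python kms_by_tag.py
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE
    print("\n".join(keys_matching(data, {"env": "prod"})))
    print("untagged:", keys_missing_tag(data, "env"))
```

The CLI pages through get-resources results for you; if you call the API directly instead, loop on the PaginationToken it returns before filtering, or keys on later pages will be missed.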

Related

aws cli : s3api append lifecycle policy to existing ones

I have multiple lifecycle policies for a bucket, whenever I try to create a new one, I have to manually do the following things:
STEP 1:
Run:
aws s3api get-bucket-lifecycle-configuration --bucket my-bucket > lifecycle.json
STEP 2:
then edit the lifecycle.json and append the new policy
STEP 3:
Run:
aws s3api put-bucket-lifecycle-configuration --bucket <bucket_name> --lifecycle-configuration file://lifecycle.json
otherwise, it will replace the old policies.
Is there any way to directly append the new policy with the existing ones?
For Example:
My Existing policies:
{
"Rules": [
{
"Expiration": {
"Days": 365
},
"ID": "Policy 1",
"Filter": {
"Prefix": "dir1/dir2/code/"
},
"Status": "Enabled"
},
{
"Expiration": {
"Days": 90
},
"ID": "Policy 2",
"Filter": {
"Prefix": "Name/Address/code/"
},
"Status": "Enabled"
}
]
}
I want to add this policy:
{
"Rules": [
{
"Expiration": {
"Days": 20
},
"ID": "TEST_POLICY_09082021_ARANI2",
"Filter": {
"Prefix": "backup/ARANI2/files/"
},
"Status": "Enabled"
}
]
}
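The three manual steps above (get, edit, put) as one script, added here as an example; it is not an answer from the page and not AWS tooling. It assumes both inputs are `{"Rules": [...]}` documents of the shape get-bucket-lifecycle-configuration prints and put-bucket-lifecycle-configuration accepts, and refuses to append a rule whose ID already exists, since put replaces the whole rule set and a duplicate ID would otherwise quietly shadow an existing expiration rule. The sample documents are the ones from the question.

```python
"""Append lifecycle rules without hand-editing lifecycle.json.

Added example, not an answer from the page. Assumes {"Rules": [...]}
documents as printed by get-bucket-lifecycle-configuration and accepted by
put-bucket-lifecycle-configuration.
"""
import copy
import json
import sys

EXISTING = json.loads("""
{"Rules": [
  {"Expiration": {"Days": 365}, "ID": "Policy 1",
   "Filter": {"Prefix": "dir1/dir2/code/"}, "Status": "Enabled"},
  {"Expiration": {"Days": 90}, "ID": "Policy 2",
   "Filter": {"Prefix": "Name/Address/code/"}, "Status": "Enabled"}
]}
""")

ADDITION = json.loads("""
{"Rules": [
  {"Expiration": {"Days": 20}, "ID": "TEST_POLICY_09082021_ARANI2",
   "Filter": {"Prefix": "backup/ARANI2/files/"}, "Status": "Enabled"}
]}
""")


class LifecycleMergeError(ValueError):
    pass


def rule_ids(config):
    return [r["ID"] for r in config.get("Rules", []) if "ID" in r]


def conflicting_ids(existing, addition):
    """Rule IDs present in both documents; a plain append would duplicate them."""
    seen = set(rule_ids(existing))
    return [rid for rid in rule_ids(addition) if rid in seen]


def merge_lifecycle(existing, addition, replace_same_id=False):
    """Return existing rules + addition rules as a new configuration.

    put-bucket-lifecycle-configuration replaces the whole rule set, so the
    uploaded document must carry every rule you still want. A rule ID that
    already exists is an error unless replace_same_id=True, so an append
    cannot silently overwrite an existing retention or expiration rule.
    """
    clashes = conflicting_ids(existing, addition)
    if clashes and not replace_same_id:
        raise LifecycleMergeError(f"rule IDs already present: {clashes}")
    merged = copy.deepcopy(existing.get("Rules", []))
    index = {r["ID"]: i for i, r in enumerate(merged) if "ID" in r}
    for rule in addition.get("Rules", []):
        rule = copy.deepcopy(rule)
        rid = rule.get("ID")
        if rid is not None and rid in index:
            merged[index[rid]] = rule               # replace_same_id path
        else:
            if rid is not None:
                index[rid] = len(merged)
            merged.append(rule)
    return {"Rules": merged}


if __name__ == "__main__":
    # python merge_lifecycle.py lifecycle.json new_rule.json > merged.json
    # aws s3api put-bucket-lifecycle-configuration --bucket my-bucket \
    #     --lifecycle-configuration file://merged.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            existing, addition = json.load(f1), json.load(f2)
    else:
        existing, addition = EXISTING, ADDITION
    print(json.dumps(merge_lifecycle(existing, addition), indent=2))
```

Feed the script the file from STEP 1 plus a file holding only the new rule, and pass its output to the put command from STEP 3; the original input is never modified, so a failed upload leaves nothing to undo.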

Get cluster ca certificate Azure ARM template ManagedClusters

How can I get the cluster ca certificate from the arm template for some ManagedClusters?
In terraform we use:
azurerm_kubernetes_cluster.aks_cluster.kube_config.0.cluster_ca_certificate
But in ARM I can't find it anywhere.
Can you please give some help?
Thanks
My solution:
"resources": [
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2019-10-01-preview",
"name": "get-cluster-ca",
"location": "[resourceGroup().location]",
"identity": {
....
},
"kind": "AzureCLI",
"properties": {
"azCliVersion": "2.0.80",
"environmentVariables": [
{
"name": "RESOURCE_GROUP_NAME",
"value": "[resourceGroup().name]"
},
{
"name": "CLUSTER_NAME",
"value": "[variables('cluster_name')]"
}
],
"scriptContent": "#!/bin/bash\r\n\r\naz aks get-credentials --resource-group ${RESOURCE_GROUP_NAME} --name ${CLUSTER_NAME}\r\n\r\naz aks install-cli\r\n\r\necho '{\"ca\":' $(kubectl config view --raw -o json | jq -c '.clusters[0].cluster.\"certificate-authority-data\"') '}' > $AZ_SCRIPTS_OUTPUT_PATH\r\n",
"timeout": "PT30M",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
}
}
],
"outputs": {
"result": {
"value": "[reference('get-cluster-ca').outputs.ca]",
"type": "string"
}
}
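What the template's scriptContent does with jq, written out in Python as an added example (not part of the question's template): take `clusters[0].cluster["certificate-authority-data"]` from `kubectl config view --raw -o json` output and write the `{"ca": ...}` document the template reads through `outputs.ca`. It also base64-decodes the value and checks for a PEM certificate header before writing, so a wrong cluster entry fails the deployment script instead of handing an opaque value to the template output. The kubeconfig below is constructed sample data with a fake PEM body, and the function names are this example's own.

```python
"""Extract the cluster CA from a kubeconfig dump and check it is PEM.

Added example, not from the question's ARM template. Mirrors the jq
expression .clusters[0].cluster."certificate-authority-data" and writes
{"ca": "<base64>"} to $AZ_SCRIPTS_OUTPUT_PATH. Sample data is constructed.
"""
import base64
import json
import os

FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
            b"MIIBfakeBodyNotARealCertificate\n"
            b"-----END CERTIFICATE-----\n")
NOT_A_CERT_B64 = base64.b64encode(b"hello, not a cert").decode("ascii")

# Constructed stand-in for `kubectl config view --raw -o json`.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "aks-example",
         "cluster": {"server": "https://aks-example.hcp.example.invalid:443",
                     "certificate-authority-data": base64.b64encode(FAKE_PEM).decode("ascii")}}
    ],
}


class CaExtractionError(ValueError):
    pass


def is_pem_certificate(ca_b64):
    """True if ca_b64 is valid base64 whose payload starts with a PEM cert header."""
    try:
        pem = base64.b64decode(ca_b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    return pem.startswith(b"-----BEGIN CERTIFICATE-----")


def cluster_ca_b64(kubeconfig, cluster_name=None):
    """certificate-authority-data for one cluster; the first one by default,
    matching the template's .clusters[0]."""
    clusters = kubeconfig.get("clusters") or []
    if not clusters:
        raise CaExtractionError("kubeconfig contains no clusters")
    if cluster_name is None:
        entry = clusters[0]
    else:
        entry = next((c for c in clusters if c.get("name") == cluster_name), None)
        if entry is None:
            raise CaExtractionError(f"no cluster named {cluster_name!r}")
    ca_b64 = entry.get("cluster", {}).get("certificate-authority-data")
    if not ca_b64:
        raise CaExtractionError("cluster entry has no certificate-authority-data")
    if not is_pem_certificate(ca_b64):
        raise CaExtractionError("certificate-authority-data is not a PEM certificate")
    return ca_b64


def write_script_output(ca_b64, path):
    """Write the {"ca": ...} document the template reads via outputs.ca."""
    with open(path, "w", encoding="ascii") as fh:
        json.dump({"ca": ca_b64}, fh)
    return path


if __name__ == "__main__":
    out_path = os.environ.get("AZ_SCRIPTS_OUTPUT_PATH", "scriptoutputs.json")
    print(write_script_output(cluster_ca_b64(SAMPLE_KUBECONFIG), out_path))
```

Passing the cluster name explicitly instead of relying on `clusters[0]` is the safer choice when the script's kubeconfig could already hold entries from an earlier run.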

when sending a cli command to AWS getting "null" even though I can see the data exist

When sending the CLI command ec2 describe-instances --instance-id, I am getting all the data, but I need to get specifically the private IPs, and it is returning null, even though I can see them.
The CLI command ec2 describe-instances --instance-id i-0b7xxxxxxxxxxx --query Reservations[] --output json is returning the following output:
[
{
"Groups": [],
"Instances": [
{
"AmiLaunchIndex": 0,
"ImageId": "ami-1bxxxxxxx",
"InstanceId": "i-0b7xxxxxxxxx",
"InstanceType": "r4.2xlarge",
"KeyName": "QA-xxx-xxxxxyz",
"LaunchTime": "2019-05-21T06:40:57.000Z",
"Monitoring": {
"State": "disabled"
},
"Placement": {
"AvailabilityZone": "eu-west-1c",
"GroupName": "",
"Tenancy": "default"
},
"PrivateDnsName": "ip-172-xxx-11-211.eu-west-1.compute.internal",
"PrivateIpAddress": "172.xxx.11.211",
"ProductCodes": [],
"PublicDnsName": "",
"State": {
"Code": 16,
"Name": "running"
},
"StateTransitionReason": "",
"SubnetId": "subnet-3362797a",
"VpcId": "vpc-02a19a65",
"Architecture": "x86_64",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"AttachTime": "2019-04-28T11:19:09.000Z",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-02a052466755e023d"
}
}
],
"ClientToken": "qa-sip-sc1-1FBXNRII3WO13",
"EbsOptimized": false,
"EnaSupport": true,
"Hypervisor": "xen",
"IamInstanceProfile": {
"Arn": "arn:aws:iam::1xxxxxxx14:instance-profile/qa.tester.SBC-HA",
"Id": "AIPAI2xxxxxRPSC"
},
"NetworkInterfaces": [
{
"Attachment": {
"AttachTime": "2019-04-28T11:19:09.000Z",
"AttachmentId": "eni-attach-05xxxxxa8",
"DeleteOnTermination": false,
"DeviceIndex": 0,
"Status": "attached"
},
"Description": "SC1 interface for HA and cluster maintenance",
"Groups": [
{
"GroupName": "qa-sip-EvgenyZ-qa-Auto-network-clusterSecurityGroup-A4xxxxxxxC8",
"GroupId": "sg-0a2xxxxxxx2a"
}
],
"Ipv6Addresses": [],
"MacAddress": "06:xx:xx:xx:xx:xa",
"NetworkInterfaceId": "eni-xxxxxxxx",
"OwnerId": "xxxxxxx",
"PrivateDnsName": "ip-172-xxx-11-211.eu-west-1.compute.internal",
"PrivateIpAddress": "172.xxx.11.211",
"PrivateIpAddresses": [
{
"Primary": true,
"PrivateDnsName": "ip-172-xxx-11-211.eu-west-1.compute.internal",
"PrivateIpAddress": "172.xxx.11.211"
},
{
"Primary": false,
"PrivateDnsName": "ip-172-xxx-9-204.eu-west-1.compute.internal",
"PrivateIpAddress": "172.xxx.9.204"
}
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-3xxxxa",
"VpcId": "vpc-xxxxx5"
}
I want to get the PrivateIpAddresses 172.xxx.9.204 and 172.xxx.11.211.
For this I am using the following CLI command:
ec2 describe-instances --instance-id i-0b722cc96f7a14bfc --query Reservations[].Instances[].PrivateIpAddress[].PrivateIpAddress --output json
and getting null.
Expecting: 172.xxx.9.204 and 172.xxx.11.211
In the output of the query with --query=Reservations[] the Instances object is inside a list. So you have to index into the list first.
[*].Instances[*].PrivateIpAddress
This will give you:
[
[
"172.xxx.11.211"
]
]
Similarly,
[*].Instances[*].NetworkInterfaces[*].PrivateIpAddresses[*].PrivateIpAddress
Gives you:
[
[
[
[
"172.xxx.11.211",
"172.xxx.9.204"
]
]
]
]
Side Note: AWS CLI uses the JMESPath query language. You can experiment with your queries here: http://jmespath.org/
For me the following query worked:
aws ec2 describe-instances --instance-id <id> --query Reservations[].Instances[].NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress --output json
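The two result shapes from the first answer, reproduced in plain Python as an added example (not code from the question or the answers) over a constructed describe-instances response with two reservations, the second instance carrying two interfaces. It makes visible why `[*]` at every level yields the nested lists shown above while `[]` yields one flat list, which is the form the second answer's command uses. All instance IDs and addresses are constructed samples.

```python
"""Why [*] nests and [] flattens in the private-IP queries above.

Added example, not from the page's answers. Reproduces the JMESPath result
shapes in plain Python over constructed describe-instances output.
"""


def _iface(ips):
    """One NetworkInterfaces element with the given private IPs (first = primary)."""
    return {"PrivateIpAddresses": [{"Primary": n == 0, "PrivateIpAddress": ip}
                                   for n, ip in enumerate(ips)]}


# Constructed sample: two reservations, one instance each.
SAMPLE = {"Reservations": [
    {"Instances": [{"InstanceId": "i-0000000000000000a",
                    "PrivateIpAddress": "10.0.11.211",
                    "NetworkInterfaces": [_iface(["10.0.11.211", "10.0.9.204"])]}]},
    {"Instances": [{"InstanceId": "i-0000000000000000b",
                    "PrivateIpAddress": "10.0.12.7",
                    "NetworkInterfaces": [_iface(["10.0.12.7"]), _iface(["10.0.13.8"])]}]},
]}


def nested_ips(resp):
    """Shape of Reservations[*].Instances[*].NetworkInterfaces[*]
    .PrivateIpAddresses[*].PrivateIpAddress: each [*] keeps its own list level."""
    return [[[[p["PrivateIpAddress"] for p in n["PrivateIpAddresses"]]
              for n in i["NetworkInterfaces"]]
             for i in r["Instances"]]
            for r in resp["Reservations"]]


def flat_ips(resp):
    """Shape of Reservations[].Instances[].NetworkInterfaces[]
    .PrivateIpAddresses[].PrivateIpAddress: each [] merges one level into its
    parent, leaving a single flat list."""
    return [p["PrivateIpAddress"]
            for r in resp["Reservations"]
            for i in r["Instances"]
            for n in i["NetworkInterfaces"]
            for p in n["PrivateIpAddresses"]]


def primary_ips(resp):
    """Reservations[].Instances[].PrivateIpAddress: one string per instance."""
    return [i["PrivateIpAddress"] for r in resp["Reservations"] for i in r["Instances"]]
```

The question's query failed because `PrivateIpAddress` on an instance is already a string, so `PrivateIpAddress[]` applies a flatten to a non-list; JMESPath evaluates that to null, and everything projected after it stays null.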

AWS CLI - 'ascii' codec can't encode character u'\xff' in position 26

I have a large number of route53 records that I have to move and am following https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-migrating.html
I have created the txt file and have updated it, but when I run the command, I get the following error
PS C:\> aws route53 change-resource-record-sets --hosted-zone-id ZNEWZONE1245 --profile new_account --change-batch file://list-records-ZNEWZONE1245.json
'ascii' codec can't encode character u'\xff' in position 26: ordinal not in range(128)
Here is the content of list-records-ZNEWZONE1245.json:
{
"Comment": "Import domain.tld route53 sets",
"Changes": [
{
"Action": "CREATE",
"ResourceRecordSet":{
"ResourceRecords": [
{
"Value": "192.0.2.4"
}
],
"Type": "A",
"Name": "domain.tld.",
"TTL": 300
}
},
{
"Action": "CREATE",
"ResourceRecordSet":{
"ResourceRecords": [
{
"Value": "5 ALT2.ASPMX.L.GOOGLE.COM"
},
{
"Value": "1 ASPMX.L.GOOGLE.COM"
},
{
"Value": "10 ALT4.ASPMX.L.GOOGLE.COM"
},
{
"Value": "10 ALT3.ASPMX.L.GOOGLE.COM"
},
{
"Value": "5 ALT1.ASPMX.L.GOOGLE.COM"
}
],
"Type": "MX",
"Name": "domain.tld.",
"TTL": 300
}
}
]
}
Any advice is much appreciated.
Try changing the encoding on the json file to ANSI.
Open list-records-ZNEWZONE1245.json on a text editor (I use Notepad++)
Change the file encoding from UTF to ANSI
Save the file.
Re-run your AWS CLI command:
PS C:\> aws route53 change-resource-record-sets --hosted-zone-id ZNEWZONE1245 --profile new_account --change-batch file://list-records-ZNEWZONE1245.json
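A way to see what is in the file before re-saving it, added here as an example that is not from the question or the answer. The character the error names, u'\xff', is the first byte of a UTF-16 little-endian byte-order mark, one way a Windows editor's "Unicode" setting puts non-ASCII bytes into a JSON file; the check below reads the change batch as raw bytes, reports any BOM and the offsets of non-ASCII bytes, and writes back an ASCII-only copy. The inputs are constructed: the question's change batch (abridged) saved plain, with a UTF-8 BOM, and as UTF-16.

```python
"""Locate the byte behind "'ascii' codec can't encode character u'\\xff'".

Added example, not from the question or the answer. Inspects a Route 53
change-batch file as raw bytes and rewrites it as ASCII-only JSON. The
three sample files are constructed from the question's change batch.
"""
import codecs
import json

CHANGE_BATCH = {
    "Comment": "Import domain.tld route53 sets",
    "Changes": [
        {"Action": "CREATE",
         "ResourceRecordSet": {"Name": "domain.tld.", "Type": "A", "TTL": 300,
                               "ResourceRecords": [{"Value": "192.0.2.4"}]}},
        {"Action": "CREATE",
         "ResourceRecordSet": {"Name": "domain.tld.", "Type": "MX", "TTL": 300,
                               "ResourceRecords": [{"Value": "1 ASPMX.L.GOOGLE.COM"},
                                                   {"Value": "5 ALT1.ASPMX.L.GOOGLE.COM"}]}},
    ],
}
CLEAN_FILE = json.dumps(CHANGE_BATCH).encode("ascii")
UTF8_BOM_FILE = codecs.BOM_UTF8 + CLEAN_FILE              # starts with EF BB BF
UTF16_FILE = json.dumps(CHANGE_BATCH).encode("utf-16")    # BOM, then 2 bytes per char

_BOMS = (("utf-8-sig", codecs.BOM_UTF8),
         ("utf-16", codecs.BOM_UTF16_LE),
         ("utf-16", codecs.BOM_UTF16_BE))


def detect_bom(data):
    """Codec name implied by a leading byte-order mark, or None."""
    for codec, bom in _BOMS:
        if data.startswith(bom):
            return codec
    return None


def non_ascii_offsets(data, limit=10):
    """(offset, byte) pairs for the first `limit` bytes outside 7-bit ASCII."""
    return [(i, b) for i, b in enumerate(data) if b > 0x7F][:limit]


def normalize(data):
    """Decode using the detected BOM (else UTF-8) and re-serialise as ASCII JSON.

    ensure_ascii=True escapes any genuine non-ASCII text as \\uXXXX, which is
    still valid JSON, so record values are preserved rather than dropped.
    """
    text = data.decode(detect_bom(data) or "utf-8")    # utf-8-sig / utf-16 strip the BOM
    return json.dumps(json.loads(text), ensure_ascii=True, indent=2).encode("ascii")


def parsed(data):
    """The change batch as Python data after normalisation (for checking)."""
    return json.loads(normalize(data))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, "rb").read() if path else UTF16_FILE
    print("BOM:", detect_bom(raw), "non-ASCII bytes:", non_ascii_offsets(raw))
    if path:
        with open(path, "wb") as fh:
            fh.write(normalize(raw))
```

Run it against the real list-records file with its path as the only argument; it rewrites the file in place only after the content parsed as JSON, so a truncated or corrupt file is left untouched.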

How to get the volumeid for the device mounted at /dev/sdf for a particular instance with aws cli?

I am trying to get the volume id of the device mounted at /dev/sdf to a particular instance.
Command:
aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=$instance_id_main --region us-west-2 --output json
Output:
{
"Volumes": [
{
"AvailabilityZone": "us-west-2a",
"Attachments": [
{
"AttachTime": "2017-06-15T12:59:18.000Z",
"InstanceId": "i-073cfdf5832e5a7ab",
"VolumeId": "vol-096ca253d37b3e42b",
"State": "attached",
"DeleteOnTermination": false,
"Device": "/dev/sdf"
}
],
"Tags": [
{
"Value": "NewVolume",
"Key": "Name"
}
],
"Encrypted": false,
"VolumeType": "gp2",
"VolumeId": "vol-096ca253d37b3e42b",
"State": "in-use",
"Iops": 100,
"SnapshotId": "",
"CreateTime": "2017-06-15T12:39:06.687Z",
"Size": 5
},
{
"AvailabilityZone": "us-west-2a",
"Attachments": [
{
"AttachTime": "2017-06-15T12:57:46.000Z",
"InstanceId": "i-073cfdf5832e5a7ab",
"VolumeId": "vol-0189e6a20392bb709",
"State": "attached",
"DeleteOnTermination": true,
"Device": "/dev/sda1"
}
],
"Tags": [
{
"Value": "NewTesting",
"Key": "Name"
}
],
"Encrypted": false,
"VolumeType": "gp2",
"VolumeId": "vol-0189e6a20392bb709",
"State": "in-use",
"Iops": 100,
"SnapshotId": "snap-0a642b1f5be55819a",
"CreateTime": "2017-06-15T12:57:46.027Z",
"Size": 8
}
]
}
I tried the --query option of describe-volumes as given in the example, and I got the output below.
Command:
aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=$instance_id_main --query 'Volumes[*].{ID:VolumeId,Tag:Tags}' --region us-west-2 --output json
[
{
"Tag": [
{
"Value": "NewVolume",
"Key": "Name"
}
],
"ID": "vol-096ca253d37b3e42b"
},
{
"Tag": [
{
"Value": "NewTesting",
"Key": "Name"
}
],
"ID": "vol-0189e6a20392bb709"
}
]
Then I tried to get the Attachments and I got the error below.
Command:
aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=$instance_id_main --query 'Volumes[*].{Attachments:Device[*]}' --region us-west-2 --output text
Output:
[
{
"Attachments": null
},
{
"Attachments": null
}
]
Any idea would be appreciated.
die() { status=$1; shift; echo "FATAL: $*"; exit $status; }
EC2_INSTANCE_ID="`wget -q -O - http://169.254.169.254/latest/meta-data/instance-id || die \"wget instance-id has failed: $?\"`"
EC2_AWSAVZONE=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone)
EC2_REGION=${EC2_AWSAVZONE::-1}
DATA_VOLUME_ID="`aws ec2 describe-volumes --filters Name=attachment.device,Values=/dev/sdf Name=attachment.instance-id,Values=$EC2_INSTANCE_ID --query 'Volumes[*].{ID:VolumeId}' --region $EC2_REGION --output text`"
echo $DATA_VOLUME_ID
Output:
vol-096ca253d37b3e42b
Another method using describe-instances
#query using instance name
aws ec2 describe-instances --query 'Reservations[].Instances[].BlockDeviceMappings[?DeviceName==`/dev/sdf`].[Ebs.VolumeId]' --filters Name=tag:Name,Values=${INSTANCE_NAME} --output=text
#query using instance-id
aws ec2 describe-instances --instance-ids ${INSTANCE_ID} --query 'Reservations[].Instances[].BlockDeviceMappings[?DeviceName==`/dev/sdf`].[Ebs.VolumeId]' --output=text
If you're on Nitro you can use the ebsnvme-id utility to get the volume ID from a device like this:
awk '{print $3}' < <(/sbin/ebsnvme-id --volume /dev/nvme1n1)
Bonus:
You can get the device mounted at a specific mountpoint with findmnt like this:
findmnt -noheadings --output SOURCE --target /mnt/foo
Put all this together, and you can get the EBS Volume ID of the volume mounted at /mnt/foo like this:
awk '{print $3}' < <(
/sbin/ebsnvme-id --volume "$(
findmnt -noheadings --output SOURCE --target /mnt/foo
)"
)
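The device-to-volume lookup done on the describe-volumes JSON itself, as an added example that is not one of the answers above. It uses the question's own two volumes plus one constructed unattached, encrypted volume, and reads Device from inside each Attachments element, which is why the question's query `Volumes[*].{Attachments:Device[*]}` came back null: Device is not a field of the volume object. The function names are this example's own.

```python
"""Map a device name to its EBS volume ID from describe-volumes output.

Added example, not an answer from the page. The first two volumes are the
question's; the third is constructed to exercise the unattached case.
"""
import json

SAMPLE = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-096ca253d37b3e42b", "State": "in-use", "Encrypted": false,
   "Tags": [{"Key": "Name", "Value": "NewVolume"}],
   "Attachments": [{"InstanceId": "i-073cfdf5832e5a7ab", "VolumeId": "vol-096ca253d37b3e42b",
                    "Device": "/dev/sdf", "State": "attached", "DeleteOnTermination": false}]},
  {"VolumeId": "vol-0189e6a20392bb709", "State": "in-use", "Encrypted": false,
   "Tags": [{"Key": "Name", "Value": "NewTesting"}],
   "Attachments": [{"InstanceId": "i-073cfdf5832e5a7ab", "VolumeId": "vol-0189e6a20392bb709",
                    "Device": "/dev/sda1", "State": "attached", "DeleteOnTermination": true}]},
  {"VolumeId": "vol-0000000000000000c", "State": "available", "Encrypted": true,
   "Tags": [], "Attachments": []}
]}
""")


def attached_devices(response, instance_id):
    """{device: volume_id} for every volume currently attached to instance_id."""
    devices = {}
    for vol in response.get("Volumes", []):
        for att in vol.get("Attachments", []):      # Device lives here, not on the volume
            if att.get("InstanceId") == instance_id and att.get("State") == "attached":
                devices[att["Device"]] = vol["VolumeId"]
    return devices


def volume_for_device(response, instance_id, device):
    """VolumeId attached at `device` on `instance_id`, or None if nothing is."""
    return attached_devices(response, instance_id).get(device)


def unencrypted_attached(response, instance_id):
    """Devices on the instance whose volume is not encrypted: a quick
    inventory check over the same data."""
    by_id = {v["VolumeId"]: v for v in response.get("Volumes", [])}
    return sorted(dev for dev, vid in attached_devices(response, instance_id).items()
                  if not by_id[vid].get("Encrypted", False))


if __name__ == "__main__":
    # aws ec2 describe-volumes --region us-west-2 --output json | python volume_by_device.py i-... /dev/sdf
    import sys
    if len(sys.argv) == 3 and not sys.stdin.isatty():
        print(volume_for_device(json.load(sys.stdin), sys.argv[1], sys.argv[2]))
    else:
        print(volume_for_device(SAMPLE, "i-073cfdf5832e5a7ab", "/dev/sdf"))
```

On Nitro instances the device name in Attachments is still the name given at attach time (/dev/sdf), while the guest sees /dev/nvme1n1; the ebsnvme-id answer above is the way to bridge the two from inside the instance.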
