how to provide a file content as an aws cli option value - linux

I am trying to create an SFTP user with the help of AWS CLI in my Linux Box.
Below is the AWS CLI command which I am passing in my bash script (my SSH public key is in a file; with the help of a variable I am passing its contents into the AWS CLI options section):
customer_name_pub_value=$(cat /home/developer/naman/dir/$customer_name.pub)
aws transfer create-user --user-name $customer_name --home-directory script-test/power-archive-ireland/$customer_name/ --server-id s-aaabbbccc --ssh-public-key-body $customer_name_pub_value --tags 'Key=Product,Value="demo",Key=Environment,Value=dev,Key=Contact,Value="dev.user@domain.com",Key=Service,Value="sftp"' --role customer-sftp-role
Below is the ERROR which I am facing while executing above commands:
[developer@dev-lin demo]$ aws transfer create-user --user-name $customer_name --home-directory script-test/power-archive-ireland/$customer_name/ --server-id s-aaabbbccc --ssh-public-key-body $customer_name_pub_value --tags 'Key=Product,Value="demo",Key=Environment,Value=dev,Key=Contact,Value="dev.user@domain.com",Key=Service,Value="sftp"' --role customer-sftp-role
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
Unknown options: developer@dev-lin.domain.com, XXXXXXXXXXAB3NzaC1yc2EAAAADAQABAAABAQCm2hI3Y33K1GVbdQV0lfkm/klZRJS7Kcz8+53e/BoIbVMFH0jqm1aejELDFgPnN7HvIZ/csYGzF/ssTx5lXVaHQh/qkYwfqQBg8WvXVB0Jmogj1hr6z5M8Qy/3oCx0fSmh6e/Ekfk8vHhiHQlGZV3o8a2AW5SkP8IH/OgT6Bq+SMuB+xtSciVBZqSLI0OgYtOZ0MyxBzfLau1Tyegu5lVFevZDVjecnIaS4l+v2VIQ/OgaZ40oAI3NuRZ2EdnLqEqFyLjasx4kcuwNzD5oaXAU6T9UsqKN2rVLMKrXXXXXXXXXXX
Am I missing some bash syntax while passing the option value?
UPDATE 30-March-2020
As per the suggestions in the comments below, I have added the AWS role ARN to the command; now I am facing a different issue than before.
CODE:
customer_name='demo'
customer_name_pub_value=$(cat /home/developer/naman/dir/$customer_name.pub)
aws transfer create-user --user-name $customer_name --home-directory script-test/power-archive-ireland/$customer_name/ --server-id s-aaabbbccc --ssh-public-key-body "$customer_name_pub_value" --tags 'Key=Product,Value="demo",Key=Environment,Value=dev,Key=Contact,Value="dev.user@domain.com",Key=Service,Value="sftp"' --role "arn:aws:iam::8XXXXXXXXX2:role/customer-sftp-role"
ERROR
An error occurred (ValidationException) when calling the CreateUser operation: 1 validation error detected: Value 'script-test/power-archive-ireland/demo/' at 'homeDirectory' failed to satisfy constraint: Member must satisfy regular expression pattern: ^$|/.*

Yes, for the final bug, you should feed it as a list of objects:
--tags [{Key="Product", Value="demo"}, {Key="Environment", Value="dev"}, {Key="Contact", Value="dev.user@domain.com"}, {Key="Service", Value="sftp"}]
You may need to put "Key" and "Value" in quotes or even perhaps have to try key:value pairs (i.e. {"Product": "demo"}), but this should be the general syntax.

Below is the final working CLI command:
Changes
Added ROLE ARN (Thanks @user1394 for the suggestion)
Biggest issue resolved by placing a / before the --home-directory path (bad AWS documentation (https://docs.aws.amazon.com/cli/latest/reference/transfer/create-user.html) and their out-dated RegEx ^$|/.*)
Transformed the broken CLI tags into the JSON-based syntax to fix the final bug (not all the tags were attached by the old command)
#!/bin/bash
customer_name='demo'
customer_name_pub_value=$(cat /home/developer/naman/dir/$customer_name.pub)
aws transfer create-user \
    --user-name $customer_name \
    --server-id s-aaabbbccc \
    --role "arn:aws:iam::8XXXXXXXXX2:role/customer-sftp-role" \
    --ssh-public-key-body "$customer_name_pub_value" \
    --home-directory /script-test/power-archive-ireland/$customer_name \
    --tags '[
        {"Key": "Product", "Value": "demo"},
        {"Key": "Environment", "Value": "dev"},
        {"Key": "Contact", "Value": "dev.user@domain.com"},
        {"Key": "Service", "Value": "sftp"}
    ]'
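The following is an added example, not code from the original question or answers. It shows why the unquoted $customer_name_pub_value in the first command produced the "Unknown options" error (the shell word-splits the key line into three arguments), normalises the home directory so it matches the ^$|/.* pattern from the ValidationException, and builds the --tags JSON list from Key=Value pairs without needing jq. The sample key line, the account id placeholder and the helper names are constructed for the example; no AWS call is made, the assembled argument vector is only printed.

```shell
#!/bin/sh
# Added example (not from the original post): quoting, home-directory and tag
# construction for "aws transfer create-user". Nothing here calls AWS.

# Constructed sample key line (not a real key). An OpenSSH public key has three
# whitespace-separated fields: key type, base64 blob, comment.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/EXAMPLE/NOT/A/REAL/KEY developer@dev-lin.domain.com'

# Report how many separate arguments a command actually received.
count_args() {
    echo "$#"
}

# Unquoted expansion: the shell splits the key on spaces, so the CLI sees
# "--ssh-public-key-body ssh-rsa" followed by two stray "unknown options".
args_unquoted() {
    count_args $1
}

# Quoted expansion: the entire key line travels as one argument.
args_quoted() {
    count_args "$1"
}

# homeDirectory must match ^$|/.* : empty, or starting with a slash.
# Prefix a slash to a relative path so CreateUser does not fail validation.
home_directory() {
    case $1 in
        ''|/*) printf '%s' "$1" ;;
        *)     printf '/%s' "$1" ;;
    esac
}

# Build the --tags value as a JSON list from Key=Value arguments. Keys and
# values are inserted verbatim, so they must not contain double quotes.
tags_json() {
    out='['
    sep=''
    for kv in "$@"; do
        out="$out$sep{\"Key\":\"${kv%%=*}\",\"Value\":\"${kv#*=}\"}"
        sep=','
    done
    printf '%s]' "$out"
}

# Dry run: print the argument vector that would be handed to the AWS CLI,
# one argument per line, so the effect of the quoting is visible.
show_create_user() {
    customer_name=$1
    pubkey=$2
    printf '%s\n' aws transfer create-user \
        --user-name "$customer_name" \
        --server-id "s-aaabbbccc" \
        --role "arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:role/customer-sftp-role" \
        --ssh-public-key-body "$pubkey" \
        --home-directory "$(home_directory "script-test/power-archive-ireland/$customer_name")" \
        --tags "$(tags_json Product=demo Environment=dev Contact=dev.user@domain.com Service=sftp)"
}

# In the real script the key comes from a file, e.g.
#   pubkey=$(cat "/home/developer/naman/dir/$customer_name.pub")
echo "unquoted args: $(args_unquoted "$SAMPLE_KEY")   quoted args: $(args_quoted "$SAMPLE_KEY")"
show_create_user demo "$SAMPLE_KEY"
```

The AWS CLI can also read a parameter value straight from a file with the file:// prefix (for example --ssh-public-key-body file:///home/developer/naman/dir/demo.pub), which sidesteps the quoting question entirely; the quoted "$variable" form is still needed whenever the value is assembled in the script.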

Related

Setting EC2 Environment Variables with CodeDeploy, Parameter Store and PM2

I am deploying a Node.js app to EC2 using CodeDeploy. I am storing credentials within AWS Systems Manager, Parameter Store however cannot find a method to expose these to my application.
I am using PM2 for process management. I can successfully retrieve the parameter from the Parameter Store on the target machine, so there are no permission issues. For example:
aws ssm get-parameters --region us-east-1 --names LOCAL_CACHE_PATH --with-decryption --query Parameters[0].Value
...successfully returns the correct string. I attempt to use this in my applicationStart.sh CodeDeploy file and start the app:
#!/bin/bash
export LOCAL_CACHE_PATH=$(aws ssm get-parameters --region us-east-1 --names LOCAL_CACHE_PATH --with-decryption --query Parameters[0].Value)
pm2 start ecosystem.config.js --env production
LOCAL_CACHE_PATH returns undefined in my app when accessing process.env.LOCAL_CACHE_PATH.
So the environment variable is available within the applicationStart.sh script and yet undefined when the app starts from that script.
I am looking for a recommended approach to use environment variables from the Parameter Store with CodeDeploy.
I have read literally dozens of posts on similar topics but cannot resolve it. Very much appreciate any guidance.
The solution I am using is to write the environment variables to a .env file and use that in my app:
afterInstall.sh:
echo LOCAL_CACHE_PATH=$(aws ssm get-parameters --output text --region us-east-1 --names LOCAL_CACHE_PATH --with-decryption --query Parameters[0].Value) >> /home/ubuntu/foo/.env
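The following is an added example, not code from the original question or answer. It generalises the one-line afterInstall.sh above to several parameters: each value is fetched as plain text (so no JSON quotes end up in the file), the .env file is created readable by its owner only because it holds decrypted secrets, and it is truncated rather than appended to so stale values do not pile up across deployments. The fetch_param, demo_fetch and write_env_file names are the example's own; demo_fetch is a constructed stand-in so the writer can be exercised without AWS, and the real fetcher assumes the instance role may call ssm:GetParameter.

```shell
#!/bin/sh
# Added example (not from the original post): write SSM parameters to a .env
# file for the app to load, one NAME=value line per parameter.

# Fetch one decrypted parameter as plain text. --output text is what strips the
# surrounding JSON quotes that the plain --query call in the question leaves in.
fetch_param() {
    aws ssm get-parameter --region "${AWS_REGION:-us-east-1}" --name "$1" \
        --with-decryption --query Parameter.Value --output text
}

# Constructed stand-in fetcher (not an AWS call): a deterministic value per name,
# so the rest of the script can be run and tested offline.
demo_fetch() {
    printf '%s\n' "value-of-$1"
}

# write_env_file FILE NAME... : write NAME=value lines to FILE.
# The fetcher defaults to fetch_param; set FETCH=demo_fetch to use the stub.
write_env_file() {
    envfile=$1
    shift
    umask 077           # the file holds secrets: owner read/write only
    : > "$envfile"      # truncate, so values removed from SSM do not linger
    for name in "$@"; do
        value=$("${FETCH:-fetch_param}" "$name") || return 1
        printf '%s=%s\n' "$name" "$value" >> "$envfile"
    done
}

# Usage in afterInstall.sh (real fetcher):
#   write_env_file /home/ubuntu/foo/.env LOCAL_CACHE_PATH
# Offline demonstration with the stub:
FETCH=demo_fetch
write_env_file "${TMPDIR:-/tmp}/demo.env" LOCAL_CACHE_PATH DB_HOST
cat "${TMPDIR:-/tmp}/demo.env"
```

Values are written verbatim, so a parameter containing a newline or a character the app's .env parser treats specially would need quoting appropriate to that parser; the function returns non-zero as soon as one fetch fails, which lets the CodeDeploy hook abort instead of starting the app with a half-written file.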

Is there a way to list AWS Iam user properties

I can't find a way to list IAM users with the following info:
Username
Key age
Password age
Last login
MFA Enabled
last use
key Active?
I have tried aws iam list-users but that doesn't tell me much.
Is this possible using the AWS CLI? If so, how?
I will put in an answer, since 4 people have voted, unfairly I think, to close the question.
The short answer is, no, there's no one command you can use to do this, and I can understand why that's confusing and surprising.
Some of this info can be found in the credential report using:
aws iam generate-credential-report
aws iam get-credential-report
See the docs for how to programmatically obtain the credentials report (ref).
From there you can get:
mfa_active
access_key_1_active
access_key_1_last_used_date
access_key_1_last_rotated
password_last_used
password_last_changed
Some other info can be found in the list-access-keys subcommand:
▶ aws iam list-access-keys --user-name alex
{
    "AccessKeyMetadata": [
        {
            "UserName": "alex",
            "Status": "Active",
            "CreateDate": "XXXX-XX-XXT01:33:31Z",
            "AccessKeyId": "XXXXXXXX"
        }
    ]
}
Thus, you can get the "Status" and "CreateDate" from here too using commands like:
aws iam list-access-keys --user-name alex \
--query "AccessKeyMetadata[].CreateDate" \
--output text
More info again can be found in:
▶ aws iam get-login-profile --user-name alex
{
    "LoginProfile": {
        "UserName": "alex",
        "CreateDate": "XXXX-XX-XXT01:33:31Z",
        "PasswordResetRequired": false
    }
}
You can also get the access key last used date this way:
access_key_id=$(aws iam list-access-keys \
--user-name alex \
--query "AccessKeyMetadata[].AccessKeyId" \
--output text)
aws iam get-access-key-last-used \
--access-key-id $access_key_id
For example of output:
{
    "UserName": "alex",
    "AccessKeyLastUsed": {
        "Region": "XXXXXX",
        "ServiceName": "iam",
        "LastUsedDate": "XXXX-XX-XXT05:28:00Z"
    }
}
I think that covers all the fields you asked about. Obviously, you would need to write a bit of code around all this to get it all together.
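The following is an added example, not code from the original question or answer. It is the "bit of code around all this" the answer mentions: it downloads the credential report (base64-encoded CSV) and pulls out the username, MFA state, access key 1 status, rotation and last-use dates, and password last-use for every user, plus a check for users who can log in with a password but have no MFA. Columns are located by header name, so the awk programs do not depend on column order. The SAMPLE_REPORT is constructed for running the parser offline (placeholder account id, dates and users); the function names are the example's own, and fetch_report assumes the caller may run iam:GenerateCredentialReport and iam:GetCredentialReport.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the IAM credential report.

# Download the current report as CSV. The API returns the content base64-encoded.
fetch_report() {
    aws iam generate-credential-report >/dev/null
    aws iam get-credential-report --query Content --output text | base64 -d
}

# Constructed sample report in the real report's CSV layout (all values are
# placeholders, not real accounts), so the parsers below can be run offline.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2019-01-01T00:00:00+00:00,not_supported,2020-02-01T00:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alex,arn:aws:iam::111111111111:user/alex,2020-01-01T01:33:31+00:00,true,2020-03-30T05:28:00+00:00,2020-01-01T01:33:31+00:00,N/A,true,true,2020-01-01T01:33:31+00:00,2020-03-30T05:28:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
sam,arn:aws:iam::111111111111:user/sam,2019-06-15T10:00:00+00:00,true,no_information,2019-06-15T10:00:00+00:00,N/A,false,true,2019-06-15T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A'

# summarise_report < report.csv
# One tab-separated line per IAM user (root row skipped): user, mfa_active,
# access_key_1_active, access_key_1_last_rotated, access_key_1_last_used_date,
# password_last_used.
summarise_report() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["user"] == "<root_account>" { next }
        {
            printf "%s\t%s\t%s\t%s\t%s\t%s\n",
                $col["user"], $col["mfa_active"], $col["access_key_1_active"],
                $col["access_key_1_last_rotated"], $col["access_key_1_last_used_date"],
                $col["password_last_used"]
        }'
}

# flag_no_mfa < report.csv
# Users with console password enabled but no MFA device: the first thing an
# account review usually wants to know.
flag_no_mfa() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["password_enabled"] == "true" && $col["mfa_active"] == "false" { print $col["user"] }'
}

# Offline run on the constructed sample; replace with "fetch_report | summarise_report"
# against a real account.
printf '%s\n' "$SAMPLE_REPORT" | summarise_report
printf '%s\n' "$SAMPLE_REPORT" | flag_no_mfa
```

The report covers at most one row per user and is regenerated on demand, so generate-credential-report is called first; key and password ages follow from the last_rotated and last_changed dates relative to today, and the get-access-key-last-used call shown above is only needed for a key's last-used service and region when the report's own columns are not enough.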

Create DNS in lightsail entry using aws cli

Does anyone have an example of how to create a dns entry, for a lightsail hosted domain, using the aws cli?
I haven't been able to find an example of the format for the --domain-entry parameter of the create-domain-entry sub-command.
I made use of Mike's syntax to create a TXT record for DMARC. (Thank you Mike!)
I'd been trying to create it in the UI. I kept getting this error: Input error: Target should be enclosed in quotation marks: ""v=DMARC1; p=none; rua="mailto:dmarc@YOURDOMAINNAME.com"".
After trying several times with different recommended quote configurations, I bailed on the UI, and used Mike's syntax in a bash script. In my case, I also removed the extra quotes I had around the email address inside the rua portion. This may have been the source of my errors in the UI.
Here's what successfully created the DMARC record for me:
#!/usr/bin/bash
aws lightsail --region us-east-1 \
create-domain-entry \
--domain-name 'YOURDOMAINNAME.com' \
--domain-entry '{"name":"_dmarc.YOURDOMAINNAME.com","target":"\"v=DMARC1; p=none; rua=mailto:dmarcreports@YOURDOMAINNAME.com\"","isAlias":false,"type":"TXT"}'
Of course, replace YOURDOMAINNAME with your domain name, and the mailto name with the email at which you want to receive DMarc reports.
The command below will create an A record using the CLI
aws lightsail create-domain-entry \
--domain-name mikegcoleman.com \
--region us-east-1 --domain-entry \
name=blog.mikegcoleman.com,target=52.40.235.176,isAlias=false,type=A
Note that you need to specify the region as all domain actions with the Lightsail CLI need to be performed against us-east-1
For a TXT record the following should work. I think there is some funkiness with the CLI that it doesn't like the inline domain entry, and needs the JSON to do the TXT record, so it's formatted differently from above:
aws lightsail --region us-east-1 \
create-domain-entry \
--domain-name 'mikegcoleman.com' \
--domain-entry '{"name":"test.mikegcoleman.com","target":"\"response\"","isAlias":false,"type":"TXT"}'
Yes!
The answer from @binarybelle to create a BASH script and add the command as the JSON version worked for me too in order to add a TXT entry for DKIM.
The extra trick with a long DKIM entry is to split the text key into 2 parts, so lots of escaping the extra double-quotes :-)
#!/bin/bash
/usr/local/bin/aws lightsail --region us-east-1 \
create-domain-entry --domain-name 'mydomain.co.uk' \
--domain-entry '{"name":"default._domainkey.mydomain.co.uk","target":"\"v=DKIM1; h=sha256; k=rsa; \" \"p=MIIBIjxxxxxxxxxxxiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAurVgfLc8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9cRHBTEOIR4lmIgatpit\" \"t+v7oQzngmfKpBNoTeyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxQIDAQAB\"","isAlias":false,"type":"TXT"}'

aws cli get media command

I am trying to use the amazon cli to get media from an active kinesis stream.
the command I am trying is:
aws kinesis-video-media get-media --stream-name testStream --start-selector '{ "StartSelectorType":"NOW" }' --endpoint-url 'https://<code>.kinesisvideo.ap-northeast-1.amazonaws.com'
but I get:
usage: aws [options] <command> <subcommand> [<subcommand> ...]
[parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: too few arguments
According to the docs, StartSelectorType is the only flag I really need?
Thanks
The get-media Command Reference says that you also need to provide an outfile:
get-media
[--stream-name <value>]
[--stream-arn <value>]
--start-selector <value>
outfile <value>
See also: Boto3 kinesis video stream: Error when calling the GetMedia operation

Accessing SSM variables with Serverless

I would like to use SSM Parameters in Serverless Variables.
Following the docs, I ran this command:
aws ssm put-parameter --name foo --value bar --type SecureString
And I added this to my serverless.yml:
custom:
foo: ${ssm:foo}
When I deploy, I get this warning however:
Serverless Warning --------------------------------------
A valid SSM parameter to satisfy the declaration 'ssm:foo' could not be found.
How do I access this variable? Thanks!
I needed to set the same region for both the serverless function, as well as the ssm variable assignment:
aws ssm put-parameter --name foo --value bar --type SecureString --region us-east-1
If the parameter is a SecureString, you need to add ~true after the path to the parameter in the serverless.yml file, as explained here: https://serverless.com/framework/docs/providers/aws/guide/variables#reference-variables-using-the-ssm-parameter-store
This will tell the framework to decrypt the value. Make sure that you have permissions to use the key used to encrypt the parameter.
Check your IAM policy. To get the parameters, the user doing the deployment needs access to SSM. This offers full access. See the docs to narrow it down a bit (ie: GetParameters, GetParameter).
{
    "Effect": "Allow",
    "Action": [
        "ssm:*"
    ],
    "Resource": [
        "*"
    ]
}
Add this to the provider section in serverless.yml file
iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "ssm:GetParameters"
    Resource: "*"
to use SSM variables, you need to prefix /aws/reference/secretsmanager/
example
${ssm:/aws/reference/secretsmanager/${self:provider.stage}/service/mysecret~true}
