I'm trying to compile a full list of EC2 instances in my AWS account via the aws-cli. I'm successfully querying everything except the associated security groups for each instance. When I try pulling the security group name it comes through as None. Below is the command I've run. I've also tried 'Groups'.
aws ec2 describe-instances --region=us-west-2 --query 'Reservations[*].Instances[*].[Tags[?Key==`Name`].Value|[0],InstanceId,Placement.AvailabilityZone,State.Name,KeyName,SecurityGroups.GroupName]' --output table
That's because each instance might have multiple security groups assigned to it, so SecurityGroups is an array. you can access the first element in the array if instead of doing:
SecurityGroups.GroupName
you'll do:
SecurityGroups[0].GroupName
but that will show you only the first security group in the list. If you want to see the whole list you'll have to change your query to something like:
aws ec2 describe-instances --region "us-west-2" --query 'Reservations[*].Instances[*].[InstanceId,SecurityGroups[].GroupName |[*]]' --output text
Related
I am trying to add the tags to my existing VPC.
I am trying to solve this problem using AWS cli for multiple VPC's.
But could not find the appropriate command to add the tag using AWSCLI.
Can someone please help. TIA.
You can add tags to the existing resources using create-tags
Adds or overwrites only the specified tags for the specified Amazon EC2 resource or resources. When you specify an existing tag key, the value is overwritten with the new value.
https://docs.aws.amazon.com/cli/latest/reference/ec2/create-tags.html
aws ec2 create-tags --resources vpc-1234567 --tags Key=Stack,Value=production
Or multiple tags
aws ec2 create-tags \
--resources vpc-1234567 i-1234567890abcdef0 \
--tags Key=webserver,Value= Key=stack,Value=Production
Make sure your default region is correct for VPC or add region to the cli command.
I am trying to list down all the EC2 instances with its IAM role attached using boto3 in python3. But I don't find any method to get the IAM role attached to existing EC2 instance. is there any method in boto3 to do that ?
When I describe an Instance, It has a key name IamInstanceProfile. That contains instance profile id and arn of the iam instance profile. I don't find name of IAM instance profile or any other info about IAM roles attached to it. I tried to use instance profile id to describe instance profile, But it seems to describe an instance profile, we need name of instance profile (not the id).
Can someone help on this ? I might be missing something.
Thanks
When we describe EC2 instance, We get IamInstanceProfile key which has Arn and id.
Arn has IamInstanceProfile name attached to it.
Arn': 'arn:aws:iam::1234567890:instance-profile/instanceprofileOrRolename'
This name can be used for further operation like get role description or listing policies attached to role.
Thanks
You can get the metadata of an EC2 instance by making an HTTP call to http://169.254.169.254/latest/meta-data/ from the instance.
In your case, you may want to navigate to http://169.254.169.254/latest/meta-data/iam/security-credentials to get the IAM role attached to the instance.
EC2 Instance Metadata
You can call IAM list_instance_profiles(), and then filter the results by the ARN or ID from EC2 describe_instances() result. This response will contain Roles for given instance profile.
Boto3 IAM documentation
Hi I would like to use AWS CLI fillters to find the security group. I found in tutorial command i should use, but it doesn't work.
aws ec2 describe-security-groups --filters Name=key,Values="xxx" --profile dev
I have a few security groups with tags with schema like this:
tags:
- Key : aws-security-group05
Value : 1.0.1.1
And I want to find ID of security group by fillterring by tags and values.
You have to provide correct syntax like below-
For example, if you want to list down all security groups which are having a tag named as Department and the value of that tag is HR,
aws ec2 describe-security-groups --filters Name=tag:Department,Values=HR
for your case it would be -
aws ec2 describe-security-groups --filters Name=tag:aws-security-group05,Values=1.0.1.1
above command will display all the details about security group, if you just want to see id of the security group, pls use --query parameter
example-
aws ec2 describe-security-groups --filters Name=tag:aws-security-group05,Values=1.0.1.1 --query 'SecurityGroups[].GroupId' --out text
I am trying to get all the Amazon EC2 instances with some specific tags like environment and service in auto scaling group using the AWS CLI .
As of now I included only one tag. How can I include both the tags and I need the full information of ID like Availability zone, launch configuration, instances, name, etc.
How can I do that?
I am using query like:
aws autoscaling describe-auto-scaling-groups --query "AutoScalingGroups[? Tags[? (Key=='Environment') && Value=='staging']]".AutoScalingGroupName
Some of the information you seek (eg Launch Configuration) can be obtained from the Auto Scaling Group (using a command similar to what you provided above), while some of the information relates to the instances that are launched within the auto scaling group (eg Availability Zone).
Here is a command that will return information about instances in a specific Amazon EC2 auto scaling group (eg my-autoscaling-group):
aws ec2 describe-instances --filter Name=tag:aws:autoscaling:groupName,Values=my-autoscaling-group --query "Reservations[*].Instances[*].[InstanceId,Placement.AvailabilityZone,Tags[?Key=='Name']|[0].Value]"
I tried to find set aws-cli locally using IAM role & without using access key/secret access key. But unable to get information from meta url[http://169.256.169.256/latest/meta-data].
I am running Ec2 instance with Ubuntu Server 16.04 LTS (HVM), SSD Volume Type - ami-f3e5aa9c.I have tried to configure aws-cli on that instance.I am not sure what type of role/policy/user needed to get aws-cli configured in my Ec2 instance.
Please provide me step by step guide to achieve that.I just need direction.So useful link also appreciated.
To read Instance Metadata, you dont need to configure the AWS CLI. The problem in your case, is you are using a wrong URL to read the Instance Metadata. The correct URL to use is http://169.254.169.254/ . For example, if you want to read the AMI id of the Instance, you can use the follow command.
curl http://169.254.169.254/latest/meta-data/ami-id
However, if you would like to configure the AWS cli without using the Access/Secret Keys. Follow the below steps.
Create an IAM instance profile and Attach it to the EC2 instance
Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Roles, Create role.
On the Select role type page, choose EC2 and the EC2 use case. Choose Next: Permissions.
On the Attach permissions policy page, select an AWS managed policy that
grants your instances access to the resources that they need.
On the Review page, type a name for the role and choose Create role.
Install the AWS CLI(Ubuntu).
Install pip if it is not installed already.
`sudo apt-get install python-pip`
Install AWS CLI.
`pip install awscli --upgrade --user`
Configure the AWS CLI. Leave AWS Access Key ID and AWS Secret Access
Key as blank as we want to use a Role.
$ aws configure
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: us-west-2
Default output format [None]: json
Modify the Region and Output Format values if required.
I hope this Helps you!
AWS Documentation on how to setup an IAM role for EC2
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html