We have a django app deployed on elastic beanstalk, and added a feature that accesses an oracle DB. cx-Oracle requires the Oracle client library (instant client), and we would like to have the .zip for the library available as a private object in our S3 bucket, public object is not an option. We want to avoid depending on an Oracle link with wget. I am struggling to develop a .config file in the .ebextensions directory that will install the .zip S3 any time it is deployed. How can was set-up the config to install on deployment?
os: Amazon Linux AMI 1
Sure that is a common practice to get your private files from s3.
You need to have IAM permission (on EB cluster) to access your s3 bucket and download files.
The config in .ebextensions can look something like this:
container_commands:
install:
command: |
#!/bin/bash -xe
aws s3 cp s3:/bucket-name/your-file local-filename
Just like a friendly suggestion, EB is ok to start with but if your app will go to production you will run on some problems (like cannot enforce some ports to not be opened etc) and maybe there are some better options for you to host your app (ECS, EKS etc)
I need to SSH on to my Linux box from Jenkins using AWS cli. To do so, AWS documentation states I need to use my pem key:
ssh -i /path/my-key-pair.pem ec2-user#ec2-198-51-100-1.compute-1.amazonaws.com
However, Jenkins does not have access to where I have the pem file stored and moving it is not an option.
I have generated a sshagent in Jenkins using my pem file, but cannot find any documentation or examples that show how replacing the path to pem file with my sshagent would work.
Does anyone have any any idea what the syntax is or could be point me in the direction of some documentation on this?
You have mixed two questions or things:
to ssh you certainly need the .pem key but not to execute the aws cli. Use below for ssh from jenkins to ec2 instance.
Instead of doing the above you can update the EC2 instance ec2-user /home/ec2-user/.ssh/authorized_keys with the public key of the jenkins user.
For executing aws cli commands if you want you need to use Access Credentials.
I accidentally typed in the wrong aws-access-id and secret key after running eb init when going through the tutorial Deploying an Express Application to Elastic Beanstalk
Now I am getting the following error "Error: "my-mistyped-key" not a valid key=value pair (missing equal-sign) in Authorization header..."
What is the best way to reset my credential so that I can run "eb init"
go to ~/.aws/config and change your credentials there
On windows, you can find the config file to delete at C:\Users\You\.aws\
You will have to enable viewing hidden files
If you have the AWS CLI installed, type aws configure and you can re-enter your credentials.
I have a shell script which is supposed to download some files from S3 and mount an ebs drive. However, I always end up with "Unable to locate credentials".
I have specified my credentials with the aws configure command and the commands work outside the shell script. Could somebody, please, tell me (preferably in detail) how to make it work?
This is my script
#!/bin/bash
AWS_CONFIG_FILE="~/.aws/config"
echo $1
sudo mkfs -t ext4 $1
sudo mkdir /s3-backup-test
sudo chmod -R ugo+rw /s3-backup-test
sudo mount $1 /s3-backup-test
sudo aws s3 sync s3://backup-test-s3 /s3-backup/test
du -h /s3-backup-test
ipt (short version):
Thanks for any help!
sudo will change the $HOME directory (and therefore ~) to /root, and remove most bash variables like AWS_CONFIG_FILE from the environment. Make sure you do everything with aws as root or as your user, dont mix.
Make sure you did sudo aws configure for example. And try
sudo bash -c 'AWS_CONFIG_FILE=/root/.aws/config aws s3 sync s3://backup-test-s3 /s3-backup/test'
You might prefer to remove all the sudo from inside the script, and just sudo the script itself.
While you might have your credentials and config file properly located in ~/.aws, it might not be getting picked up by your user account.
Run this command to see if your credentials have been set:aws configure list
To set the credentials, run this command: aws configure and then enter the credentials that are specified in your ~/.aws/credentials file.
The unable to locate credentials error usually occurs when working with different aws profiles and the current terminal can't identify the credentials for the current profile.
Notice that you don't need to fill all the credentials via aws configure each time - you just need to reference to the relevant profile that was configured once.
From the Named profiles section in AWS docs:
The AWS CLI supports using any of multiple named profiles that are
stored in the config and credentials files. You can configure
additional profiles by using aws configure with the --profile option,
or by adding entries to the config and credentials files.
The following example shows a credentials file with two profiles. The
first [default] is used when you run a CLI command with no profile.
The second is used when you run a CLI command with the --profile user1
parameter.
~/.aws/credentials (Linux & Mac) or %USERPROFILE%\.aws\credentials (Windows):
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
So, after setting up the specific named profile (user1 in the example above) via aws configure or directly in the ~/.aws/credentials file you can select the specific profile:
aws ec2 describe-instances --profile user1
Or export it to terminal:
$ export AWS_PROFILE=user1
Answering in case someone stumbles across this based on the question's title.
I had the same problem where by the AWS CLI was reporting unable to locate credentials.
I had removed the [default] set of credentials from my credentials file as I wasn't using them and didn't think they were needed. It seems that they are.
I then reformed my file as follows and it worked...
[default]
aws_access_key_id=****
aws_secret_access_key=****
region=eu-west-2
[deployment-profile]
aws_access_key_id=****
aws_secret_access_key=****
region=eu-west-2
This isn't necessarily related to the original question, but I came across this when googling a related issue, so I'm going to write it up in case it may help anyone else. I set up aws on a specific user, and tested using sudo -H -u thatuser aws ..., but it didn't work with awscli 1.2.9 installed on Ubuntu 14.04:
% sudo -H -u thatuser aws configure list
Name Value Type Location
---- ----- ---- --------
profile <not set> None None
access_key <not set> None None
secret_key <not set> None None
region us-east-1 config_file ~/.aws/config
I had to upgrade it using pip install awscli, which brought in newer versions of awscli (1.11.93), boto, and a myriad of other stuff (awscli docutils botocore rsa s3transfer jmespath python-dateutil pyasn1 futures), but it resulted in things starting to work properly:
% sudo -H -u thatuser aws configure list
Name Value Type Location
---- ----- ---- --------
profile <not set> None None
access_key ****************WXYZ shared-credentials-file
secret_key ****************wxyz shared-credentials-file
region us-east-1 config-file ~/.aws/config
A foolish and cautionary tail of a rusty script slinger:
I had defined the variable HOME in my script as a place were the script should go to build the platform.
This variable overwrote the env var that defines the shell users $HOME. So the AWS command could not find ~/.aws/credentials because ~ was referencing the wrong place.
I hate to admit it, but I hope it helps saves someone some time.
Was hitting this error today when running aws cli on EC2. My situations is I could get credentials info when running aws configure list. However I am running in a corporate environment that doing things like aws kms decrypt requires PROXY. As soon as I set proxy, the aws credentials info will be gone.
export HTTP_PROXY=aws-proxy-qa.cloud.myCompany.com:8099
export HTTPS_PROXY=aws-proxy-qa.cloud.myCompany.com:8099
Turns out I also have to set NO_PROXY and have the ec2 metadata address in the list 169.254.169.254. Also, since you should be going via an s3 endpoint, you should normally have .amazonaws.com in the no_proxy too.
export NO_PROXY=169.254.169.254,.amazonaws.com
If you are using a .aws/config file with roles ensure sure your config file is correctly formatted. In my case I had forgotten to put the role_arn = in front of the arn. The default profile sits in the .aws/credentials file and contains the access key id and secret access key of the iam identity.
The config file contains the role details:
[profile myrole]
role_arn = arn:aws:iam::123456789012:role/My-Role
source_profile = default
mfa_serial = arn:aws:iam::987654321098:mfa/my-iam-identity
region=ap-southeast-2
You can quickly test access by calling
aws sts get-caller-identity --profile myrole
If you have MFA enabled like I have you will need to enter it when prompted.
Enter MFA code for arn:aws:iam::987654321098:mfa/my-iam-identity:
{
"UserId": "ARABCDEFGHIJKLMNOPQRST:botocore-session-15441234567",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/My-Role/botocore-session-15441234567"
}
I ran into this trying to run an aws-cli command from roots cron.
Since credentials are stored in $HOME/.aws/credentials and I initialized aws-cli through sudo, $HOME is still /home/user/. When running from cron, $HOME is /root/ and thus cron cannot find the file.
The fix was to change $HOME for the specific cron job. Example:
00 12 * * * HOME=/home/user aws s3 sync s3://...
(alternatives includes moving, copying or symlinking the .aws dir, from /home/user/ to /root/)
try adding sudo with aws command like sudo aws ec2 command and yes as meuh mentioned the awscli needs to be configured using sudo
pip install --upgrade awscli
or
pip3 install --upgrade awscli
I am writing a bash script that will automatically install and configure AWS CLI tools. I am able to install AWS CLI tools but unable to configure it.
My script is something like this:
#!/bin/bash
wget https://s3.amazonaws.com/aws-cli/awscli-bundle.zip
unzip awscli-bundle.zip
sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
./awscli-bundle/install -b ~/bin/aws
./awscli-bundle/install -h
aws configure
AWS Access Key ID [None]: ABCDEFGHIJKLMNOP ## unable to provide this data
AWS Secret Access Key [None]: xbdwsdADDS/ssfsfa/afzfASADQASAd ## unable to provide this data
Default region name [None]: us-west-2 ## unable to provide this data
Default output format [None]: json ## unable to provide this data
I wish to do the configuration using this script too. I wish that I can provide these credentials via script so that it prevents manual entry. How can this be done?
Use a configuration file rather than the aws configure command. Create a file called ~/.aws/config that looks like this:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region=us-west-2
output=json
More info in the docs.
the best practice is to install the awscli utility by BASH and copy the file from your own specified location of 2 files
without hitting
#aws configure
command these files will not get created, you can copy and paste the files using bash script and get all the execution done
~/.aws/credintials
~/.aws/config
where credentials contains
[default]
aws_access_key_id=ABCDEFGHIJKLMNOP
aws_secret_access_key=xbdwsdADDS/ssfsfa/afzfASADQASAd
and config file contains
[default]
output=json
region=us-west-2
This will help you to keep the keys at one place and you can also push the same for your execution for any CMT tool as well like Ansible.
you additionally configure this from the command line which will create the configuration file
aws configure set aws_access_key_id ABCDEFGHIJKLMNOP
aws configure set aws_secret_access_key xbdwsdADDS/ssfsfa/afzfASADQASAd
aws configure set default.region eu-west-1