rb:aws-cli [04/05/2018 10:54]
andrew created
rb:aws-cli [19/09/2018 16:10] (current)
andrew [Roles with CodeCommit]
Line 3: Line 3:
  
 ===== Initial install ===== ===== Initial install =====
 +
 +AWS cli tool is written in python, and as python3 is the most recent, this is what will be installed. The awscli tool is installed through pip3.
 +
 +<​code>​
 +# yum install python3
 +
 +... edited...
 +
 +Install ​ 1 Package (+3 Dependent packages)
 +
 +Total download size: 11 M
 +Installed size: 51 M
 +Is this ok [y/d/N]: y
 +Downloading packages:
 +(1/4): python3-3.7.0-0.20.rc1.amzn2.0.1.x86_64.rpm ​                                    ​| ​ 64 kB  00:​00:​01 ​    
 +(2/4): python3-pip-9.0.3-1.amzn2.0.1.no ​                                               | 1.9 MB  00:​00:​03 ​    
 +(3/4): python3-setuptools-38.4.0-3.amzn2.0.6.noarch.rpm ​                               | 617 kB  00:​00:​01 ​    
 +(4/4): python3-libs-3.7.0-0.20.rc1.amzn2.0.1.x86_64.rpm ​                               | 8.0 MB  00:​00:​14 ​    
 +------------------------------------------------------------------------------------------------------------
 +Total                                                                                                                                                        487 kB/s |  11 MB  00:​00:​22 ​   ​
 +
 +# pip3 install awscli
 +WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
 +Collecting awscli
 +  Downloading https://​files.pythonhosted.org/​packages/​f8/​ab/​ab7b15a7a5524f47bb39279a59a7afdb1237162159ba7ff15cab28c96915/​awscli-1.16.15-py2.py3-none-any.whl (1.3MB)
 +    100% |████████████████████████████████| 1.3MB 981kB/​s ​
 +...edited... ​   ​
 +</​code>​
 +
 +
 +
 +AWS linux 2 does have a awscli tool in the linux repo, but it is not as recent as the pip installed one:-
 +
 +<​code>​
 +# aws --version
 +aws-cli/​1.14.8 Python/​2.7.14 Linux/​4.14.47-64.38.amzn2.x86_64 botocore/​1.8.12
 +[root@amazonlinux02 ~]#
 +</​code>​
 +
 +
 +Compare to the pip3 installed version:-
 +<​code>​
 +# /​usr/​local/​bin/​aws --version
 +aws-cli/​1.16.15 Python/​3.7.0rc1 Linux/​4.14.47-64.38.amzn2.x86_64 botocore/​1.12.5
 +[root@amazonlinux02 ~]#
 +</​code>​
 +
 +
 +
 +===== Setting up roles =====
 +
 +Roles allow proviledge escalation for a user to perform specific tasks. For this to be used in the cli, an extra section is added to the ''​.aws/​config''​ file:-
 +
 +<​code>​
 +[default]
 +output = json
 +region = eu-west-1
 +
 +
 +[profile sandbox]
 +role_arn = arn:​aws:​iam::​12345678:​role/​roles-sandboxadmin
 +source_profile = default
 +region = eu-west-1
 +</​code>​
 +
 +When a cli command is run, the ''​--profile sandbox''​ is added to awitch to that role:-
 +
 +<​code>​
 +server:​~/​.aws$ aws ec2 describe-instances --filters "​Name=instance-type,​Values=t2.micro"​ --query Reservations[].Instances[].InstanceId --profile sandbox
 +[
 +    "​i-0b99cb98dfabcdefg",​
 +    "​i-04888fe41agfedcba"​
 +]
 +server:​~/​.aws$
 +</​code>​
 +===== AWS CodeCommit =====
 +
 +AWS CodeCommit is a git compatible repository. It uses the git command locally, but if you are using roles, there is a restruction on using only https, not ssh to communticate to the remote repo. Also, there is a tie in with the aws command line which is why CodeCommit is here and not under [[rb:​git-cheatsheet|Git Cheatsheet]].
 +
 +AWS's IAM requires ''​HTTPS Git credentials for AWS CodeCommit''​ to be created from the ''​Security Credentials''​ tab under ''​Users''​. Click Generate and make a note of the values. These will become your git credentials to be used on the cli.
 +Also, you will be **required** to configure a Credential Helper, the name of this sounds like it is optional, but it isn'​t. ​
 +
 +IAM periodically resets the password used with the git credentials (above) and the Credential Helper is used to call out to IAM to get the updates password which is then used in the git command.
 +
 +<​code>​
 +git config --global credential.helper '!aws codecommit credential-helper $@'
 +git config --global credential.UseHttpPath true
 +</​code>​
 +
 +
 +==== Roles with CodeCommit ====
 +
 +In the .gitconfig file, the commands above add the helper line, but to use it with roles, it needs the ''​--profile''​ adding:-
 +
 +<​code>​
 +$ more  /​home/​user/​.gitconfig ​
 +[credential]
 + helper = !aws --profile sandbox codecommit credential-helper $@
 + UseHttpPath = true
 +$
 +</​code>​
 +
 +My understanding is that ''​git''​ feeds a string of arguments to the credential-helper ($@) and consumes the string returned to forward on to CodeCommit as the user password. ​ As it is an ''​aws''​ command it can take the --profile option. Without that, the helper will try to return the IAM users credentials not the role's credentials,​ git will present these and it will pushes and pulls will fail with ''​fatal:​ unable to access <​xx-repo>​ : The requested URL returned error: 403
 +
 +
 +
 +===== Creating a new repo =====
 +
 +This is shown with the role option ''​--profile sandbox''​
 +
 +
 +<​code>​
 +$ aws codecommit create-repository --repository-name CIS-Hardening --repository-description "Repo for ansible code to harden aws Linux2 image."​ --profile sandbox
 +{
 +    "​repositoryMetadata":​ {
 +        "​repositoryDescription":​ "Repo for ansible code to harden aws Linux2 image.",​
 +        "​cloneUrlSsh":​ "​ssh://​git-codecommit.eu-west-2.amazonaws.com/​v1/​repos/​CIS-AWS_Linux2",​
 +        "​repositoryId":​ "​91fb1234-833e-4705-8e1c-xxxxxxxx",​
 +        "​lastModifiedDate":​ 1537199788.236,​
 +        "​accountId":​ "​1234567890",​
 +        "​repositoryName":​ "​CIS-Hardening",​
 +        "​Arn":​ "​arn:​aws:​codecommit:​eu-west-2:​987654321:​CIS-Hardening",​
 +        "​cloneUrlHttp":​ "​https://​git-codecommit.eu-west-2.amazonaws.com/​v1/​repos/​CIS-AWS_Linux2",​
 +        "​creationDate":​ 1537199788.236
 +    }
 +}
 +$
 +$ aws codecommit list-repositories --profile sandbox
 +{
 +    "​repositories":​ [
 +        {
 +            "​repositoryName":​ "​AMI_PackerDefinitions-AWS_Linux2",​
 +            "​repositoryId":​ "​12345678-a3af-4d07-8319-20f112345678"​
 +        },
 +        {
 +            "​repositoryName":​ "​CIS-Hardening",​
 +            "​repositoryId":​ "​87654321-14cd-495a-8b4f-121987654321"​
 +        }
 +    ]
 +}
 +
 +</​code>​
 +
 +
  
  
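Review bot: the CodeCommit section describes the authentication model inconsistently: the paragraph about "HTTPS Git credentials for AWS CodeCommit" says those IAM-generated credentials become the git password and that the credential helper calls out to IAM to fetch a periodically reset password, but the helper configured by `git config --global credential.helper '!aws codecommit credential-helper $@'` (and the `helper = !aws --profile sandbox codecommit credential-helper $@` line in `.gitconfig`) does not retrieve those credentials at all; it signs each request with the AWS credentials of the profile it runs under, which is exactly why adding `--profile sandbox` makes pushes work with the assumed role and why falling back to the IAM user's credentials produces the 403 described in the "Roles with CodeCommit" paragraph. Suggest stating that with the helper configured the IAM-generated HTTPS Git credentials are not used (a role cannot hold them anyway) and dropping the "IAM periodically resets the password" sentence, since the "My understanding is" paragraph is currently the only accurate description of what happens. Two smaller points: the `pip3 install awscli` step is run as root and the pasted output itself warns about that, so the install section should either show `pip3 install --user awscli` or say why a system-wide install as root was chosen; and the `create-repository` output has been redacted inconsistently (`repositoryName` is `CIS-Hardening` but both clone URLs end in `CIS-AWS_Linux2`, and `accountId` is `1234567890` while the `Arn` carries account `987654321`), which will confuse readers comparing it with their own output. Finally, the 403 error string at the end of the "Roles with CodeCommit" paragraph opens a `''` monospace span that is never closed, so the rest of the paragraph renders as code.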

rb/aws-cli.1525427649.txt.gz · Last modified: 04/05/2018 10:54 by andrew