AWS CLI Basics:

Assuming you have aws cli setup – if you are using an ec2 amazon AMI the AWS CLI is preinstalled for you – verify version of CLI with:

aws --version

# show the regions available – will work if you have ec2 privs…

aws ec2 describe-regions --output text | cut -f 3

More Advanced AWS CLI:

aws sns publish --generate-cli-skeleton
{
"TopicArn": "",
"TargetArn": "",
"PhoneNumber": "",
"Message": "",
"Subject": "",
"MessageStructure": "",
"MessageAttributes": {
"KeyName": {
"DataType": "",
"StringValue": "",
"BinaryValue": null
}
}
}
aws sns publish --generate-cli-skeleton > publish-arguments.json

# then after filling in the skeleton – not shown

aws sns publish –cli-input-json file://publish-arguments.json

# Or put your message in a text file and deliver it

cat message.txt
Hello World From A File

aws sns publish --topic-arn "arn:aws:sns:us-west-2:649999999999:Oregon-Manual-Publish" --message file://message.txt

# note the assumption on the “publish” above is that the topic “Oregon-Manual-Publish” exists and has been subscribed to.

Assuming Roles From AWS CLI

Ok, so now lets assume you have an ec2 user like ec2-user, and you want that user to ASSUME various AWS role, based on some desired action (like publish to SNS for example).

This way you can limit what a user is granted by default – in other words, they have to explicitly be granted the right to assume and do the assume.

To do this:

  • Create a role that contains the permissions you want to delegate – you can do this from the AWS Console (the easiest way).
  • The role you just created must also have a “Trust Relationship” defined for the users or services that can assume it.  For example the example below is part of the role definition and has two trust entities – a user name AssumeRoleOnly and a service all ec2:

Trusted entities
arn:aws:iam::641559118888:user/AssumeRoleOnly
The identity provider(s) ec2.amazonaws.com

  • Create a policy that grants the user the right to assume the role / and a trust (again console works) and associate it with your user either directly or via a group.
  • Create an AWS config and credentials file that looks something like:
cat config
[default]
output = text
region = us-west-2
role_arn = arn:aws:iam::641559999999:role/s3-Full-Access
source_profile = default

[profile sns-s3]
output = text
region = us-west-2
role_arn = arn:aws:iam::64155999999:role/s3-Full-Access
source_profile = default

$ cat credentials
[default]
aws_access_key_id = AKIAJLLNTHGfakekeyid
aws_secret_access_key = xlBdf3qgkbj3k/fakesecretaccesskey

Now you can do something like this:

aws sns publish --profile "sns-s3" --topic-arn "arn:aws:sns:us-west-2:641559115954:Oregon-Manual-Publish" --message file://message.txt

Here is a company that goes even further… warning it gets a bit complex…

https://blog.gruntwork.io/authenticating-to-aws-with-environment-variables-e793d6f6d02e

More from LonzoDB on AWS

Leave a Reply

Your email address will not be published. Required fields are marked *