Creating two types of IAM users in AWS using the CLI

To create a user in AWS IAM using the CLI (after you have configured it), use the following:

Create a user with programmatic access (access key ID and secret access key):

$ aws iam create-user \
  --user-name User_Prog_Access

Response:
{
    "User": {
        "Path": "/",
        "UserName": "User_Prog_Access",
        "UserId": "AIDExampleUserId",
        "Arn": "arn:aws:iam::123333333:user/User_Prog_Access",
        "CreateDate": "2021-01-29T12:20:43+00:00"
    }
}

$ aws iam create-access-key \
  --user-name User_Prog_Access

Response:
{
    "AccessKey": {
        "UserName": "User_Prog_Access",
        "AccessKeyId": "AKIExampleAccessKeyID",
        "Status": "Active",
        "SecretAccessKey": "ttExampleSecretAccessKey",
        "CreateDate": "2021-01-29T12:21:22+00:00"
    }
}

And for a user with console access:

$ aws iam create-user \
  --user-name User_Console_Access

Response:
{
    "User": {
        "Path": "/",
        "UserName": "User_Console_Access",
        "UserId": "AIExampleUserId",
        "Arn": "arn:aws:iam::933323111111:user/User_Console_Access",
        "CreateDate": "2021-01-29T12:31:46+00:00"
    }
}

$ aws iam create-login-profile \
  --user-name User_Console_Access \
  --password Temp_Password4 \
  --password-reset-required

Response:
{
    "LoginProfile": {
        "UserName": "User_Console_Access",
        "CreateDate": "2021-01-29T12:35:28+00:00",
        "PasswordResetRequired": true
    }
}
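The two responses above carry the only copy of the secret you will ever get back from the API (the SecretAccessKey is not retrievable later) and the flag that forces the console user to change the temporary password. As an added example, not code from the original post, the following Python helper consumes that JSON: it pulls the key pair out of the create-access-key output and stores it as a named profile in a credentials file created with mode 0600 instead of leaving it on the terminal, and it checks that the login profile came back with PasswordResetRequired set. The sample responses are constructed to match the shape shown above; the key values in them are made up.

```python
import configparser
import json
import os
import stat
import sys
import tempfile

# Constructed sample responses with the same structure as the aws iam output
# above; the key material here is made up and not usable.
SAMPLE_ACCESS_KEY_RESPONSE = json.dumps({
    "AccessKey": {
        "UserName": "User_Prog_Access",
        "AccessKeyId": "AKIAEXAMPLEKEYID0001",
        "Status": "Active",
        "SecretAccessKey": "exampleSecretAccessKeyNotReal",
        "CreateDate": "2021-01-29T12:21:22+00:00",
    }
})
SAMPLE_LOGIN_PROFILE_RESPONSE = json.dumps({
    "LoginProfile": {
        "UserName": "User_Console_Access",
        "CreateDate": "2021-01-29T12:35:28+00:00",
        "PasswordResetRequired": True,
    }
})


def parse_access_key(response_text):
    """Return (AccessKeyId, SecretAccessKey) from a create-access-key response."""
    key = json.loads(response_text)["AccessKey"]
    if key.get("Status") != "Active":
        raise ValueError("unexpected key status: %r" % key.get("Status"))
    return key["AccessKeyId"], key["SecretAccessKey"]


def write_credentials_profile(response_text, path, profile):
    """Add the key pair as [profile] in an AWS-style credentials file.

    The secret is only returned once by the API, so it goes straight into a
    file created with mode 0600 rather than being echoed to the terminal.
    Returns the AccessKeyId (safe to log; the secret is not)."""
    key_id, secret = parse_access_key(response_text)
    config = configparser.ConfigParser()
    if os.path.exists(path):
        config.read(path)  # keep any other profiles already in the file
    config[profile] = {
        "aws_access_key_id": key_id,
        "aws_secret_access_key": secret,
    }
    # Create the file with restrictive permissions from the start, then tighten
    # it anyway in case it already existed with a looser mode.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        config.write(fh)
    os.chmod(path, 0o600)
    return key_id


def password_reset_required(response_text):
    """True if the console user must change the temporary password at first login."""
    profile = json.loads(response_text)["LoginProfile"]
    return bool(profile.get("PasswordResetRequired", False))


def file_mode(path):
    """Permission bits of `path`, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Write the constructed sample into a fresh temp dir; returns (path, mode, key_id)."""
    path = os.path.join(tempfile.mkdtemp(), "credentials")
    key_id = write_credentials_profile(SAMPLE_ACCESS_KEY_RESPONSE, path, "prog-access")
    return path, file_mode(path), key_id


if __name__ == "__main__":
    # Real use: aws iam create-access-key --user-name User_Prog_Access \
    #           | python3 store_key.py ~/.aws/credentials
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    if not text.strip():
        text = SAMPLE_ACCESS_KEY_RESPONSE  # no piped input: use the constructed sample
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(tempfile.mkdtemp(), "credentials")
    print("stored", write_credentials_profile(text, target, "prog-access"),
          "in", target, "mode", oct(file_mode(target)))
    print("password reset required:", password_reset_required(SAMPLE_LOGIN_PROFILE_RESPONSE))
```

Without a piped response or a path argument the script writes the constructed sample into a temporary directory, so it can be tried safely before pointing it at the real credentials file.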

Find the current AMI image (e.g. Ubuntu 16.04) in AWS using the command line

If you would like to programmatically find the current image of a specific distribution in AWS for your region using the aws cli, use the following (in this example looking for Ubuntu 16.04):

aws ec2 describe-images \
    --owners 099720109477 \
    --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-????????" "Name=state,Values=available" \
    --query "reverse(sort_by(Images, &CreationDate))[:1].ImageId" \
    --output text

Or for 18.04:

aws ec2 describe-images \
    --owners 099720109477 \
    --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-????????" "Name=state,Values=available" \
    --query "reverse(sort_by(Images, &CreationDate))[:1].ImageId" \
    --output text

This is from the examples in the documentation here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html
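The command does three things at once: the --owners value restricts the result to Canonical's account (so a same-named image published by someone else is never picked), the filters require the name pattern and state=available, and the JMESPath query takes the newest CreationDate. The following Python function, added here as an example and not part of the original post or the AWS documentation, reproduces exactly that selection over the JSON that `describe-images --output json` returns, so the rules are visible and testable. The image records are constructed (the AMI IDs are not real); the name pattern is the one used in the command above, matched with the same shell-style `?` wildcards.

```python
import fnmatch
import json
import sys

CANONICAL_OWNER = "099720109477"  # the --owners value from the command above
XENIAL_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-????????"
BIONIC_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-????????"

# Constructed describe-images records (only the fields the selection uses).
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000aaaa", "OwnerId": CANONICAL_OWNER, "State": "available",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20200901",
     "CreationDate": "2020-09-01T10:00:00.000Z"},
    {"ImageId": "ami-0000000000000bbbb", "OwnerId": CANONICAL_OWNER, "State": "available",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20201201",
     "CreationDate": "2020-12-01T10:00:00.000Z"},
    # Newer, but still pending: must not be chosen.
    {"ImageId": "ami-0000000000000cccc", "OwnerId": CANONICAL_OWNER, "State": "pending",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20210115",
     "CreationDate": "2021-01-15T10:00:00.000Z"},
    # Newest of all and the same name pattern, but published by another account.
    {"ImageId": "ami-0000000000000dddd", "OwnerId": "111111111111", "State": "available",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20210120",
     "CreationDate": "2021-01-20T10:00:00.000Z"},
    # Right owner, but a different release.
    {"ImageId": "ami-0000000000000eeee", "OwnerId": CANONICAL_OWNER, "State": "available",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20210120",
     "CreationDate": "2021-01-20T10:00:00.000Z"},
]


def newest_image(images, owner, name_pattern):
    """Return the ImageId of the newest available image owned by `owner` whose
    Name matches `name_pattern` (shell-style glob, like the CLI name filter),
    or None if nothing qualifies."""
    candidates = [
        img for img in images
        if img.get("OwnerId") == owner
        and img.get("State") == "available"
        and fnmatch.fnmatchcase(img.get("Name", ""), name_pattern)
    ]
    if not candidates:
        return None
    # CreationDate is ISO 8601 in a fixed layout, so string order is time order,
    # which is also what sort_by(Images, &CreationDate) relies on.
    newest = max(candidates, key=lambda img: img["CreationDate"])
    return newest["ImageId"]


def newest_image_from_cli_json(text, owner, name_pattern):
    """Same selection over the raw `aws ec2 describe-images --output json` document."""
    return newest_image(json.loads(text).get("Images", []), owner, name_pattern)


if __name__ == "__main__":
    # Real use: aws ec2 describe-images --owners 099720109477 --output json | python3 pick_ami.py
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    if text.strip():
        print(newest_image_from_cli_json(text, CANONICAL_OWNER, XENIAL_PATTERN))
    else:
        print(newest_image(SAMPLE_IMAGES, CANONICAL_OWNER, XENIAL_PATTERN))
```

Checking OwnerId again on the returned records is redundant when --owners was passed, but it makes the script safe to reuse on a broader describe-images dump where that restriction was not applied.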

Decode access secret key from Terraform IAM user creation

Problem

You want to use PGP encryption when creating an AWS IAM user with Terraform, and the secret access key is returned as an output, but encrypted and base64-encoded.

Solution

Use the following to get the actual secret key decoded (after copying your encoded key into a file named encrypted_key.txt); gpg -d needs the private half of the PGP key you gave Terraform to be in your keyring:

$ cat encrypted_key.txt | base64 --decode | gpg -d

AWS: allowing IAM users access to Billing

Problem

When you create a new AWS account, IAM user access to Billing is not enabled by default.

Solution

To allow access, follow the steps below:

  • Log in to your AWS account with your root user (email and password)
  • Go to the top-right drop-down ‘My Account’
  • Find the section called ‘IAM User and Role Access to Billing information’, click ‘Edit’, tick the box ‘Enable access’ and then ‘Update’.

More information can be found on Amazon’s help page https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html#ControllingAccessWebsite-Activate

Get a list of your Route53 subdomains using the aws cli docker image

Problem

You would like a list of the subdomains of a specific domain (hosted zone) that is hosted in Amazon’s Route 53.

Solution

You can use the aws cli docker image from https://github.com/cgswong/docker-aws if you don’t want to install the aws cli on your computer.

You can afterwards start the container with:

docker run -it cgswong/aws:latest

Then configure it by running the following and entering your credentials and region:

3efe9881d4fd:/tmp# aws configure
AWS Access Key ID [None]: aws_access_key_id
AWS Secret Access Key [None]: aws_secret_access_key
Default region name [None]: eu-central-1
Default output format [None]:

Then run the following to get a list of the hosted zones, and note the id of the hosted zone whose subdomains you want:

3efe9881d4fd:/tmp# aws route53 list-hosted-zones
{
    "HostedZones": [
        {
            "ResourceRecordSetCount": 2, 
            "CallerReference": "RISWorkflow-RD:xxxxx", 
            "Config": {
                "Comment": "HostedZone created by Route53 Registrar", 
                "PrivateZone": false
            }, 
            "Id": "/hostedzone/HOSTEDZONEID", 
            "Name": "domain.net."
        }, 

Then pick the HOSTEDZONEID and run the following to get a list of subdomains for that domain:

3efe9881d4fd:/tmp# aws route53 list-resource-record-sets --hosted-zone-id "HOSTEDZONEID" | grep "Name" | uniq

   "Name": "alpha.domain.com.",
   "Name": "beta.domain.com.",
   "Name": "lambda.domain.com.",
......
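The grep/uniq pipeline above is a quick look, but it has three rough edges worth knowing: uniq only collapses adjacent duplicates (it works here because the API returns records sorted by name), grep "Name" also matches the DNSName line of alias records, and the ListResourceRecordSets API returns at most a page of records at a time and flags the rest with IsTruncated/NextRecordName. The following Python function is an added example, not part of the original post: it reads one or more pages of the same JSON, skips the zone apex (NS/SOA), and returns the unique subdomain names. The response pages are constructed, with domain.com as a placeholder zone.

```python
import json

# Constructed pages of list-resource-record-sets output. IsTruncated and
# NextRecordName are how the API signals that another call is needed.
SAMPLE_PAGES = [
    json.dumps({
        "ResourceRecordSets": [
            {"Name": "domain.com.", "Type": "NS", "TTL": 172800,
             "ResourceRecords": [{"Value": "ns-1.awsdns-00.com."}]},
            {"Name": "domain.com.", "Type": "SOA", "TTL": 900,
             "ResourceRecords": [{"Value": "ns-1.awsdns-00.com. hostmaster.domain.com. 1 7200 900 1209600 86400"}]},
            {"Name": "alpha.domain.com.", "Type": "A", "TTL": 300,
             "ResourceRecords": [{"Value": "192.0.2.10"}]},
            {"Name": "alpha.domain.com.", "Type": "AAAA", "TTL": 300,
             "ResourceRecords": [{"Value": "2001:db8::10"}]},
        ],
        "IsTruncated": True,
        "NextRecordName": "beta.domain.com.",
        "NextRecordType": "A",
        "MaxItems": "4",
    }),
    json.dumps({
        "ResourceRecordSets": [
            # Alias record: has a DNSName line that a plain grep "Name" would also pick up.
            {"Name": "beta.domain.com.", "Type": "A",
             "AliasTarget": {"HostedZoneId": "ZEXAMPLEALIAS",
                             "DNSName": "example-target.cloudfront.net.",
                             "EvaluateTargetHealth": False}},
            {"Name": "lambda.domain.com.", "Type": "CNAME", "TTL": 300,
             "ResourceRecords": [{"Value": "beta.domain.com."}]},
        ],
        "IsTruncated": False,
        "MaxItems": "4",
    }),
]


def subdomains_from_pages(pages, zone_name):
    """Return the sorted unique subdomain names (no trailing dot, apex excluded)
    found across all given pages of list-resource-record-sets JSON."""
    apex = zone_name.rstrip(".").lower()
    names = set()
    for page_text in pages:
        page = json.loads(page_text)
        for rrset in page.get("ResourceRecordSets", []):
            name = rrset["Name"].rstrip(".").lower()
            if name != apex:  # NS/SOA and other apex records are not subdomains
                names.add(name)
    return sorted(names)


def is_complete(pages):
    """True if the last page is not truncated, i.e. no records were left unread."""
    return not json.loads(pages[-1]).get("IsTruncated", False)


if __name__ == "__main__":
    print("complete listing:", is_complete(SAMPLE_PAGES))
    for name in subdomains_from_pages(SAMPLE_PAGES, "domain.com."):
        print(name)
```

Before trusting the list, check is_complete(); a False result means the listing has to be continued from NextRecordName (the aws cli exposes this as --starting-token on list-resource-record-sets).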

Error in AWS when trying to include puppet modules (Error: Could not find class apache2 for …)

Problem

You are trying to work with puppet modules in AWS, after installing puppet as a gem, but when you put the modules and manifests outside the main manifests/site.pp file you get an error similar to the following:

Error: Could not find class apache2 for ip-xx-xx-xx-xx.eu-west-1.compute.internal on node ip-xx-xx-xx-xx.eu-west-1.compute.internal

Solution

Create a file for the puppet configuration at /etc/puppet/puppet.conf and add the paths to your own manifests and modules, like this:

aws$ sudo vi /etc/puppet/puppet.conf

and add your paths:

[main]
manifest = /home/ubuntu/puppet/manifests/site.pp
modulepath = /etc/puppet/modules:/usr/share/puppet/modules:/home/ubuntu/puppet/modules

.rvm/bin/rvm-shell: No such file or directory error

Problem

When trying to set up the capistrano deploy recipe to deploy to the vagrant virtual box as described in ‘Deploying Rails’, you get the error:

.rvm/bin/rvm-shell: No such file or directory

when you have installed rvm system wide on the virtual box.

Solution

Make sure that you add the following to your deploy.rb file to set the path for rvm:

set :rvm_bin_path, "/usr/local/rvm/bin"

Solution taken from here

sudo: puppet: command not found – when trying to use puppet with rvm in aws

When trying to use the

rvmsudo puppet apply --verbose manifests/site.pp

command in an AWS instance, following the instructions from ‘Deploying Rails’, you get an error complaining that the puppet command is not found:

sudo: puppet: command not found

After some searching, having a look at the blog post here and reading the rvm notes on the AWS instance, which say:

  * On some systems (like Ubuntu) rvmsudo requires following changes to work properly:
      http://stackoverflow.com/questions/257616/sudo-changes-path-why

it seems that for security reasons the sudo command resets the PATH.

You can see that this is the case by running a command that displays the PATH of the normal user:

aws$ echo 'echo $PATH' | sh

and the corresponding one under sudo:

aws$ echo 'echo $PATH' | sudo sh

So a workaround is to add your group as the exempt group in the sudoers file, which means editing it with visudo:

sudo visudo

and adding the group that the user you are working with belongs to:

Defaults        env_reset
# the group your user belongs to (admin on some systems)
Defaults        exempt_group=name_of_your_group
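Because exempt_group is a broad switch (sudoers(5) describes its members as exempt from both the password and the PATH requirements), it is worth checking afterwards exactly what the sudoers file now says. The following Python script is an added example, not from the original post: it parses the plain Defaults lines of a sudoers fragment, reports env_reset, secure_path and exempt_group, and answers whether sudo will still replace PATH for a user in a given set of groups. The sudoers fragment is constructed; read the real one with `sudo cat /etc/sudoers` rather than pasting it into a world-readable place.

```python
import re

# Constructed sudoers fragment in the style of the edit described above.
SAMPLE_SUDOERS = """\
# constructed sudoers fragment
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        exempt_group=deployers
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""

# one option: optional '!' negation, name, optional =value (quoted or bare)
OPTION_RE = re.compile(r'(!?)(\w+)(?:\s*=\s*("[^"]*"|[^,\s]+))?')


def parse_defaults(text):
    """Return {option: value} for every unscoped `Defaults` line.

    Bare flags map to True, `!flag` to False, and options with a value to the
    string (quotes stripped). Scoped lines (Defaults:user, Defaults@host,
    Defaults>runas, Defaults!cmd) are deliberately skipped: they apply only to
    some contexts and need separate handling."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^Defaults\s+(.*)$", line)
        if not m:
            continue
        for neg, name, value in OPTION_RE.findall(m.group(1)):
            if value:
                found[name] = value.strip('"')
            else:
                found[name] = (neg != "!")
    return found


def path_reset_applies(defaults, user_groups):
    """True if sudo will replace PATH for a user who is in `user_groups`:
    env_reset (sudo's default) or secure_path is in force and the user is not
    in the exempt group."""
    exempt = defaults.get("exempt_group")
    if exempt and exempt in user_groups:
        return False
    return bool(defaults.get("env_reset", True)) or "secure_path" in defaults


def summarize(text):
    """Short audit summary of the PATH-related settings in a sudoers fragment."""
    d = parse_defaults(text)
    return {
        "env_reset": d.get("env_reset", True),
        "secure_path": d.get("secure_path"),
        "exempt_group": d.get("exempt_group"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_SUDOERS))
    print("PATH reset for a member of 'deployers':",
          path_reset_applies(parse_defaults(SAMPLE_SUDOERS), ["deployers"]))
    print("PATH reset for a member of 'sudo':",
          path_reset_applies(parse_defaults(SAMPLE_SUDOERS), ["sudo"]))
```

The summary makes the trade-off explicit: with exempt_group set, members of that one group keep their own PATH under sudo while everyone else still gets the secure_path value, which is what the rvmsudo workaround relies on.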