What are the permissions to grant, for the ACCESS_KEY and SECRET_KEY when setting up Promtail on EC2 machine?
Key / Role ARN will set on ec2_sd_config section of YML file
It needs the following IAM permissions:
ec2:DescribeInstance
ec2:DescribeTags
Resolved
Following permissions need be attached
"tag:GetResources",
"cloudwatch:ListTagsForResource",
"ec2:DescribeTags",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"elasticloadbalancing:DescribeTargetGroups"
Related
I have an EC2 instance which is mapped with InstanceProfile. But the aws cli does not work for me, and asks to configure credentials.
$ aws configure list
Name Value Type Location
---- ----- ---- --------
profile <not set> None None
access_key <not set> None None
secret_key <not set> None None
region ap-southeast-2 env AWS_DEFAULT_REGION
Should the ec2 instance get the credentials automatically using the Instance profile ? How can I make it work ?
My Expectation:
aws configure list
Name Value Type Location
---- ----- ---- --------
profile <not set> None None
access_key ****************4G iam-role
secret_key ****************83 iam-role
region ap-southeast-2 env AWS_DEFAULT_REGION
The general and correct workflow to use aws cli with ec2 instance is to not configure your keys on instance ever( for security reasons you don't want your keys to be on a instance which you don't own) just configure the default region using AWS configure that's it.
From the sole create a role for ec2 instance which gives access to any of the resource for eg permission to read s3 buckets and attach that role to your ec2 instance
To attach a role to your instance:-
-> right-click on your instance
-> attach I am the role
-> search for the role and that's it
The issue was with the proxy used by my system.
The Best way to check is below command:
GET http://169.254.169.254/latest/meta-data/iam; echo
Try setting the correct proxy or add 169.254.169.254 to NO_PROXY and see whether you get a valid output for the above command.
When using the kubectl cli in a Windows DOS prompt, I get a prompt to enter a username, that works fine but when I press enter after entering a username the prompt for a password appears and then immediately acts like I hit the enter key, no chance to enter the password, looks like this, from the screen print you can see that I am using kubectl version 1.15.
If I try this using Git Bash, it behaves the same but responds with the error shown below
Same deal where the password prompt is not waiting for input.
Anyone ever seen this or have any thoughts on how I can provide a username and password to kubectl without storing it a plain test in the config file?
Also, I am using a corporate Kubernates cluster, so no options to move to a more current version or do anything else that would require admin access.
Posting this answer as community wiki with general guidelines for issues similar to this:
TL;DR
The prompt for username and password is most probably caused by misconfigured .kube/config.
As for:
Anyone ever seen this or have any thoughts on how I can provide a username and password to kubectl without storing it a plain test in the config file?
There are a lot of possibilities for authentication in Kubernetes. All of them have some advantages and disadvantages. Please take a look on below links:
Medium.com: Comparing kubernetes authentication methods
Kubernetes.io: Authentication
The prompt for username and password can appear when .kube/config file is misconfigured. I included one possible reason below:
Starting with correctly configured .kube/config for a minikube instance.
apiVersion: v1
clusters:
- cluster:
certificate-authority: PATH_TO_SOMEWHERE/.minikube/ca.crt
server: https://172.17.0.3:8443
name: minikube
contexts:
- context:
cluster: minikube
user: minikube
name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
user:
client-certificate: PATH_TO_SOMEWHERE/client.crt
client-key: PATH_TO_SOMEWHERE/client.key
Issuing commands with above .kube/config should not prompt for user and password as below:
$ kubectl get pods
No resources found in default namespace.
Editing .kube/config and changing:
user: minikube
to:
user: not-minikube
Will lead to:
$ kubectl get pods
Please enter Username: minikube
Please enter Password:
Correctly configuring .kube/config is heavily dependent on a solution used (like minikube, kubeadm provisioned cluster, and a managed cluster like GKE). Please refer to official documentation of solution used.
I found this post because I had the same problem, and I knew the cause after seeing people's answers. Comment to add.
I fixed the kube config with the command
aws eks update-kubeconfig --region region-code --name my-cluster
Create a kubeconfig for Amazon EKS
When ssh into a aws ec2 linux instance, the user is ec2-user by default. Then I need to set aws credentials by writing to ~/.aws/credentials, but got permission denied. I feel that if I use sudo then the credentials file would be owned by root user, as a result my api server can't read from it.
What's the correct approach to set up aws credentials there?
The 'correct' way to setup the credentials, is to assign a role to the ec2 instance when you create it (or assign them after you create it). That role can be created and assigned to the EC2 instance via the AWS console - there is no need to ssh in and create the credentials there.
See: Easily Replace or Attach an IAM Role to an Existing EC2 Instance by Using the EC2 Console | AWS Security Blog
You can create the credentials file locally, then upload to your ec2 instance.
create the credentials file locally
$ vim credentials
upload to your ec2 instance
$ scp /path/credentials username#servername:/path
I am a newbie trying to get a Docker image into an AWS container registry. According to the AWS documentation, I enter credentials into the AWS CLI and then issue the command aws ecr get-login.
This results in the following:
C:\Users\xxx\Desktop>aws ecr get-login --region us-east-1
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation:
User: arn:aws:iam::847077264418:user/xxx
is not authorized to perform: ecr:GetAuthorizationToken on resource: *
Clearly this is something in the AWS IAM. How do I fix it?
By default, IAM users don't have permission to create or modify Amazon
ECR resources, or perform tasks using the Amazon ECR API. (This means
that they also can't do so using the Amazon ECR console or the AWS
CLI.) To allow IAM users to create or modify resources and perform
tasks, you must create IAM policies that grant IAM users permission to
use the specific resources and API operations they'll need, and then
attach those policies to the IAM users or groups that require those
permissions.
from http://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_IAM_policies.html
Can anybody tell me how to automate the aws configure in bash with a one liner?
Example:
$ aws configure --profile user2
AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: text
Application: I want to automate this inside a Docker Entrypoint!
If you run aws configure set help you will see that you can supply settings individually on the command line and they will be written to the relevant credentials or config file. For example:
aws configure set aws_access_key_id AKIAI44QH8DHBEXAMPLE
You can also run this interactively to modify the default credentials:
aws configure
Or run it interactively to create/modify a named profile:
aws configure --profile qa
Note: with the first technique above, whatever command you type will appear in your history and this is not a good thing for passwords, secret keys etc. So in that case, use an alternative that does not cause the secret parameter to be logged to history, or prevent the entire command being logged to history.
One liner
aws configure set aws_access_key_id "AKIAI44QH8DHBEXAMPLE" --profile user2 && aws configure set aws_secret_access_key "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY" --profile user2 && aws configure set region "us-east-1" --profile user2 && aws configure set output "text" --profile user2
Note: setting region is optional (also never set it with an empty string if you don't have any region, or it will be buggy); as well as the user profile, if you don't set it it will go under default settings.
👍 Better practice with Secrets
Use secrets, then use associated environment variables:
aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile user2 && aws configure set aws_secret_access_key "$AWS_ACCESS_KEY_SECRET" --profile user2 && aws configure set region "$AWS_REGION" --profile user2 && aws configure set output "text" --profile user2
📖 To know more
Run aws configure set help to get command line options.
Documentation for aws configure set.
Documentation for secrets: Docker, Kubernetes, GitLab.
If you want to automate you should use files rather than CLI. Your CLI only write those files.
➜ cat ~/.aws/config
[profile_1]
output = json
region = eu-west-1
[profile_2]
output = json
region = eu-west-1
➜ cat ~/.aws/credentials
[profile_1]
aws_access_key_id =
aws_secret_access_key =
[profile_2]
aws_access_key_id =
aws_secret_access_key =
For those inclined to use bash, the following works quite well and keeps secrets out of your scripts. In addition, it will also save your input to a named profile in one go.
printf "%s\n%s\nus-east-1\njson" "$KEY_ID" "$SECRET_KEY" | aws configure --profile my-profile
I think this is the answer in one line
aws configure set aws_access_key_id $YOUR_ACCESS_KEY_ID; aws configure set aws_secret_access_key $YOUR_SECRET_ACCESS_KEY; aws configure set default.region $YOUR_AWS_DEFAULT_REGION
One liner
aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile profile_name_here && aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY" --profile profile_name_here && aws configure set region "$AWS_REGION" --profile profile_name_here && aws configure set output "json" --profile profile_name_here
Setting individual configuration
profile_name_here is the aws profile name to be saved to your aws config. Replace it with your own.
ACCESS KEY
aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile profile_name_here
SECRET ACCESS KEY
aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY" --profile profile_name_here
REGION
aws configure set region "$AWS_REGION" --profile profile_name_here
OUTPUT
aws configure set output "json" --profile profile_name_here
The value specified here is json but you can replace it from the list of supported output formats from aws docs.
json
yaml
yaml-stream
text
table
Note:
That $AWS_ACCESS_KEY_ID, $AWS_SECRET_ACCESS_KEY and $AWS_REGION are variables from your AWS credentials file or environment variables if you are using CI. You can also replace them using regular strings value but that is not safe.
Building upon the suggestion by Tom in jarmod's answer, to "configure your keys in a config file that you then share with your docker container instead".
I found that slightly confusing as I'm new to using Docker and awscli.
Also, I believe most who end up at this question are similarly trying to use Docker and awscli together.
So what you'd want to do, step by step is:
Create a credentials file containing
[default]
aws_access_key_id = default_access_key
aws_secret_access_key = default_secret_key
that you copy to ~/.aws/credentials, using a line in Dockerfile like
COPY credentials /root/.aws/credentials
and a config file containing
[default]
region = us-west-2
output = table
that you copy to ~/.aws/config, using a line in Dockerfile like
COPY config /root/.aws/config
Reference:
aws configure set help