aws ec2 instance - permission denied to write to ~/.aws/credentials - bash

When I SSH into an AWS EC2 Linux instance, the user is ec2-user by default. Then I need to set AWS credentials by writing to ~/.aws/credentials, but got permission denied. I feel that if I use sudo then the credentials file would be owned by the root user, and as a result my API server can't read from it.
What's the correct approach to set up aws credentials there?

The 'correct' way to set up the credentials is to assign a role to the EC2 instance when you create it (or assign one after you create it). That role can be created and assigned to the EC2 instance via the AWS console - there is no need to SSH in and create the credentials there.
See: Easily Replace or Attach an IAM Role to an Existing EC2 Instance by Using the EC2 Console | AWS Security Blog

You can create the credentials file locally, then upload it to your EC2 instance.
Create the credentials file locally:
$ vim credentials
Upload it to your EC2 instance:
$ scp /path/credentials username@servername:/path
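
An added example, not part of the original answers: a check for the symptom in the question, assuming the denial comes from the ownership or mode of ~/.aws (for instance after an earlier sudo). The function names are hypothetical and `stat -c` assumes a Linux instance.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). Assumes Linux `stat -c`,
# as on an EC2 Linux instance. Function names are hypothetical.

# Report why the current user cannot use an AWS credentials directory.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_aws_dir() {
    local dir="${1:-$HOME/.aws}" p mode rc=0
    for p in "$dir" "$dir/credentials"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        # -O: owned by the effective user. A root-owned ~/.aws left behind by
        # an earlier sudo is one common cause of "permission denied".
        [ -O "$p" ] || { echo "wrong-owner: $p (uid $(stat -c %u "$p"))"; rc=1; }
        # Any group/other bit lets other local accounts read the secret key.
        mode="$(stat -c %a "$p")"
        case "$mode" in
            *00|0) ;;
            *) echo "too-open: $p (mode $mode)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Create or tighten the directory as the current user, without sudo.
# Returns 2 (and changes nothing) if another user owns it.
repair_aws_dir() {
    local dir="${1:-$HOME/.aws}"
    if [ -e "$dir" ] && [ ! -O "$dir" ]; then
        echo "owned by another user; fix once with: sudo chown -R $(id -un) $dir" >&2
        return 2
    fi
    ( umask 077 && mkdir -p "$dir" && : >> "$dir/credentials" ) || return 1
    chmod 700 "$dir" && chmod 600 "$dir/credentials"
}
```

Run `audit_aws_dir` as the account the API server runs under, since that is the user that has to read the file.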

Related

How to connect to a Windows EC2 instance using Ansible?

From reading the Connect to your Windows instance AWS EC2 docs page, my understanding is that it is not possible to SSH to Windows EC2 instances.
The typical procedure to connect to a Windows EC2 instance manually is to download the remote desktop file, get the password for the instance, and then use the Remote Desktop Connection tool to RDP to the instance (more detail is in the docs page above).
If I am correct that Windows EC2 instances do not support connecting via SSH, how can you connect to a Windows EC2 in an Ansible playbook?
I would prefer to be able to do this without installing any software on the Windows EC2 instance beforehand, but if that is necessary, I can do that.
I have found you need to do the following to connect to a Windows EC2 instance using Ansible:
You need to configure the EC2 to allow connections from Ansible using the ConfigureRemotingForAnsible.ps1 script. This can be done either by setting this as the user data when you create the EC2, or by running this script after the EC2 is created.
You need to add a security group, or configure a security group already added to the EC2, to allow the following incoming requests to the EC2 from the host(s) that the Ansible playbook will be running on:
WinRM
TCP requests to whatever you configure as the Ansible port
You need to install pywinrm>=0.3.0 so Ansible can use WinRM to connect to the EC2.
You need to run the Ansible playbook with ansible_connection variable set to winrm, and the ansible_winrm_scheme variable set to http. This can be done with --extra-args or any other way that variables are set.
You need to provide the public IP address of the Windows EC2 host, either under hosts in the playbook, or in a host file passed to ansible-playbook with -i.
You need to get or set the EC2's Administrator password, and then provide this password with the ansible_password variable for the EC2.

Unable to transfer files from an on-prem production server to an AWS EC2 in PLE server

How to transfer files from an on-prem production server to an AWS EC2 in PLE server using password-less SCP from the same service account id on the origination and the destination servers?
The easiest option is to set up some authentication on your AWS machine. I assume you would already have key-based SSH access to the server. For key-based access you can simply execute the command below:
scp -i <path_to_private_key> <source_file_path> username@PublicIP:/tmp/
path_to_private_key is the private key used for SSH to your AWS machine
source_file_path is the file to be copied
username is the SSH username used to SSH to your AWS machine
PublicIP is the IP of your AWS machine

Adding pem key to jenkins box

I have a Jenkins box. I have SSHed into it, and from there I want to access one of the EC2 instances in AWS. I tried ssh -i "mykeyname.pem" ec2-user@DNSname but it throws me an error "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)".
I have the PEM file of the EC2 instance I want to connect to. But is there any way I can SSH into the instance?
There are two possible reasons.
Default user name is not "ec2-user"
Please check the image you are using ("jenkins box").
If it doesn't use "ec2-user", change the user name in the ssh commands
Your key pair is incorrect
Once you have created the EC2 instance with the correct key pair, you can access the EC2 instance with such commands
Please check the key-pair name you are using
FYI
Connecting to Your Linux Instance Using SSH

Ansible - ELB - EC2

I am new to Ansible. I am using Ansible to add the instances created by ELB (my AWS will create instances for ELB) to the Ansible hosts file and access the instances from the Ansible server. From a Linux machine, I use a jumpbox and a .pem key to access the EC2 instance. How do I do this in Ansible?
You should be able to pass in the flag --private-key=. You will probably also want to use -u ec2user to instruct Ansible to log in as the correct user.

Container credentials access denied exception

I am a newbie trying to get a Docker image into an AWS container registry. According to the AWS documentation, I enter credentials into the AWS CLI and then issue the command aws ecr get-login.
This results in the following:
C:\Users\xxx\Desktop>aws ecr get-login --region us-east-1
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation:
User: arn:aws:iam::847077264418:user/xxx
is not authorized to perform: ecr:GetAuthorizationToken on resource: *
Clearly this is something in the AWS IAM. How do I fix it?
By default, IAM users don't have permission to create or modify Amazon
ECR resources, or perform tasks using the Amazon ECR API. (This means
that they also can't do so using the Amazon ECR console or the AWS
CLI.) To allow IAM users to create or modify resources and perform
tasks, you must create IAM policies that grant IAM users permission to
use the specific resources and API operations they'll need, and then
attach those policies to the IAM users or groups that require those
permissions.
from http://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_IAM_policies.html
