I launched an instance with an iam role
I now want to remove the role from the instance via powershell
I must be confused about the terminology here because I'm reading this doc and I don't see how to remove a role from an instance.
I want to run this command on the EC2 instance that the role will be removed from.
There can only be one role assigned to an instance so is there a way to dynamically get the iam role that has been assigned to an instance and remove it from the instance via the powershell api?
You can do that using AWS CLI (v1.11.46 or newer). You can disassociate an IAM instance profile from a running or stopped instance using the disassociate-iam-instance-profile command.
For more details, see the disassociate-iam-instance-profile CLI command documentation.
You cannot change (add or remove) IAM Roles on an instance once it has been created. This is a limitation of the EC2 service and is the same no matter which CLI you use so it isn't just powershell that cannot do this.
You have to re-create the instance with new roles if you want to change them.
Adding and changing Roles on EC2 instances is now (early 2017) supported via the CLI or Console.
You can just remove a role via the CLI remove-role-from-instance-profile or via the console by replacing the old with the offered "No Role" option.
Related
I have a small group of people using AWS services.
When we first started, I mistakenly created EC2 instances under the root account, instead of creating them as an individual IAM user.
Now none of the IAM users can see those EC2 instances in the EC2 management portion of the AWS web console. The only way to see them is to log in as the AWS root account user.
Is there any way to make these EC2 instances visible to the IAM users?
AWS has documentation describing how to make instances visible to other accounts, but the same instructions don't seem to apply to this scenario.
The default policy for a IAM user is deny all services on AWS. So you have to provide appropriate permission for the IAM user. Generate policy using this website or assign AWS managed policies to the user.
You can get the information about attaching a policy to an IAM user on the document
You can create a read-only group for EC2 instances by following these steps:
Create a new group which will have all read-only users for EC2
Select and attach the predefined policy AmazonEC2ReadOnlyAccess from the list when creating the new group
Put all the IAM users to this newly created group
I'm trying to use codedeploy with autoscaling in order to automate the deployment of my application.
I have everything ready. When developing all the parts (hooks' scripts, roles etc) I installed the codedeploy agent manually. Now I want to make it production ready, which means that the codedeploy agent will be installed at sysprep (by providing the powershell commands via user data in launch configuration).
The problem is that it's not working. The script either runs and fails for some reason (are there any logs to confirm?) or it doesn't run at all. My AMI is based on a aws standard windows AMI. The EC2ConfigService is present.
Do you have any idea of what could be the problem or if I have some way to find what's the problem (logs)?
You could take a look at C:\Program Files\Amazon\Ec2ConfigService\Logs\Ec2ConfigLog.txt
On Linux AMIs you can also find the user data script execution logs in the ec2 console when you right click your instance -> Instance Settings -> Get System Log.
I wish to create the following using Cloudformation:
An autoscale group with a single spot instance, with an assigned route53 record which will always be directed to the instance, even if the instance is replaced.
I know how to do this with the Ruby API (not cloudformation).
How can I define this using Cloudformation ?
You have two options:
Option #1: Update R53 in your spot instance, after it boots:
In your Cloudformation template create an IAM role with permissions to update the appropriate R53 record
Assign that role to your spot instance
When your spot instance initializes have it update R53 directly via the REST APIs. I usually do this by setting a shell script in the UserData and have cloudinit run it on boot.
To update via Ruby you'll need the access id, access key and security token. Since you assigned an IAM role to the instance these are available via the Metadata API. Most libraries automatically pull out these values so you might not even need to do it manually. Boto and the nodejs SDK does it automatically.
Option #2: Use an ELB
In your CloudFormation create an ELB
In your CloudFormation create an R53 alias record that points at the ELB's DNS name
If cost is a factor, an ELB may be a little expensive to just add an extra layer of indirection.
I have an AWS account with 14 instances and using scalr. I added the Api reference details and it showed up, at that time instances were pretty low. As and when I keep adding new instances it accepted few and reject the rest. Now I have an instance newly made on AWS which is not getting loaded in scalr.
Any ideas?
Instances that you create using AWS will not show up in Scalr.
Instead, you create Farms (in Scalr) through the use of custom and/or pre-configured Scalr Roles. When you launch those farms/roles, it will launch the required instances in AWS. It's like a wrapper around AWS that provides extra features, but it will only ever know about instances that have been launched from a Scalr role.
It is possible to import an existing server into Scalr although it involves installing the scalarizr software onto that server and opening some ports. Full details can be found here. Once complete, you'll have a new role that you can add to a farm and then launch.
I cannot find decent documentation about using CloudFormation with Windows 2008 R2 AMI. AWS recently released a new Windows AMI which has CloudFormation tools pre-installed.
The AMI itself can be found here :
https://aws.amazon.com/amis/microsoft-windows-server-2008-r2-base-cloudformation
Aim: I want to use CloudFormation so that during bootup the instance can download the latest dlls and config files of my application from S3.
In that AMI, by default, where are these tools located under C:\ ? ( I did a search in the file system and couldn't find it)
Do these tools already run by default automatically on bootup ? Or do I have to write a script to do so and re-bundle (remake) an EBS backed AMI ? I would like to test this !
To try out the sample templates provided by AWS for Windows, I tried launching the Windows Sharepoint template given here : https://s3.amazonaws.com/cloudformation-templates-us-east-1/Windows_Single_Server_SharePoint_Foundation.template .When I try to launch this stack given by that template, it gives me the following error and rollsback :
AccessDenied. User doesn't have permission to call iam:CreateUser
As per the "Account Owner", my IAM account belongs to the Administrators Group which "cannot create new users", if that's the case how should I tackle this issue.
As per my understanding, if I have to use CloudFormation to retrieve metadata, the CloudFormation stack creates a new IAM user with only "DescribeStackResource" action permission and this new IAM user lives as long as that stack lives.
It will be available under C:\Program Files (x86)\Amazon\cfn-bootstrap but not sure whether it will run on boot, that I have to verify.