Windows + CloudFormation: User doesn't have permission to call IAM:CreateUser

I cannot find decent documentation about using CloudFormation with Windows 2008 R2 AMI. AWS recently released a new Windows AMI which has CloudFormation tools pre-installed.
The AMI itself can be found here :
https://aws.amazon.com/amis/microsoft-windows-server-2008-r2-base-cloudformation
Aim: I want to use CloudFormation so that during bootup the instance can download the latest dlls and config files of my application from S3.
In that AMI, by default, where are these tools located under C:\? (I did a search in the file system and couldn't find them.)
Do these tools already run automatically on bootup by default? Or do I have to write a script to do so and re-bundle (remake) an EBS-backed AMI? I would like to test this!
To try out the sample templates provided by AWS for Windows, I tried launching the Windows SharePoint template given here: https://s3.amazonaws.com/cloudformation-templates-us-east-1/Windows_Single_Server_SharePoint_Foundation.template . When I try to launch the stack given by that template, it gives me the following error and rolls back:
AccessDenied. User doesn't have permission to call iam:CreateUser
As per the "Account Owner", my IAM account belongs to the Administrators group, which "cannot create new users". If that's the case, how should I tackle this issue?
As per my understanding, if I have to use CloudFormation to retrieve metadata, the CloudFormation stack creates a new IAM user with only "DescribeStackResource" action permission and this new IAM user lives as long as that stack lives.

It will be available under C:\Program Files (x86)\Amazon\cfn-bootstrap, but I'm not sure whether it will run on boot; that I have to verify.
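The cfn-bootstrap tools in that directory do not start themselves; something has to invoke them, and on Windows that is normally the user-data script the template passes to the instance. The following is an added example (not from the question, the answer, or the AWS sample template) of such a script. It assumes the default install path above, that the template substitutes the placeholders `${AWS::StackName}`, `${AWS::Region}` and `${InstanceRole}` via Fn::Sub, that `WebServer` is the logical id of the instance resource, and that the instance carries an instance profile whose role is allowed cloudformation:DescribeStackResource on the stack:

```powershell
<powershell>
# Added example, not the AMI's or the sample template's own script.
# Runs the cfn-bootstrap tools shipped in the AMI from user data; they are not
# started on boot by themselves.
# Assumed placeholders: stack name, region and IAM role name are substituted by
# the template (Fn::Sub); 'WebServer' is the instance's logical resource id.
$ErrorActionPreference = 'Stop'
$cfnDir = 'C:\Program Files (x86)\Amazon\cfn-bootstrap'
$log    = 'C:\cfn\log\user-data-bootstrap.log'
New-Item -ItemType Directory -Force -Path (Split-Path $log) | Out-Null
Start-Transcript -Path $log -Append

if (-not (Test-Path "$cfnDir\cfn-init.exe")) {
    throw "cfn-bootstrap not found under $cfnDir"
}

$stack    = '${AWS::StackName}'   # placeholder, substituted by the template
$resource = 'WebServer'           # logical id of the AWS::EC2::Instance (assumed)
$region   = '${AWS::Region}'      # placeholder, substituted by the template
$role     = '${InstanceRole}'     # AWS::IAM::Role name from the template (assumed)

# cfn-init reads the AWS::CloudFormation::Init metadata of the resource and
# applies it (files, packages, services). With --role it signs the
# cloudformation:DescribeStackResource call with the instance role's
# credentials, so the template needs no AWS::IAM::User and therefore the
# stack creator needs no iam:CreateUser (creating the role still needs
# iam:CreateRole). The role only needs DescribeStackResource on this stack.
& "$cfnDir\cfn-init.exe" -v --stack $stack --resource $resource `
    --region $region --role $role
$exit = $LASTEXITCODE

# Report success or failure to the stack's CreationPolicy / WaitCondition so a
# failed bootstrap rolls the stack back instead of leaving a half-built host.
& "$cfnDir\cfn-signal.exe" -e $exit --stack $stack --resource $resource `
    --region $region --role $role
Stop-Transcript
</powershell>
```

The `<powershell>` tags are what EC2Config looks for in user data; without them the script is not executed. The transcript path gives you a log to check when a stack rolls back, alongside C:\cfn\log\cfn-init.log, which cfn-init writes itself.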

Related

Create Amazon Linux 2 instance via CodeStar

I have created a Java Web application with Elastic Beanstalk using AWS CodeStar. The application works, no problem there. But the EC2 instance the Elastic Beanstalk provisioned is running Amazon Linux 1. I need to have Amazon Linux 2, because some of the things I want to install there run only on Amazon Linux 2. The AMI used for the instance is aws-elasticbeanstalk-amzn-2018.03.0.x86_64-tomcat8.5java8-hvm-202102251130.
When you are creating a project via CodeStar, you can only select instance type (I selected t3.micro for start). There is no way to select operating system. You also cannot specify OS in the EC2 console or Elastic Beanstalk console. Solution might be to select a different AMI in the Auto-scaling group, but I am not sure if the template provided by CodeStar will work on AL2, since it was built for AL1.
So my question is:
Is there an easy way to get an AL2 instance for a CodeStar project?
If the only solution is to specify an AMI, which one should it be, and how do I make sure my project will work there?
There are two ways to change it, but I don't know if forcing EB platform version change won't break some CodeStar compatibilities. Anyway, you can give it a go, if you want.
First option: go to your source code repo and open template.yml. Find the line SolutionStackName: !Ref 'SolutionStackName' and change it to whichever platform you want, e.g.:
SolutionStackName: 64bit Amazon Linux 2 v4.1.6 running Tomcat 8.5 Corretto 11
The change should trigger re-deployment of your CodeStar project and EB env.
Or, second option: go to the CodePipeline of your CodeStar project and edit the Deploy stage's GenerateChangeSet action. In the Advanced settings of the action, go to Parameter overrides and change "SolutionStackName":"64bit Amazon Linux 2018.03 v3.4.4 running Tomcat 8.5 Java 8" to what you want, e.g.:
"SolutionStackName":"64bit Amazon Linux 2 v4.1.6 running Tomcat 8.5 Corretto 11",
Please note that you may also need to add permissions to the role CodePipeline uses for CloudFormation. The name of the role can be found in the GenerateChangeSet action details. Once you have the name, you can go to the IAM console and add the missing permissions. In my test, I did not try to find the minimum needed permissions, so I just added a bunch of them (bad practice):
AmazonEC2FullAccess
AdministratorAccess-AWSElasticBeanstalk
AWSCloudFormationFullAccess
Finally, the demo application that CodeStar uses probably will not work with the updated environment as it was designed for older EB platforms, not new ones.
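Platform names like the one above are retired as Elastic Beanstalk releases new versions, so it is worth confirming the string exists in your region before committing it. This is an added example, not part of the answer or of CodeStar's own tooling, using AWS Tools for PowerShell (AWS.Tools.ElasticBeanstalk); the repo path is a placeholder:

```powershell
# Added example: confirm a solution stack name exists, then pin it in template.yml.
# Assumes AWS Tools for PowerShell and a checkout of the CodeStar repo at $repo.
$ErrorActionPreference = 'Stop'
$repo     = 'C:\src\my-codestar-app'   # placeholder path
$wanted   = '64bit Amazon Linux 2 v4.1.6 running Tomcat 8.5 Corretto 11'
$template = Join-Path $repo 'template.yml'

# Ask the service what it offers in this region instead of guessing the name.
$available = Get-EBAvailableSolutionStackList | Select-Object -ExpandProperty SolutionStacks
$al2Tomcat = $available | Where-Object { $_ -like '64bit Amazon Linux 2 *Tomcat*' }
Write-Host "Amazon Linux 2 Tomcat platforms available here:`n  $($al2Tomcat -join "`n  ")"

if ($available -notcontains $wanted) {
    throw "'$wanted' is not an available solution stack; pick one from the list above"
}

# Replace the '!Ref SolutionStackName' indirection with the literal platform
# name, keeping the line's indentation (and CRLF line endings) intact.
$content = Get-Content -Raw $template
$pattern = '(?m)^(\s*SolutionStackName:\s*)[^\r\n]*'
if ($content -notmatch $pattern) { throw "no SolutionStackName line found in $template" }
$updated = [regex]::Replace($content, $pattern, "`${1}$wanted")
Set-Content -Path $template -Value $updated -NoNewline
Write-Host "template.yml now pins SolutionStackName to '$wanted'; commit and push to run the pipeline"
```

On the permissions point: rather than attaching FullAccess policies to the CloudFormation role, the stack events of the failed change set name the exact action that was denied, and adding only those actions keeps the deployment role within what the environment update actually needs.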

cloud spanner IAM permission denied

When using the CLI gcloud commands, I can do every action on my database. Yet when I try to do the same thing from Go (from the same shell instance as I did when using the gcloud commands) I get an error with the message:
spanner: code = "PermissionDenied", desc = "Resource projects/todo/instances/todospanner/databases/tododb is missing IAM permission: spanner.sessions.create."
The code I am trying to run is taken from the example found here: https://cloud.google.com/spanner/docs/getting-started/go/
I can't find that permission (spanner.session.create) in the spanner permissions either. I've been playing around with setting all permissions I could find related to spanner, on the account which I've used to log in with gcloud.
My GOOGLE_APPLICATION_CREDENTIALS are set and I've also tried with gcloud beta auth.
Cloud Spanner IAM roles including the permission spanner.session.create are listed and described here: https://cloud.google.com/spanner/docs/iam#roles
Note how some of the roles are specific to a Person while others are Machine-specific (or Service Account specific).
You need to specify where you are connecting from or executing the code (Cloud Shell instance, VM running on GCE, on-prem machine or laptop) and to ensure that the correct roles are assigned to the Person or the Service Account which is attempting to execute the code and access the Cloud Spanner instance.
Consider this scenario:
your gcloud SDK may be well credentialed with a person@domain.com account which has been granted the roles/spanner.admin role, so everything works fine for gcloud
the VM hosting your code and SDK is running as the 12345678901-compute@developer.gserviceaccount.com Service Account, and that one has no access to Cloud Spanner whatsoever, causing trouble.
More information on Service Accounts here:
https://cloud.google.com/compute/docs/access/service-accounts
Probably you didn't add access to your database tododb for the account in the file pointed to by GOOGLE_APPLICATION_CREDENTIALS. Use, for example, the Cloud Spanner Database User role for this account in the Google Cloud Console.
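Both answers come down to the same check: gcloud uses its active account, while the Go client library uses Application Default Credentials (ADC), which resolve to the key file in GOOGLE_APPLICATION_CREDENTIALS, else the `gcloud auth application-default` credential, else the attached service account. The script below is an added example (not from the question or either answer) that prints both identities and grants the database role to the ADC one. It assumes gcloud is on PATH; the project, instance and database names are the ones from the error message in the question:

```powershell
# Added example: find the identity the Go client runs as, compare with gcloud's,
# and grant the Spanner role to the right principal. Assumes gcloud on PATH.
$ErrorActionPreference = 'Stop'
$project  = 'todo'          # from the error message in the question
$instance = 'todospanner'
$database = 'tododb'

# gcloud itself uses the active gcloud account.
$gcloudAccount = (gcloud config get-value account).Trim()
Write-Host "gcloud active account : $gcloudAccount"

# The Go client uses ADC, which is a different credential chain.
$adcPath = $env:GOOGLE_APPLICATION_CREDENTIALS
if ($adcPath) {
    $key    = Get-Content -Raw $adcPath | ConvertFrom-Json
    $member = "serviceAccount:$($key.client_email)"
} else {
    # No key file: ask Google's tokeninfo endpoint who the ADC token belongs to.
    $token = (gcloud auth application-default print-access-token).Trim()
    $info  = Invoke-RestMethod "https://oauth2.googleapis.com/tokeninfo?access_token=$token"
    if (-not $info.email) { throw 'could not determine the ADC identity (token carries no email claim)' }
    $member = if ($info.email -like '*.gserviceaccount.com') { "serviceAccount:$($info.email)" }
              else { "user:$($info.email)" }
}
Write-Host "ADC principal         : $member"
if ($member -notlike "*:$gcloudAccount") {
    Write-Host 'gcloud and the Go client use different identities; the binding below targets the ADC one'
}

# Current bindings on the database (roles granted at project or instance level apply too).
gcloud spanner databases get-iam-policy $database --instance $instance --project $project

# roles/spanner.databaseUser includes spanner.sessions.create plus read/write on
# the database; it is granted on this one database, not on the whole project.
gcloud spanner databases add-iam-policy-binding $database --instance $instance --project $project `
    --member $member --role roles/spanner.databaseUser
```

If the code runs on a Compute Engine VM with no key file, the ADC principal printed will be the VM's service account, which is the second scenario in the first answer.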

How do I remove a role from an EC2 instance?

I launched an instance with an iam role
I now want to remove the role from the instance via powershell
I must be confused about the terminology here because I'm reading this doc and I don't see how to remove a role from an instance.
I want to run this command on the EC2 instance that the role will be removed from.
There can only be one role assigned to an instance, so is there a way to dynamically get the IAM role that has been assigned to an instance and remove it from the instance via the PowerShell API?
You can do that using AWS CLI (v1.11.46 or newer). You can disassociate an IAM instance profile from a running or stopped instance using the disassociate-iam-instance-profile command.
For more details, see the disassociate-iam-instance-profile CLI command documentation.
You cannot change (add or remove) IAM Roles on an instance once it has been created. This is a limitation of the EC2 service and is the same no matter which CLI you use, so it isn't just PowerShell that cannot do this.
You have to re-create the instance with new roles if you want to change them.
Adding and changing Roles on EC2 instances is now (early 2017) supported via the CLI or Console.
You can just remove a role via the CLI remove-role-from-instance-profile or via the console by replacing the old with the offered "No Role" option.
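Since the question asks for PowerShell run on the instance itself, here is an added example (not from any of the answers) using AWS Tools for PowerShell (AWS.Tools.EC2). It discovers the instance's own id and region through the instance metadata service, looks up the active instance-profile association, and disassociates it. Note that `remove-role-from-instance-profile` in the last answer edits the profile, not the instance; the instance-level operation is DisassociateIamInstanceProfile, which is what `Unregister-EC2IamInstanceProfile` calls. It assumes IMDSv2 is reachable and that the credentials in use (the instance role, or an operator's profile) allow ec2:DescribeIamInstanceProfileAssociations and ec2:DisassociateIamInstanceProfile:

```powershell
# Added example: remove the IAM instance profile from the instance this runs on.
# Assumes AWS Tools for PowerShell (AWS.Tools.EC2) and reachable IMDSv2.
$ErrorActionPreference = 'Stop'
$imds = 'http://169.254.169.254/latest'

# IMDSv2: obtain a session token, then read instance id and region with it.
$token = Invoke-RestMethod -Method Put -Uri "$imds/api/token" `
    -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '300' }
$hdr        = @{ 'X-aws-ec2-metadata-token' = $token }
$instanceId = Invoke-RestMethod -Uri "$imds/meta-data/instance-id" -Headers $hdr
$region     = (Invoke-RestMethod -Uri "$imds/dynamic/instance-identity/document" -Headers $hdr).region

# At most one profile is *associated* at a time, but old, disassociated
# records are returned as well, so filter on state too.
$assoc = Get-EC2IamInstanceProfileAssociation -Region $region -Filter @(
    @{ Name = 'instance-id'; Values = $instanceId },
    @{ Name = 'state';       Values = 'associated' }
)
if (-not $assoc) {
    Write-Host "No IAM instance profile is associated with $instanceId"
    return
}
Write-Host "Instance $instanceId has profile $($assoc.IamInstanceProfile.Arn) (association $($assoc.AssociationId))"

# Disassociating from inside the instance revokes the credentials this very
# script may be running with: once the cached role credentials in the metadata
# service expire, nothing on the host can call AWS APIs any more. Run this last.
Unregister-EC2IamInstanceProfile -Region $region -AssociationId $assoc.AssociationId -Force
Write-Host 'Disassociated; the instance will no longer receive role credentials'
```

If the script itself is authenticated through the instance role, it needs those two ec2 permissions in that role, which also means any process on the host could strip the profile; running it from an operator's workstation with the instance id as a parameter avoids granting that to the instance.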

AWS User data windows standard AMI

I'm trying to use codedeploy with autoscaling in order to automate the deployment of my application.
I have everything ready. When developing all the parts (hooks' scripts, roles etc) I installed the codedeploy agent manually. Now I want to make it production ready, which means that the codedeploy agent will be installed at sysprep (by providing the powershell commands via user data in launch configuration).
The problem is that it's not working. The script either runs and fails for some reason (are there any logs to confirm?) or it doesn't run at all. My AMI is based on an AWS standard Windows AMI. The EC2ConfigService is present.
Do you have any idea of what could be the problem or if I have some way to find what's the problem (logs)?
You could take a look at C:\Program Files\Amazon\Ec2ConfigService\Logs\Ec2ConfigLog.txt
On Linux AMIs you can also find the user data script execution logs in the EC2 console when you right-click your instance -> Instance Settings -> Get System Log.
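Ec2ConfigLog.txt tells you whether user data was run at all; what the script itself did is only known if the script writes a log. The following is an added example (not from the question or the answer) of user data for a Windows launch configuration that installs the CodeDeploy agent on first boot and records its own transcript. It assumes EC2Config (or EC2Launch) executes the `<powershell>` block, that the instance can reach S3 over HTTPS, and that us-east-1 is the region; the log paths are choices made here, not AWS defaults:

```powershell
<powershell>
# Added example: install the CodeDeploy agent from user data and log every step.
# Assumes the region below (use the aws-codedeploy-<region> bucket for yours).
$ErrorActionPreference = 'Stop'
$log = 'C:\ProgramData\Amazon\userdata-codedeploy.log'   # chosen here, not an AWS default
Start-Transcript -Path $log -Append
try {
    $region = 'us-east-1'   # assumed
    $msi    = Join-Path $env:TEMP 'codedeploy-agent.msi'
    $url    = "https://aws-codedeploy-$region.s3.$region.amazonaws.com/latest/codedeploy-agent.msi"

    if (Get-Service -Name codedeployagent -ErrorAction SilentlyContinue) {
        Write-Host 'CodeDeploy agent already installed; skipping download'
    } else {
        Write-Host "Downloading $url"
        # Older Windows releases default to TLS 1.0; S3 requires TLS 1.2.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        Invoke-WebRequest -Uri $url -OutFile $msi -UseBasicParsing

        # Quiet install with a verbose msiexec log; that log is where an
        # installer failure is explained, the transcript only shows the exit code.
        $p = Start-Process msiexec.exe -Wait -PassThru -ArgumentList @(
            '/i', "`"$msi`"", '/qn', '/L*v', '"C:\ProgramData\Amazon\codedeploy-agent-install.log"'
        )
        if ($p.ExitCode -ne 0) { throw "msiexec exited with $($p.ExitCode)" }
    }

    Set-Service -Name codedeployagent -StartupType Automatic
    Start-Service -Name codedeployagent
    Write-Host "codedeployagent status: $((Get-Service -Name codedeployagent).Status)"
} catch {
    Write-Host "user data failed: $_"
    throw
} finally {
    Stop-Transcript
}
</powershell>
```

Two things commonly make a script "not run at all": the `<powershell>` tags are missing, or the AMI was captured from an instance whose EC2Config had already executed user data once (it runs only on first boot unless `<persist>true</persist>` is added). Sysprepping through EC2Config before capturing the AMI resets that, so the launch configuration's user data runs on each new instance. The agent also needs an instance profile that can read the deployment bucket, which the question's roles presumably already cover.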

EC2 Instance Cloning

Is it possible to clone a EC2 instance data and all?
You can make an AMI of an existing instance, and then launch other instances using that AMI.
The easier way is through the web management console:
go to the instance
select the instance and click on instance action
create image
Once you have an image you can launch another cloned instance, data and all. :)
There is no explicit Clone button. Basically what you do is create an image, or snapshot of an existing EC2 instance, and then spin up a new instance using that snapshot.
First create an image from an existing EC2 instance.
Check your snapshots list to see if the process is completed. This usually takes around 20 minutes depending on how large your instance drive is.
Then, you need to create a new instance and use that image as the AMI.
Nowadays it is even easier to clone the machine with EBS-backed instances, released a while ago. This is how we do it in BitNami Cloud Hosting.
Basically you just take a snapshot of the instance which can be used later to launch a new server. You can do it either using the AWS console (saving the EBS-backed instance as an AWS AMI) or using the EC2 API tools:
create a snapshot with ec2-create-snapshot
and then launch an instance from a snapshot
Cloning the instance is nothing else but creating the backup and then launching a new server based on that. You can find a bunch of articles out there describing this problem; try to find the info about "how to ..." backup or resize the whole EC2 instance. For example, this blog is a really good place to start: alestic.com
To answer your question: AWS now makes cloning really easy; see Launch instance from your Existing Instance.
On the EC2 Instances page, select the instance you want to use
Choose Actions --> Image and Templates, and then Launch More Like This.
Review & Launch
This will take the existing instance as a template for the new one.
Or you can also take a snapshot of the existing volume and use the snapshot with the AMI (existing one) which you pick during your instance launch.
You can use AWS API or console UI to create an AMI(Amazon Machine Image) of your running instance. You can specify to reboot the instance when create your AMI. Then you can use AWS API or console UI to launch more instances with the AMI you created.
You can do it very easily with cloud management software, like enStratus, RightScale or Scalr (disclaimer: I work there). With the cloned farm you can:
Create a snapshot or a pre-made image to launch another day
Duplicate your configuration to test it before production
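The console route in the answers above, as an added example in AWS Tools for PowerShell (AWS.Tools.EC2), not code from any of the answers: create an AMI from the source instance, wait for it, show which snapshots it consists of, and launch a second instance from it in the same subnet and security groups. The source instance id is a placeholder:

```powershell
# Added example: clone an EC2 instance by imaging it and launching from the image.
# Assumes AWS Tools for PowerShell; $sourceId is a placeholder.
$ErrorActionPreference = 'Stop'
$sourceId = 'i-0123456789abcdef0'   # placeholder

$src = (Get-EC2Instance -InstanceId $sourceId).Instances[0]

# Imaging reboots the instance by default so the file systems are consistent;
# -NoReboot $true skips the reboot at the cost of a possibly inconsistent copy.
$amiId = New-EC2Image -InstanceId $sourceId `
    -Name "clone-of-$sourceId-$(Get-Date -Format yyyyMMddHHmm)" `
    -Description "Clone of $sourceId" -NoReboot $false

# The AMI and the EBS snapshots behind it hold everything that was on the
# volumes: credentials, host keys, application secrets. Keep it private and
# delete it (and its snapshots) when the clone is no longer needed.
do {
    Start-Sleep -Seconds 15
    $img = Get-EC2Image -ImageId $amiId
    Write-Host "$amiId is $($img.State.Value)"
} while ($img.State.Value -eq 'pending')
if ($img.State.Value -ne 'available') { throw "AMI ended in state $($img.State.Value)" }
$img.BlockDeviceMappings | ForEach-Object {
    Write-Host "  $($_.DeviceName) -> snapshot $($_.Ebs.SnapshotId) ($($_.Ebs.VolumeSize) GiB)"
}

# Launch the clone with the source's type, subnet, security groups and key pair.
# For Windows, image a sysprepped instance (EC2Config/EC2Launch) so the clone
# gets its own SID, hostname and administrator password rather than copies.
$reservation = New-EC2Instance -ImageId $amiId -InstanceType $src.InstanceType `
    -SubnetId $src.SubnetId -SecurityGroupId ($src.SecurityGroups | ForEach-Object GroupId) `
    -KeyName $src.KeyName -MinCount 1 -MaxCount 1
$clone = $reservation.Instances[0]
Write-Host "Launched clone $($clone.InstanceId) from $amiId"
```

"Launch More Like This" in the console copies the launch parameters (type, subnet, security groups, IAM role) but starts from the same AMI the source used, so it does not carry the source's disk contents; copying the data is what the New-EC2Image step above adds.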
