AWS CLI Basics:
Assuming you have the AWS CLI set up (on an Amazon Linux EC2 AMI it is preinstalled), verify the CLI version with:
aws --version
# list the regions available to this account (needs the ec2:DescribeRegions permission)
# --query selects the field by name; the older "cut -f 3" on text output depends on column order, which shifted when OptInStatus was added
aws ec2 describe-regions --query 'Regions[].RegionName' --output text
More Advanced AWS CLI:
aws sns publish --generate-cli-skeleton
{
    "TopicArn": "",
    "TargetArn": "",
    "PhoneNumber": "",
    "Message": "",
    "Subject": "",
    "MessageStructure": "",
    "MessageAttributes": {
        "KeyName": {
            "DataType": "",
            "StringValue": "",
            "BinaryValue": null
        }
    }
}
aws sns publish --generate-cli-skeleton > publish-arguments.json
# then, after filling in the skeleton (not shown). Delete the keys you do not use (TargetArn, PhoneNumber, etc.)
# instead of leaving them as empty strings: the CLI sends them as-is and the API rejects the request.
aws sns publish --cli-input-json file://publish-arguments.json
# Or put your message in a text file and deliver it
$ cat message.txt
Hello World From A File
$ aws sns publish --topic-arn "arn:aws:sns:us-west-2:649999999999:Oregon-Manual-Publish" --message file://message.txt
# note: the publish above assumes the topic "Oregon-Manual-Publish" already exists and has at least one subscription.
# Publishing to a topic with no subscribers still succeeds (you get a MessageId back); the message is simply dropped.
Assuming Roles From AWS CLI
Now let's assume you have an IAM user (for example the one whose access keys are configured for ec2-user on an instance), and you want that user to assume different AWS roles depending on the action they need to perform (publishing to SNS, for example).
This way you can limit what the user is granted by default: the user's own policy only has to allow the AssumeRole call, and the permissions for the actual work live in the role, which is only in effect for the duration of the assumed session.
To do this:
- Create a role that contains the permissions you want to delegate. The AWS Console is the easiest way to do this.
- The role must also have a "Trust Relationship" (its trust policy) naming the users or services allowed to assume it. The example below, taken from the role definition, has two trusted entities: an IAM user named AssumeRoleOnly and the EC2 service (so the role can also be attached to instances via an instance profile):
Trusted entities
arn:aws:iam::641559118888:user/AssumeRoleOnly
The identity provider(s) ec2.amazonaws.com
- Create a policy that grants the user sts:AssumeRole on that role (again, the console works) and attach it to the user, either directly or through a group. Keep the Resource of that statement set to the specific role ARN rather than "*", otherwise the user can assume any role that trusts them.
- Create AWS config and credentials files (~/.aws/config and ~/.aws/credentials) that look something like:
$ cat config
[default]
output = text
region = us-west-2
role_arn = arn:aws:iam::641559999999:role/s3-Full-Access
source_profile = default

[profile sns-s3]
output = text
region = us-west-2
role_arn = arn:aws:iam::64155999999:role/s3-Full-Access
source_profile = default

$ cat credentials
[default]
aws_access_key_id = AKIAJLLNTHGfakekeyid
aws_secret_access_key = xlBdf3qgkbj3k/fakesecretaccesskey
Two things to check in a file like this. First, as written the [default] profile also carries role_arn and source_profile, so every command run without --profile already assumes the role; to keep the default identity minimal, leave those two lines out of [default] and put them only in the named profile. Second, the role behind a profile must actually allow what the profile is used for: a profile used for "aws sns publish" needs a role with sns:Publish on the topic, which a role named s3-Full-Access will not have unless you added it.
Now you can do something like this:
aws sns publish --profile "sns-s3" --topic-arn "arn:aws:sns:us-west-2:641559115954:Oregon-Manual-Publish" --message file://message.txt
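The whole procedure above (role trust policy, the role's own permissions, the user's AssumeRole grant, the CLI config) together with the pruned --cli-input-json skeleton from the SNS section, as one added shell example that is not part of the original post. It assumes a placeholder account 111122223333, the user AssumeRoleOnly, a role named sns-publish scoped to sns:Publish on the Oregon-Manual-Publish topic (narrower than the page's s3-Full-Access role), and writes the config to ./aws-config so nothing in ~/.aws is overwritten; the aws calls only run when the script is invoked with the argument apply.

```shell
# Added example (not from the original post). Generates the artefacts the steps
# above describe and applies them only on request. Account, user, role and
# topic names are placeholder assumptions.
set -eu

ACCOUNT_ID="111122223333"
REGION="us-west-2"
USER_NAME="AssumeRoleOnly"
ROLE_NAME="sns-publish"
TOPIC_ARN="arn:aws:sns:${REGION}:${ACCOUNT_ID}:Oregon-Manual-Publish"
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"

# Trust policy: who may assume the role. Naming the user ARN (not the account
# root) keeps the trust as narrow as the console example in the text.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "sts:AssumeRole",
      "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:user/${USER_NAME}" } },
    { "Effect": "Allow", "Action": "sts:AssumeRole",
      "Principal": { "Service": "ec2.amazonaws.com" } }
  ]
}
EOF
}

# What the role can do once assumed: publish to this one topic, nothing else.
role_permissions() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "sns:Publish", "Resource": "${TOPIC_ARN}" }
  ]
}
EOF
}

# What the user holds by default: only the right to assume this one role.
user_permissions() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "${ROLE_ARN}" }
  ]
}
EOF
}

# CLI config: [default] keeps the user's own keys from ~/.aws/credentials and
# no role_arn, so only the named profile chains to the role.
cli_config() {
  cat <<EOF
[default]
region = ${REGION}
output = text

[profile ${ROLE_NAME}]
region = ${REGION}
output = text
role_arn = ${ROLE_ARN}
source_profile = default
EOF
}

# The --generate-cli-skeleton output with the unused keys (TargetArn,
# PhoneNumber, MessageStructure, MessageAttributes) deleted, not left as "".
publish_arguments() {
  cat <<EOF
{
  "TopicArn": "${TOPIC_ARN}",
  "Subject": "cli-input-json test",
  "Message": "Hello World From A File"
}
EOF
}

# Applies everything to a real account; needs credentials that can manage IAM.
apply() {
  aws iam create-role --role-name "${ROLE_NAME}" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "${ROLE_NAME}" \
    --policy-name "publish-${ROLE_NAME}" --policy-document "$(role_permissions)"
  aws iam put-user-policy --user-name "${USER_NAME}" \
    --policy-name "assume-${ROLE_NAME}" --policy-document "$(user_permissions)"
  cli_config > ./aws-config
  publish_arguments > ./publish-arguments.json
  # Check before publishing: the Arn printed must be an assumed-role ARN for
  # sns-publish, not the user's ARN, or the profile is not chaining to the role.
  AWS_CONFIG_FILE=./aws-config aws sts get-caller-identity --profile "${ROLE_NAME}"
  AWS_CONFIG_FILE=./aws-config aws sns publish --profile "${ROLE_NAME}" \
    --cli-input-json file://publish-arguments.json
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Run without arguments the script only defines the functions, so you can inspect each document (for example `trust_policy | python3 -m json.tool`) before anything touches the account. The get-caller-identity line is the check worth keeping in your own scripts: with the profile chaining correctly it prints an ARN of the form arn:aws:sts::ACCOUNT:assumed-role/sns-publish/SESSION; if it prints the user's own ARN, the publish would run with the user's deliberately minimal permissions and fail.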
Here is a company that goes even further with the same idea (warning: it gets a bit complex):
https://blog.gruntwork.io/authenticating-to-aws-with-environment-variables-e793d6f6d02e
More from LonzoDB on AWS