forked from 9652040795/aws-policies
-
Notifications
You must be signed in to change notification settings - Fork 0
/
aws-command-line-clir
220 lines (123 loc) · 8.97 KB
/
aws-command-line-clir
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-using-volumes.html
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html
# Identifying the EBS Device
# Other Linux
nvme id-ctrl -v /dev/nvme8n1p1 | head -n5
NVME Identify Controller:
# AmazonLinux
[ec2-user ~]$ sudo /sbin/ebsnvme-id /dev/nvme1n1
Volume ID: vol-01324f611e2463981
/dev/sdf
# KMS KEY & ALIAS CREATION
#######################################################################################
#!/bin/bash
# https://docs.aws.amazon.com/cli/latest/reference/kms/create-alias.html
echo -e "\nBest is to create the KMS Key Manually, because I foud the fields do change & behave differently because of A/c "string" length, so this is a demo, that is why I am using it.\n"
ACCOUNT_ID=`aws sts get-caller-identity | grep -i "account" | cut -d':' -d'"' -f4`
#KMS_KEY=`aws kms create-key | grep "key" | awk '{print $3}' | cut -f6 -d":" | cut -d"/" -f2`
ALIAS_NAME="jenkins"
KMS_KEY=`aws kms create-key | grep "key" `
echo -e "\nYour AWS A/c ID is "$ACCOUNT_ID"\n"
echo "$KMS_KEY"
echo -e 'aws kms create-alias --alias-name alias/YourAlias --target-key-id CopyTheTargetKMSkeyFromAbove&PasteHere'
echo 'aws kms list-aliases | grep "YourAlias"'
#END
##############################################################################################
# List All Stopped instances
# https://stackoverflow.com/questions/46457899/aws-cli-command-to-list-stopped-instances
aws ec2 describe-instances --filters "Name=instance-state-name,Values=stopped" --query 'Reservations[].Instances[].Tags[?Key==`Name`].Value[]'
aws ec2 describe-instances --filters "Name=instance-state-name,Values=stopped" --query 'Reservations[].Instances[].{ID: InstanceId,Hostname: PublicDnsName,Name: Tags[?Key==`Name`].Value }'
# List All Running Instances
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" --query 'Reservations[].Instances[].{ID: InstanceId,Hostname: PublicDnsName,Name: Tags[?Key==`Name`].Value }'
# List Running Instances of a Specific VPC
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" Name=vpc-id,Values=YOURVPCID --query 'Reservations[].Instances[].{ID: InstanceId,Hostname: PublicDnsName,Name: Tags[?Key==`Name`].Value }'
################################################################################################
#!/bin/bash
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
# https://aws.amazon.com/premiumsupport/knowledge-center/sftp-iam-user-cli/
1. aws iam create-instance-profile --instance-profile-name Linux-Academy-ECS-Instance-Role
2. cat <<EOF >ec2-trust-relationship.json
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name Linux-Academy-ECS-Instance-Role --assume-role-policy-document file://ec2-trust-relationship.json --description "EC2 Access"
# Note: Attaching AWS Managed Policy ARN is fixed
3. aws iam attach-role-policy --role-name Linux-Academy-ECS-Instance-Role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
aws iam attach-role-policy --role-name Linux-Academy-ECS-Instance-Role --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
# Add the s3access role to the s3access-profile instance profile.
4. aws iam add-role-to-instance-profile --instance-profile-name Linux-Academy-ECS-Instance-Role --role-name Linux-Academy-ECS-Instance-Role
# Create a keypair
aws ec2 create-key-pair --key-name Linux-Academy --query 'KeyMaterial' --output text > ~/.ssh/Linux-Academy.pem
# Create a s3 bucket
aws s3 mb s3://cloudgeeks.ca-ecs-learning
OR
aws s3api create-bucket --bucket cloudgeeks.ca-ecs-learning
aws s3 cp ecs.config s3://cloudgeeks.ca-ecs-learning/
aws s3 ls s3://cloudgeeks.ca-ecs-learning
aws ec2 run-instances --image-id ami-2b3b6041 --count 1 \
--instance-type t2.micro --iam-instance-profile Name=Linux-Academy-ECS-Instance-Role \
--key-name Linux-Academy --subnet-id subnet-0703816245a8a7457 \
--user-data file://copy-ecs-config-to-s3
# Get EC2 instance status
aws ec2 describe-instance-status --instance-id i-0eb3791217abd83ef
# Verify the EC2 instance is now part of the deepdive cluster
aws ecs list-container-instances --cluster deepdive
# Terminate EC2 instance
aws ec2 terminate-instances --instance-ids i-0eb3791217abd83ef
#END
# Get the ARN of SSM Policy for IAM Role `AmazonEC2RoleforSSM`
# Note down the ARN of the policy from the following command:
aws iam list-policies --scope AWS --query "Policies[?PolicyName == 'AmazonEC2RoleforSSM']"
# Optionally, you may also use the following command in addition to the value of DefaultVersionId from the above command to look at the JSON document of the policy in question via the CLI:
aws iam get-policy-version --policy-arn <ARN-OF-POLICY> --version-id <VERSION-ID-STRING-FROM-PREV-COMMAND>
# Create IAM Role for EC2 and Assign SSM Policy to It
# Copy the following JSON and create a new JSON file in your current directory. Name it EC2Trust.json:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"Service": "ec2.amazonaws.com"},
"Action": "sts:AssumeRole"
}
}
# Create the role and attach the trust policy JSON file you created above to it. Make sure you execute the following command in the same directory where you created the EC2Trust.json file:
aws iam create-role --role-name MyEC2SSMRole --assume-role-policy-document file://EC2Trust.json
# Assign policy from previous step to the newly created role:
aws iam attach-role-policy --role-name MyEC2SSMRole --policy-arn <SSM-POLICY-ARN>
# Create and Attach an Instance Profile to the IAM EC2 Service Role
# Create instance profile using the command below and note down the name you assign to the instance profile (in the case of the command below, it is MyEC2InstanceProfile). Note down the ARN of the instance profile returned to you from executing the command below. We'll be using it in the next step when we create an EC2 instance.
aws iam create-instance-profile --instance-profile-name MyEC2InstanceProfile
# Add the role created in second task to the instance profile created above:
aws iam add-role-to-instance-profile --instance-profile-name MyEC2InstanceProfile --role-name MyEC2SSMRole
# Gather Necessary Data for Plugging into EC2 Instance Creation Command
# Get subnet ID:
aws ec2 describe-subnets --query "Subnets[?Tags[?Value == 'SubnetA'] ].SubnetId | [0]"
# Get security group ID:
aws ec2 describe-security-groups --filters Name=group-name,Values=SG --query "SecurityGroups[?GroupName == 'SG'].GroupId | [0]"
# Get AMI ID (with SSM installed):
aws ec2 describe-images --filters "Name=architecture,Values=x86_64" "Name=description,Values=*Amazon Linux 2 AMI 2.0.2019*gp2" "Name=owner-id,Values=137112412989" "Name=image-type,Values=machine" --query "sort_by(Images, &CreationDate)[::-1].ImageId | [0]"
# Create an EC2 Instance Using Subnet, Security Group, and AMI ID
# Plug in the subnet ID, security group ID, AMI ID, and instance profile ARN in the following command:
aws ec2 run-instances --associate-public-ip-address --security-group-ids <SECURITY-GROUP-ID> --iam-instance-profile Arn=<INSTANCE-PROFILE-ARN> --instance-type t2.micro --image-id <AMI-ID> --subnet-id <SUBNET-ID> --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=MyEC2}]"
# Notice that we are giving our EC2 instance the name MyEC2 (basically we're tagging it with this name) so we can get its instance ID and later confirm that SSM sees it.
# If you gave your IAM instance profile the same name as given in the lab task(i.e. MyEC2InstanceProfile ) , you can fetch the Instance Profile ARN(required by command above), by using the following command:
aws iam get-instance-profile --instance-profile-name MyEC2InstanceProfile
# Confirm via SSM CLI API (or GUI) that the Newly Created EC2 Instance Is Visible to It
# Get the instance ID of the newly created instance (remember we named it MyEC2, so we'll use this name in the command to get its instance ID — if you tagged/named it differently, be sure to use that name):
aws ec2 describe-instances --filters Name=tag:Name,Values=MyEC2 --query "Reservations[].Instances[].InstanceId"
# Run the following SSM instance information API command to see if the same instance ID from the command above is showing up in SSM API's output (plug the instance ID you noted in the previous command into this command):
aws ssm describe-instance-information --query "InstanceInformationList[?InstanceId == '<INSTANCE-ID>']"
# The command should return an object with information about the newly configured EC2 instance with Systems Manager.
# Note: It can take up to five minutes for the instance to show up in the SSM GUI or API command output.
# You can also choose to skip this last step, log in to the AWS Management Console, and compare the EC2 instance value in the EC2 console with the instance ID value under AWS Systems Manager > Managed Instances.