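# Install Python, setuptools and pip, then the AWS CLI.
yum install python python-setuptools
easy_install pip
pip install awscli

# Interactive setup of the "default" profile. The prompts look like this:
#   AWS Access Key ID [None]: ****
#   AWS Secret Access Key [None]: ****
#   Default region name [None]: us-east-1
#   Default output format [None]: (choose one of json, table, text)
# The keys entered here are stored in plaintext under ~/.aws/, so keep that
# directory readable by its owner only.
aws --profile default configure

# Help
aws help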
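# Same installation using the python26 packages and their versioned tools.
yum install python26 python26-setuptools
easy_install-2.6 pip
pip2.6 install awscli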
~/.aws/config
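[default]
# Send STS requests to the regional endpoint of the configured region
# instead of the global endpoint.
sts_regional_endpoints = regional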
記事:
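aws_profile=login
mfa_serial=arn:aws:iam::123456789012:mfa/user01

# Drop an older alias of the same name first: bash cannot define a function
# while an alias with that name is active. The error for "no such alias" is
# suppressed on purpose.
unalias awsmfa 2>/dev/null || true

#######################################
# Prompt for an MFA code, request temporary session credentials from STS and
# export them into the current shell.
# Globals:   aws_profile, mfa_serial (read when the function is called)
#            AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (exported)
# Outputs:   the prompt and "Expiration: <timestamp>" on stdout
# Returns:   0 on success, non-zero if no credentials were returned
#######################################
awsmfa() {
  local token key secret session expiry
  printf 'enter mfa token: '
  read -r token || return
  # The response is read as tab-separated data. It is never sourced or
  # evaluated, so nothing in the API output can run as shell code.
  # --duration-seconds 86400 keeps the session valid for 24 hours; a shorter
  # value limits how long a leaked session token stays usable.
  IFS=$'\t' read -r key secret session expiry < <(
    aws sts get-session-token \
      --duration-seconds 86400 \
      --token-code "$token" \
      --serial-number "$mfa_serial" \
      --profile "$aws_profile" \
      | jq -r '.Credentials | [.AccessKeyId, .SecretAccessKey, .SessionToken, .Expiration] | @tsv'
  )
  # The exit status of the pipeline is not visible through process
  # substitution, so success is judged by the fields that came back.
  if [[ -z "$key" || -z "$secret" || -z "$session" ]]; then
    echo 'awsmfa: no session credentials returned' >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID=$key
  export AWS_SECRET_ACCESS_KEY=$secret
  export AWS_SESSION_TOKEN=$session
  printf 'Expiration: %s\n' "$expiry"
}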
awsmfa enter mfa token: 073057 Expiration: 2023-01-02T09:22:09+00:00
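# Confirm that the session variables are set. Only the variable names are
# printed, so the secret values do not end up in terminal scrollback or logs.
env | grep -i -o '^aws[^=]*'
# Expected names:
#   AWS_SECRET_ACCESS_KEY
#   AWS_ACCESS_KEY_ID
#   AWS_SESSION_TOKEN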
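# ~/.aws/config holds the non-secret settings of the profile:
#   [profile example]
#   output = json
#   region = ap-northeast-1
cat ~/.aws/config

# Store the long-term access key of the profile (interactive).
aws configure --profile example

# The session file contains live credentials. It is created under a
# restrictive umask, and chmod covers the case where the file already existed
# with wider permissions.
session_file=~/.aws/example.session1.json
if (
  umask 077
  aws sts get-session-token \
    --serial-number arn:aws:iam::123456789012:mfa/example-user01 \
    --token-code 12345 \
    --profile example > "$session_file"
); then
  chmod 600 -- "$session_file"
  AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "$session_file")
  AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' "$session_file")
  AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' "$session_file")
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
else
  # Do not export anything from a partial or stale file when the call failed.
  echo 'get-session-token failed; session variables left unchanged' >&2
fi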
~/.aws/config のAssumeRole先のprofileにrole_session_nameを追加
[profile example] ... role_session_name =
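# Fill an empty "role_session_name =" line in ~/.aws/config with the local
# user name, so that assumed-role sessions carry the name of the person who
# opened them.
# The Perl program is single-quoted and reads the name from %ENV, so the
# shell never splices the value of $USER into the Perl source.
# -i edits the file in place without keeping a backup.
perl -p -i -e 's/^(role_session_name\s*=)$/$1 $ENV{USER}/' ~/.aws/config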
# Show the account, user ID and ARN that the "example" profile resolves to.
# Useful for checking that the assumed-role session is named as expected.
aws sts get-caller-identity --profile example
記事:
記事:
# Remove every exported AWS_* variable from the current shell, including the
# access key, secret key and session token. AWS_PROFILE and AWS_REGION match
# the pattern as well and are cleared too.
# The command substitution is deliberately unquoted so that each variable
# name becomes a separate argument to unset.
unset $(env | grep -o -P '^AWS_[\w\d]+')
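# Piping the names into a bare `unset` clears nothing: unset takes its names
# as arguments, not from stdin, and a pipeline stage runs in a subshell.
# Reading the names in the current shell removes the variables for real.
while IFS= read -r name; do
  unset "$name"
done < <(env | grep -o -P '^AWS_[\w\d]+')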
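# Dump all SQS queue URLs of one profile/region, one URL per line, gzip-compressed.
# The assignments are separate statements: written on the same line as the
# aws command, $profile and $region would be expanded before they are set.
profile=example
region=ap-northeast-1
aws sqs list-queues \
  --profile "$profile" \
  --region "$region" \
  --page-size 1000 \
  --query 'QueueUrls[]' \
  --output text \
  | tr '\t' '\n' \
  | gzip > "sqs.${profile}.${region}.txt.gz"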
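# Pick the profile interactively with peco from the [profile ...] sections
# of ~/.aws/config.
AWS_PROFILE=$(grep -o -P '(?<=\[profile )[^\]]+' ~/.aws/config | peco)
# Pick the region the same way. The --query expression is quoted so the
# shell does not treat the brackets as a glob pattern.
AWS_REGION=$(aws ec2 describe-regions --profile "$AWS_PROFILE" --query 'Regions[].RegionName' --output text | tr '\t' '\n' | peco)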
Example:
aws alias
ECSを使う時に、以下のエラーが出る事がある。
昔はroot userのみだったが、今はIAM userでadmin権限があれば変更できる。
Long arn format must be enabled for ECS managed tags
# Enable the long ARN format as the account default for services, tasks and
# container instances.
for setting_name in serviceLongArnFormat taskLongArnFormat containerInstanceLongArnFormat; do
  aws ecs put-account-setting-default --name "$setting_name" --value enabled --profile example
done
# List the regions visible to the "example" profile.
aws ec2 describe-regions --profile example
# Print the access key ID stored for the "example" profile. This is the key's
# identifier, not the secret access key.
aws configure get aws_access_key_id --profile example
AWS management consoleから、S3 bucketに別AWSアカウントへのアクセス権限を追加した場合に必要になる。
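# Print the ID of the bucket owner for the account behind the profile.
# The assignment is a separate statement: written on the same line as the
# aws command, $AWS_PROFILE would be expanded before it is set.
AWS_PROFILE=example
aws s3api list-buckets --profile "$AWS_PROFILE" | jq -r .Owner.ID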
aws sts get-caller-identity --profile default { "Account": "1234567890", "UserId": "AIDXXXXXX", "Arn": "arn:aws:iam::1234567890:user/username" }
~/.aws/config にクレデンシャル等もまとめてある状態から ~/.aws/credentials を生成したい場合
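# Build ~/.aws/credentials from a ~/.aws/config that also contains the keys.
# install copies the file and sets owner-only permissions in one step, even
# when the target already exists with a wider mode. An existing credentials
# file is overwritten.
install -m 600 ~/.aws/config ~/.aws/credentials

# Turn "[profile name]" headers into "[name]" and drop the output, region and
# signature_version lines. The header pattern is anchored on "[profile " so
# that keys such as source_profile are left intact.
perl -p -i -e 's/^\[profile\s+/[/; s/^(?:output|region|signature_version).+[\r\n]//' ~/.aws/credentials

# NOTE(review): the keys are still present in ~/.aws/config after this step.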
記事:
aws ec2 describe-reserved-instances-offerings \ --profile default \ # AWS profile --region ap-northeast-1 \ # 東京リージョン --instance-tenancy default \ # デフォルトか、ハードウェア専用か --offering-type "Partial Upfront" \ # 一部前払い(以前の重度利用) --offering-class standard \ 3年の場合はConvertibleも選べる --max-duration 31536000 \ # 1年 --filters "Name=product-description,Values=Linux/UNIX,Linux/UNIX (Amazon VPC)" "Name=scope,Values=Region" \ # Linuxのみ --instance-type m3.large \ --output json { "ReservedInstancesOfferings": [ { "OfferingClass": "standard", "OfferingType": "Partial Upfront", "ProductDescription": "Linux/UNIX", "InstanceTenancy": "default", "PricingDetails": [], "UsagePrice": 0.0, "RecurringCharges": [ { "Amount": 0.058000000000000003, "Frequency": "Hourly" } ], "Marketplace": false, "CurrencyCode": "USD", "FixedPrice": 463.0, "Duration": 31536000, "Scope": "Region", "ReservedInstancesOfferingId": "7875a3da-c41e-40bc-8f81-7e155f5bab77", "InstanceType": "m3.large" }, { "OfferingClass": "standard", "OfferingType": "Partial Upfront", "ProductDescription": "Linux/UNIX (Amazon VPC)", "InstanceTenancy": "default", "PricingDetails": [], "UsagePrice": 0.0, "RecurringCharges": [ { "Amount": 0.058000000000000003, "Frequency": "Hourly" } ], "Marketplace": false, "CurrencyCode": "USD", "FixedPrice": 463.0, "Duration": 31536000, "Scope": "Region", "ReservedInstancesOfferingId": "fbc08497-fd12-4bb0-a03b-5e0955899527", "InstanceType": "m3.large" } ] }
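# Enable the preview CloudFront commands.
aws configure set preview.cloudfront true

# Or append the setting to the config file by hand (use one of the two, not
# both, otherwise the section is written twice).
printf '[preview]\ncloudfront = true\n' >> ~/.aws/config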
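# Request SES verification for every address in ses-verify-email.txt
# (one address per line; blank lines are skipped).
# AWS_PROFILE and AWS_REGION must be set. Literal <AWS PROFILE> / <AWS REGION>
# placeholders would be parsed by the shell as input redirections.
: "${AWS_PROFILE:?set AWS_PROFILE}" "${AWS_REGION:?set AWS_REGION}"
while IFS= read -r address || [[ -n "$address" ]]; do
  [[ "$address" =~ ^[[:space:]]*$ ]] && continue
  # Each address is passed as one quoted argument, so quotes or backslashes
  # in the file are not reinterpreted. stdin is detached so the aws command
  # cannot consume the rest of the list.
  aws --profile "$AWS_PROFILE" --region "$AWS_REGION" \
    ses verify-email-identity --email-address "$address" < /dev/null
done < ses-verify-email.txt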
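# List the active EMR clusters in the Tokyo region. The service name (emr)
# is required before the list-clusters subcommand.
aws --region ap-northeast-1 emr list-clusters --active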
# Terminate the EMR cluster with the given ID (j-xxxxxxxx is a placeholder).
# Check the ID against the list-clusters output before running this.
aws --region ap-northeast-1 emr terminate-clusters --cluster-ids j-xxxxxxxx
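# For every region, save the scheduled EC2 events and the RDS and ElastiCache
# event lists to one JSON file per service: <profile>.<region>.<service>.events.json
AWS_PROFILE=default
# The command substitution is deliberately unquoted so that each region name
# becomes one loop item.
for region in $(aws --profile "$AWS_PROFILE" ec2 describe-regions --query "Regions[].[RegionName]" --output text); do
  aws --profile "$AWS_PROFILE" --region "$region" ec2 describe-instance-status \
    --filters "Name=event.code,Values=*" \
    --query "InstanceStatuses[].{InstanceId:InstanceId, Events:Events}" \
    --output json > "$AWS_PROFILE.$region.ec2.events.json"
  aws --profile "$AWS_PROFILE" --region "$region" rds describe-events \
    > "$AWS_PROFILE.$region.rds.events.json"
  aws --profile "$AWS_PROFILE" --region "$region" elasticache describe-events \
    > "$AWS_PROFILE.$region.elasticache.events.json"
done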
# EC2: show the entries whose event description does not contain "Completed".
cat *.ec2.events.json | jq '.[]|select(.Events[].Description|contains("Completed")==false)'
# RDS: print the saved describe-events output as-is.
cat *.rds.events.json
# ElastiCache: print the saved describe-events output as-is.
cat *.elasticache.events.json
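# For every region, write a TSV of scheduled EC2 events sorted by start time:
#   profile, region, Name tag, instance id, event code, not-before, not-after
AWS_PROFILE=default
# The command substitution is deliberately unquoted so that each region name
# becomes one loop item.
for region in $(aws --profile "$AWS_PROFILE" ec2 describe-regions --query "Regions[].[RegionName]" --output text); do
  aws ec2 describe-instance-status \
    --region "$region" \
    --profile "$AWS_PROFILE" \
    --filters "Name=event.code,Values=*" \
    --query 'sort_by(InstanceStatuses[].[InstanceId,Events[0].Code,Events[0].NotBefore,Events[0].NotAfter],&[2])' \
    --output text \
    | while IFS= read -r line; do
        # Each row is handled as data in a shell variable. It is never pasted
        # into a `bash -c` script, so nothing in the API output can run as code.
        id=${line%%[[:space:]]*}
        name=$(aws ec2 describe-instances \
          --region "$region" \
          --profile "$AWS_PROFILE" \
          --instance-ids "$id" \
          --query 'Reservations[].Instances[].[Tags[?Key==`Name`].Value|[0]]' \
          --output text < /dev/null)
        # printf '%s' prints the Name tag verbatim, where echo -e would
        # interpret backslash escapes contained in it.
        printf '%s\t%s\t%s\t%s\t\n' "$AWS_PROFILE" "$region" "$name" "$line"
      done \
    | sort > "$AWS_PROFILE.$region.ec2.events.tsv"
done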
# Delete the empty result files (regions without events). This removes every
# zero-byte *.tsv file below the current directory, including subdirectories.
find . -type f -name '*.tsv' -size 0c -delete
リソース指定方法や、タグの書式が違う。
# EC2: tag one or more resources, addressed by resource ID.
aws --profile test-user ec2 create-tags \
  --region us-east-1 \
  --resources i-xxxxxx01 i-xxxxxx02 \
  --tags Key=MY-KEY,Value=MY-VALUE
# RDS: tag a DB instance, addressed by its full ARN.
aws --profile test-user rds add-tags-to-resource \
  --region us-east-1 \
  --resource-name arn:aws:rds:us-east-1:1234567890:db:MY-RDS-01 \
  --tags Key=MY-KEY,Value=MY-VALUE
# S3: tag a bucket, addressed by name. The tags are passed as a JSON TagSet
# document.
aws --profile test-user s3api put-bucket-tagging \
  --region us-east-1 \
  --bucket mybucket \
  --tagging ' { "TagSet": [ { "Key": "MY-KEY", "Value": "MY-VALUE" } ] }'
今ではACMを使った方が良い。
aws iam list-server-certificates { "ServerCertificateMetadataList": [ { "Path": "/", "Arn": "arn:aws:iam::000000000000:server-certificate/example.com", "ServerCertificateId": "XXXXXXXXXXXXXXXXXXXXX", "ServerCertificateName": "example.com", "UploadDate": "2014-01-02T03:40:50Z" } ] }
aws elb describe-load-balancers \ --query "LoadBalancerDescriptions[].[LoadBalancerName,ListenerDescriptions[].Listener[].SSLCertificateId]" \ --region us-east-1 [ [ "example.com", [ "arn:aws:iam::000000000000:server-certificate/example.com" ] ] ]
# Upload a server certificate, its private key and the chain to IAM.
# NOTE(review): the .key.nopass file name suggests a passphrase-less copy of
# the private key. Keep it readable by its owner only and remove the copy
# once the upload has succeeded.
aws iam upload-server-certificate \
  --server-certificate-name example.com.20170101 \
  --certificate-body file://example.com.20170101.crt \
  --private-key file://example.com.20170101.key.nopass \
  --certificate-chain file://certificate_chain_file.crt
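# Add an HTTPS listener on port 443 that uses the uploaded certificate.
# TLS ends at the load balancer: InstanceProtocol=HTTP forwards to the
# instances on port 80 unencrypted.
# The assignment is a separate statement: written on the same line as the
# aws command, $ARN would be expanded before it is set.
ARN="arn:aws:iam::012345678901:server-certificate/production/newCert"
aws --region ap-northeast-1 \
  elb create-load-balancer-listeners \
  --load-balancer-name elb01 \
  --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=$ARN"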
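# Replace the certificate on the existing port 443 listener.
# The assignment is a separate statement: written on the same line as the
# aws command, $ARN would be expanded before it is set.
ARN="arn:aws:iam::012345678901:server-certificate/production/newCert"
aws --region ap-northeast-1 \
  elb set-load-balancer-listener-ssl-certificate \
  --load-balancer-name elb01 \
  --load-balancer-port 443 \
  --ssl-certificate-id "$ARN"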
# Delete the old server certificate from IAM. Before deleting, confirm with
# `aws elb describe-load-balancers` that no listener still references its ARN.
aws iam delete-server-certificate \
--server-certificate-name example.com
# CentOS 6.3 # ec2 cli (java 1.6.0_24) bash ec2cli_vs_awscli.sh i-xxxxxxxx ec2 5 ... Elapsed time: 30.725 sec. # aws cli (python 2.6.6) bash ec2cli_vs_awscli.sh i-xxxxxxxx aws 5 ... Elapsed time: 26.984 sec.
jqなしでもそれなりに使える。
# EnableDateを含んでいる結果のみ aws iam list-virtual-mfa-devices --profile $AWS_PROFILE --query 'VirtualMFADevices[?EnableDate].SerialNumber' # EnableDateが無い結果のみ aws iam list-virtual-mfa-devices --profile $AWS_PROFILE --query 'VirtualMFADevices[?!EnableDate].SerialNumber'
aws s3api list-multipart-uploads --bucket $S3_BUCKET --profile $AWS_PROFILE --region $AWS_REGION --query 'length(Uploads)' # または --query 'Uploads | length(@)'
# 結果に改行が付かず、grepが効かない。 aws ... --output text --query 'TableNames[]' | grep 'hoge' # jqを使うと正常動作 aws ... --output json | jq -r '.TableNames[]' | grep 'hoge'
# 通常 aws rds describe-reserved-db-instances-offerings \ --region ap-northeast-1 \ --duration 1 \ --max-items 1 \ --query 'ReservedDBInstancesOfferings[].[DBInstanceClass,RecurringCharges]' [ [ "db.t1.micro", [ { "RecurringChargeAmount": 0.023, "RecurringChargeFrequency": "Hourly" } ] ] ] # "|[0]" 指定 aws rds describe-reserved-db-instances-offerings \ --region ap-northeast-1 \ --duration 1 \ --max-items 1 \ --query 'ReservedDBInstancesOfferings[].[DBInstanceClass,RecurringCharges[].RecurringChargeAmount|[0]]' [ [ "db.t1.micro", 0.023 ] ]
aws ec2 describe-instances --filters "Name=tag-key,Values=Name" \ "Name=tag-value,Values=my-host-01" \ --query "Reservations[*].Instances[*].InstanceId" \ --output table ------------------- |DescribeInstances| +-----------------+ | i-xxxxxxxx | +-----------------+
aws ec2 describe-volumes --query 'Volumes[*].{ID:VolumeId,AZ:AvailabilityZone,Size:Size}' [ { "AZ": "ap-northeast-1a", "ID": "vol-xxxxxxxx", "Size": 8 }, { "AZ": "ap-northeast-1b", "ID": "vol-xxxxxxxx", "Size": 8 } ]
aws elb describe-load-balancers \ --query "LoadBalancerDescriptions[].[DNSName,Instances[].InstanceId]" [ [ "example1-0000000000.ap-northeast-1.elb.amazonaws.com", [ "i-xxxxxxxx", "i-xxxxxxxx" ] ], [ "example2-0000000000.ap-northeast-1.elb.amazonaws.com", [ "i-xxxxxxxx" ] ] ]
aws elb describe-load-balancers \ --query "LoadBalancerDescriptions[].Instances[].[LoadBalancerDescriptions[].DNSName,InstanceId]" [ [ null, "i-xxxxxxxx" ], [ null, "i-xxxxxxxx" ] ]
aws elb describe-load-balancers \ --query "LoadBalancerDescriptions[].[LoadBalancerName,ListenerDescriptions[].Listener[].SSLCertificateId]" [ [ "example1", [ "arn:aws:iam::000000000000:server-certificate/example.com" ] ] ]
# Create or update the "test-user" profile interactively.
aws --profile test-user configure
~/.aws/config
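# The key values below are the placeholder keys used in the AWS documentation,
# not live credentials. A file that holds real keys should be readable by its
# owner only (chmod 600).
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region=us-east-1

[profile test-user]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
region=us-west-2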
# List the contents of the bucket with the credentials of the "test-user" profile.
aws --profile test-user s3 ls s3://mybucket
# Configure the CLI through environment variables instead of a profile.
# The key values are the AWS documentation placeholders. Exported variables
# are inherited by every child process of the shell, and real keys typed on
# the command line end up in shell history.
export AWS_CONFIG_FILE=~/.aws/config
export AWS_DEFAULT_REGION=us-west-2
export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE
export AWS_SECRET_ACCESS_KEY=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
export AWS_DEFAULT_OUTPUT=text
AWS ManagementConsoleのkeypairとローカルファイル(pem)を比較する場合
# Compute the SHA-1 fingerprint of the DER-encoded (PKCS#8) private key, for
# comparison with the fingerprint shown for the key pair in the console.
# The decoded key only passes through the pipe and is not written to disk.
# NOTE(review): this form matches key pairs generated by AWS; imported key
# pairs are fingerprinted differently (MD5 of the public key). Confirm which
# applies.
openssl pkcs8 -in ~/.ssh/example.pem -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c
javaだったりruby製だったりした。
# Legacy EC2 API tools: set the Name tag on an instance.
ec2-create-tags i-xxxxxxxx --tag "Name=host1.example.com"
# The same for an EBS volume.
ec2-create-tags vol-xxxxxxxx --tag "Name=host1.example.com"