#aws (2020-04)

aws Discussion related to Amazon Web Services (AWS) Archive: https://archive.sweetops.com/aws/

2020-04-08

PePe avatar

Hi, We have been using SSM parameter store and chamber with cloudposse modules and everything is good but now we have multiple teams that need access to RDS and we have testing users added in and we added the password to Parameter store and we allow each user to assume a role that can decrypt and read the parameter but it is pretty cumbersome and prone to user error. We have been looking at RDS IAM auth which is too cumbersome so I was wondering what you guys will recommend in this situation? I thought about setting the users with chamber to read the secrets or something like that

Mikael Fridh avatar
Mikael Fridh

IAM auth too cumbersome because of the work on the back-end or because of the effort needed on your (potentially diverse) set of clients?

PePe avatar

this is a people problem mostly

PePe avatar

people have a hard time using assume role policies and such

PePe avatar

in my side I have everything setup with assume role and it works

PePe avatar

but people have to do a bunch of steps to just read a password for testing

Mikael Fridh avatar
Mikael Fridh

Is it a people or a tooling problem? …

Mikael Fridh avatar
Mikael Fridh

If the diversity in client software isn’t too large - usually you can “help out” provide tooling..

PePe avatar

I used hashicorp Vault before and with vault you need to use the client or know how to make a curl request

Mikael Fridh avatar
Mikael Fridh

If it’s more or less a “free-for-all” on the client side, you really have to try to strip out the complexity on the back-end instead

PePe avatar

you are thinking too far

PePe avatar

this is way before any software is written

Mikael Fridh avatar
Mikael Fridh

So it’s even on the basic “accessing credentials” level.. for human consumption of said credential?

PePe avatar

is like “hey I need to access this Mysql for the software I need to write, ok so I will test the connectivity first, o I need a user and pass”

PePe avatar

correct

Mikael Fridh avatar
Mikael Fridh

Well, can you instead curate a few preferred tools for doing so?

“reveal-my-credentials.sh” “mysql-client-wrapper.sh” “my-mysql-proxy.sh”

Mikael Fridh avatar
Mikael Fridh

consider providing a docker which gives them a local unauthed mysql proxy on 127.0.0.1

Mikael Fridh avatar
Mikael Fridh

abstract all the horrible things in a “docker-proxy” …

Mikael Fridh avatar
Mikael Fridh

(sorry for just spitballing’ :D)

Mikael Fridh avatar
Mikael Fridh

I think it’s an interesting problem but I don’t have an immediate solution.

PePe avatar

it has to be very easy for them to do, that is one problem

PePe avatar

imagine that they had issues doing this on the console….

Mikael Fridh avatar
Mikael Fridh

Can they run docker? ..

PePe avatar

they could yes

randomy avatar
randomy
nrkno/terraform-provider-lastpass

Terraform Lastpass provider. Contribute to nrkno/terraform-provider-lastpass development by creating an account on GitHub.

camptocamp/terraform-provider-pass

Pass Terraform provider. Contribute to camptocamp/terraform-provider-pass development by creating an account on GitHub.

anasinnyk/terraform-provider-1password

Terraform provider for 1Password. Contribute to anasinnyk/terraform-provider-1password development by creating an account on GitHub.

randomy avatar
randomy

(i have not used any of those providers, nor do i know if those services work well for teams)

randomy avatar
randomy

it sounds like you just want to make passwords really easy for people to access, which isn’t a problem specific to RDS

PePe avatar

but we do not have company wide contract for those tools

randomy avatar
randomy

pass is open source, can be backed by git for syncing, and has an ios client

randomy avatar
randomy

i’m not saying it’s definitely the way to go, just an avenue to consider

PePe avatar

absolutely

Vlad Ionescu avatar
Vlad Ionescu

I did a thing which might be relevant to y’all: <https://twitter.com/iamvlaaaaaaad/status/1247929989137403905> ( hope useful self-promotion is allowed here — if I’ve failed please let me know )

attachment image

How fast do containers scale up in AWS?

Is ECS faster than EKS? What about Fargate? Is there a speed difference between Fargate on ECS and Fargate on EKS?

Now we know! The results are what matters, but for the curious, full blog post at https://www.vladionescu.me/posts/scaling-containers-in-aws.html https://pbs.twimg.com/media/EVE3dX-UEAAIz8M.jpg

randomy avatar
randomy

Great work!

sweetops avatar
sweetops

Anyone here have experience with NLBs? I’m looking at trying to expose an elasticache redis instance to the internet by putting an NLB in front of it

sweetops avatar
sweetops

The NLB’s target group sees the redis instance as healthy, using an IP target and TCP health check. But hitting the NLB with redis-cli ping, I get a timeout

sweetops avatar
sweetops

I’m sure there’s a reason why this won’t work, and just curious what it is

sweetops avatar
sweetops

do NLBs handle the egress traffic as well as the ingress? Or does an NLB only handle ingress?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Amazon Elastic Container Service now supports Amazon EFS file systems | Amazon Web Services attachment image

It has only been five years since Jeff wrote on this blog about the launch of the Amazon Elastic Container Service. I remember reading that post and thinking how exotic and unusual containers sounded. Fast forward just five years, and containers are an everyday part of most developers lives, but whilst customers are increasingly adopting […]

randomy avatar
randomy

Ooh this seems like a big deal

randomy avatar
randomy

Fargate becomes viable for more things

2020-04-07

Abel Luck avatar
Abel Luck

I’m looking for scripts to make 2 common AWS actions easier:

  1. A script to simplify starting a session on an instance, ideally something that lists instances, autocompletes names, etc.
  2. A script that will 1) execute a state manager association and then poll until it finishes and output the log (from the s3 bucket) to my console

Anyone know if something like these exist?

ikar avatar
pmazurek/aws-fuzzy-finder

SSH into instances using fuzzy search. Contribute to pmazurek/aws-fuzzy-finder development by creating an account on GitHub.

randomy avatar
randomy

https://github.com/claranet/ssha it’s project based, so each project defines a settings file with the relevant settings (like aws profile to use, filters for environments, etc). you cd into the project repo and run ssha and then browse through the instances and connect to one.

claranet/ssha

SSH into AWS EC2 instances. Contribute to claranet/ssha development by creating an account on GitHub.

randomy avatar
randomy

(we have hundreds of AWS profiles with various projects and environments so being project/settings-file based is very helpful in our case)

Zach avatar
gjbae1212/gossm

Interactive CLI tool that you can connect to ec2 using commands same as start-session, ssh in AWS SSM Session Manager - gjbae1212/gossm

androogle avatar
androogle
danmx/sigil

AWS SSM Session manager client. Contribute to danmx/sigil development by creating an account on GitHub.

PePe avatar
claranet/sshm

Easy connect on EC2 instances thanks to AWS System Manager Agent. Just use your ~/.aws/profile to easily select the instance you want to connect on. - claranet/sshm

Mikael Fridh avatar
Mikael Fridh

So many to choose from

Mikael Fridh avatar
Mikael Fridh
xen0l/aws-gate

Better AWS SSM Session manager CLI client . Contribute to xen0l/aws-gate development by creating an account on GitHub.

Abel Luck avatar
Abel Luck

Awesome

What about a tool for #2?

Running and outputting logs from state manager associations

Zach avatar

what are you trying to get? the console session logs?

Abel Luck avatar
Abel Luck

not session manager logs, but the output of associations, in our case the results of running ansible playbooks

Zach avatar

not really sure what ‘state association’ is in this case…

> the results of running ansible playbooks

Have you looked at ARA? https://ara.readthedocs.io/en/latest/

Abel Luck avatar
Abel Luck

I could write a script I suppose, wouldn’t be too difficult:

• input state association id

• trigger association

• get execution id for the association

• poll for it to complete

• get execution output s3 directory

• fetch file from s3

• print file to console

Abel Luck avatar
Abel Luck

State Manager Associations are found in: AWS Console > Systems Manager > State Manager

Zach avatar

ahh - we only use systems manager for the Session connection and param store, so I’m not familiar with the rest of it. But ARA is a good tool for looking at the output of Ansible runs (just stick to the ara-api server for now, the ara-web is behind on development)

2020-04-06

2020-04-03

sahil kamboj avatar
sahil kamboj

Hey Folks i need to make docker swarm cluster on EC2 with auto scaling in Terraform scripts how can i add new scaled up Ec2 to docker manager setup

Mikhail Naletov avatar
Mikhail Naletov

What is docker manager?

Mikhail Naletov avatar
Mikhail Naletov

Do you mean add to docker swarm cluster?

In this case you should use userdata.

sahil kamboj avatar
sahil kamboj

yes

Mikhail Naletov avatar
Mikhail Naletov

something like this

Mikhail Naletov avatar
Mikhail Naletov
How to pass docker swarm manager token to worker nodes in AWS using Terraform

I am trying to create a Docker Swarm cluster using Terraform, I created 1 manager and 3 worker nodes. I installed Docker and initiated the Docker Swarm and created the manager token. How can I for…

sahil kamboj avatar
sahil kamboj

Thnx for help got it

sahil kamboj avatar
sahil kamboj

NOOB here please help

David avatar
David

How can I update an RDS master password in a way that my backend connections don’t have downtime? We currently are passing in the database URI onto our servers via an SSM param

PePe avatar

you need to restart the writer for that?

PePe avatar

I will recommend to use Secret manager integration to autorotate passwords

maarten avatar
maarten

You can create a new user with similar permissions, configure these credentials at the clients. Then you can change the master password as much as you want without causing downtime.

Abel Luck avatar
Abel Luck

Yea, this is what we do. We don’t use the RDS master password for anything except creating roles and databases for our apps. FWIW we use the postgresql ansible modules for this.

grv avatar

Hey guys, IAM related question. Suppose company A aws account has for instance three users who access the company A aws accounts using company SSO (auth linked to Azure AD). These 3 users additionally want access to a different company B AWS account (access to S3 buckets in company B account, both read/write). Requirement is, to use the SSO based credentials of company A. How can this be achieved? Requirement is NOT to create separate IAM users in company A (and then trusted relationship), but to use SSO based temp credentials (24 hour tokens). Does anyone have any insight on how it can be achieved?

David Scott avatar
David Scott

The easiest implementation would be for company B to create roles for people from Company A to use. In those roles the assume role policy would allow the SSO-linked Roles from company A to assume the role in company B.

David Scott avatar
David Scott

This article goes over cross-account role assumption and permissions. It talks about dev/prod accounts, but the fundamentals of cross-account role assumption in it still apply to your situation.

Tutorial: Delegate Access Across AWS Accounts Using IAM Roles - AWS Identity and Access Management

Learn the steps for delegating API access in your AWS account to an AWS Identity and Access Management (IAM) user in another account. (First of four).

maarten avatar
maarten

Besides cross account roles you can use bucket policies: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

For Federation I would look into Okta if I were you, they can maybe also supply temporary access credentials. Okta can work together with Azure AD and AWS.

grv avatar

thanks for the input guys. We don’t use okta.. too pricey for us haha

2020-04-02
