Straight to the point

Testing cloudwatch alarm using AWS CLI

Many of us are using Cloudwatch alarms for triggering some action. It could be an SNS or a lambda function etc. We can use this AWS CLI command to temporarily set cloudwatch alarm state for testing purposes.

We can change the state of the alarm “MyalarmName” to ALARM as follows.

The alarm returns to actual state usually within seconds.

Increase session duration of AWS CLI while assuming role

This will be useful for you if you are using profile in aws CLI configuration files for switching roles with 2FA enabled. An example configuration as follows.

As per the example configuration above, we can execute AWS CLI commands in multiple AWS accounts by specifying the profile. I am not explaining the Role switching setup here. Consider the scenario, If you have a 2FA configured as mandatory while doing a role switch, we have to enter the 2FA token for running AWS commands every one hour even though the session duration set for the role is more than that. We can avoid this by appending the following parameter in the AWS config.

So, the whole code block will look like this

43200 seconds(12 hours) is the maximum that we can set . Make sure to adjust the role’s maximum session duration in IAM as well for this to work.

We can verify by this by checking the expiration date in the aws cli cache JSON file which will be residing inside the .aws/cli/cache path.

This parameter works well if you are using sessions in boto3 as well.

Redirect a route53 domain to another domain using S3

If you recently migrated your domain & DNS records from some third party domain registrar to AWS Route 53, you might be searching a way to configure a simple redirect of the apex (root) domain to an external domain. Many companies used to buy all the popular TLDs of their domains to avoid cybersquatting. All of those domains will be configured with a simple redirect to the main domain. It was easy while using the domain registrar’s DNS service as we were able to configure the redirect there with ease.

But, when using Route53, there is no direct way to do this. We can make use of S3 service to do this. In this example, I am trying to redirect to Assuming, we already have a hosted zone for

  • Create an S3 bucket with the name of domain “”
  • Please note that S3 bucket names must be globally unique. If the bucket name you need is already taken, you can’t use S3 for redirection and this documentation won’t be applicable for you. You may use other work arounds like redirection using a webserver in backend.
  • Go to properties and select “Static web hosting”
  • From the dropdown, select Redirect all requests to another host name.
  • Enter here and protocol (HTTP or HTTPS) and save it
  • Go to Route53 and select the hosted zone for
  • Create a record for with the below values

That’s it. You might need to wait for some time for the DNS propagation. Normally, the redirect will be enabled quickly. If your bucket endpoint is not populating while creating the record, Please wait for some more minutes, refresh the page and try again.

Find out which role is used when an AWS CLI command is called

This is very useful if you are running an AWS command on an ec2 instance which is using an IAM role or instance profile and you would like to verify if it is using the intended role.  

aws sts get-caller-identity

Access denied when using GRANT ALL ON *.* in AWS RDS Mysql

I was totally unaware about the fact that even a master account doesn’t have all the privileges in an RDS database(MySQL) until I got stuck with this issue. Today, I was asked to create a secondary admin user in one of our production DB with all privileges. The MySQL DB instance was running in AWS RDS. I tried the following command

I got the above error while trying to grant all privileges. I was sure about the command because the same command was working fine for non-RDS mysql instances. Few minutes of googling has given me the fix.


In order to protect the instance itself, RDS doesn’t allow even the master account to access to the mysql database. The mysql.* tables are considered off-limits here since I don’t have access to the mysql.* tables which are restricted by Amazon.  I can’t grant permissions on *.* since that would match MySQL, and %.* appears to not match those system tables.

So, the quick fix is to use %.* instead of *.*. 

The _ and % wildcards are permitted when specifying DB names in GRANT statements that grant privileges at the global or database levels.



Simulate upstream proxy timeout using nodejs

This is something that I have came across while tuning an nginx server which has multiple tomcat instances as upstream. We were trying to adjust the read timeout of the upstream proxies. It is hard to simulate this by stopping the backend as it will throw a 503 bad gateway. So, for simulating this, we used a nodejs script.

Fix 404 error for permalinks while using SSL in wordpress

This was an issue I have faced while setting up this blog. I was getting 404 errors for all the post links in this blog when selecting the non default permalink structure with SSL. 

First thing I tried was to regenerate the .htaccess file. Removed the existing .htaccess file in the WordPress root folder. Regenerated the file by switching  the permalink again. That didnt worked for me. The fix was something with the web sever level. Finally, I found the fix. 

The directory tag is required in ssl virtual host config of apache same as of http port 80, to allow override redirect rules using .htaccess of wordpress.


Thanks to this digitalocean thread 

Monitor ECS agent uptime using crontab and SNS

The Amazon ECS container agent allows container instances to connect to your cluster. If this agent is down for some reason, deployments to the service won’t be reflected in the instance and can cause discrepancy.
Here is a one-liner to check if ECS agent container is running. If it is not running, we are making use of AWS SNS service to send a notification to a topic.
if [ -z $(docker ps -f “name=ecs-agent” -f “status=running” -q) ]; then /usr/bin/aws –region=us-east-1 sns publish –topic-arn “arn:aws:sns:us-east-1:123456789012:Topicname” –message “ECS Agent is not running in $HOSTNAME.”; fi
Make sure that the instance role has permissions to publish to the required topic and the topic is already configured.
« Older posts

© 2019 Devopslife

Theme by Anders NorenUp ↑