Straight to the point

Recovering SSH public key with the private key

I recently came across this situation by which the public SSH key of a server is lost and I was instructed to add the public key to other server’s authorized_hosts file to enable password less SSH authentication. However I was not allowed to create a new keypair as the old key could be in place in multiple places. This ssh-keygen command was a lifesaver.

This command will recover the public key if you have the private key with you.

ssh-keygen -y -f id_rsa_private_key_file >

Please let me know via comments if you are having trouble with this command.

Managing AWS SimpleAD from Linux

SimpleAD is a managed directory service that is powered by a Samba 4 Active Directory Compatible Server. User accounts can be created in SimpleAD to access AWS applications such as AWS Client VPN, Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail.

I have used this service for user authentication in Client VPN. One of the challenges that we faced is that the user management in SimpleAD was very biased to Windows OS and not linux. It was not a good idea to manage a Windows server just to manage users where as all the other applications are running in Linux. After some googling, I came to know about some tools which can be used to manage users in SimpleAD. But none of them are complete or easy to understand. This inspired me to write a post on the same.

Install the packages samba-common, adcli on the Linux OS by which you are trying to manage the AD.

Take note of the Directory domain name and the DNS servers from the AWS SimpleAD console UI. The below example assumes username is the user that we are administering, “password” is the password, is the directory domain and, as the DNS servers for the directory

Create User

Delete User

List users

More adcli commands can be found here

Testing cloudwatch alarm using AWS CLI

Many of us are using Cloudwatch alarms for triggering some action. It could be an SNS or a lambda function etc. We can use this AWS CLI command to temporarily set cloudwatch alarm state for testing purposes.

We can change the state of the alarm “MyalarmName” to ALARM as follows.

The alarm returns to actual state usually within seconds.

Increase session duration of AWS CLI while assuming role

This will be useful for you if you are using profile in aws CLI configuration files for switching roles with 2FA enabled. An example configuration as follows.

As per the example configuration above, we can execute AWS CLI commands in multiple AWS accounts by specifying the profile. I am not explaining the Role switching setup here. Consider the scenario, If you have a 2FA configured as mandatory while doing a role switch, we have to enter the 2FA token for running AWS commands every one hour even though the session duration set for the role is more than that. We can avoid this by appending the following parameter in the AWS config.

So, the whole code block will look like this

43200 seconds(12 hours) is the maximum that we can set . Make sure to adjust the role’s maximum session duration in IAM as well for this to work.

We can verify by this by checking the expiration date in the aws cli cache JSON file which will be residing inside the .aws/cli/cache path.

This parameter works well if you are using sessions in boto3 as well.

Redirect a route53 domain to another domain using S3

If you recently migrated your domain & DNS records from some third party domain registrar to AWS Route 53, you might be searching a way to configure a simple redirect of the apex (root) domain to an external domain. Many companies used to buy all the popular TLDs of their domains to avoid cybersquatting. All of those domains will be configured with a simple redirect to the main domain. It was easy while using the domain registrar’s DNS service as we were able to configure the redirect there with ease.

But, when using Route53, there is no direct way to do this. We can make use of S3 service to do this. In this example, I am trying to redirect to Assuming, we already have a hosted zone for

  • Create an S3 bucket with the name of domain “”
  • Please note that S3 bucket names must be globally unique. If the bucket name you need is already taken, you can’t use S3 for redirection and this documentation won’t be applicable for you. You may use other work arounds like redirection using a webserver in backend.
  • Go to properties and select “Static web hosting”
  • From the dropdown, select Redirect all requests to another host name.
  • Enter here and protocol (HTTP or HTTPS) and save it
  • Go to Route53 and select the hosted zone for
  • Create a record for with the below values

That’s it. You might need to wait for some time for the DNS propagation. Normally, the redirect will be enabled quickly. If your bucket endpoint is not populating while creating the record, Please wait for some more minutes, refresh the page and try again.

Find out which role is used when an AWS CLI command is called

This is very useful if you are running an AWS command on an ec2 instance which is using an IAM role or instance profile and you would like to verify if it is using the intended role.  

aws sts get-caller-identity

Access denied when using GRANT ALL ON *.* in AWS RDS Mysql

I was totally unaware about the fact that even a master account doesn’t have all the privileges in an RDS database(MySQL) until I got stuck with this issue. Today, I was asked to create a secondary admin user in one of our production DB with all privileges. The MySQL DB instance was running in AWS RDS. I tried the following command

I got the above error while trying to grant all privileges. I was sure about the command because the same command was working fine for non-RDS mysql instances. Few minutes of googling has given me the fix.


In order to protect the instance itself, RDS doesn’t allow even the master account to access to the mysql database. The mysql.* tables are considered off-limits here since I don’t have access to the mysql.* tables which are restricted by Amazon.  I can’t grant permissions on *.* since that would match MySQL, and %.* appears to not match those system tables.

So, the quick fix is to use %.* instead of *.*. 

The _ and % wildcards are permitted when specifying DB names in GRANT statements that grant privileges at the global or database levels.



Simulate upstream proxy timeout using nodejs

This is something that I have came across while tuning an nginx server which has multiple tomcat instances as upstream. We were trying to adjust the read timeout of the upstream proxies. It is hard to simulate this by stopping the backend as it will throw a 503 bad gateway. So, for simulating this, we used a nodejs script.

« Older posts

© 2020 Devopslife

Theme by Anders NorenUp ↑