Devopslife

Straight to the point

Category: AWS

Testing cloudwatch alarm using AWS CLI

Many of us are using Cloudwatch alarms for triggering some action. It could be an SNS or a lambda function etc. We can use this AWS CLI command to temporarily set cloudwatch alarm state for testing purposes.

We can change the state of the alarm “MyalarmName” to ALARM as follows.

The alarm returns to actual state usually within seconds.

Increase session duration of AWS CLI while assuming role

This will be useful for you if you are using profile in aws CLI configuration files for switching roles with 2FA enabled. An example configuration as follows.

As per the example configuration above, we can execute AWS CLI commands in multiple AWS accounts by specifying the profile. I am not explaining the Role switching setup here. Consider the scenario, If you have a 2FA configured as mandatory while doing a role switch, we have to enter the 2FA token for running AWS commands every one hour even though the session duration set for the role is more than that. We can avoid this by appending the following parameter in the AWS config.

So, the whole code block will look like this

43200 seconds(12 hours) is the maximum that we can set . Make sure to adjust the role’s maximum session duration in IAM as well for this to work.

We can verify by this by checking the expiration date in the aws cli cache JSON file which will be residing inside the .aws/cli/cache path.

This parameter works well if you are using sessions in boto3 as well.

Redirect a route53 domain to another domain using S3

If you recently migrated your domain & DNS records from some third party domain registrar to AWS Route 53, you might be searching a way to configure a simple redirect of the apex (root) domain to an external domain. Many companies used to buy all the popular TLDs of their domains to avoid cybersquatting. All of those domains will be configured with a simple redirect to the main domain. It was easy while using the domain registrar’s DNS service as we were able to configure the redirect there with ease.

But, when using Route53, there is no direct way to do this. We can make use of S3 service to do this. In this example, I am trying to redirect example.org to example.com. Assuming, we already have a hosted zone for example.com.

  • Create an S3 bucket with the name of domain “example.org”
  • Please note that S3 bucket names must be globally unique. If the bucket name you need is already taken, you can’t use S3 for redirection and this documentation won’t be applicable for you. You may use other work arounds like redirection using a webserver in backend.
  • Go to properties and select “Static web hosting”
  • From the dropdown, select Redirect all requests to another host name.
  • Enter example.com here and protocol (HTTP or HTTPS) and save it
  • Go to Route53 and select the hosted zone for example.org
  • Create a record for example.org with the below values

That’s it. You might need to wait for some time for the DNS propagation. Normally, the redirect will be enabled quickly. If your bucket endpoint is not populating while creating the record, Please wait for some more minutes, refresh the page and try again.

Find out which role is used when an AWS CLI command is called

This is very useful if you are running an AWS command on an ec2 instance which is using an IAM role or instance profile and you would like to verify if it is using the intended role.  

aws sts get-caller-identity

Access denied when using GRANT ALL ON *.* in AWS RDS Mysql

I was totally unaware about the fact that even a master account doesn’t have all the privileges in an RDS database(MySQL) until I got stuck with this issue. Today, I was asked to create a secondary admin user in one of our production DB with all privileges. The MySQL DB instance was running in AWS RDS. I tried the following command

I got the above error while trying to grant all privileges. I was sure about the command because the same command was working fine for non-RDS mysql instances. Few minutes of googling has given me the fix.

 

In order to protect the instance itself, RDS doesn’t allow even the master account to access to the mysql database. The mysql.* tables are considered off-limits here since I don’t have access to the mysql.* tables which are restricted by Amazon.  I can’t grant permissions on *.* since that would match MySQL, and %.* appears to not match those system tables.

So, the quick fix is to use %.* instead of *.*. 

The _ and % wildcards are permitted when specifying DB names in GRANT statements that grant privileges at the global or database levels.

 

References

https://dev.mysql.com/doc/refman/8.0/en/grant.html

http://www.fidian.com/problems-only-tyler-has/using-grant-all-with-amazons-mysql-rds

© 2019 Devopslife

Theme by Anders NorenUp ↑