
assume role mit aws cli


title: “assume role mit aws cli”
date: 2023-05-10T08:13:41
slug: assume-role-mit-aws-cli


Die Rolle, die man annehmen will: arn:aws:iam::224945782113:role/SystemsSquad

# returns short-lived credentials for the role (AccessKeyId, SecretAccessKey,
# SessionToken and an Expiration); the session name becomes part of the
# assumed-role ARN shown in the output below
aws sts assume-role --role-arn arn:aws:iam::224945782113:role/SystemsSquad --role-session-name tasanger-test

Output:

{
"Credentials": {
"AccessKeyId": "ASIATIX6QHVQ6M4KNHHD",
"SecretAccessKey": "Gg6aYXn1Z0MGUmdewe/niVAy/Y6m6uI8pGZEkSbD",
"SessionToken": "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",
"Expiration": "2023-05-10T09:11:38+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROATIX6QHVQXONL4U6E2:tasanger-test",
"Arn": "arn:aws:sts::224945782113:assumed-role/SystemsSquad/tasanger-test"
}
}

In ~/.aws/credentials eintragen:

[tasanger-test]
aws_access_key_id=ASIATIX6QHVQ6M4KNHHD
aws_secret_access_key=Gg6aYXn1Z0MGUmdewe/niVAy/Y6m6uI8pGZEkSbD
aws_session_token=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
aws_expiration=2023-05-10T17:05:00.000Z

Temporäres Profil in ~/.aws/config anlegen:

[profile tasanger-test]
region=eu-central-1

aws cli mit dem temporären Profil aufrufen:

# --profile picks the temporary credentials from ~/.aws/credentials and the
# region from the matching [profile ...] section in ~/.aws/config
aws --profile tasanger-test cloudwatch list-metrics --namespace AWS/WAFV2

aws cloudwatch get-metric-statistics


title: “aws cloudwatch get-metric-statistics”
date: 2023-05-09T11:31:10
slug: aws-cloudwatch-get-metric-statistics


# hourly (--period 3600) Maximum of ACUUtilization across the AWS/RDS namespace
# for the 12-hour window given by --start-time/--end-time (UTC)
aws cloudwatch get-metric-statistics --namespace AWS/RDS --metric-name ACUUtilization --start-time 2023-05-09T00:00:00Z --end-time 2023-05-09T12:00:00Z --period 3600  --statistics Maximum

Mit Dimensions:

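# same query restricted to one cluster via --dimensions; the page rendering had
# split this command across two lines ("36" / "00") and dropped the leading "a"
aws cloudwatch get-metric-statistics --namespace AWS/RDS --metric-name ACUUtilization --start-time 2023-05-09T00:00:00Z --end-time 2023-05-09T12:00:00Z --period 3600  --statistics Average --dimensions Name=DBClusterIdentifier,Value=podcast-serverless-db-dev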

Generate a CLI skeleton:

# prints an empty JSON input template for this call (to fill in and pass back
# with --cli-input-json); nothing is sent to the service
aws cloudwatch get-metric-statistics --generate-cli-skeleton

AWS Gitlab Runner Launch Template


title: “AWS Gitlab Runner Launch Template”
date: 2022-11-24T09:36:52
slug: aws-gitlab-runner-launch-template


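#!/bin/bash
# EC2 launch-template user data for a GitLab runner (docker executor).
#
# In order:
#   1. export every key/value of the JSON below as environment variables
#      (the '{}' is the injection point; empty here),
#   2. install docker-ce (pinned), gitlab-runner and awscli (pinned),
#   3. set up cron jobs for docker pruning and hourly ECR login refresh,
#   4. log in to any extra registries listed in DOCKER_LOGIN,
#   5. register the runner, then start node-exporter and cadvisor.
#
# There is deliberately no `set -e`: every step is best-effort and a failing
# command does not stop the rest of the script, as in the original.

# export environment variables from JSON
# these can be used by all subsequent programs
apt-get update
apt-get -y install jq
# read the jq output line by line instead of word-splitting it, so a value
# containing spaces is still exported as one KEY=value assignment
while IFS= read -r kv; do
  export "$kv"
done < <(echo '{}' | jq -r 'to_entries|map("\(.key)=\(.value|tostring)")|.[]')
echo "10.98.195.195 gitlab.netrtl.com" >> /etc/hosts
# vendor install script executed straight from the network; -f makes curl fail
# on an HTTP error instead of piping an error page into bash
curl -fsSL https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh | bash
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
apt-get update
apt-get -y install docker-ce=5:19.03.14~3-0~ubuntu-bionic docker-ce-cli=5:19.03.14~3-0~ubuntu-bionic gitlab-runner python3-pip
pip3 install awscli==1.16.59
usermod -aG docker gitlab-runner
usermod -aG docker ubuntu
# daily cleanup of unused images, containers and volumes
printf '%s\n' '#!/bin/sh' 'docker system prune --all --volumes --force' > /etc/cron.daily/docker
chmod +x /etc/cron.daily/docker
# The central registry which sits in eu-west-1.
# `aws ecr get-login` is what the pinned awscli 1.16.x provides; the hourly
# cron job re-runs the docker login it prints.
printf '%s\n' '#!/bin/sh' \
  "/usr/local/bin/aws ecr get-login --no-include-email --region eu-west-1 --registry-ids 922307086101 | sh -" \
  > /etc/cron.hourly/refresh-ecr-tokens
# Extra registries in eu-central-1.
chmod +x /etc/cron.hourly/refresh-ecr-tokens
# DOCKER_LOGIN: comma-separated list of "USER|PASS|REGISTRY" triples (empty here)
DOCKER_LOGIN=''
if [[ -n "${DOCKER_LOGIN}" ]]; then
  IFS=',' read -r -a DOCKER_LOGIN_ARR <<< "${DOCKER_LOGIN}"
  for DOCKER_LOGIN_ITEM in "${DOCKER_LOGIN_ARR[@]}"; do
    IFS='|' read -r -a LOGIN_ARR <<< "${DOCKER_LOGIN_ITEM}"
    if [[ ${#LOGIN_ARR[@]} -eq 3 ]]; then
      USER="${LOGIN_ARR[0]}"
      PASS="${LOGIN_ARR[1]}"
      REGISTRY="${LOGIN_ARR[2]}"
      # log user and registry only; echoing the whole item would write the
      # password into the user-data log
      echo LOGIN ITEM: "${USER}@${REGISTRY}"
      # password on stdin rather than argv, so it is not visible in `ps`
      printf '%s' "${PASS}" | docker login --username "${USER}" --password-stdin "${REGISTRY}"
    else
      echo "could not parse login: ${DOCKER_LOGIN_ITEM}"
      echo "expected \"{USER}|{PASS}|{REGISTRY}\""
    fi
  done
fi
# Login to registries.
bash /etc/cron.hourly/refresh-ecr-tokens
# NOTE(review): the registration token is hardcoded in the template; it
# presumably belongs in the JSON exported at the top — confirm.
# Jobs get the host docker socket mounted, which is equivalent to root on this
# instance, and --locked=false lets any project use the runner.
gitlab-runner register --non-interactive --locked=false --url "https://gitlab.netrtl.com/" \
  --registration-token "z3gsKxs4_-e79bV4keyX" --description "runner podcast-squad-embed-player-$(hostname)" --executor docker \
  --tag-list "env-preprod,podcast-squad-embed-player" --docker-image "ubuntu:18.04" \
  --access-level="not_protected" \
  --docker-volumes /var/run/docker.sock:/var/run/docker.sock \
  --docker-pull-policy always --docker-extra-hosts "gitlab.netrtl.com:10.98.195.195" \
  --limit 0
# template toggles, both disabled in this rendering
if false; then
  sed -i -e 's/privileged = false/privileged = true/' /etc/gitlab-runner/config.toml
fi
if false; then
  sed -i -e '/\[session_server\]/a\ \ listen_address = "0.0.0.0:8093"' /etc/gitlab-runner/config.toml
fi
systemctl restart gitlab-runner
systemctl enable gitlab-runner
# host metrics (node-exporter) and container metrics (cadvisor on :8080)
docker run -d --restart='always' --name=node_exporter --net='host' --pid='host' -v '/:/host:ro,rslave' quay.io/prometheus/node-exporter:v0.16.0 --path.procfs /host/proc --path.sysfs /host/sys
docker run -d --restart='always' --name=cadvisor -v '/:/rootfs:ro' -v '/var/run:/var/run:ro' -v '/sys:/sys:ro' -v '/var/lib/docker/:/var/lib/docker:ro' -v '/dev/disk/:/dev/disk:ro' -p 8080:8080 google/cadvisor:v0.32.0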

gvisor under eks


title: “gvisor under eks”
date: 2022-02-09T16:22:29
slug: gvisor-under-eks


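# assumes $eks_key is the private key file and $gVisor_node_EIP the node's
# public IP — both set in the shell beforehand; quoted so a path with spaces works
ssh -i "$eks_key" ec2-user@"$gVisor_node_EIP"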

cat kubelet.service

[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service iptables-restore.service
Requires=docker.service
[Service]
ExecStartPre=/sbin/iptables -P FORWARD ACCEPT -w 5
ExecStart=/usr/bin/kubelet --cloud-provider aws \
--config /etc/kubernetes/kubelet/kubelet-config.json \
--kubeconfig /var/lib/kubelet/kubeconfig \
--container-runtime remote \
--network-plugin cni $KUBELET_ARGS $KUBELET_EXTRA_ARGS
Restart=always
RestartSec=5
KillMode=process
[Install]
WantedBy=multi-user.target
$ sudo systemctl daemon-reload
$ sudo systemctl restart kubelet

Install latest gvisor release

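# download runsc and its containerd shim for this architecture, verify the
# published SHA-512 sums and install both into /usr/local/bin; the subshell
# keeps `set -e` from affecting the calling shell
(
  set -e
  ARCH=$(uname -m)
  URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"
  wget "${URL}/runsc" "${URL}/runsc.sha512" \
    "${URL}/containerd-shim-runsc-v1" "${URL}/containerd-shim-runsc-v1.sha512"
  # integrity check only: the .sha512 files come from the same location as the
  # binaries, so this catches a corrupted download, not a substituted release
  sha512sum -c runsc.sha512 containerd-shim-runsc-v1.sha512
  rm -f -- *.sha512
  chmod a+rx runsc containerd-shim-runsc-v1
  sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
)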

Install gvisor-containerd-shim

$ git clone https://github.com/google/gvisor-containerd-shim.git
$ cd gvisor-containerd-shim
$ make
$ sudo make install

cat kubelet.service.d/10-kubelet-args.conf

[Service]
Environment='KUBELET_ARGS=--node-ip=10.0.1.14 --pod-infra-container-image=602401143452.dkr.ecr.eu-central-1.amazonaws.com/eks/pause:3.1-eksbuild.1 --v=2 --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock'
mkdir /etc/containerd/
cat <
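# tag the node so pods can be scheduled onto the gVisor runtime by label;
# $gVisor_node_name is set in the shell beforehand
kubectl label node "$gVisor_node_name" runtime=gvisor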
cat <
cat <

What are the default usernames for Amazon EC2 Linux instances


title: “What are the default usernames for Amazon EC2 Linux instances”
date: 2022-02-09T08:55:56
slug: what-are-the-default-usernames-for-amazon-ec2-linux-instances


For Amazon Linux 2 or the Amazon Linux AMI, the user name is ec2-user.
For a CentOS AMI, the user name is centos.
For a Debian AMI, the user name is admin.
For a Fedora AMI, the user name is ec2-user or fedora.
For a RHEL AMI, the user name is ec2-user or root.
For a SUSE AMI, the user name is ec2-user or root.
For an Ubuntu AMI, the user name is ubuntu.

aws cli cheatsheet


title: “aws cli cheatsheet”
date: 2022-02-07T14:05:59
slug: aws-cli-cheatsheet


List images created on or after 2016-04-01

# JMESPath filter: the backtick-quoted value is a literal, compared as a string
# against CreationDate; the trailing [] flattens the result
aws ec2 describe-images --query 'Images[?CreationDate>=`2016-04-01`][]'

List Instances

# human-readable table instead of the configured output format (JSON by default)
aws ec2 describe-instances --output table