AWS Notes

---

This page contains a collection of unrelated notes pertaining to AWS.

Assume-role script

Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, or the AWS_PROFILE environment variables to the user that should assume a role. Set ROLE_ARN to the Arn of the role being assumed. Finally, create a "command line" build step.

export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
    $(aws sts assume-role \
        --role-arn "${ROLE_ARN}" \
        --role-session-name "${USER}" \
        --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
        --output text))

Bulk log retention update in Powershell

This sets log retention to 1 day for all Airship lambdas.

$logGroups=(aws logs describe-log-groups --log-group-name-prefix "/aws/lambda" --query "logGroups[*].logGroupName" --output=text).Split() `
    | where {$_ -match 'lambda-lookup'} 
foreach ($logGroupName in $logGroups) {
    aws logs put-retention-policy --log-group-name $logGroupName --retention-in-days 1
}

ECS on spot instances

• Docker, Amazon ECS, and Spot Fleets: A Great Fit Together
• Auto Scaling Groups with Multiple Instance Types and Purchase Options
• Launching Spot Instances in Your Auto Scaling Group
• Terraform mixed_instances_policy for aws_autoscaling_group
• ECS Spot Fleet Demo (with drain script userdata)

Teamcity AWS assume role

Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables to the user that should assume a role. Set ROLE_ARN to the Arn of the role being assumed. Finally, create a "command line" build step that runs in the "alpine:latest" Docker container.

apk add jq
CREDENTIALS=$(aws sts assume-role --role-arn $ROLE_ARN --role-session-name teamcity  --duration-seconds 900)
mkdir - ~/.aws
echo "##teamcity[setParameter name='AWS_ACCESS_KEY_ID' value='$(echo $CREDENTIALS | jq -r .Credentials.AccessKeyId)']"
echo "##teamcity[setParameter name='AWS_SECRET_ACCESS_KEY' value='$(echo $CREDENTIALS | jq -r .Credentials.SecretAccessKey)']"
echo "##teamcity[setParameter name='AWS_SESSION_TOKEN' value='$(echo $CREDENTIALS | jq -r .Credentials.SessionToken)']"

Cross account roles

Example: https://jackiechen.org/2015/11/03/ec2-instance-cannot-assume-role-in-other-accounts/

EC2 instance metadata

Get metadata list:

$ wget -q -O- http://169.254.169.254/latest/meta-data
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-keys/
reservation-id
security-groups
services/

Get specific metadata, e.g instance-id:

$ wget -q -O- http://169.254.169.254/latest/meta-data/instance-id
i-08820e8f284ffa01a

Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

Lambda

• Deployment management: Apex