Using aws-cli to set IP rules.
The Problem
I have been trying out the AWS free tier for about 4 months, running up AMIs in my spare time and getting a really nice 1GB Debian image.
Anyway, I was always annoyed at having to set the remote source IP for ssh or have an open cidr-ip. So after being told about aws-cli I git cloned it and tried out the options.
What I did.
The aws ec2 authorize-security-group-ingress help documented the requirements as being in JSON format; this just didn't work. It turned out that the older 0.44 deprecated options worked; how long these deprecated options keep working is anyone's guess.
With these options I wrote the following script and placed the other options in an ~/.aws config file.
#!/bin/bash
# First version: the option names used below stopped working after an
# aws-cli update (see the edit further down).
IP=$(wget -qO - http://checkip.dyndns.com/ | \
cut -d' ' -f6 | cut -d'<' -f1 )
REGION="ap-southeast-2"
echo "$IP"
export AWS_CONFIG_FILE=~/.aws
export AWS_DEFAULT_REGION=$REGION
# Broken: deprecated 0.x option names
aws ec2 authorize-security-group-ingress --group-id GROUP_TO_ACCESS \
--ip-protocol tcp --from-port 22 --to-port 22 --cidr-ip "$IP/32"
exit 0
Edit. Of course AWS had changed their API and broken the previous version. The changed code is below.
#!/bin/bash
IP=$(wget -qO - http://checkip.dyndns.com/ | \
cut -d' ' -f6 | cut -d'<' -f1 )
echo "Opening port 22 $IP/32"
# The variable has to be exported, otherwise the aws process never sees it.
export AWS_CONFIG_FILE=~/.aws
aws ec2 authorize-security-group-ingress --group-id sg-d79809ed --protocol tcp --port 22 --cidr "$IP/32"
exit 0
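Two things the script above leaves open: every run adds another /32 rule to the group (nothing revokes the previous one), and whatever the plain-HTTP lookup returns is passed straight into the security group. The script below is an added example, not the post's own code. It parses the lookup HTML with sed instead of relying on word position, refuses anything that is not a valid IPv4 address, and revokes the CIDR it authorised last time before adding the new one. The state file path, the AWS variable (set AWS=echo for a dry run), the lookup URL and the group id being passed as the first argument are all assumptions of this example; credentials and region are taken from the ~/.aws file the way the post does.

```sh
#!/bin/sh
# Added example (not from the post): keep exactly one SSH ingress rule for the
# current public IP. Assumed/hypothetical: state file location, AWS override,
# lookup URL and the group id passed as $1.
set -eu

AWS=${AWS:-aws}                                    # AWS=echo to dry-run
STATE_FILE=${STATE_FILE:-${HOME:-.}/.ssh-ingress-cidr}   # last authorised CIDR
PORT=${PORT:-22}
IP_LOOKUP_URL=${IP_LOOKUP_URL:-http://checkip.dyndns.com/}
export AWS_CONFIG_FILE=${AWS_CONFIG_FILE:-${HOME:-.}/.aws}

# Pull the dotted quad out of "Current IP Address: x.x.x.x" HTML on stdin.
# Prints nothing if the page does not contain that phrase.
extract_ip() {
    sed -n 's/.*Current IP Address: \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Accept only four dot-separated numbers, each 0..255, before anything
# from the lookup service reaches the CLI.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1                   # split into octets (function-local $@)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Revoke the CIDR recorded on the previous run (if it changed), authorise the
# new one, and remember it for next time.
rotate_rule() {
    group=$1
    cidr=$2
    old=""
    if [ -f "$STATE_FILE" ]; then old=$(cat "$STATE_FILE"); fi
    if [ -n "$old" ] && [ "$old" != "$cidr" ]; then
        "$AWS" ec2 revoke-security-group-ingress --group-id "$group" \
            --protocol tcp --port "$PORT" --cidr "$old"
    fi
    "$AWS" ec2 authorize-security-group-ingress --group-id "$group" \
        --protocol tcp --port "$PORT" --cidr "$cidr"
    printf '%s\n' "$cidr" > "$STATE_FILE"
}

main() {
    group=$1
    ip=$(wget -qO - "$IP_LOOKUP_URL" | extract_ip)
    valid_ipv4 "$ip" || { echo "bad IP lookup result: '$ip'" >&2; exit 1; }
    echo "Opening port $PORT to $ip/32 on $group"
    rotate_rule "$group" "$ip/32"
}

# Run only when a security group id is given; with no argument the file just
# defines the functions (so it can be sourced).
case ${1:-} in
    sg-*) main "$@" ;;
    '')   ;;
    *)    echo "usage: $0 sg-xxxxxxxx" >&2; exit 1 ;;
esac
```

Usage: ./refresh-ssh-ingress.sh sg-xxxxxxxx. A stale entry still gets revoked only if this script recorded it, so clear out rules added by hand once before switching over; the first run with no state file just authorises.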
I've also included my .aws file.
##~/.aws
# This file holds long-lived credentials: keep it readable by you only (chmod 600 ~/.aws).
[default]
aws_access_key_id=YourPublicKey
aws_secret_access_key=YourReallyLongSecretKeyFromTheAWSAccountConsole
availability_zone=ap-southeast-2a
region=ap-southeast-2
#[testing]
#aws_access_key_id=<testing access key>
#aws_secret_access_key=<testing secret key>
#region=us-west-2
What I didn't like
I didn't like the unhelpful help. I got the ever-helpful "A client error (UnknownParameter) occurred: The parameter Item is not recognized" when I used the JSON syntax from the GitHub README.
Also there is a "wetness" to aws-cli. For example there are 3 different ways to specify the same access-key/secret-key pair: a bash export, a config file and an IAM assessment. Depending on what you want to do, a different method must be used. I had 2-4 hours of unhelpful "'NoneType' object has no attribute 'access_key'" until I uncovered that even when you have exported credentials, the IAM privileges on your instance will override the exported values. Some commands will expect export AWS_CONFIG_FILE=/home/$USER/.aws to be declared, the direct export of values, or just look up the IAM of your EC2. This means there are 3 places to change everything whenever you change users (for example testing or development billing).
Sometimes a command will just miss, so the request or response just goes nowhere. There appears to be no timeout that gets invoked in these occurrences.
Overall the command line interface is MUCH faster than the GUI way of doing things, and for this reason I will be using aws-cli.
Michael Tomkins 20130212