Using aws-cli to set IP rules.
I have been trying out the AWS free tier for about 4 months, running up AMIs in my spare time and getting a really nice 1GB Debian image.
Anyway, I was always annoyed at having to set the remote source IP for ssh or have an open cidr-ip. So after being told about aws-cli I cloned it and tried out the options.
What I did.
The help for aws ec2 authorize-security-group-ingress documented the requirements as being in JSON format; this just didn't work. It turned out that the older 0.44 deprecated options worked. How long these deprecated options will keep working is anyone's guess.
With these options I wrote the following script and placed the other options in an ~/.aws config file.
Edit. Of course AWS had changed their API and broken the previous version. The changed code is below.
Original version (the deprecated option names stopped being accepted after the API change):

    #!/bin/bash
    # Public IP is field 6 of the checkip page, with the trailing HTML tag cut off.
    IP=$(wget -qO - http://checkip.dyndns.com/ | \
        cut -d' ' -f6 | cut -d'<' -f1 )
    REGION="ap-southeast-2"
    echo "$IP"
    export AWS_CONFIG_FILE=~/.aws
    export AWS_DEFAULT_REGION=$REGION
    # Broken: --ip-protocol/--from-port/--to-port/--cidr-ip are the old 0.44 option names.
    aws ec2 authorize-security-group-ingress --group-id GROUP_TO_ACCESS \
        --ip-protocol tcp --from-port 22 --to-port 22 --cidr-ip "$IP"/32
    exit 0
Changed version (current option names: --protocol, --port, --cidr):

    #!/bin/bash
    # Public IP is field 6 of the checkip page, with the trailing HTML tag cut off.
    IP=$(wget -qO - http://checkip.dyndns.com/ | \
        cut -d' ' -f6 | cut -d'<' -f1 )
    echo "Opening port 22 $IP/32"
    # Region and credentials come from the ~/.aws file; only this one /32 is allowed in on tcp/22.
    AWS_CONFIG_FILE=~/.aws aws ec2 authorize-security-group-ingress \
        --group-id sg-d79809ed --protocol tcp --port 22 --cidr "$IP"/32
    exit 0
I've also included my .aws file.
    ##~/.aws
    ## Holds the secret key in clear text: keep it readable by your user only (mode 0600).
    [default]
    aws_access_key_id=YourPublicKey
    aws_secret_access_key=YourReallyLongSecretKeyFromTheAWSAccountConsole
    availability_zone=ap-southeast-2a
    region=ap-southeast-2
    #[testing]
    #aws_access_key_id=<testing access key>
    #aws_secret_access_key=<testing secret key>
    #region=us-west-2
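Two things in the script above are worth tightening. It only ever authorizes, so each run from a new address leaves one more tcp/22 rule behind in the group, and it passes whatever lands in field 6 of the checkip page straight into --cidr, so a change in that HTML gives an empty or garbled source. The following is an added example, not the post's own script: the same fetch-and-authorize routine, with the address pulled out by pattern and checked to be a real IPv4 before it is used, and the /32 opened by the previous run revoked first. The state file path, the sample checkip response and the sg-xxxxxxxx placeholder are assumptions; the two aws ec2 calls use the same --group-id/--protocol/--port/--cidr options as the post's working version.

```shell
#!/bin/bash
# Added example, not the original post's script.  Opens tcp/22 from the current
# public /32 only, after revoking the /32 recorded from the previous run, so the
# group holds one dynamic SSH source instead of accumulating one per address.
# Assumptions: the state file path, the checkip URL/HTML layout and the
# sg-xxxxxxxx placeholder; the two aws ec2 calls use the same option names as
# the post's working version.

STATE_FILE="${STATE_FILE:-$HOME/.ssh-from-here.cidr}"   # assumed location

# Constructed sample of the checkip page (not a live capture), used for testing.
CHECKIP_SAMPLE='<html><head><title>Current IP Check</title></head><body>Current IP Address: 203.0.113.42</body></html>'

# First dotted quad in the response, wherever it sits; counting space-separated
# fields breaks silently (empty CIDR) as soon as the HTML around it changes.
extract_ip() {
    printf '%s' "$1" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Four octets, each 0..255, nothing else.  Whatever passes here becomes the
# --cidr argument, so an empty or garbled value must be rejected, not sent.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    local o
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Revoke whatever /32 the last run opened (ignoring "not found"), then authorize
# the new one and remember it.  Non-zero exit if the address is bad or the
# authorize call fails.
update_ssh_rule() {
    local group_id=$1 ip=$2 old_cidr
    valid_ipv4 "$ip" || { echo "refusing to use '$ip' as a source address" >&2; return 1; }
    if [ -s "$STATE_FILE" ]; then
        old_cidr=$(cat "$STATE_FILE")
        aws ec2 revoke-security-group-ingress --group-id "$group_id" \
            --protocol tcp --port 22 --cidr "$old_cidr" 2>/dev/null || true
    fi
    aws ec2 authorize-security-group-ingress --group-id "$group_id" \
        --protocol tcp --port 22 --cidr "$ip/32" \
        && printf '%s\n' "$ip/32" > "$STATE_FILE"
}

# Only talk to AWS when invoked explicitly; sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    GROUP_ID="${2:?usage: $0 --apply sg-xxxxxxxx}"
    IP=$(extract_ip "$(wget -qO - http://checkip.dyndns.com/)")
    echo "Opening port 22 from $IP/32 on $GROUP_ID"
    update_ssh_rule "$GROUP_ID" "$IP"
fi
```

Run it as ./ssh-from-here.sh --apply sg-xxxxxxxx with AWS_CONFIG_FILE set as in the post; without --apply it only defines the functions, so it can be sourced safely. Revoking the old /32 rather than leaving it means a rule opened from a coffee-shop address does not stay valid for whoever gets that address next. Note that the checkip page is still fetched over plain http, as in the original, so the address is only as trustworthy as that response.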
What I didn't like
I didn't like the unhelpful help. I got

    A client error (UnknownParameter) occurred: The parameter Item is not recognized

when I used the JSON syntax from the GitHub README.
Also there is a "wetness" to aws-cli. For example there are 3 different ways to specify the same access-key/secret-key pair: a bash export, a config file and an IAM assessment. Depending on what you want to do a different method must be used. I had 2-4 hours of unhelpful

    has no attribute 'access_key'

until I uncovered that even when you have exported credentials, the IAM privileges on your instance will override the exported values. Some commands will expect AWS_CONFIG_FILE=/home/$USER/.aws to be declared, the direct export of values, or just look up the IAM of your EC2. This means there are 3 places to change everything whenever you change users (for example testing or
Sometimes a command will just miss, so the request or response just goes nowhere. There appears to be no timeout that gets invoked in these occurrences.
Overall the command line interface is MUCH faster than the GUI way of doing things, and for this reason I will be using aws-cli.
Michael Tomkins 20130212