search

kislyuk / aegea

Amazon Web Services Operator Interface
Apache License 2.0
68 stars 17 forks source link

How to send AWS_ACCESS_KEY/.aws and public key to instance? #40

Closed olgabot closed 5 years ago

olgabot commented 6 years ago

Hi @kislyuk! I'm running Reflow on aegea-launched EC2 instances and am having trouble getting Reflow to recognize the AWS credentials. I know they're there because I'm able to aws s3 sync to the buckets I have access to.

 Tue 19 Jun - 03:49  ~ 
 ubuntu@olgabot-reflow-v5  reflow setup-ec2
reflow: error reading SSH key: open /home/ubuntu/.ssh/id_rsa.pub: no such file or directory
failed to retrieve AWS credentials: NoCredentialProviders: no valid providers in chain
caused by: EnvAccessKeyNotFound: AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY not found in environment
SharedCredsLoad: failed to load shared credentials file
caused by: open /home/ubuntu/.aws/credentials: no such file or directory

In the end, I scp-d over the credentials to get it to work:

(base) 
 Mon 18 Jun - 13:56  ~/code/sourmash   origin ☊ master ✔ ☗v2.0.0a6  
  scp -r -i ~/.ssh/aegea.launch.olgabot.Olgas-MacBook-Pro.pem ~/.aws ubuntu@ec2-34-217-83-165.us-west-2.compute.amazonaws.com:~
config                                                                                                                                                                                                    100%   43     1.2KB/s   00:00    
credentials                                                                                                                                                                                               100%  116     2.8KB/s   00:00    
olga-czirna1.pem                                                                                                                                                                                          100% 1692    42.1KB/s   00:00    
(base) 
 Mon 18 Jun - 20:55  ~/code/sourmash   origin ☊ master ✔ ☗v2.0.0a6  
  scp -r -i ~/.ssh/aegea.launch.olgabot.Olgas-MacBook-Pro.pem ~/.ssh/id_rsa.pub ubuntu@ec2-34-217-83-165.us-west-2.compute.amazonaws.com:~/.ssh/
id_rsa.pub

But I'm wondering if I'm missing something and it's easier to do this already with Aegea.

Here's my home directory and environment variables:

```zsh Tue 19 Jun - 03:49  ~  ubuntu@olgabot-reflow-v5  ls -lha total 204K drwxr-xr-x 15 ubuntu ubuntu 4.0K Jun 19 03:49 . drwxr-xr-x 3 root root 4.0K Jan 30 21:24 .. drwxrwxr-x 4 ubuntu ubuntu 4.0K Jun 19 03:43 agnosterzak-ohmyzsh-theme drwxrwxr-x 13 ubuntu ubuntu 4.0K Feb 8 22:24 anaconda -rw-r--r-- 1 ubuntu ubuntu 220 Aug 31 2015 .bash_logout -rw-r--r-- 1 ubuntu ubuntu 4.3K Jun 18 22:59 .bashrc drwx------ 3 ubuntu ubuntu 4.0K Jun 18 22:58 .cache drwxrwxr-x 3 ubuntu ubuntu 4.0K Jun 19 03:43 code drwxrwxr-x 3 ubuntu ubuntu 4.0K Feb 8 22:24 .conda -rw-rw-r-- 1 ubuntu ubuntu 92 Feb 8 22:23 .condarc -rw-rw-r-- 1 ubuntu ubuntu 1.8K Jun 19 03:41 .emacs drwx------ 5 ubuntu ubuntu 4.0K Jun 19 03:42 .emacs.d -rw-rw-r-- 1 ubuntu ubuntu 344 Jun 19 03:44 .gitconfig -rw-rw-r-- 1 ubuntu ubuntu 1.5K Jun 19 03:44 .gitignore drwxrwxr-x 5 ubuntu ubuntu 4.0K Jun 18 22:59 gocode drwxrwxr-x 3 ubuntu ubuntu 4.0K Jun 19 03:44 hc-zenburn-emacs drwxrwxr-x 5 ubuntu ubuntu 4.0K Jun 19 03:45 kmer-hashing -rw-rw-r-- 1 ubuntu ubuntu 917 Jun 19 03:41 .macbook_bash_profile -rw-rw-r-- 1 ubuntu ubuntu 694 Jun 19 03:44 Makefile drwxr-xr-x 11 ubuntu ubuntu 4.0K Jun 19 03:40 .oh-my-zsh -rw-r--r-- 1 ubuntu ubuntu 655 May 16 2017 .profile drwxrwxr-x 4 ubuntu ubuntu 4.0K Jun 19 03:44 rcfiles drwxrwxr-x 3 ubuntu ubuntu 4.0K Jun 19 03:46 reflow-workflows -rwxrwxr-x 1 ubuntu ubuntu 256 Jun 19 03:44 .screenrc drwx------ 2 ubuntu ubuntu 4.0K Jan 30 21:24 .ssh -rw-r--r-- 1 ubuntu ubuntu 0 Jan 30 21:25 .sudo_as_admin_successful -rw-rw-r-- 1 ubuntu ubuntu 3.2K Jun 19 03:41 .ucsd_bashrc -rw-rw-r-- 1 ubuntu ubuntu 217 Jun 19 03:44 .wget-hsts -rw-rw-r-- 1 ubuntu ubuntu 39K Jun 19 03:41 .zcompdump -rw-rw-r-- 1 ubuntu ubuntu 39K Jun 19 03:41 .zcompdump-olgabot-reflow-v5-5.1.1 -rw------- 1 ubuntu ubuntu 1.3K Jun 19 03:49 .zsh_history -rw-r--r-- 1 ubuntu ubuntu 4.4K Jun 19 03:44 .zshrc Tue 19 Jun - 03:49  ~  ubuntu@olgabot-reflow-v5  env XDG_SESSION_ID=7 SHELL=/bin/bash TERM=xterm-256color SSH_CLIENT=24.6.75.181 53191 22 SSH_TTY=/dev/pts/1 ZSH=/home/ubuntu/.oh-my-zsh USER=ubuntu LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36: TERMCAP=SC|xterm-256color|VT 100/ANSI X3.64 virtual terminal:\ :DO=\E[%dB:LE=\E[%dD:RI=\E[%dC:UP=\E[%dA:bs:bt=\E[Z:\ :cd=\E[J:ce=\E[K:cl=\E[H\E[J:cm=\E[%i%d;%dH:ct=\E[3g:\ :do=^J:nd=\E[C:pt:rc=\E8:rs=\Ec:sc=\E7:st=\EH:up=\EM:\ :le=^H:bl=^G:cr=^M:it#8:ho=\E[H:nw=\EE:ta=^I:is=\E)0:\ :li#64:co#236:am:xn:xv:LP:sr=\EM:al=\E[L:AL=\E[%dL:\ :cs=\E[%i%d;%dr:dl=\E[M:DL=\E[%dM:dc=\E[P:DC=\E[%dP:\ :im=\E[4h:ei=\E[4l:mi:IC=\E[%d@:ks=\E[?1h\E=:\ :ke=\E[?1l\E>:vi=\E[?25l:ve=\E[34h\E[?25h:vs=\E[34l:\ :ti=\E[?1049h:te=\E[?1049l:us=\E[4m:ue=\E[24m:so=\E[3m:\ :se=\E[23m:mb=\E[5m:md=\E[1m:mh=\E[2m:mr=\E[7m:\ :me=\E[m:ms:\ :Co#8:pa#64:AF=\E[3%dm:AB=\E[4%dm:op=\E[39;49m:AX:\ :vb=\Eg:G0:as=\E(0:ae=\E(B:\ :ac=\140\140aaffggjjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~..--++,,hhII00:\ :po=\E[5i:pf=\E[4i:Km=\E[M:k0=\E[10~:k1=\EOP:k2=\EOQ:\ :k3=\EOR:k4=\EOS:k5=\E[15~:k6=\E[17~:k7=\E[18~:\ :k8=\E[19~:k9=\E[20~:k;=\E[21~:F1=\E[23~:F2=\E[24~:\ :F3=\E[1;2P:F4=\E[1;2Q:F5=\E[1;2R:F6=\E[1;2S:\ :F7=\E[15;2~:F8=\E[17;2~:F9=\E[18;2~:FA=\E[19;2~:kb=:\ :K2=\EOE:kB=\E[Z:kF=\E[1;2B:kR=\E[1;2A:*4=\E[3;2~:\ :*7=\E[1;2F:#2=\E[1;2H:#3=\E[2;2~:#4=\E[1;2D:%c=\E[6;2~:\ :%e=\E[5;2~:%i=\E[1;2C:kh=\E[1~:@1=\E[1~:kH=\E[4~:\ :@7=\E[4~:kN=\E[6~:kP=\E[5~:kI=\E[2~:kD=\E[3~:ku=\EOA:\ :kd=\EOB:kr=\EOC:kl=\EOD:km: PAGER=less LSCOLORS=Gxfxcxdxbxegedabagacad PATH=/home/ubuntu/anaconda/bin:/usr/lib/go-1.10/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/ubuntu/gocode/bin:/home/ubuntu/gocode/bin MAIL=/var/mail/ubuntu STY=5811.pts-1.olgabot-reflow-v5 PWD=/home/ubuntu EDITOR=emacs LANG=en_US.UTF-8 SSH_KEY_PATH=~/.ssh/rsa_id HOME=/home/ubuntu SHLVL=5 LESS=-R LOGNAME=ubuntu WINDOW=2 SSH_CONNECTION=24.6.75.181 53191 172.31.34.0 22 XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop LESSOPEN=| /usr/bin/lesspipe %s GOPATH=/home/ubuntu/gocode XDG_RUNTIME_DIR=/run/user/1000 LESSCLOSE=/usr/bin/lesspipe %s %s _=/usr/bin/env OLDPWD=/home/ubuntu LC_CTYPE=en_US.UTF-8 ```
kislyuk commented 6 years ago

@olgabot sorry I just saw this. Did you sort this out according to our discussion in Slack? In general, apps on EC2 instances are supposed to get their credentials from instance metadata (container hosts also provide this)

olgabot commented 6 years ago

thanks for your response! I haven't figured out how to deal with this yet, since the information I received was that aegea uses profiles but I don't know how to push the ~/.ssh/id_rsa.pub and ~/.aws/config files for every instance, outside of simply scping them

kislyuk commented 6 years ago

OK so you're dealing with two different sets of credentials here.

  1. AWS credentials. When running on an EC2 instance, your application (reflow) should get its AWS credentials from EC2 instance metadata. I know Reflow is capable of ingesting these, but you may need to configure it properly to do so. I think @ryanking mentioned something in Slack about how Reflow fixed something about this recently. (Also, you need to launch the instance with an IAM role - if you don't specify an IAM role, the instance won't have AWS credentials in its metadata. But if you're launching with aegea, your instance should always have an IAM role.)

  2. SSH credentials. What is reflow trying to use the credentials for? I'm not certain that they're required, but if you're sure they are, then my guess is that you'd want to use the AWS Secrets Manager to store the SSH keys and then retrieve them using the AWS credentials in step 1. Something like: cat ~/.ssh/id_rsa.pub | aegea secrets put reflow-ssh-pubkey (on the computer where you've generated the ssh key) followed by aws secretsmanager get-secret-value --secret-id reflow-ssh-pubkey > ~/.ssh/id_rsa.pub (on the instance that wants to use the key).

olgabot commented 5 years ago

Wow 4 months later and I'm still having the same problems... such is programming!

Here is how I launched my instance:

 aegea launch --iam-role S3fromEC2 --ami-tags Name=czbiohub-reflow -t t2.micro  olgabot-reflow

  1. For AWS credentials, there's an option to export AWS_SDK_LOAD_CONFIG=1, but that still looks for the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

  2. The credentials are added to the EC2 instances created by Reflow so you can the log onto them and inspect the outputs. The aegea secrets command worked just fine but aws secretsmanager doesn't seem to be an option for me (details below)... How did the aws in /usr/bin/aws get there? Was that added by aegea?

``` ubuntu@olgabot-reflow:~$ which -a aws /usr/bin/aws ubuntu@olgabot-reflow:~$ aws --version aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-1049-aws botocore/1.4.70 ubuntu@olgabot-reflow:~$ aws secretsmanager usage: aws [options] [ ...] [parameters] To see help text, you can run: aws help aws help aws help aws: error: argument command: Invalid choice, valid choices are: acm | apigateway application-autoscaling | autoscaling budgets | cloudformation cloudfront | cloudhsm cloudsearch | cloudsearchdomain cloudtrail | cloudwatch codecommit | codepipeline cognito-identity | cognito-idp cognito-sync | datapipeline devicefarm | directconnect discovery | dms ds | dynamodb dynamodbstreams | ec2 ecr | ecs efs | elasticache elasticbeanstalk | elastictranscoder elb | elbv2 emr | es events | firehose gamelift | glacier iam | importexport inspector | iot iot-data | kinesis kinesisanalytics | kms lambda | logs machinelearning | marketplacecommerceanalytics meteringmarketplace | opsworks rds | redshift route53 | route53domains sdb | servicecatalog ses | sms snowball | sns sqs | ssm storagegateway | sts support | swf waf | workspaces s3api | s3 configure | deploy configservice | help ```
olgabot commented 5 years ago

Here's the IAM role info:

 Wed 21 Nov - 18:32  ~ 
  aws iam get-role --role-name S3fromEC2
{
    "Role": {
        "Path": "/",
        "RoleName": "S3fromEC2",
        "RoleId": "redacted",
        "Arn": "arn:aws:iam::redacted:role/S3fromEC2",
        "CreateDate": "2017-12-06T00:22:48Z",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        },
        "Description": "Provides access to S3 buckets from an EC2 instance.",
        "MaxSessionDuration": 3600
    }
}
kislyuk commented 5 years ago

@olgabot It sounds like perhaps reflow is unable to understand how to fetch credentials from instance metadata according to AWS conventions, or it's not being configured to do so.

For AWS credentials, there's an option to export AWS_SDK_LOAD_CONFIG=1, but that still looks for the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

Requiring these variables to be present is generally incorrect behavior. In the absence of these environment variables, reflow should check the instance metadata (https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#id1).

Regarding the version of the AWS CLI in your AMI: how did you build the czbiohub-reflow AMI? Did you use aegea image or something else? In either case, you are right to suspect that it's out of date.

kislyuk commented 5 years ago

@olgabot reading through the reflow docs, it appears reflow is basically not smart enough to integrate with AWS IAM roles, and instead requires long-lived static credentials (an AWS access key associated with an IAM user).

In this situation, you do need to set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. I advise using aegea secrets to manage those, if you have to.