AWS - Amazon Web Services

From Noah.org
Revision as of 16:30, 4 January 2016 by Root (Talk | contribs)



ERROR: "client error (AuthFailure) ... AWS was not able to validate the provided access credentials"

If you see an error like this and you have confirmed that your credentials are good, then the next thing to check is your clock. Every AWS API request carries a signed timestamp that AWS validates against its own time, so a skewed clock produces the same error as bad credentials. Even AWS instances somehow seem to get clocks askew.

$ aws ec2 --region=us-west-1 describe-security-groups --query 'SecurityGroups[*].GroupId' --output table

A client error (AuthFailure) occurred when calling the DescribeSecurityGroups operation: AWS was not able to validate the provided access credentials

Try running this on the instance to correct clock drift:

sudo ntpdate time.nist.gov

The minimum Route53 stuff that I actually use or care about

Route53 stuff

Notes

  1. Examples show the CLI prompt, "$ ", at the beginning of each line. Anything that does not begin with a "$ " or a "#" is stdout or stderr output, not counting quoted strings that span multiple lines. Maybe I'm making it sound too complicated. You'll figure it out.
  2. The Hosted Zone ID for zephyrhealth.com is "Z35CNAMBBVZ957".
  3. All names are specified with the FQDN even though the domain name is implied with the Hosted Zone ID.
  4. Route53 automatically creates Reverses (PTR records) for A records. This is a beautiful thing.

# This lists the zones and Hosted Zone IDs necessary for later commands.
$ aws route53 list-hosted-zones

# This lists every DNS record (all DNS info) for a given Hosted Zone ID.
$ aws route53 list-resource-record-sets --hosted-zone-id Z35CNAMBBVZ957

# This will give you a JSON outline that you will use later.
# To do anything useful with records you have to use JSON because
# there are no CLI options for most DNS operations.
# Note that this JSON contains fields that need to be deleted
# or are not necessary for most operations. The examples after this
# one will probably be more useful. This is best just for reference.
$ aws route53 change-resource-record-sets --generate-cli-skeleton
{
    "HostedZoneId": "", 
    "ChangeBatch": {
        "Comment": "", 
        "Changes": [
            {
                "Action": "", 
                "ResourceRecordSet": {
                    "Name": "", 
                    "Type": "", 
                    "SetIdentifier": "", 
                    "Weight": 0, 
                    "Region": "", 
                    "GeoLocation": {
                        "ContinentCode": "", 
                        "CountryCode": "", 
                        "SubdivisionCode": ""
                    }, 
                    "Failover": "", 
                    "TTL": 0, 
                    "ResourceRecords": [
                        {
                            "Value": ""
                        }
                    ], 
                    "AliasTarget": {
                        "HostedZoneId": "", 
                        "DNSName": "", 
                        "EvaluateTargetHealth": true
                    }, 
                    "HealthCheckId": ""
                }
            }
        ]
    }
}

# Now for the useful, practical operations...

# This is an example that creates an A record.
$ aws route53 change-resource-record-sets --cli-input-json '{
    "HostedZoneId": "Z35CNAMBBVZ957",
    "ChangeBatch": {
        "Comment": "This is a test and may be deleted.",
        "Changes": [
            {
                "Action": "CREATE",
                "ResourceRecordSet": {
                    "Name": "noah-test.zephyrhealth.com",
                    "Type": "A",
                    "TTL": 600,
                  "ResourceRecords": [
                    {
                      "Value": "192.168.0.1"
                    }
                  ]
                }
            }
        ]
    }
}'

# You may want to test your new A record using `host`:
$ host noah-test.zephyrhealth.com
noah-test.zephyrhealth.com has address 192.168.0.1

# This updates an existing A record (UPSERT creates the record if it is missing).
$ aws route53 change-resource-record-sets --cli-input-json '{
    "HostedZoneId": "Z35CNAMBBVZ957",
    "ChangeBatch": {
        "Comment": "This is a test A and may be deleted.",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": "noah-test.zephyrhealth.com",
                    "Type": "A",
                    "TTL": 600,
                  "ResourceRecords": [
                    {
                      "Value": "192.168.1.2"
                    }
                  ]
                }
            }
        ]
    }
}'

# This creates a CNAME record that points at the A record above
# (a plain CNAME, not a Route53 ALIAS record).
$ aws route53 change-resource-record-sets --cli-input-json '{
    "HostedZoneId": "Z35CNAMBBVZ957",
    "ChangeBatch": {
        "Comment": "This is a test CNAME and may be deleted.",
        "Changes": [
            {
                "Action": "CREATE",
                "ResourceRecordSet": {
                    "Name": "noah-test-cname.zephyrhealth.com",
                    "Type": "CNAME",
                    "TTL": 600,
                  "ResourceRecords": [
                    {
                      "Value": "noah-test.zephyrhealth.com"
                    }
                  ]
                }
            }
        ]
    }
}'

# This tests whether a resource record set exists or not in DNS.
# This is kind of lame, but it's the only way I've been able to figure out
# how to do it. I suppose you could assume it does not exist and do a CREATE
# and check if that fails due to the record already existing, then fall back
# to doing an update (UPSERT) if it does. This is how dickheads in Java would
# do it, probably by abusing exceptions.
# At any rate, this command will not generate output, but it will return
# an exit code of 0 (exists) or 1 (does not exist). Beware of the
# weird quoting, but you shouldn't have to change anything except the
# variable, DOMAIN_TO_TEST. The match is on the record "Name", which
# Route53 always returns with a trailing dot; matching on "Value" would
# also succeed when the name merely appears as the target of some other
# record (for example the CNAME created above).
$ DOMAIN_TO_TEST="noah-test.zephyrhealth.com"
$ aws route53 list-resource-record-sets --hosted-zone-id Z35CNAMBBVZ957 | grep -q '"Name": "'${DOMAIN_TO_TEST}'."'
$ echo $?
0
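As an added example (not code from the original page), here is a small Python helper that builds the same change batch the commands above submit and performs the existence check by matching on Name and Type in the list-resource-record-sets output rather than grepping for a Value. It runs offline against a constructed sample of that output; the function names are my own and the sample zone data is made up.

```python
import ipaddress
import json

# Route53 returns every record Name with a trailing dot ("noah-test.zephyrhealth.com."),
# so normalise names the same way before comparing or submitting them.
def fqdn(name):
    return name if name.endswith(".") else name + "."

def change_batch(zone_id, action, name, rtype, values, ttl=600, comment=""):
    """Build the --cli-input-json document for change-resource-record-sets,
    emitting only the fields the examples above use (no skeleton leftovers)."""
    if action not in ("CREATE", "UPSERT", "DELETE"):
        raise ValueError("Action must be CREATE, UPSERT or DELETE")
    if rtype == "A":
        for v in values:
            ipaddress.IPv4Address(v)  # raises ValueError for anything that is not an IPv4 literal
    elif rtype == "CNAME" and len(values) != 1:
        raise ValueError("a CNAME record set holds exactly one value")
    return json.dumps({
        "HostedZoneId": zone_id,
        "ChangeBatch": {
            "Comment": comment,
            "Changes": [{
                "Action": action,
                "ResourceRecordSet": {
                    "Name": fqdn(name),
                    "Type": rtype,
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": v} for v in values],
                },
            }],
        },
    }, indent=4)

def record_exists(list_output, name, rtype):
    """Given the JSON printed by `aws route53 list-resource-record-sets`, report
    whether a record set with this Name and Type exists. Matching on Name (not
    Value) avoids a false positive when the name only appears as the target of
    another record, such as the CNAME created above."""
    sets = json.loads(list_output)["ResourceRecordSets"]
    return any(r["Name"] == fqdn(name) and r["Type"] == rtype for r in sets)

# Constructed sample of list-resource-record-sets output (not real zone data).
SAMPLE_LIST_OUTPUT = json.dumps({"ResourceRecordSets": [
    {"Name": "noah-test.zephyrhealth.com.", "Type": "A", "TTL": 600,
     "ResourceRecords": [{"Value": "192.168.1.2"}]},
    {"Name": "noah-test-cname.zephyrhealth.com.", "Type": "CNAME", "TTL": 600,
     "ResourceRecords": [{"Value": "noah-test.zephyrhealth.com"}]},
]})
```

Pipe the string returned by change_batch into `--cli-input-json`, and feed the real list-resource-record-sets output to record_exists in place of the sample.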