Configure AWS LightSail CLI
# Summary
1. environment: win10, aws-cli-v2
2. currently, an IAM permission boundary is not useful for limiting the use of the LightSail CLI.
3. currently, the aws-cli-v2 `aws configure` command just overwrites the specified parameters in the `credentials` file, and this may cause problems when you didn't remove your previous credentials before configuration.
4. In `ca-central-1a`, the `a` is the availability zone.
5. command for testing: `aws lightsail get-instance-metric-data --instance-name [OMMITTED] --period 60 --metric-name CPUUtilization --start-time 1603584900 --unit Percent --end-time 1603600522 --statistics Average`
6. To migrate a LightSail instance, copy the snapshot to the target region.
# 1. Install CLI client
I already installed cli tools before. The upper one is the recent package I used and the lower one is the old package from 2018.
# 2. Create IAM programmatic user for CLI
Then the CLI needs an account to access LightSail resources. I was following this document: AWS LightSail DOCS - set up access keys to use sdk api cli. So go to IAM to create one; the steps were as follows.
What I care about here is the permission boundary setting. If it is not set, then you will get a notice in the review section when creating the user. So... what do they offer as permission boundaries? Let's see......
Permission Boundary - LightSail Full Access
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "lightsail:*",
            "Resource": "*"
        }
    ]
}
```
Permission Boundary - LightSail Export
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServiceLinkedRole",
                "iam:GetServiceLinkedRoleDeletionStatus"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/lightsail.amazonaws.com/AWSServiceRoleForLightsail*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CopySnapshot",
                "ec2:DescribeSnapshots",
                "ec2:CopyImage",
                "ec2:DescribeImages"
            ],
            "Resource": "*"
        }
    ]
}
```
As you can see, the first one is merely usable and the second one is not applicable. If I want to have a permission boundary, the option given is to confirm that the IAM user has full access? Hmmmm.... funny 😦.... So in the end I didn't set a permission boundary.
At the end, the access key is provided on a one-time page. Just take that csv file.
# 3. Configure AWS CLI
Then open up a "prompt" and call the configure command: `aws configure`.
But I made 2 mistakes when configuring. One was putting in a wrong region name. The second was not putting in a default output format. The correct region in my case is `ca-central-1`, without that "a". (So when do you specify the availability zone?) If you put an availability zone in the region parameter, an error will happen when using the CLI, which is `Could not connect to the endpoint URL: "https://lightsail.ca-central-1a.amazonaws.com/"`.
And I didn't have the chance to see what exceptions the second one will cause, since I realized the problem when solving the first one.
AWS has multiple resources that have availability zone settings.
And the way to migrate LightSail across different regions is basically to copy snapshots.
Ref: Copying snapshots from one AWS Region to another in Amazon Lightsail
But even when I correctly input those parameters, there was still an error: `The security token included in the request is invalid`. So I first searched online, but everyone says you need to set up a security token when you have MFA settings. But I didn't enable MFA for this account. Then I checked the credential file and found out there was a redundant parameter 😦..... guess what? The CLI configure command is too lazy to delete the redundant parameters left over from my previous default credentials when configuring, but it still wants to use all the parameters when being called.
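A small check for the two configuration mistakes described in this section, added here as an example and not part of the original post. It assumes the redundant parameter was `aws_session_token` (the post does not name it); the file contents are constructed samples, not real keys.

```python
import configparser
import re

# A region looks like "ca-central-1"; an availability zone appends a letter.
AZ_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+[a-z]$")

# Constructed samples: a new long-term key written over an old profile that
# still holds a session token, and a region set to an availability zone.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-secret-value
aws_session_token = constructed-stale-token
"""
SAMPLE_CONFIG = """\
[default]
region = ca-central-1a
output = json
"""

def _parse(text):
    # interpolation=None so '%' inside a value is never treated as syntax
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def audit(credentials_text, config_text):
    """Return (profile, problem) tuples for stale tokens and AZ-as-region."""
    findings = []
    creds = _parse(credentials_text)
    for profile in creds.sections():
        sec = creds[profile]
        key_id = sec.get("aws_access_key_id", "")
        # IAM user key IDs start with AKIA and are used without a session
        # token; `aws configure` leaves an old token line in place.
        if key_id.startswith("AKIA") and "aws_session_token" in sec:
            findings.append((profile, "stale aws_session_token next to long-term key"))
    conf = _parse(config_text)
    for profile in conf.sections():
        region = conf[profile].get("region", "")
        if AZ_RE.match(region):
            findings.append((profile, f"region '{region}' is an availability zone; use '{region[:-1]}'"))
    return findings

if __name__ == "__main__":
    for profile, problem in audit(SAMPLE_CREDENTIALS, SAMPLE_CONFIG):
        print(f"[{profile}] {problem}")
```

To run it against a real setup, pass the text of the `credentials` and `config` files from the `.aws` folder in the user profile to `audit()`.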
# 4. Test
The command I use to test availability of cli is: