I am trying to connect to ec2 (AWS) from my powershell (windows7)
I added the following lines to the knife.rb file:
knife[:aws_access_key_id] = ENV['XXXXXX']
knife[:aws_secret_access_key] = ENV['xxxxxxxxxxxxxxxxxxxxxxxxxx']
I run for example
knife ec2 server list --region eu-west-1
but get the following:
knife : ERROR: You did not provide a valid 'AWS Access Key Id' value. At line:1 char:1
ERROR: You did ... Key Id' value.:String) [], RemoteException
ERROR: You did not provide a valid 'AWS Secret Access Key' value.
do I need to upload the knife.rb file to the server after I saved it? (how?)
where should I save my pem file and how should I use it in the commands? i tried for example:
knife ec2 server create -I ami-6e7bd919 -N MyEc2Instance -x ec2-user -r "role[webserver]" -i C:\Users\MyName\Documents\openvoip.pem --region eu-west-1
Thanks!
The knife.rb file should have the following and not as described in the question:
knife[:aws_access_key_id] = "XXXXXXXXXXXXXX"
knife[:aws_secret_access_key] = "XXXXXXXXXXXXXXXXXXXX"
I had no such ENV variables, so I set the credentials directly.
To use environment variables you have to put them first in you ~/.bashrc file:
vi ~/.bashrc
export AWS_ACCESS_KEY_ID=/home/yourname/.ec2/prodaccess
export AWS_SECRET_ACCESS_KEY=/home/yourname/.ec2/prodsecret
Save. then Source .bashrc file:
. ~/.bashrc
Run: env # to see if your new variables are propagated to environment. Then you may run your knife ec2 command
If you plan on sharing your knife.rb, you might want to keep the environment variables and setup as described under 'Many Users, Same Repo' in the docs, https://docs.getchef.com/config_rb_knife.html.
In order to use the ENV vars, use something like below as opposed to the key values that you appear to use:
knife[:aws_access_key_id] = ENV['AWS_ACCESS_KEY_ID']
knife[:aws_secret_access_key] = ENV['AWS_SECRET_ACCESS_KEY']
Then, when running knife, ensure your local environment variables are set.
Related
I have an Azure CLI task which references a PowerShell script (via build artifact) running az commands. Most of these commands work successfully, but when attempting to execute the following command:
az appconfig kv import --name $resourceName -s file --path appconfig.json --format json
I've noticed that the information was not present against the Azure resource and the log file has "File is not available".
I must be referencing the file incorrectly from the build artifact but if anyone could provide some clarity around this that would be great.
I must be referencing the file incorrectly from the build artifact
You can try to add $(System.ArtifactsDirectory) to the json file path. For example: --path $(System.ArtifactsDirectory)/appconfig.json.
System.ArtifactsDirectory: The directory to which artifacts are downloaded during deployment of a release. Example: C:\agent\_work\r1\a
For details ,please refer to predefined variables .
This can be a little tricky to figure out.
System.ArtifactsDirectory is the default variable that indicates the directory to which artifacts are downloaded during deployment of a release.
However, to use a default variable in your script, you must first replace the . in the default variable names with _. For example, to print the value of artifact variable System.ArtifactsDirectory in a PowerShell script, you would have to use $env:SYSTEM_ARTIFACTSDIRECTORY.
I have a similar setup and do it this way within my PowerShell script:
# Define the path to the file
$appSettingsFile="$env:SYSTEM_ARTIFACTSDIRECTORY\<rest_of_the_path>\appconfig.json"
# Pass it to the Azure CLI command
az appconfig kv import -n $appConfigName -s file --path $appSettingsFile --format json --separator . --yes
It is also helpful to view the current values of all variables to see what they contain before using them.
References:
Default variables - System
Using default variables
I'm running cloud build using remote builder, able to copy all file in the workspace to my own VM but, unable to copy hidden files
Command used to copy files
gcloud compute scp --compress --recurse '/workspace/*' [username]#[instance_name]:/home/myfolder --ssh-key-file=my-key --zone=us-central1-a
so, this copies only non-hidden files.
Also used dot operator to copy hidden files
gcloud compute scp --compress --recurse '/workspace/.' [username]#[instance_name]:/home/myfolder --ssh-key-file=my-key --zone=us-central1-a
Still not able to copy and got below error
scp: error: unexpected filename: .
Can anyone suggest to me how to copy hidden files to VM using gcloud scp.
Thanks in advance
If you remove the trailing character after the slash, it may work. For example, this worked for me:
gcloud compute scp --compress --recurse 'test/' [username]#[instance_name]:/home/myfolder
I'm trying to access the value of SECRETs sent to a GitHub Action, but I'm struggling. The values are returned as [FILTERED] every time, no matter what the key or the original value is.
I can access ENVIRONMENT VARIABLES without a problem, so I must be screwing up somewhere else.
Essentially, what I'm trying to do is send an ssh key to my action/container, but I get the same issue when sending any other key/value as a secret.
My (simplified) GitHub Action is as follows:
action "Test" {
uses = "./.github/actions/test"
secrets = [
"SSH_PRIVATE_KEY",
"SSH_PUBLIC_KEY",
]
env = {
SSH_PUBLIC_KEY_TEST = "thisisatestpublickey"
}
}
Dockerfile:
FROM ubuntu:latest
# Args
ARG SSH_PRIVATE_KEY
ARG SSH_PUBLIC_KEY
ARG SSH_PUBLIC_KEY_TEST
# Copy entrypoint
ADD entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
entrypoint.sh:
#! /bin/sh
SSH_PATH="$HOME/.ssh"
mkdir "$SSH_PATH"
touch "$SSH_PATH/known_hosts"
echo "$SSH_PRIVATE_KEY" > "$SSH_PATH/id_rsa"
echo "$SSH_PUBLIC_KEY" > "$SSH_PATH/id_rsa.pub"
echo "$SSH_PUBLIC_KEY_TEST" > "$SSH_PATH/id_rsa_test.pub"
cat "$SSH_PATH/id_rsa"
cat "$SSH_PATH/id_rsa.pub"
cat "$SSH_PATH/id_rsa_test.pub"
The output of those three cat commands is:
[FILTERED]
[FILTERED]
thisisatestpublickey
As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.
Anyone got any clues?
Just to update this, I've also simply tried echoing out both the secrets without quotes in entrypoint.sh:
echo $SSH_PRIVATE_KEY
echo $SSH_PUBLIC_KEY
...and in the log, I see the full decrypted content of $SSH_PRIVATE_KEY (ie, the actual contents of my ssh key) while $SSH_PUBLIC_KEY still returns [FILTERED].
So, I can assume that we are able to see the contents of secrets inside of an action, but I don't know why I can see just one of them, while the other returns [FILTERED].
Is it a caching thing, maybe?
I'm just trying to figure out a predictable way to work with this.
As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.
That's because they're secrets. The Actions output is explicitly scrubbed for secrets, and they're not displayed.
The file contents still contain the secret contents.
So I run the following:
gsutil -m cp -R file.png gs://bucket/file.png
And I get the following error message:
Copying file://file.png [Content-Type=application/pdf]...
Uploading file.png: 42.59 KiB/42.59 KiB
AccessDeniedException: 401 Login Required
CommandException: 1 files/objects could not be transferred.
I'm not sure what the problem is since I ran config and I can see all my buckets. Does anyone know what I need to do?
Note: I do not have gcloud, I just installed gsutil and ran the config.
Login to Google Cloud is needed for accessing any Cloud service. You need to use below command which will guide you through login steps like typing verification code you generate by opening browser link given in console.
gcloud auth login
I was getting a similar response, and was able to solve this problem by looking at the read permissions on the .boto file. In my case, I was using a service account and the .boto file that was created by
gsutil config -e
only had read permissions set for user. Since it was being read by a service running as a different user, it wasn't able to read the file and yielding a 401 Login Required error. I fixed it by adding read permissions for the service's group.
In the least sophisticated case, you could fix it by giving any user read permission with
chmod a+r .boto
A more detailed explanation for troubleshooting
To get more information, run the same command with a -D flag, like:
gsutil -m -D cp ....
In the debug output, look at:
Command being run: /path/to/gsutil
config_file_list: /path/to/boto/config
Create your login credentials using the executable at /path/to/gsutil, not gcloud auth or any other gsutil executable on the machine, using:
/path/to/gsutil config
For a service account, use:
/path/to/gsutil config -e
These should create a .boto config file in your home directory, $HOME/.boto. If you are running the gsutil command this file should be referenced in the config_file_list variable in the debug output. If not, see below to change it.
Running gsutil under a service account or as another user
If you are running as another user, and need to reference a newly-created config file, set the environment variable BOTO_CONFIG (don't forget to export it):
BOTO_CONFIG=/path/to/$HOME/.boto
export BOTO_CONFIG
By setting this variable, when you execute gsutil, it will reference the config file you have placed in BOTO_CONFIG. You can confirm that you are referencing the correct config file by looking at the config_file_list variable in the gsutil -D command's output.
make sure the referenced .boto file is readable by the user who is executing the gsutil command
Running the /path/to/gsutil with the BOTO_CONFIG variable set allowed me to execute gsutil as another user, referencing an arbitrary BOTO_CONFIG file that was set up with a service-account's credentials.
To set up the service account:
https://console.cloud.google.com/permissions/serviceaccounts
The key file from the service account set-up process needs to be downloaded, and the path to it is requested during the gsutil config -e step.
This may be an issue with how gsutil/boto handles the OS path separators on Windows, as referenced here. This should eventually get merged into the sdk tools, but until then the following should work:
Go to
google-cloud-sdk\platform\gsutil\third_party\boto\boto\pyami\config.py
and replace the line:
for path in os.environ['BOTO_PATH'].split(':'):
with:
for path in os.environ['BOTO_PATH'].split(os.path.pathsep):
Next, go to
google-cloud-sdk\bin\bootstrapping\gsutil.py
replace the lines that use ':'
if boto_config:
boto_path = ':'.join([boto_config, gsutil_path])
elif boto_path:
# this is ':' for windows as well, hardcoded into the boto source.
boto_path = ':'.join([boto_path, gsutil_path])
else:
path_parts = ['/etc/boto.cfg',
os.path.expanduser(os.path.join('~', '.boto')),
gsutil_path]
boto_path = ':'.join(path_parts)
with
if boto_config:
boto_path = os.path.pathsep.join([boto_config, gsutil_path])
elif boto_path:
# this is ':' for windows as well, hardcoded into the boto source.
boto_path = os.path.pathsep.join([boto_path, gsutil_path])
else:
path_parts = ['/etc/boto.cfg',
os.path.expanduser(os.path.join('~', '.boto')),
gsutil_path]
boto_path = os.path.pathsep.join(path_parts)
Restart cmd and now the error should go away.
I am trying to set Boto to work with GCS with Oauth2 authentication. Gsutil config -e begins the authentication process, but when it asks "What is the full path to your private key file?" I get OSError: No such file or directory.
Why would this happen? It doesn't work with the .json version of the private key file either. I wish Boto for GCS didn't need a path to the private key file.
I made it work by skipping gsutil config -e . I went to my Windows computer where Boto was authenticated, and copied the .boto file to my home directory in Ubuntu.
In the .boto file under [Credentials] the un-commented lines with authentication keys had to be updated for this machine. Everything works now. The relevant part of the .boto file:
[Credentials]
# Google OAuth2 service account credentials (for "gs://" URIs):
gs_service_client_id = ...80o98m552#developer.gserviceaccount.com
gs_service_key_file = /home/edmund_spenser/Downloads/myproj-14002ffcc31.p12
gs_service_key_file_password = notasecret
If you are having trouble getting Boto set up with service account credentials you can paste the above into your .boto file and change the values to your credentials. There were four other lines in the file that were un-commented:
https_validate_certificates = True
default_api_version = 2
content_language = en
default_project_id = myproject
I include them here just in case. Hopefully your terminal works and you can just use gsutil config -e to set up Boto.