AWS – Email – SES – Send Email – Thunderbird Configuration

January 10, 2019January 10, 2019 Daniel Adeniji Amazon Web Services ( AWS ), Mozilla, Mozilla.Org, Simple Email Service [ SES ] ( Amazon - AWS ), Technical, Thunderbird

Background

Now that I have received and responded back to AWS/SES email validation, it is time to go back and validate my Outgoing SMTP Server.

Earlier Notes

Here are some earlier notes :-

AWS – Email – “Error Sending Mail – Message Reject : Email address is not verified. The following identities failed the check in region
Link

Thunderbird

Configuration

Here is how to configure Mozilla’s Thunderbird to use an AWS/SES SMTP Server to send email.

Outline

Review Validation Email for Sender
- Note exact email address
- Click on validation link
Access the Account Settings panel
- Account Settings panel
  - Email Address
    - Please use the exact email address that was verified
    - Remember it is Linux and case-sensitive
- Outgoing Server ( SMTP )
  - Server Name
    - Region Specific SMTP Server Name
      - US West 2
        
        email-smtp.us-west-2.amazonaws.com
  - Port Number
    - 587
  - Connection Security
    - STARTTLS
  - Authentication Method
    - Normal Password
  - Username
    - Enter the username assigned to you by AWS/SES

Sender Email Address Validation

Sample Emails

Here are sample validation emails :-

Dear Amazon Web Services Customer,

We have received a request to authorize this email address for use with Amazon SES and Amazon Pinpoint in region US West (Oregon). If you requested this verification, please go to the following URL to confirm that you are authorized to use this email address:

https://email-verification.us-west-2.amazonaws.com/?Context=78&X-Amz-Date=20190110T212440Z&
Identity.IdentityName=daniel.adeniji%40mylabdomain.com&X-Amz-Algorithm=AWS4-HMAC-SHA256&Identity.IdentityType=EmailAddress&X-Amz-SignedHeaders=host&X-Amz-Credential=AKI%2Fus-west-2%2Fses%2Faws4_request&Operation=ConfirmVerification&Namespace=Bacon&X-Amz-Signature=189

Explanation

Email’s body
- Please not Identity.IdentityName
  - This is the name that will be specified as your sender

Account Settings

AWS.SES.Mozilla.Thunderbird.Configuration.AccountSettings.20190110.0208PM.PNG

Outgoing – Mail – Configuration

SMTP Server

AWS.SES.Mozilla.Thunderbird.Configuration.Outgoing.20190110.0209PM.PNG

References

Amazon
- AWS
  - SES
    - AWS Documentation » Amazon SES Documentation » Developer Guide » Sending Email with Amazon SES » Sending Your Email with Amazon SES » Using the Amazon SES SMTP Interface to Send Email » Configuring Email Clients to Send Through Amazon SES
      Configuring Email Clients to Send Through Amazon SES
      Link
    - AWS Documentation » Amazon SES Documentation » Developer Guide » Regions and Amazon SES
      Link

AWS – Email – “Error Sending Mail – Message Reject : Email address is not verified. The following identities failed the check in region”

January 9, 2019January 9, 2019 Daniel Adeniji Amazon, Amazon Web Services ( AWS ), Email, Simple Email Service [ SES ] ( Amazon - AWS ), Technical

Background

Trying to send out an email email over an SMTP Server residing in AWS.

Error

Image

Textual

An error occurred while sending mail.
The mail server responded : Message rejected: Email address is not verified.
The following identities failed the check in region

Remediation

Outline

Launch web browser
Enter Region Specific URL
- Syntax
  - https://console.aws.amazon.com/ses/home?region=%5Bregion-name%5D
- Sample
  - US West 2
    - https://us-west-2.console.aws.amazon.com/ses/home?region=us-west-2#
SES
- Domain Identities
  - Listing
    - All Domain Identities are listed
  - Add Domain
    - If your domain is not listed, please prepare to register it by clicking on the “Verify A New Domain” button
- Email Addresses
  - Listing
    - All Email Addresses are listed
  - Verify a new email address
    - If your email address is not listed, please prepare to register it by clicking on the “Verify A New Email Address” button
  - Registration
    - In the “Verify New Email Address” window
      - Enter the Email Address
      - Click the “Verify this Email Address” button
  - Validation Email
    - Wait for the validation email
    - Read, Review, and Click in registration link

Steps

SES Home Page

Enter URL to the SES Home Page.

The generic URL to the SES Home Page is https://console.aws.amazon.com/ses/home.

For us, we are in US-WEST-2, and we can connect to the region specific URL by going here ( https://console.aws.amazon.com/ses/home ( https://us-west-2.console.aws.amazon.com/ses/home?region=us-west-2 ).

Domain Identities

From the left frame, please click the “Domains” link.

Please review the registered Domain Identities.

If your Domain is not listed, please click the “Verify a New Domain” button.

Listing

domainidentities.20190109.0102pm

Verify New Domain Identity

AmazonSimpleEmailService.verifyANewDomain.20190109.0106PM.PNG

Email Address Identities

From the left frame, please click the “Email Addresses” link.

Please review the registered “Email Addresses Identities“.

If the “Email Addresses Identifiers” is not listed, please click the “Verify a New Email Address” button.

Listing

Registered “Email Address Identifiers” are listed.

emailAddressIdentities.listing.20190109.0115PM.PNG

Verify New Email Address

In the “Verify a New Email Address” window, please enter the email Address that you will be using as the “Sending Address”.

Click the “Verify this Email Address” to confirm.

verifyanewemailaddress.20190109.0118pm

Validation Email

You will receive an email in email address you entered earlier.

Within 24 hours, please review the email and click on the Link.

Samples

Here are sample emails :-

Image

validation.email.20190109.0148PM.PNG

Textual


Dear Amazon Web Services Customer,

We have received a request to authorize this email address for use with Amazon SES and Amazon Pinpoint in region US West (Oregon). If you requested this verification, please go to the following URL to confirm that you are authorized to use this email address:

https://email-verification.us-west-2.amazonaws.com/?Context=458828384081&X-Amz-Date=20180913T234020Z&Identity.IdentityName=daniel.adeniji%40edriving.com&X-Amz-Algorithm=AWS4-HMAC-SHA256&Identity.IdentityType=EmailAddress&X-Amz-SignedHeaders=host&X-Amz-Credential=AKIAJJHD5MBOFZDF5APA%2F20180913%2Fus-west-2%2Fses%2Faws4_request&Operation=ConfirmVerification&Namespace=Bacon&X-Amz-Signature=7cccbc70dddc08dc9d93c91cb1febb2a6792ce4f86083d26d3fa1668b2155063

Your request will not be processed unless you confirm the address using this URL. This link expires 24 hours after your original verification request.

If you did NOT request to verify this email address, do not click on the link. Please note that many times, the situation isn't a phishing attempt, but either a misunderstanding of how to use our service, or someone setting up email-sending capabilities on your behalf as part of a legitimate service, but without having fully communicated the procedure first. If you are still concerned, please forward this notification to aws-email-domain-verification@amazon.com and let us know in the forward that you did not request the verification.

To learn more about sending email from Amazon Web Services, please refer to the Amazon SES Developer Guide at http://docs.aws.amazon.com/ses/latest/DeveloperGuide/Welcome.html and Amazon Pinpoint Developer Guide at http://docs.aws.amazon.com/pinpoint/latest/userguide/welcome.html.

Sincerely,

References

Amazon
- Amazon Simple Email Service
  - AWS Documentation » Amazon SES Documentation » Developer Guide » Sending Email with Amazon SES » Setting up Email with Amazon SES » Verifying Identities in Amazon SES » Verifying Email Addresses in Amazon SES
    Link
  - AWS Documentation » Amazon SES Documentation » Developer Guide » Sending Email with Amazon SES » Setting up Email with Amazon SES » Verifying Identities in Amazon SES » Verifying Email Addresses in Amazon SES » Verifying an Email Address
    Link

SQL Server Installation Error – “The RPC server is unavailable”

December 6, 2018December 6, 2018 Daniel Adeniji Amazon, Amazon Elastic Compute Cloud ( EC2 ), Amazon Web Services ( AWS ), Applets ( Control Panel ), Control Panel, DNS, DNS - Settings, Installation ( SQL Server ), Microsoft, Network ( Control Panel - Applets ), Network Adapter, SQL Server, Technical 0x800706BA, Attempting to check if container 'WinNT://' of user account exists, ErrorCode : 1 (0001), FacilityCode : 1211 (4bb), Microsoft.SqlServer.Configuration.Sco.User.LookupADEntry, System.DirectoryServices.DirectoryEntries.Find, System.Runtime.InteropServices.COMException, The RPC server is unavailable

Background

Trying to install Microsoft SQL Server v2017, but no go.

Error Message

Here is the error message :-

TITLE: Microsoft SQL Server 2017 Setup.

The following error has occurred:

The RPC server is unavailable.

Click ‘Retry’ to retry the failed action, or click ‘Cancel’ to cancel this action and continue setup.

Error Image

error.TheRPCServerIsUnavailable.20181205.0448PM

Troubleshooting

Looked everywhere on this one.

SysInternals

Process Monitor

Tried SysInternals’ Process Monitor, but no help today.

SQL Server

Setup Log

Reached for Microsoft’s SQL Server Setup Log available here ( C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\Log\ ).

The specific file that we want to track on is details.txt

Error Text

Slp: Sco: Attempting to open root DirectoryEntry object for local computer

Slp: Sco: Attempting to check if container ‘WinNT://LABSQL01,computer’ of group exists

Slp: Sco: User group Distributed COM Users exists

Slp: Sco: Attempting to get account sid for user account AD\dadeniji

Slp: Sco: Attempting to get sid for user account AD\dadeniji

Slp: Sco: Attempting to get account sid for user account AD

Slp: Sco: Attempting to get sid for user account AD

Slp: Sco: Attempting to see if user AD\dadeniji exists

Slp: Sco.User.OpenRoot – Attempting to get root DirectoryEntry for domain/computer ‘AD’

Slp: Sco: Attempting to check if user account LABDOMAIN\dadeniji exists

Slp: Sco: Attempting to look up AD entry for user LABDOMAIN\dadeniji

Slp: Sco.User.OpenRoot – root DirectoryEntry object already opened for this computer for this object

Slp: Sco.User.LookupADEntry – Attempting to find user account LABDOMAIN\dadeniji

Slp: Sco: Attempting to check if container ‘WinNT://LABDOMAIN’ of user account exists

Slp: Prompting user if they want to retry this action due to the following failure:

Slp: The following is an exception stack listing the exceptions in outermost to innermost order

Slp: Inner exceptions are being indented

Slp:

Slp: Exception type: Microsoft.SqlServer.Configuration.Sco.ScoException

Slp: Message:

Slp: The RPC server is unavailable.

Slp:

Slp: HResult : 0x84bb0001

Slp: FacilityCode : 1211 (4bb)

Slp: ErrorCode : 1 (0001)

Slp: Data:

Slp: WatsonData = Domain

Slp: DisableRetry = true

Slp: Inner exception type: System.Runtime.InteropServices.COMException

Slp: Message:

Slp: The RPC server is unavailable.

Slp:

Slp: HResult : 0x800706ba

Slp: Stack:

Slp: at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)

Slp: at Microsoft.SqlServer.Configuration.Sco.User.LookupADEntry()

Remediation

Network Configuration Setting

TCP/IP DNS Suffix

The problem ended up being an incomplete DNS Suffixes listing.

You see our server is hosted on AWS and it is an EC2 Instance.

Outline

Access Advanced TCP/IP Settings
- Launch Control Panel
- Access Network Applet
- Access “Advanced TCP/IP Settings”
- Access DNS Tab
- Review “Append DNS Suffixes” group
  - Add corporate DNS suffices

Images

Original Setting

network.dns.20181205.0521PM.PNG

AWS/IAM – CLI :- Multi-Factor Authentication

November 15, 2018November 21, 2018 Daniel Adeniji Amazon Web Services ( AWS ), Identity and Access Management ( IAM ) - AWS, Security Credentials ( AWS - IAM )

Background

If you happen to secure AWS Resources with Multi-Factor authentication, and you are working within the Command Line Interface, you do have bit of jumping on a trampoline to do.

Outline

Multi-Factor Device – Review Settings
- Check MFA Status
  - Is it MFA hardware device or is it Virtual
- Get Device’s ARN
Get Current Identity
Issue and capture of “aws sts get-session-token“
Set Environment Variables based on Session Token
Issue and capture results of “aws sts assume-role”
Set Environment Variables based on Assumed Role
Attempt to access resource

Processing

Multi-Factor Device – Review Settings

Outline

Access IAM Console ( Link )
Search for user
- Enter username
Select sought user
User Summary Screen comes up
Access “Security Credentials” Tab
The “Security Credentials” tab appears
- Note the following
  - Assigned MFA Device
  - Assign MFA Type
    - Virtual in our case

Images

Search for user

IAM.Users.searchUser.20181115.0421PM.PNG

User Summary

IAM.Users.user.Summary.20181115.0423PM.PNG

User – Security Credentials

IAM.Users.user.SecurityCredentials.20181115.0426PM.PNG

Data Set

Assigned MFA device
- arn:aws:iam::[ID]:mfa/[account-id] (Virtual) | Manage
  - id
  - Virtual

Get Current Identity

Outline

Code


aws sts get-caller-identity

Output

Output – Image

sts.getCallerIdentity.20181120.0743PM

Output – Textual


>aws sts get-caller-identity
{
"UserId": "AID",
"Account": "22",
"Arn": "arn:aws:iam::22:user/dadeniji"
}

Issue & Capture Output of “sts get-session-token“

Outline

Issue sts get-session-token
Capture output

Code


setlocal

REM How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?
REM https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

REM Assigned MFA device
REM Is it an MFA hardware device or is it Virtual
rem set _ARNUser = arn:aws:iam::userid:user/awsauth/dadeniji
set _userid=11101
set _ARNmfa=arn:aws:iam::%_userid%:mfa/dadeniji

set _durationInSeconds=129600

REM **********************************************************************************
REAM Read token from device -- cellphone etc
REM **********************************************************************************
set _codeFromToken=506694

rem aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

aws sts get-session-token --serial-number %_ARNmfa% --duration-seconds %_durationInSeconds% --token-code %_codeFromToken% 

endlocal

Output

sts.get-session-token.20181115.0439PM.PNG

Explanation

Please capture the output :-

Credentials
- AccessKeyId
- SecretAccessKey
- SessionToken

Set Session Token – Self

Outline

Set Environment Variables for Self Token

Code


set AWS_ACCESS_KEY_ID=ANTELOPE
set AWS_SECRET_ACCESS_KEY=SAK
set AWS_SESSION_TOKEN=Patti

Assume Role

Outline

aws sts assume-role

Code

Syntax


aws sts assume-role --role-arn=[iam-role] --role-session-name [rolename]

Sample


setlocal

set "_IAMrole=arn:aws:iam::061711:role/housekeeper"
set "_rolename=housekeeper"

aws sts assume-role --role-arn=%_IAMrole% --role-session-name %_rolename%

endlocal

Output

image_assumeRole.01.20181120.0548PM

Set Session Token – Assumed Role

Outline

Set Environment Variables for Role Token

Code


set AWS_ACCESS_KEY_ID=ANTELOPE
set AWS_SECRET_ACCESS_KEY=SAK
set AWS_SESSION_TOKEN=Patti

Get Current Identity

Outline

Code


aws sts get-caller-identity

Output

Output – Image

image_getCallerIdentity.AssumeRole.Post.01.brushedup.20181120.0552PM.png

Output – Textual


aws sts get-caller-identity
{
"UserId": "AID",
"Account": "22",
"Arn": "arn:aws:sts::22:assumed-role/dba"
}

Access Resource

Outline

Access Resource
- Access S3 bucket
- Access RDS DB Resource

Sample

Sample – S3 Bucket

Code

aws s3 ls --profile savanna

Output

request.S3.20181115.0452PM.PNG

References

Amazon
- AWS
  - CLI
    - MFA
      - How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?
        Link
  - Directory Services
    - To establish a trust relationship for an existing role to AWS Directory Service
      Link
  - Granting a User Permissions to Switch Roles
    - id_roles_use_permissions-to-switchLink

AWS – Identity and Access Management ( IAM ) – Switching Roles

November 10, 2018November 28, 2018 Daniel Adeniji Identity and Access Management ( IAM ) - AWS

Background

To better safe ground the system, it is best not to grant sensitive permissions to user accounts. And, only grant those permissions to roles. Users can then be granted membership to the roles.

To perform those sensitive actions, users will have to switch over to the provisioned roles. Perform the actions. And, revert to their user account.

Administrative Function

The system administrator will have to do the following :-

Role
- Create
  - Create Role
Permissions
- Grant
  - Grant permissions to Role
Membership
- Add principals to the Role
Relationship
- Trust Relationship
  - The role must have a trust relationship with the source profile to allow itself to be assumed.
- Assume Role
  - Grant Principals permission to assume the role
  - The source profile must have permission to call sts:assume-role against the role

Sample Policies

AWS ( AWS Documentation » AWS Command Line Interface » User Guide » Configuring the AWS CLI » Assuming a Role ) has a good write-up here.

Role – Trust Relationship with User

sts.AssumeRole.20181110.0242PM

User – Permission to Assume Role

sts.AssumeRole.iamUserPermission.20181110.0249PM.PNG

GUI

Outline

Access Switch Role ( Link )
Enter Role’s Information
- account_id_number–The 12-digit account identifier provided to you by your administrator.
- role_name–The name of the role that you want to assume.
- (Optional) text_to_display–The text that you want to appear on the navigation bar in place of your user name when this role is active.
- Click on the “Switch Role” button
Perform the activities that need the elevated permissions
Revert from role to self

Images

Switch Role

role.SwitchRole.20181110.0452PM

Switched Role

role.Switched.20181110.0451PM.PNG

Command Line Interface ( CLI )

Client Preparation

Let us go over what it takes to prepare a client

Outline

Configure Client’s Credential
Configure Role via Profile Registration

Configure Client’s Credential

Upon installing AWS’s Command Line Interface, one needs to register his\her credentials.

This is done via launching a terminal or command console and issuing the register command.

Validate

Please validate whether you have already done so.

One pathway is through looking for the configure file.

Its location is OS Specific:

Windows
- Syntax :- C:\Users\[username]\.aws\credentials
- Sample :- C:\Users\dadeniji\.aws\credentials

Syntax


aws configure

Steps

Please fill out the details such as :-

AWS Access Key ID
AWS Secret Access Key
Default Region Name
Default output format

Output

aws.configuration.20181109.1117AM.cleanedup.PNG

Effect

Once done the entries are saved in the credentials file.

OS
- Windows
  - Syntax :- C:\Users\[username]\.aws\credentials
  - Sample :- C:\Users\dadeniji\.aws\credentials

Configure Role via Profile Registration

Next create \ edit the configure file.

File Location

It’s location is OS Specific:

Windows
- Syntax :- C:\Users\[username]\.aws\configue
- Sample :- C:\Users\dadeniji\.aws\configure

Nomenclature

account_id_number
- The 12-digit account identifier provided to you by your administrator
role_name
- The name of the role that you want to assume. You can get this from the end of the role’s ARN.
  - If the ARN is arn:aws:iam::403299380220:role/TestRole
    - The role’s name is TestRole
      - As role does not have a path
  - If the ARN is arn:aws:iam::403299380220:role/restaurant/TestRole
    - The role’s name is /restaurant/TestRole
      - As role has a path ( restaurant )

Syntax

[default]

[profile dba]
role_arn = arn:aws:iam::[account-id]:role/[role-name]
source_profile = default
region=[region]

Sample

[default]

[profile dba]
role_arn = arn:aws:iam::0611271771:role/dba
source_profile = default
region=us-west-2

Request

Let us request role processing

Outline

Interactively
Ongoing

Interactive

Overview

We are able to request role switching on each command that needs the designated privileges.

Sample Requests

List IAM Users
- aws iam list-users –profile adminMarketing
List RDS Instances
- aws rds describe-db-instances –profile adminMarketing

Actual Request ( as current user )


aws s3 ls

Textual


An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Image

withSwitchRoleRequestedInteractively.20181110.0400PM

Actual Request – Assume Role


aws s3 ls --profile dba

Textual


An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

Image

withSwitchRoleRequestedInteractively.20181110.0400PM

Textual

Unable to assume role.

Actual Request – Assume Role in debug mode


aws s3 ls --profile dba --debug

Textual


    return self._get_cached_credentials()
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\credentials.py", line 576, in _get_cached_credentials
    response = self._get_credentials()
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\credentials.py", line 698, in _get_credentials
    return client.assume_role(**kwargs)
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\client.py", line 623, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
2018-11-10 14:31:35,342 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

Image

withSwitchRoleRequestedInteractivelyInDebugMode.20181110.0443PM

Textual

Stack Trace that shows the functions called
Return Code ( rc ) is 255

Summary

Will have to work with our AWS Administrators and review the permissions we have on the role.

I need to have the ability to assume the role.

Again, the specific areas that need scrutiny are:

The role must have a trust relationship with the source profile to allow itself to be assumed
And, each of us must have permission to call sts:assume-role against the role

AWS/CLI – AWS Identity and Access Management (IAM) – Basic Commands

November 10, 2018November 20, 2018 Daniel Adeniji Amazon, Amazon Web Services ( AWS ), Identity Access management, Identity and Access Management ( IAM ) - AWS

What is ” Identity and Access Management (IAM)” ?

AWS Identity and Access Management (IAM) is a web service that you can use to manage users and user permissions under your AWS account.

Commands

Full

The current list of all IAM Commands is available here.

Covered

Here are the ones we will cover :-

Command	Explanation	Link
get-account-password-policy	Retrieves the password policy for the AWS account.	Link
get-group	Returns a list of IAM users that are in the specified IAM group	Link
get-role	Retrieves information about the specified role, including the role’s path, GUID, ARN, and the role’s trust policy that grants permission to assume the role.	Link
get-user	Retrieves information about the specified IAM user, including the user’s creation date, path, unique ID, and ARN. If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID used to sign the request to this API.	Link
list-groups	Lists the IAM groups that have the specified path prefix.	Link
list-groups-for-user	Lists the IAM groups that the specified IAM user belongs to.	Link
list-group-policies	Lists the names of the inline policies that are embedded in the specified IAM group.	Link
list-roles	Lists the IAM roles that have the specified path prefix.	Link
list-users	Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account. If there are none, the operation returns an empty list.	Link

get-account-password-policy

Link

Link
Link

Syntax

get-account-password-policy

Sample

get-account-password-policy

Output

get-account-password-policy.20181109.0726PM

Explanation

Policy
- MinimumPasswordLength :- 8
- RequireSymbols :- true
- RequireNumbers :- true
- RequireUppercaseCharacters :- true
- RequireLowercaseCharacters :- true
- ExpirePasswords :- true
- MaxPasswordAge :- 180
  - Passwords have to be changed within 6 months
- PasswordReusePrevention :- 6
  - Specifies the number of previous passwords that IAM users are prevented from reusing.

get-group

Link

Link
Link

Syntax

aws iam get-group --group-name [group-name]

Sample

aws iam get-group --group-name dba

Output

get-group.20181109.0739PM

Explanation

Group Members are listed
Group’s full path, Group Name, Group ID, and Arn

get-role

Link

Link
Link

Syntax

aws iam get-role --role-name [role-name]

Sample

aws iam get-role --role-name prod

Output

Output – Image

get-role.20181120.0405PM

Output – Textual


An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:iam::229191711:user/dadeniji is not authorized to perform: iam:GetRole on resource: role prod

Explanation

Retrieves information about the specified role, including the role’s path, GUID, ARN, and the role’s trust policy that grants permission to assume the role.

get-user

Link

Link
Link

get-user ( Self )

Syntax

aws iam get-user

Sample

aws iam get-user

Output

Output – Image

get-user.20181110.0713PM.PNG

Output – Textual


An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::2291711919:user/dadeniji is not authorized to perform: iam:GetUser on resource: user dadeniji

get-user ( Specified User )

Syntax

aws iam get-user --username [username]

Sample

aws iam get-user --username dadeniji

Output

Output – Image

get-user.20181120.0211PM.PNG

Output – Textual


An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::2291711919:user/dadeniji is not authorized to perform: iam:GetUser on resource: user dadeniji

Explanation

List User’s information

list-groups

Link

Link
Link

Syntax

aws iam list-groups

Sample

aws iam list-groups

Output

list-groups.20181110.0744AM.PNG

Explanation

List groups

list-groups-for-user

Link

Link
Link

Syntax

aws iam list-groups-for-user [username]

Sample

aws iam list-groups-for-user --user-name dadeniji

Output

list-groups-for-users.20181110.0719AM.PNG

Explanation

List User’s Group

list-group-policies

Link

Link
Link

Syntax

aws iam list-group-policies --group-name [group-name]

Sample

aws iam list-group-policies --group-name dba

Output

list-group-policies.20181109.0749PM.PNG

Explanation

List policies granted to the specified group

list-roles

Link

Link
Link

Syntax

aws iam list-roles

Sample

aws iam list-roles --path-prefix /aws

Output

Output – Textual


An error occurred (AccessDenied) when calling the ListRoles operation: User: arn:aws:iam::22:user/awsauth/dadeniji is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::22:role/aws/

Output – Image

list-roles.20181110.1152AM.PNG

Explanation

Permission denied
- In our case we do not have permissions to list roles

list-users

Link

Link
Link

Syntax

aws iam list-users

Sample

aws iam list-users

Output

list-users.20181110.0729AM.PNG

Explanation

List Users
- Path
- UserName
- UserId
- Arn
- CreateDate
- PasswordLastUsed

AWS / Identity Access Management ( IAM ) – List user’s roles

November 9, 2018November 9, 2018 Daniel Adeniji Amazon, Amazon Web Services ( AWS ), Identity and Access Management ( IAM ) - AWS, Technical

Background

Having problems switching roles.

Let us review the list of roles that my principal has access to.

Command Line Interface ( CLI )

Command

Syntax

aws iam list-roles

Sample

aws iam list-roles

Output

Output – An error occurred (AccessDenied) when calling the ListRoles operation

Text


Unable to locate credentials. You can configure credentials by running "aws configure".

Image

aws.iam.listRoles.20181109.1114AM.PNG

Explanation

Please register your account on current computer.

Issue “aws configure” :-

aws.configuration.20181109.1117AM.cleanedup.PNG

Output – An error occurred (AccessDenied) when calling the ListRoles operation

Text


An error occurred (AccessDenied) when calling the ListRoles operation: User: arn:aws:iam::[x1]:user/awsauth/dadeniji is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::x1:role/

Image

aws.iam.listRoles.20181109.1118AM.PNG

Explanation

Insufficient permissions to list roles.

Browser

Please launch a web browser and access the URL https://console.aws.amazon.com/iam/home#/roles.

aws.roles.browser.20181109.1140AM.PNG

Summary

Need to work with our Administrators and make sure that I have sufficient permissions to list our roles.