Cloud

Logging In to AWS and GCP

January 22, 2023

Here’s my Bash script to login to both AWS and GCP. It has a little bit of intelligence. It checks if you are already logged in, and skips if you are. If not logged in, it will open up the cloud web console which is protected by Okta. The script has been redacted and replace with generic usernames and web pages for security reasons.

#!/bin/bash
## CHECK IF LOGGED IN TO GCP 
read -p "Login to GCP? (y/n) : " login_gcp
if [[ $login_gcp = "y" ]]; then
  file1="/Users/username/code/etc/auth-gcp.txt"
  gcloud auth print-identity-token 1> /dev/null 2> $file
  user=$(gcloud config list account --format "value(core.account)")
  auth=$(cat "$file" | head -n 1)
  rm -f $file1
  if [[ $auth == "Reauthentication required." ]] ||  [[ $user != "first.last@domain.com" ]]; then
    echo "Logging in to Google Cloud Platform."
    gcloud auth login
    gcloud auth application-default login
    open https://okta-login
  else
    echo "You are already logged in to Google Cloud Platform."
  fi
else
  echo "Skipping GCP ... "
fi
## CHECK IF LOGGED IN TO AWS
read -p "Login to AWS? (y/n) : " login_aws
if [[ $login_aws = "y" ]]; then  
  file2=""/Users/username/code/etc/auth-aws.txt""
  aws sts get-caller-identity 2> $file2
  expired=$(tail -n +2 "$file2")
  rm -f $file2
  if [[ $expired =~ "expired" ]] || [[ $expired =~ "Unable" ]]; then
    open https://okta-login
    echo "please wait until web page loads ... "
    read -p "Press any key to continue... " -n1 -s
    echo ""
    basecred='/Users/username/.aws/credentials.base'
    newcreds='/Users/username/Downloads/credentials'
    creds='/Users/username/.aws/credentials'
    if [ ! -f $newcreds ]; then
      echo 'No AWS credentials.'
      exit
    else
      cat $newcreds $basecred > $creds
      echo 'New AWS credentials.'
      sleep 3
      rm -f $newcreds
    fi
  else
    echo "You are already logged in to AWS."
  fi
else 
  echo "Skipping AWS ... "
fi

AWS Create Volume From Snapshot with Tags

January 19, 2023

Here’s another script that creates a volume from a snapshot, but also add the tags.

#!/bin/bash
read -p "server     : " server
read -p "volumeId   : " volume
read -p "snapshotId : " snapshot
read -p "region     : " region
read -p "zone       : " zone
read -p "profile    : " profile
# get tags
tags1=$(aws ec2 describe-volumes --volume-ids $volume --query 'Volumes[].Tags[]' --region $region --profile $profile)
# remove quotes
tags2=$(echo "$tags1" | tr -d '"')
# remove spaces
tags3=$(echo $tags2 | sed 's/ //g')
# replace : with =
tags4=$(echo $tags3 | sed 's/:/=/g')
# if empty value replace with quotes
tags5=$(echo $tags4 | sed 's/Value=}/Value=""}/g')
# create volume
aws ec2 create-volume \
--availability-zone $zone \
--encrypted \
--iops 3000 \
--volume-type gp3 \
--snapshot-id $snapshot \
--tag-specifications 'ResourceType=volume,Tags='$tags5'' \
--region $region \
--profile $profile

AWS Create Volume From Snapshot

January 18, 2023

Here’s a bash script that creates a volume from a snapshot in AWS.

#!/bin/bash
read -p "snapshotId : " snapshot
read -p "server     : " server
read -p "tag1       : " tag1
read -p "tag2       : " tag2
read -p "region     : " region
read -p "zone       : " zone
read -p "profile    : " profile
aws ec2 create-volume \
--availability-zone $zone \
--encrypted \
--iops 3000 \
--volume-type gp3 \
--snapshot-id $snapshot \
--tag-specifications "ResourceType=volume,Tags=[{Key=Name,Value="$server"},{Key=tag1,Value="$tag1"},{Key=tag2,Value="$tag2"}]" \
--region $region \
--profile $profile

CloudWatch Notifications

September 7, 2022

How to give someone access to enable/disable CloudWatch notifications.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:DescribeAlarms",
                "cloudwatch:EnableAlarmActions",
                "cloudwatch:DisableAlarmActions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

GCP Role Policy Binding

September 6, 2022

How to display the policy binding.

gcloud compute instances get-iam-policy SERVER --project=PROJECT_ID --zone=ZONE

Result

# There is no binding policy
etag: ACAB
 
# There is a binding policy
bindings:
- members:
  - serviceAccount:SERVICEACCOUNT
  role: organizations/xxxxxxxxxxxx/roles/ROLE
etag: xxxxxxxxxxx=
version: 1

Add a role binding policy

gcloud compute instances add-iam-policy-binding SERVER \
--project=PROJECT_ID \
--zone=ZONE \
--member=serviceAccount:SERVICEACCOUNT \
--role="organizations/xxxxxxxxxxxx/roles/ROLE"

Remove a role binding policy

gcloud compute instances remove-iam-policy-binding SERVER \
--project=PROJECT_ID \
--zone=ZONE \
--member=serviceAccount:SERVICEACCOUNT \
--role="organizations/xxxxxxxxxxxx/roles/ROLE"