AWS Command Line Tool

Attention

These notes are being moved to https://www.pkimber.net/open/salt-cloud-amazon.html

From An Introduction to the AWS Command Line Tool

Tip

Also see Salt Cloud - Amazon

Install

Create your Access Keys by clicking on your user name in the web console and selecting Security Credentials.

Install the command line tool and then configure:

pip install awscli
aws configure

Enter your access key and secret key:

AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: eu-west-1
Default output format [None]: table

I chose eu-west-1 and table for the output format.

The following two commands will get the command line tool running:

aws ec2 describe-regions
aws ec2 describe-availability-zones

Security Group

Find your external IP address:

curl ifconfig.me

From Using Security Groups

Create a security group:

aws ec2 create-security-group \
    --group-name MySecurityGroup \
    --description "My Security Group"
aws ec2 authorize-security-group-ingress \
    --group-name MySecurityGroup \
    --cidr 198.51.100.100/32 \
    --protocol tcp \
    --port 22
aws ec2 authorize-security-group-ingress \
    --group-name MySecurityGroup \
    --protocol tcp \
    --cidr 0.0.0.0/0 \
    --port 80
aws ec2 authorize-security-group-ingress \
    --group-name MySecurityGroup \
    --protocol tcp \
    --cidr 0.0.0.0/0 \
    --port 443

Note

Replace the IP address (198.51.100.100) above with your own!

If you want to allow SSH access from anywhere, replace the port 22 rule above (the second command) with the following:

aws ec2 authorize-security-group-ingress \
    --group-name MySecurityGroup \
    --cidr 0.0.0.0/0 \
    --protocol tcp \
    --port 22

Tip

authorize-security-group-ingress can be repeated as required.

Tip

To remove a rule, use revoke-security-group-ingress with the same parameters as authorize-security-group-ingress.

To view the details for the security group:

aws ec2 describe-security-groups --group-names MySecurityGroup

To delete a security group:

aws ec2 delete-security-group --group-name MySecurityGroup

Salt Master

To allow inbound connections to a Salt master…

Create the security group:

aws ec2 create-security-group \
    --group-name SaltMaster \
    --description "Salt Master"
aws ec2 authorize-security-group-ingress \
    --group-name SaltMaster \
    --protocol tcp \
    --cidr 0.0.0.0/0 \
    --port 4505
aws ec2 authorize-security-group-ingress \
    --group-name SaltMaster \
    --protocol tcp \
    --cidr 0.0.0.0/0 \
    --port 4506

Assign the group to the Salt Master:

Find the InstanceId, current group id and the new group id:

# find the instance id (in this example, the name is 'master-ec2')
# filter by the 'Name' tag.
aws ec2 describe-instances --filters "Name=tag:Name,Values=master-ec2"

# find the id of the new group
aws ec2 describe-security-groups --group-names SaltMaster

Assign the old group id and the new group id to the instance:

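# legacy EC2 API tools syntax
ec2-modify-instance-attribute i-6b9cf329 --group-id sg-fd35ea98
# AWS CLI syntax: --groups replaces the instance's whole group list,
# so pass both the old and the new group id
aws ec2 modify-instance-attribute --instance-id i-6b9cf329 --groups sg-fd35ea98 sg-85d41fe0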
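
Added example (not part of the original notes): a check over the JSON printed by aws ec2 describe-security-groups --output json that reports rules leaving port 22 or the Salt ports 4505/4506 open to every address. The port list, the function names and the sample data are assumptions made for this illustration.

```python
import ipaddress
import json

# Ports this page opens that would normally be limited to known addresses
# (assumption for this example: 22 = SSH, 4505/4506 = Salt master).
RESTRICTED_PORTS = {22, 4505, 4506}

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`,
# trimmed to the fields used; the Salt rule is a 4505-4506 range to exercise ranges.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupName": "MySecurityGroup", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.100/32"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupName": "SaltMaster", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 4505, "ToPort": 4506, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")


def world_open(perm):
    """Return the CIDRs in a rule that cover every address (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def exposed_ports(perm):
    """Restricted ports covered by a rule; protocol -1 means all traffic."""
    if perm["IpProtocol"] == "-1":
        return set(RESTRICTED_PORTS)
    if perm["IpProtocol"] != "tcp":
        return set()
    return {p for p in RESTRICTED_PORTS if perm["FromPort"] <= p <= perm["ToPort"]}


def audit(doc):
    """Return sorted (group name, port, cidr) findings for world-open restricted ports."""
    findings = []
    for group in doc["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            for cidr in world_open(perm):
                findings += [(group["GroupName"], p, cidr) for p in exposed_ports(perm)]
    return sorted(findings)


if __name__ == "__main__":
    for name, port, cidr in audit(SAMPLE):
        print(f"{name}: tcp/{port} open to {cidr}")
```

To run it against a real account, replace SAMPLE with the parsed output of the describe-security-groups command.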