Overview

Every once in a while you will find an organization which will not give you AWS Console access so you have to become handy using the AWS CLI for managing the infrastructure underneath BOSH. Fear not, the CLI can be used to retrieve even more information than the Console.

You will need to retrieve a set of credentials which come in two flavors:

  • AWS Access and Secret keys
  • IAM Profiles

Retrieving AWS Access and Secret

If you leverage AWS Access and Secret keys they are defined in your deployment manifest for BOSH:

cloud_provider:  
  properties:
    aws:
      access_key_id: AKIATONYANDBRUCE
      region: us-east-1
      secret_access_key: c9someReallyLongPassword4meR

Now you can use this information to configure the AWS CLI which can be installed with these instructions:

aws config  
AWS Access Key ID []: enter cloud_provider.properties.aws.access_key_id here  
AWS Secret Access Key []: enter cloud_provider.properties.aws.secret_access_key here  
Default region name []: enter cloud_provider.properties.aws.region here  
Default output format [json]: just hit enter  

Now you can discover ELB (which you would have in front of your CF Routers) information by:

aws elb describe-load-balancers  

If you also want information about your EC2 instances:

aws ec2 describe-instances  

Retrieving AWS IAM Profile

If you are using IAM profiles your deployment manifest for BOSH will be configured similar to:

cloud_provider:  
  properties:
    aws:
      credentials_source: env_or_profile
      iam_instance_profile: bosh-profile
      region: us-east-1

No access_key_id or secret_access_key here. The AWS CLI can be configured to use a Role but reguires a few additional bits of information:

  • a profile name
  • role_arn

To get the role_arn ssh onto the jumpbox or BOSH Director with the IAM Profile and run:

curl http://169.254.169.254/latest/meta-data/iam/info  

This will output something similar to the following, with InstanceProfileArn containing the value we need:

{
  "Code" : "Success",
  "LastUpdated" : "2017-10-24T17:16:15Z",
  "InstanceProfileArn" : "arn:aws:iam::12345678912:instance-profile/bosh-profile",
  "InstanceProfileId" : "AIPANOTBRUCEORTONEY"
}

For this example we'll call our profile prodaccess. Using the arn_role and profile name info you can craft an AWS config file in ~/.aws/config similar to:

[default]
output = json  
[profile prodaccess]
profile_arn = arn:aws:iam::12345678912:instance-profile/bosh-profile  
source_profile = default  
region = us-east-1  

Now the aws elb command can be executed with the addition of a --profile parameter:

aws elb describe-load-balancers --profile prodaccess  

Similarly you can retrieve ec2 instance information:

aws ec2 describe-instances --profile prodaccess  

Final Thoughts

We all deserve to have nice things. Access to the AWS CLI is a great tool when managing BOSH deployed resources whether contolled by IAM Profiles or traditional AWS Access and Secret Keys.

This tool can also be used to force a reboot of a VM which BOSH has lost control of and bosh cck isn't fixing. Happy to answer questions in the comments below!