====== jq - json parser ======
jq tutorial:- [[https://cameronnokes.com/blog/working-with-json-in-bash-using-jq/]]
====== AWS Policy - get ARN ======
$ CREATEPOLICY=`aws iam create-policy --profile sandbox --policy-name iam-key-age-test-policy --policy-document file://lambdaPolicy-iam-key-age.json`
{
"Policy": {
"PolicyName": "iam-key-age-test-policy",
"PolicyId": "ANPAYJCO7BT6GMCF63B2L",
"Arn": "arn:aws:iam::569248779516:policy/iam-key-age-test-policy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2021-09-27T11:04:21Z",
"UpdateDate": "2021-09-27T11:04:21Z"
}
}
# -r so the ARN is stored without the surrounding double quotes
$ POLICYARN=$(echo "$CREATEPOLICY" | jq -r '.Policy.Arn')
====== AWS Keys ======
{
"Version": 1,
"AccessKeyId": "ASIA6DGFDFAccessID",
"SecretAccessKey": "asdads-accesssecret",
"SessionToken": "SecretSession==",
"Expiration": "2023-09-19T11:30:06Z"
}
jq -r prints raw output without the surrounding quotes. Use it when assigning the result to a variable or piping it to another command.
$ cat aws.json | jq ".AccessKeyId"
"ASIA6DGFDFAccessID"
$ cat aws.json | jq -r ".AccessKeyId"
ASIA6DGFDFAccessID
$ cat aws.json | jq -r ".SecretAccessKey"
asdads-accesssecret
$ cat aws.json | jq -r ".SessionToken"
SecretSession==
====== Extracting multiple values in one pass ======
Use a comma to separate multiple fields to extract:-
Raw output for NAT gateways:-
$ aws ec2 describe-nat-gateways
{
"NatGateways": [
{
"CreateTime": "2024-02-10T14:30:57+00:00",
"NatGatewayAddresses": [
{
"AllocationId": "eipalloc-abcd1234987658428",
"NetworkInterfaceId": "eni-dcbaabcd12348765b",
"PrivateIp": "10.10.10.60",
"PublicIp": "32.231.232.69",
"AssociationId": "eipassoc-abcddcba123427a41",
"IsPrimary": true,
"Status": "succeeded"
}
],
"NatGatewayId": "nat-abcddcba123467dea",
"State": "available",
"SubnetId": "subnet-abcddcba12349399f",
"VpcId": "vpc-abcddcba12345b91c",
"Tags": [
{
"Key": "Name",
"Value": "poc-nat-public1-eu-west-1a-v2"
}
],
"ConnectivityType": "public"
}
]
}
Code to extract just the NAT gateway ID, state and network interface ID of the address in use:-
$ aws ec2 describe-nat-gateways | jq ".NatGateways | .[] | .NatGatewayId, .State, .NatGatewayAddresses[].NetworkInterfaceId"
"nat-abcddcba123467dea"
"available"
"eni-abcddcba1234f5f0b"
$
====== Parameter Store ======
$ aws ssm describe-parameters --parameter-filters "Key=Name,Values=/repo/testpar,Option=Contains"
{
"Parameters": [
{
"Name": "/repo/testpar1",
"Type": "String",
"LastModifiedDate": 1701778211.029,
"LastModifiedUser": "arn:aws:iam::121235658337:user/sysadmin",
"Description": "repo_backup",
"Version": 2,
"Tier": "Standard",
"Policies": [],
"DataType": "text"
},
{
"Name": "/repo/testpar2",
"Type": "String",
"LastModifiedDate": 1701778219.313,
"LastModifiedUser": "arn:aws:iam::121235658337:user/sysadmin",
"Description": "repo_backup",
"Version": 2,
"Tier": "Standard",
"Policies": [],
"DataType": "text"
}
]
}
$ aws ssm describe-parameters \
--parameter-filters "Key=Name,Values=/repo/testpar,Option=Contains" \
| jq '.[] | .[] | .Name'
"/repo/testpar1"
"/repo/testpar2"
Or:-
| jq '.[] | .[].Name'
| jq '.Parameters | .[].Name'
====== aws sts assume-role ======
This is different because the output has two top-level keys (Credentials and AssumedRoleUser), so the credential fields sit one level down:-
file1.txt
{
"Credentials": {
"AccessKeyId": "AKIATEST",
"SecretAccessKey": "r3allys3cret",
"SessionToken": "verrrrryLongTokenString",
"Expiration": "2023-02-20T12:20:30+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "interestingRole",
"Arn": "arn:aws:sts::234567890:assumed-role/IAM_FullAccess/delete-iam-stuff"
}
}
This extracts the SessionToken; change the final field to get the AccessKeyId or SecretAccessKey as appropriate:-
$ cat file1.txt | jq --raw-output '.["Credentials"] | .SessionToken'
verrrrryLongTokenString
$
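Added example, not part of the original notes: a shell function that pulls all three credential fields out of the assume-role output above in one jq pass (the comma operator from the multiple-values section) and exports them as the standard AWS_* environment variables, refusing to export anything if a field is missing. The function names and the embedded sample JSON are constructed for illustration.

```shell
# Added example (not from the original page): export the three temporary
# credentials from `aws sts assume-role` output using one jq pass.

# Constructed sample in the shape of file1.txt above; placeholder values only.
sample_assume_role_json() {
cat <<'EOF'
{
  "Credentials": {
    "AccessKeyId": "AKIATEST",
    "SecretAccessKey": "r3allys3cret",
    "SessionToken": "verrrrryLongTokenString",
    "Expiration": "2023-02-20T12:20:30+00:00"
  },
  "AssumedRoleUser": { "AssumedRoleId": "interestingRole" }
}
EOF
}

# load_assumed_role_creds JSON   (hypothetical helper name)
# Takes the JSON as an argument rather than on a pipe: in bash and dash a
# function on the right-hand side of a pipe runs in a subshell, so its
# exports would be lost.
load_assumed_role_creds() {
  local out key secret token
  # The comma operator emits the three fields one per line (-r strips quotes).
  # error() makes jq exit non-zero if any field is missing or empty, so a
  # failed call never yields the literal string "null" as a credential.
  out=$(printf '%s' "$1" | jq -r '
    .Credentials
    | if ([.AccessKeyId, .SecretAccessKey, .SessionToken]
          | all(type == "string" and length > 0))
      then .AccessKeyId, .SecretAccessKey, .SessionToken
      else error("incomplete Credentials object") end') || return 1
  # Empty input makes jq print nothing and exit 0; the chained reads catch it.
  { read -r key && read -r secret && read -r token; } <<EOF || return 1
$out
EOF
  # Export only after all three values were read, so a failure leaves any
  # credentials already in the environment untouched.
  export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" \
         AWS_SESSION_TOKEN="$token"
}

# Usage: load_assumed_role_creds "$(cat file1.txt)"
```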