S3 bucket names

Just making sure that we all understand this: 👇 👇

“An Amazon S3 bucket name is globally unique, and the namespace is shared by all AWS accounts. This means that after a bucket is created, the name of that bucket cannot be used by another AWS account in any AWS Region until the bucket is deleted” - From this Buckets overview

This means trial-bucket is a name you cannot create a bucket with, even if a bucket with that name does not exist in your account. trial-bucket has been used by someone, somewhere. Go ahead, give it a try. 🤯

This is also why, if you are trying to create an S3 bucket, you may see this error message (or a version of it): An error occurred (IllegalLocationConstraintException) when calling the CreateBucket operation: The unspecified location constraint is incompatible for the region specific endpoint this request was sent to.

XHTML syntax for inserting code blocks in XHTML based wikis as an example

First, insert the DOCTYPE before the <head> tag of the page if it does not already exist. This ensures that the browser uses strict formatting and is backward compatible. Without the DOCTYPE, browsers use quirks mode (before web standards). I have used the “strict” DTD. You can choose any one of the 3 available DTDs.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<head>
  ....
</head>

Next, wrap the text that you want to show as a code block in <pre>... Your text ... </pre> tags. That simple. Took me a whole day trying with <code>, <samp>, <kbd>

  code block
  code block

CSS Validation service

Go here

XHTML Validation service

Go here

Cross account access for Glue to S3

Of the 2 methods AWS Glue offers for granting cross-account access, prefer the IAM role. This is because IAM roles work across partitions (i.e., cross-account access between aws and aws-cn), whereas resource-based policies cannot cross partitions.

Situation:

  • Account 123456789012 contains an S3 bucket (say, arn:aws:s3:::source-data-bucket) from which data needs to be pulled
  • Account 456789012345 contains a Glue crawler and catalog resources, which will crawl and gather the data

High level steps:

  • Definitely remove the ACL from the bucket in account 123456789012
  • Before setting up the Glue crawler, first prepare the cross account access role for Glue crawler in account 456789012345. Do that by first creating an IAM policy in account 456789012345 as below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::source-data-bucket/<prefix>/*"
            ]
        }
    ]
}

<prefix> is the s3 bucket prefix, if you have specified any. I have used this to pull cost & usage data from CUR, hence a prefix was set in the CUR report definition.

Then create an IAM role (e.g., CrossAccountGlueAccessForS3) which should include the policy created above plus the AWSGlueServiceRole (arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole) managed policy. Add Glue in the Trust Relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "glue.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
  • Then set up your Glue crawler in account 456789012345 using this new role (CrossAccountGlueAccessForS3) that you have created. If unfamiliar, you can set up Glue crawler following the instructions here
  • Go back to account 123456789012. Create a bucket policy including the below statement for the bucket (arn:aws:s3:::source-data-bucket) in question.
{
    "Sid": "CrossAccountGlueAccess",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::456789012345:role/service-role/CrossAccountGlueAccessForS3"
        ]
    },
    "Action": [
        "s3:GetObject",
        "s3:ListBucket"
    ],
    "Resource": [
        "arn:aws:s3:::source-data-bucket",
        "arn:aws:s3:::source-data-bucket/*"
    ]
}

I needed to only scope down the policy to using two S3 permissions - GetObject and ListBucket. It is up to you to specify what actions you will allow the role from account 456789012345 to perform.
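Cross-account S3 access needs an Allow on both sides: the role's identity policy and the bucket policy. The following is an added example, not part of the original notes, that evaluates the two policy statements shown above against each other to show which permissions are actually effective. It is a simplified evaluator (Allow statements only; Deny, Condition and the AWSGlueServiceRole managed policy are not modeled), the object keys are constructed, and the caller is assumed to be the role named in the bucket policy's Principal.

```python
import fnmatch

# Identity policy attached to the role in account 456789012345 (from the page).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::source-data-bucket/<prefix>/*"],
}]}

# Bucket policy statement in account 123456789012 (from the page).
# Principal is not evaluated here: the caller is assumed to be this role.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "CrossAccountGlueAccess",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::456789012345:role/service-role/CrossAccountGlueAccessForS3"]},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::source-data-bucket", "arn:aws:s3:::source-data-bucket/*"],
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """True if any Allow statement matches the action and resource."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive; resource ARNs are not.
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r)
                          for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def cross_account_decision(action, resource):
    """Effective access is the intersection of the two policies."""
    identity = allows(IDENTITY_POLICY, action, resource)
    bucket = allows(BUCKET_POLICY, action, resource)
    return {"identity": identity, "bucket": bucket, "effective": identity and bucket}

BUCKET = "arn:aws:s3:::source-data-bucket"
OBJ = BUCKET + "/<prefix>/report.csv"  # constructed key under the page's placeholder prefix
if __name__ == "__main__":
    for action, resource in [("s3:GetObject", OBJ), ("s3:PutObject", OBJ),
                             ("s3:ListBucket", BUCKET), ("s3:GetObject", BUCKET + "/other/x")]:
        print(action, resource, cross_account_decision(action, resource))
```

The s3:PutObject grant in the identity policy has no matching Allow in the bucket policy, so it is unused privilege that can be dropped from the role.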

To VSCode from PyCharm

Just a quick note for self and those wandering souls - if you change a code file in VSCode, you need to save it first before the change can take effect - like in your git status, cdk synth, or cdk diff (for AWS CDK) calls. In PyCharm, you don’t need to. Otherwise, ensure you enable Autosave in VSCode.

When running that TicTacToe tutorial

Say you find yourself learning React using the TicTacToe tutorial. You are at the step called Setup for the tutorial. You do not want to use CodeSandbox as stated in the tutorial and want to run the tutorial on your local development server using your favorite IDE. In the Notes section of Setup for the tutorial, the missing step between 4 and 5 is npm run build. You may run into the “React must be in scope when using JSX” error and follow a bunch of fix steps (ESLint, importing React etc.) to no avail. Run the build command to build your project and then run npm start.

Powerline-patched font

In order for the Powerline-patched font to work correctly on your iTerm2, ensure that you check the option called Use built-in Powerline glyphs in the iTerm2 settings (Preferences -> Profile -> Text). The rest of the installation is here

CDK commands when using an IAM Identity Center Profile

Most CDK commands will require you to use an additional --profile <PROFILE NAME> if you have set up SSO credentials under a non-default profile.

For example, your most benign CDK bootstrap command is:

cdk bootstrap aws://<ACCOUNT ID>/<REGION>

However, if you have set up your SSO credentials using a profile name (and not default), the command you need to issue for bootstrapping is:

cdk bootstrap --profile <PROFILE NAME> aws://<ACCOUNT ID>/<REGION>