AWS Dry-Run

Sometimes, we want to know if we have the necessary permissions to execute a certain command, but we don’t really want to execute it!

And let’s say that for some reason we can’t access IAM to check our permissions.

For this, we have --dry-run, a parameter supported by some AWS CLI commands.

Suppose we want to know if our user has the necessary permissions to run instances. We have a test user, teratip.

A correct example of run-instances would be something like this:

aws ec2 run-instances --image-id ami-02edf5731752693cc --instance-type t2.micro

But we don't want to run this, because if we have the correct permissions the instance will be created, and our billing will be affected!

So let’s just add --dry-run to the command and see what happens:

aws ec2 run-instances --dry-run --image-id ami-02edf5731752693cc --instance-type t2.micro

The message indicates that an error occurred when calling the RunInstances operation, and that the request would have been successful but we specified the --dry-run flag.

This is the correct behavior when we have the proper permissions for the operation.

Now, using a user that does have access to IAM, let’s check the policy assigned to the Teratip user:

As we can see, the Teratip user has the correct permissions to execute the ec2 run-instances command.

Now, let’s do a test, and remove the assigned policy from the user, and see what happens when we execute the command:

As we can see, when the operation is executed with --dry-run and we don’t have the necessary permissions, we get a long error like this.
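Both outcomes described above come back from the CLI as errors with a non-zero exit status, so a script has to tell them apart by the error code in the message. The sketch below is an added example, not part of the original post: the function names and the sample messages are constructed for illustration, and can_run_instances assumes an installed AWS CLI with credentials and a default region.

```shell
#!/bin/sh
# Added example: classify the outcome of an EC2 --dry-run call.
# The error code in the message, not the exit status, separates
# "would have succeeded" from "not authorized".

# classify_dry_run TEXT -> prints allowed | denied | unknown
classify_dry_run() {
  case "$1" in
    *"(DryRunOperation)"*)       echo allowed ;;
    *"(UnauthorizedOperation)"*) echo denied ;;
    *)                           echo unknown ;;  # any other error: decide nothing
  esac
}

# encoded_failure_message TEXT -> prints the encoded blob from a denial, if any
encoded_failure_message() {
  printf '%s\n' "$1" |
    sed -n 's/.*Encoded authorization failure message: *\([^ ]*\).*/\1/p'
}

# can_run_instances AMI TYPE -> runs the real dry-run and classifies it
can_run_instances() {
  # Keep stderr (where the CLI reports the error), discard stdout.
  err=$(aws ec2 run-instances --dry-run --image-id "$1" \
        --instance-type "$2" 2>&1 >/dev/null) || true
  classify_dry_run "$err"
}

# Constructed sample messages in the CLI error format (blob is a placeholder).
SAMPLE_OK='An error occurred (DryRunOperation) when calling the RunInstances operation: Request would have succeeded, but DryRunOperation flag is set.'
SAMPLE_DENIED='An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. Encoded authorization failure message: PLACEHOLDER_ENCODED_BLOB'
SAMPLE_OTHER='An error occurred (InvalidAMIID.NotFound) when calling the RunInstances operation: constructed message text'

for s in "$SAMPLE_OK" "$SAMPLE_DENIED" "$SAMPLE_OTHER"; do
  classify_dry_run "$s"
done
encoded_failure_message "$SAMPLE_DENIED"
```

The encoded blob in a denial can be decoded with aws sts decode-authorization-message --encoded-message, which itself requires the sts:DecodeAuthorizationMessage permission.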

This is a great way to test our API calls without affecting our billing.

Rodrigo González

DevOps Engineer

