Installing AWS CLI on EC2 ARM Ubuntu
Troubleshooting command line install
One of my stories on Ubuntu on AWS
I wrote about how I started using RDP on AWS EC2 Ubuntu here:
Today I tried to install the AWS CLI.
TLDR;
The AWS documentation doesn’t work.
Try this:
sudo apt install pip
python3 -m pip install awscliv2
~/.local/bin/awscliv2 --install
echo 'export PATH=$PATH:~/.local/bin' >>~/.bashrc
echo 'alias aws="awsv2"' >>~/.bashrc
source ~/.bashrc
You need port 80 open to the aws ubuntu server repos.
Switch the NTP servers to AWS servers.
You may need some other ports open to ubuntu security and Canonical but I’d have to do this from a fresh install using the commands above and look at the traffic to see if any other sources are actually needed.
I had to manually set a host below to a non-IPv6 address in my hosts file due to DNS only resolving to IPv6. You may or may not need that in the end.
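An added example, not from the original post: a shell function that turns apt source definitions into the host and port pairs an egress rule has to allow, plus a check for whether a host has any IPv4 address. The sample sources and the mirror.example.com and packages.example.org hosts are constructed; only security.ubuntu.com comes from the post.

```bash
#!/usr/bin/env bash
# Added example: derive the egress allow-list that apt needs from its source
# definitions, so security group rules can stay narrow.

# stdin: apt sources text, either one-line "deb ..." entries or deb822 "URIs:" lines.
# stdout: unique "host port" pairs, sorted.
apt_egress_targets() {
  awk '
    $1 ~ /^#/ { next }                      # skip commented-out sources
    {
      for (i = 1; i <= NF; i++) {
        if ($i !~ /^https?:\/\//) continue  # only URL fields matter
        port = ($i ~ /^https:/) ? 443 : 80  # default port for the scheme
        host = $i
        sub(/^https?:\/\//, "", host)       # drop scheme
        sub(/\/.*$/, "", host)              # drop path
        if (host ~ /:[0-9]+$/) {            # an explicit port in the URI wins
          port = host
          sub(/^.*:/, "", port)
          sub(/:[0-9]+$/, "", host)
        }
        print host, port
      }
    }
  ' | LC_ALL=C sort -u
}

# Returns 0 if the host resolves to at least one IPv4 address.
# Needs working DNS, so it is defined here but not called on the sample.
has_ipv4() { getent ahostsv4 "$1" >/dev/null 2>&1; }

# Constructed sample; on a real host feed in /etc/apt/sources.list and
# the files under /etc/apt/sources.list.d/ instead.
SAMPLE_SOURCES='# constructed sample
deb http://mirror.example.com/ubuntu-ports jammy main restricted
deb http://mirror.example.com/ubuntu-ports jammy-updates main restricted
deb [arch=arm64] http://security.ubuntu.com/ubuntu jammy-security main
URIs: https://packages.example.org:8443/apt'

printf '%s\n' "$SAMPLE_SOURCES" | apt_egress_targets
```

Running `has_ipv4` on each host in the output shows which entries would need a hosts-file pin or a different mirror on an IPv4-only network.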
The whole long story that took me way too long…
Initially I used these commands:
curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
I got those from the documentation here for Linux Arm:
Curl worked fine.
unzip fails:

So I ran the update command first by trying to copy and paste it. I thought the keyboard shortcut from my mac worked yesterday but it doesn’t now. I have to use Copy and Paste by right clicking:

Then I had to clean up the pasted command as it had some extra characters.
Then I got this error:

So I try to install libu2f-udev and I get:

So I try to install xdg-utils but I run into a circular dependency problem:

Then I get this error:

Ok let’s try that using root.
sudo apt --fix-broken install


At some point I realized I had to add more firewall rules to allow updates on port 80 to specific AWS IP addresses. One of those addresses was problematic because it was an IPv6 address which I do not allow on my networks just because it’s easier for me to decipher and manage. I hope IPv6 is not a requirement for updates.

What is interesting when I query security.ubuntu.com from my local network I get:

Anyway I tried running the command again after opening the network excluding IPv6 and it seemed to work.
Then I run the command to install unzip again.
Then the unzip command worked.
Then I ran the next command from the documentation and I got this:

Next I navigated into the aws/install directory and executed “install” and got this:

OK so I run that command and I get this:

OK so then I try to run the apt-update command and hit errors on security.ubuntu.com resolving to IPv6, so I update my hosts file:
sudo vi /etc/hosts
Save the file:
:wq!
Test that the domain resolves to the IP I set:

This should work:


Except that I forgot to allow that IP on port 80 through my security group rules.
Then I got this:

Hmm. OK let’s perform the upgrade.
Interesting result:

Hit enter for OK and my session got disconnected…
And now I cannot log back in. Wait for a while…
Nope. Tries to connect and immediately disconnects.
Reboot.
Nope.

Stop and restart. Well, I have to force stop.
And at this point I see that my instance is trying to connect to what tend to be sketchy networks (Digital Ocean, Hurricane, Linode, and also Cloudflare which is not usually too sketchy but can be abused).
Looks like this may be NTP traffic (port 123) but can’t know for sure without seeing the packet data. Looks like Ubuntu might not be configured to use the AWS NTP servers.

Yep, the ntp configuration points to ubuntu.pool.ntp.org instead of the AWS NTP Servers:

Fix as described here with the chrony option.
Now the traffic on port 123 goes to AWS.
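An added example, not from the original post: a shell audit that lists configured time sources other than the Amazon Time Sync Service, and a rewrite that comments them out of chrony-style config. The address 169.254.169.123 is the service's link-local IPv4 endpoint; the sample config is constructed, and which file your instance actually uses is an assumption to verify.

```bash
#!/usr/bin/env bash
# Added example: find and replace non-AWS NTP sources in time-sync config text.
AWS_NTP="169.254.169.123"   # Amazon Time Sync Service (link-local IPv4)

# stdin: chrony.conf / ntp.conf text ("server|pool HOST ...") or
#        systemd-timesyncd text ("NTP=..." / "FallbackNTP=...").
# stdout: every configured time source that is not $AWS_NTP, one per line.
non_aws_time_sources() {
  awk -v aws="$AWS_NTP" '
    $1 ~ /^#/ { next }                                # comment lines
    $1 == "server" || $1 == "pool" { if ($2 != aws) print $2; next }
    $1 ~ /^(NTP|FallbackNTP)=/ {
      line = $0
      sub(/^[ \t]*[^=]*=/, "", line)                  # keep the value only
      n = split(line, hosts, " ")
      for (i = 1; i <= n; i++) if (hosts[i] != aws) print hosts[i]
    }
  '
}

# stdin: chrony.conf text.
# stdout: same text with non-AWS sources commented out and the AWS source
#         appended if it was missing.
use_aws_time_source() {
  awk -v aws="$AWS_NTP" '
    ($1 == "server" || $1 == "pool") && $2 != aws { print "# " $0; next }
    $1 == "server" && $2 == aws { seen = 1 }
    { print }
    END { if (!seen) print "server " aws " prefer iburst minpoll 4 maxpoll 4" }
  '
}

# Constructed sample, modelled on the pool entries the post describes.
SAMPLE_CHRONY='# constructed sample
pool ubuntu.pool.ntp.org iburst maxsources 4
pool 2.ubuntu.pool.ntp.org iburst maxsources 2
keyfile /etc/chrony/chrony.keys'

printf '%s\n' "$SAMPLE_CHRONY" | non_aws_time_sources   # sources to remove
printf '%s\n' "$SAMPLE_CHRONY" | use_aws_time_source    # corrected config
```

With only the link-local source configured, outbound UDP 123 to the internet can be denied in the security group and any remaining attempts stand out in flow logs.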

After restarting my VM, I can connect to it again, but I still cannot run the AWS CLI.
…
OK …back at it later and run sudo apt update again.
I ended up with an error that four packages were being held back. Had an issue with disk space so I deleted some files and cleared the trash. Got to the last package and got this error:
update-notifier-download.service is a disabled or a static unit not running,
not starting it.
Now for some reason, that error went away. The only thing I did was run these commands (with sudo):
uname -a
lsb_release -crid
sudo dpkg --audit
apt-cache policy update-notifier-common usrmerge update-notifier update-manager
dpkg -S /bin/bin2c
dpkg -S /usr/bin/bin2c
ls -l /bin/bin2c
ls -l /usr/bin/bin2c
sudo dpkg --configure -a
and I run one more update. For some reason the error with the last package went away.
Tried to run AWS again and failed. Tried to update AWS again and failed:

Tried some other commands just to see if they work and got this:

Interesting. What’s a snap?
When I try to run the snap command I get this:

OK I’ll try it. I don’t recommend this in high-security environments.

Yeah, no.
So I am stuck at this which I presume has something to do with the way the AWS CLI is compiled for arm but who knows.

Finally I searched around and found this page which has the option for python.
https://www.cyberciti.biz/faq/how-to-install-aws-cli-on-linux/
First I had to install pip using the same methods as above (…install pip)
Then I tried this method which seems to work:

That appeared to work. Next command:

Seems to work.
Well, running the traditional command to test aws did not work. However, I can see that the command works above. awsv2 from my home directory did not work either. By looking closely at the information above I figured out where the executable ended up and navigated to that directory. From there I could see that somehow in all of the above I got two versions of the awscliv2 in the ~/.local/bin directory.
I executed the awsv2 version command and it worked as you can see below. So did the other CLI I somehow installed along the way.

Well, I’m not an ubuntu guru just yet. So how do I map that executable so I can call it from anywhere — get it in my path or whatever, and permanently. That’s what I have left to figure out. And I can see that at the bottom of the above article:

AWS really needs to update the documentation for this to make it easier.
Teri Radichel | © 2nd Sight Lab 2023
