How do I download credentials to use with euca2ools/API?

From CAC Documentation wiki
  • You'll need euca2ools 3.4.1 to work with the Eucalyptus 4.4 cloud. See here for downloading and installation instructions. Install euca2ools on your Linux or Mac client.
  • On your client, create the ~/.euca/euca2ools.ini file. If you use both clouds, your euca2ools.ini file can have multiple region sections, one for each cloud, as well as multiple user sections. Since you may have the same 'user' (account name) in both regions, you'll need to name the user sections differently if you need both, like [user <account name>-ith] and [user <account name>-nyc]. The euca2ools.ini file for Red Cloud ITH:
[global]
default-region = redcloud-ith

[region redcloud-ith]
autoscaling-url = https://autoscaling.euca44.cac.cornell.edu:8773/
bootstrap-url = https://bootstrap.euca44.cac.cornell.edu:8773/
cloudformation-url = https://cloudformation.euca44.cac.cornell.edu:8773/
ec2-url = https://compute.euca44.cac.cornell.edu:8773/
elasticloadbalancing-url = https://elasticloadbalancing.euca44.cac.cornell.edu:8773/
iam-url = https://euare.euca44.cac.cornell.edu:8773/
monitoring-url = https://monitoring.euca44.cac.cornell.edu:8773/
properties-url = https://properties.euca44.cac.cornell.edu:8773/
reporting-url = https://reporting.euca44.cac.cornell.edu:8773/
s3-url = https://objectstorage.euca44.cac.cornell.edu:8773/
sts-url = https://tokens.euca44.cac.cornell.edu:8773/
verify-ssl = true

[user <account name>]
account-id = <account ID>
#key-id = <access key>
#secret-key = <secret key>
#certificate = <path to user certificate file>
#private-key = <path to private key file matching user certificate>
or for Red Cloud NYC:
[global]
default-region = redcloud-nyc

[region redcloud-nyc]
properties-url = https://euca4-nyc.cac.cornell.edu:8773/services/Properties
ec2-url = https://euca4-nyc.cac.cornell.edu:8773/services/compute
s3-url = https://euca4-nyc.cac.cornell.edu:8773/services/objectstorage
iam-url = https://euca4-nyc.cac.cornell.edu:8773/services/Euare
sts-url = https://euca4-nyc.cac.cornell.edu:8773/services/Tokens
autoscaling-url = https://euca4-nyc.cac.cornell.edu:8773/services/AutoScaling
monitoring-url = https://euca4-nyc.cac.cornell.edu:8773/services/CloudWatch
cloudformation-url = https://euca4-nyc.cac.cornell.edu:8773/services/CloudFormation
elasticloadbalancing-url = https://euca4-nyc.cac.cornell.edu:8773/services/LoadBalancing
verify-ssl = true
certificate = ~/.euca/euca4-nyc-cert.pem

[user <account name>]
account-id = <account ID>
#key-id = <access key>
#secret-key = <secret key>
#certificate = <path to user certificate file>
#private-key = <path to private key file matching user certificate>
  • Download the certificate for the cloud you want to use and install it in ~/.euca:
    • Red Cloud ITH (euca44.cac.cornell.edu): This is not needed in Eucalyptus 4.4.
    • Red Cloud NYC (euca4-nyc.cac.cornell.edu): euca4-nyc-cert.pem
  • Log in to the Eucalyptus web console for the cloud you want to use with your CAC user name and password.
  • Select "Manage Credentials" from the <user>@<account> menu in the upper right corner:
  • On the Manage Credentials screen, note the account number listed after the account name in the Account details section.
Copy and paste the account name into <account name>, and the account number/ID into the account-id line, in your euca2ools.ini file like this:
[user dal160163]
account-id = 123456789012
  • Scroll down to the 'Generate Access Keys' section and click on the "Create Access Keys" button. Copy and paste the access key into the key-id line, and secret key into the secret-key line in your euca2ools.ini file (uncomment by removing # signs):
key-id = ABCDEFGHIJKLMNOP1234
secret-key = ABCDEFGHIJKLMNOP1234567890abcdefghijklmnop
Note: the access and secret keys authenticate to the cloud as your user. Keep them safe. If you think your keys have been compromised, please create a ticket to have the keys revoked.
  • Generate your X.509 certificate and matching private key like this. You can name your certificate and private key files anything you like:
euare-usercreatecert -u <NetID> --out ~/.euca/my_certificate.pem --keyout ~/.euca/my_key.pem --region=<account name>@redcloud-ith
or
euare-usercreatecert -u <NetID> --out ~/.euca/my_certificate.pem --keyout ~/.euca/my_key.pem --region=<account name>@redcloud-nyc
  • Edit (and uncomment by removing # signs) the following 2 lines in your euca2ools.ini file:
certificate = ~/.euca/my_certificate.pem
private-key = ~/.euca/my_key.pem
  • Restrict permissions appropriately on the new directory and files:
chmod 0700 ~/.euca 
chmod 0600 ~/.euca/*
  • From now on, you can use the --region <account name>@<cloud> option on euca2ools commands to specify which cloud and account to use. For example:
euca-describe-images --region=shm70003@
euca-describe-volumes --region=dal160002@redcloud-nyc
If no cloud is specified, the default cloud region specified in the [global] section is assumed.
If you see "error: missing access key ID; please supply one with -I" then confirm your spelling on the region argument and the ~/.euca/euca2ools.ini file.
  • Create a pair of ssh keys for logging into your instances (replace <NetID> with your user name):
euca-create-keypair <NetID>-mykey --region=<account name>@redcloud-ith | tee <NetID>-mykey.pem
or
euca-create-keypair <NetID>-mykey --region=<account name>@redcloud-nyc | tee <NetID>-mykey.pem
Then
chmod 0600 <NetID>-mykey.pem
  • Test connecting to an existing Linux instance that you have permission to access:
ssh -i <NetID>-mykey.pem <username>@<public ip>
You can use this pem file to ssh to an existing Linux instance by looking up its <public ip> in the "PUBLIC ADDR" column here:
https://euca44.cac.cornell.edu/instances
or
https://euca4-nyc.cac.cornell.edu/instances
This page can also be used to launch an instance using the key you created above; remember to clean up by terminating the instance if you are simply testing connection procedures. The <username> to use for login is commonly either your NetID, ubuntu, or root depending on the instance ssh configuration.
When connecting to a Windows instance you must use an RDP client.
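
The procedure above leaves access keys, an X.509 private key and an ssh key on the client, protected only by the chmod steps and the verify-ssl setting. The script below is an added example, not part of the CAC documentation or of euca2ools: it checks a credential directory for group/other permission bits and checks euca2ools.ini for a verify-ssl value other than true or a service URL that is not https://. The function names and finding labels are hypothetical, and the sample directory it builds is constructed.

```sh
#!/bin/sh
# Added example (not from the CAC wiki): audit a euca2ools credential directory.

# Succeeds only when the path has no group/other permission bits set.
is_private() {
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group/other bits
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Usage: audit_euca_dir DIR [EXTRA_FILE...]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_euca_dir() {
    dir=$1; shift; rc=0
    [ -d "$dir" ] || { echo "MISSING-DIR $dir"; return 1; }
    is_private "$dir" || { echo "LOOSE-PERMS $dir"; rc=1; }
    for f in "$dir"/* "$@"; do
        [ -f "$f" ] || continue
        is_private "$f" || { echo "LOOSE-PERMS $f"; rc=1; }
    done
    ini=$dir/euca2ools.ini
    [ -f "$ini" ] || return "$rc"
    # The wiki's samples set "verify-ssl = true"; any other value is flagged for review.
    if grep -Ei '^[[:space:]]*verify-ssl[[:space:]]*=' "$ini" |
        grep -Eiqv '=[[:space:]]*true[[:space:]]*$'; then
        echo "TLS-VERIFY-NOT-TRUE $ini"; rc=1
    fi
    # Every service URL in the wiki's samples is https://; flag anything else.
    if grep -Ei '^[[:space:]]*[a-z0-9]+-url[[:space:]]*=' "$ini" |
        grep -Eiqv '=[[:space:]]*https://'; then
        echo "NON-HTTPS-URL $ini"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a throwaway directory with a deliberately weak config.
make_sample() {
    d=$(mktemp -d) || return 1
    chmod 0755 "$d"    # mktemp -d creates 0700; loosened on purpose
    printf '%s\n' '[region example]' \
        'ec2-url = http://cloud.example.invalid:8773/' \
        'verify-ssl = false' \
        '[user example]' 'key-id = CONSTRUCTEDKEYID' > "$d/euca2ools.ini"
    chmod 0644 "$d/euca2ools.ini"
    echo "$d"
}

# Demo on the constructed sample; real use: audit_euca_dir "$HOME/.euca" <NetID>-mykey.pem
sample=$(make_sample) && { audit_euca_dir "$sample"; rm -rf "$sample"; }
```

Passing the <NetID>-mykey.pem file as an extra argument also catches a key that tee wrote with default umask permissions and that has not yet had chmod 0600 applied.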