|
dividertabs posted:DynamoDB on-demand pricing. They don't tell you this in their documentation* but it still throttles. It appears to just be a wrapper hiding Dynamo's autoscaling feature plus a different billing scheme. Mildly triggered AWS engineer here (not from the DDB team). Can you provide more detail on the circumstance under which you got throttled from your on demand table? It may throttle for a short time before it scales up, but once scaled it should subsequently be able to handle the same load in the future. You can shortcut the initial throttling by setting an appropriate provisioned capacity on the table before switching it to on demand.
|
#
?
Apr 15, 2020 07:17
|
|
|
|
| # ? Apr 26, 2024 11:25 |
|
|
Nomnom Cookie posted:Athena is managed presto and totally unsuitable for anything. Fixed.
|
|
#
?
Apr 15, 2020 07:18
|
|
|
dividertabs posted:*To rant, this kind of marketing- instead of technical- focused documentation is the main reason I roll my eyes every time I hear someone in AWS mention "customer obsession" Triggered. I take this as an affront: The poo poo that my org does, the calisthenics we pull to bend over backwards for our customers is insane. We lobby for feature requests on existing services. We advocate for new services, we take the blame when a service falls short. We issue refunds when things so sideways. We inspect your poo poo to make sure it’s well-architected. We empathize when you ignore our advice and poo poo falls over and you blame us. To base “customer obsession” on documentation is ridiculous. Yes our documentation could be better and is often out of date or incomplete. How’s yours? But to judge our customer obsession on a generalized weakness of the IT industry is to say that apples are a terrible fruit because they eventually rot if left on a bowl on the kitchen counter. Agrikk fucked around with this message at 15:07 on Apr 15, 2020 |
|
#
?
Apr 15, 2020 15:04
|
|
|
Adhemar posted:Fixed. It’s good at count queries
|
|
#
?
Apr 15, 2020 16:59
|
|
|
Agrikk posted:Triggered. I take this as an affront: The poo poo that my org does, the calisthenics we pull to bend over backwards for our customers is insane. We lobby for feature requests on existing services. We advocate for new services, we take the blame when a service falls short. We issue refunds when things so sideways. We inspect your poo poo to make sure it’s well-architected. We empathize when you ignore our advice and poo poo falls over and you blame us. Like, for example, it took like 3+ months for the route53 endpoints to get added into the aws cli after it was officially announced as being available. our TAM is incredibly responsive but a lot of issues just get bubbled up to who knows where with no timelines and then randomly get resolved or hang because of the decentralized nature and how tickets are allocated across a ton of various departments. Bhodi fucked around with this message at 19:33 on Apr 15, 2020 |
|
#
?
Apr 15, 2020 19:22
|
|
|
it's a little unfair to consider govcloud and aws china as even being the same business, IMO, but yeah they are both pretty bad my one bad experience with the docs to date, about 5 years working with aws, was when the site to site VPN docs specifically recommended you use the same BGP ASN on all of your spokes in a hub/spoke topology which ended up causing a bunch of routing issues that I was not mentally equipped to understand at the time I filed a support ticket and they got back to me instantly after having identified the problem, apologized for the documentation error, and fixed it right away
|
|
#
?
Apr 15, 2020 20:15
|
|
|
quote:Can you provide more detail on the circumstance under which you got throttled from your on demand table? Adhemar posted:Mildly triggered AWS engineer here. Agrikk posted:Triggered. Both of you might find it pertinent that I have worked as an SDE for AWS. I saw my own team's product was marketed in a way that omitted severe limitations, causing customers to waste time trying to get it to work. Agrikk posted:We empathize when you ignore our advice and poo poo falls over and you blame us. quote:But to judge our customer obsession on a generalized weakness of the IT industry is to say that apples are a terrible fruit because they eventually rot if left on a bowl on the kitchen counter. quote:Yes our documentation could be better and is often out of date or incomplete. How’s yours?
|
|
#
?
Apr 16, 2020 05:53
|
|
|
dividertabs posted:Say we want to scale from 0 to 1,000,000 reads/sec in 1 second. S3 can do it (with good P95 latency, and poor p99 latency). It was not surprising to me that Dynamo couldn't do it. It was surprising to me that Dynamo couldn't do it, and the documentation for Dynamo on-demand, which emphasizes that it 'instantly accommodates customers’ workloads as they ramp up or down', didn't mention it. Bolding my own. No judgment on whether my ideal behavior is reasonable. It should only throttle the first time you scale up that table though. Never if you use the shortcut I mentioned. See also: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.InitialThroughput I agree our docs are generally poor.
|
|
#
?
Apr 16, 2020 07:08
|
|
|
Govcloud may as well be a separate entity from Amazon given the requirements it has to operate under to meet demands of FedRAMP and similar horrific abbreviations and acronyms. The number of times AWS has reached out to me to work on it and the horror stories I've heard from others tells me I am much happier where I am now for the foreseeable future.
|
|
#
?
Apr 16, 2020 15:33
|
|
|
Adhemar posted:It should only throttle the first time you scale up that table though. Never if you use the shortcut I mentioned. See also: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.InitialThroughput Thanks, this is really interesting and I will definitely try it out.
|
|
#
?
Apr 18, 2020 22:44
|
|
|
Somehow I never noticed we have an AWS thread so I originally posted this in the web thread so I'll repost here as it's probably a pretty trivial issue for anyone familiar with the service. I'm trying to get my Internet of poo poo device to upload stuff to S3 with the REST API but can't get the signature right. I'm not super familiar with the API but the short version seems to be that you're supposed to create a string with some hearers from your request, calculate the HMAC-SHA1 with your secret key, base-64 encode it, and send it as part of your request authorization header. I think I got the string right, it matches what the server spits back byte to byte. The problem is then probably with the hashing or encoding. Probably something very dumb but difficult to find since I don't know the correct result. I tried to test it on their example from https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html quote:PUT\n Their signature is MyyxeRY7whkBe+bq8fHCL/2kKUg= My code generates iqRxw+ileNPulfhspnRs8nOjjIBU I tried some presumably correct implementations: 530b4adc5500dced8481f18a50e7e615e307f195, 8aa473c3e8a578d3eed5f86ca6746cf273a38c80, YOvv/mr//HwVecxGLyxqoLHiN7c= At least my signature is the right length, I suppose the online tools are down to how they encode/decode the signature and key, but I can't get anything to match anything else and it's driving me nuts  . My actual IoT code is C but the following C# does does the same thing:code:
|
|
#
?
Apr 19, 2020 08:32
|
|
|
From the link you posted:quote:This topic explains authenticating requests using Signature Version 2. Amazon S3 now supports the latest Signature Version 4. This latest signature version is supported in all regions and any new regions after January 30, 2014 will support only Signature Version 4. For more information, go to Authenticating Requests (AWS Signature Version 4) in the Amazon Simple Storage Service API Reference. Make sure you're implementing SigV4, not SigV2, which is ancient. Read this: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
|
|
#
?
Apr 21, 2020 21:10
|
|
|
Implementing the signing can be tricky - could you see how other projects do it such as https://github.com/penmanglewood/aws_sigv4 or https://github.com/sidbai/aws-sigv4-c ? That way you don't have to do it from scratch. I've had to implement the signing myself and there are a lot of edge cases and gotchas, so looking at someone else's work, licenses permitting, is probably the way to go.
|
|
#
?
Apr 22, 2020 04:50
|
|
|
This library contains the official AWS C implementation for SigV4 signing: https://github.com/awslabs/aws-c-auth. It’s Apache 2 licensed.
|
|
#
?
Apr 22, 2020 07:18
|
|
|
Having an issue with cloudformation trying to do an Fn::FindInMap inside of an Fn::Sub to generate the proper subnet value. Cloudformation is returning: "Template error: every Ref object must have a single String value." I've been banging my head against the desk for awhile trying to understand why it thinks there are either no string values or multiple string values for a Ref object. I believe there should be a single string for each Ref. Any ideas? code:code:
|
|
#
?
Apr 27, 2020 15:43
|
|
|
I am really struggling with the json syntax here instead of yaml but I would guess that CidrBlock -> Ref: "10.5.130.0/27" is not a valid usage of Ref. IIRC it's only used for referring to other logical resource ids or parameter names (ex: "subnet0c41cd3e1702cc8a8"), it can't be used for composing string values like you have here. Instead I think you can use just sub directly? code: :code:
|
|
#
?
Apr 27, 2020 19:00
|
|
|
12 rats tied together posted:I am really struggling with the json syntax here instead of yaml but I would guess that CidrBlock -> Ref: "10.5.130.0/27" is not a valid usage of Ref. IIRC it's only used for referring to other logical resource ids or parameter names (ex: "subnet0c41cd3e1702cc8a8"), it can't be used for composing string values like you have here. You are absolutely correct. The Ref: at the beginning was not required and was the issue. Can't thank you enough!
|
|
#
?
Apr 27, 2020 20:23
|
|
|
I need to run some PowerShell commands on a Windows server remotely from Lambda. What’s the best Lambda-friendly way to do this?
|
|
#
?
Apr 28, 2020 19:11
|
|
|
Install ssm agent on windows server use lambda to call ssm run command
|
|
#
?
Apr 28, 2020 19:28
|
|
|
fluppet posted:Install ssm agent on windows server use lambda to call ssm run command Oh nice it’s already on the AMI and everything. 
|
|
#
?
Apr 28, 2020 19:37
|
|
|
PierreTheMime posted:Oh nice it’s already on the AMI and everything. Your EC2 instances will need an instance profile that has the AmazonSSMManagedInstanceCore managed policy attached to register with SSM but otherwise yeah run command/association/maintenance window task are the way to go.
|
|
#
?
Apr 29, 2020 03:12
|
|
|
Does anyone know if it's possible to create SSM Distributor packages via CFN? According to the doco they are just documents so I should be able to do it via the AWS::SSM: ocument resource by selecting Package for the DocumentType. However I can't find any reference on what the document content needs to contain.If I run aws ssm get-document against a package that I created via the console I can see the document content but it doesn't include information about the S3 bucket that contains the package(s). I suspect there's some stuff that happens behind the scenes.
|
|
#
?
May 1, 2020 05:59
|
|
|
Haven’t used that feature personally but you might need to create a lambda function to do it for you.
|
|
#
?
May 1, 2020 14:34
|
|
|
Adhemar posted:From the link you posted: Skier posted:Implementing the signing can be tricky - could you see how other projects do it such as https://github.com/penmanglewood/aws_sigv4 or https://github.com/sidbai/aws-sigv4-c ? That way you don't have to do it from scratch. Adhemar posted:This library contains the official AWS C implementation for SigV4 signing: https://github.com/awslabs/aws-c-auth. It’s Apache 2 licensed. I then started implementing V4 anyway because it seemed to be the only option to sign API gateway requests. First of all, what a pain in the rear end. I really don't see what's the point of the turducken hashing and signing, if the attacker knows the secret key they can sign all the pieces just like they can sign the whole request. Anyway I got it produce the right results for the example requests and when I went to test it, discovered that I can actually just make completely unsigned POST request lol. Which makes sense that it would be possible, but it complained about missing auth tokens once so I just went straight for the nuclear option. Oops. Of course it would totally make sense to use an existing implementation/library but this is mostly DIY stuff (for now) and I'm already running into ROM issues on the micro so I wanted to keep the code to a minimum necessary to make it work.
|
|
#
?
May 1, 2020 20:18
|
|
|
mobby_6kl posted:I then started implementing V4 anyway because it seemed to be the only option to sign API gateway requests. First of all, what a pain in the rear end. I really don't see what's the point of the turducken hashing and signing, if the attacker knows the secret key they can sign all the pieces just like they can sign the whole request. The point is when an attacker doesn’t know the secret but has access to other information. Off the top of my head * canonical request signing ensures that the request can’t be meaningfully modified * as part of that, the credential scope mitigates against replay attacks at different times and to different regions/services * the signing key derivation process protects the secret key and therefore the account if a signing key is leake
|
|
#
?
May 2, 2020 21:30
|
|
|
Crypto is voodoo magic that you apply to the computer as directed by the witch doctor, without question and without fail. Otherwise evil warlocks will steal your soul, or worse your credentials.
|
|
#
?
May 2, 2020 21:45
|
|
|
JHVH-1 posted:Haven’t used that feature personally but you might need to create a lambda function to do it for you. Yeah certainly looks that way. Package creation is supported by AWS CLI and the API, the only gap appears to be CFN. From poking around it looks like there's some stuff Amazon does on the back-end where they publish some metadata which associates the SSM Document with your package manifest and content. Nomnom Cookie posted:Crypto is voodoo magic that you apply to the computer as directed by the witch doctor, without question and without fail. Otherwise evil warlocks will steal your soul, or worse your credentials. Only the math part of crypto is voodoo, IMO. The fundamentals of how crypto works, how it is applied and what risks are involved is worth learning. You don't need to be able to do AES in your head but you should be able to understand things like FamDavs good post. That said, never roll your own crypto. Doing so will prompt a lich to steal your life essence by ridiculing you online.
|
|
#
?
May 3, 2020 09:12
|
|
|
Pile Of Garbage posted:Yeah certainly looks that way. Package creation is supported by AWS CLI and the API, the only gap appears to be CFN. From poking around it looks like there's some stuff Amazon does on the back-end where they publish some metadata which associates the SSM Document with your package manifest and content. It’s one of the things I like about CDK, it will create the lambda functions in certain cases to fill in those gaps. Plus it writes the cloudformation for you.
|
|
#
?
May 3, 2020 15:02
|
|
|
I've got to move files from a Windows EC2 instance into EFS. The files range in size from KB to a couple hundred MB, and are being created infrequently but regularly. At the moment I see 2 possibilities: DataSync into EFS, or setting up a samba share on a Linux EC2 instance and connecting to that. How screwed am I?
|
|
#
?
May 14, 2020 15:27
|
|
|
You can also set up an NFS share on the windows box and then rsync the NFS share to EFS mounted on a Linux EC2 host. But back up a sec. How are the file appearing on the Windows box? Is it possible to redirect the location of those files and have them end us straight on an EFS mount point on EC2 Linux?
|
|
#
?
May 14, 2020 18:13
|
|
|
E: nope, not supported. Ignore me!
|
|
#
?
May 15, 2020 00:40
|
|
|
Will the storage be used primarily by Windows hosts? Because they also have managed SMB/CIFS if that’s a better fit for your workload. https://aws.amazon.com/fsx/windows/
|
|
#
?
May 15, 2020 13:04
|
|
|
The files are being sent in by third-parties over SFTP and I'm mandated to use a Windows-based SFTP server. However, the files will be processed by Linux instances. The Samba share route seems to be working for now.
|
|
#
?
May 19, 2020 17:20
|
|
|
Anyone found a way to use AWS Backup with instances that have RAID configured? I’m stuck using stupid expensive io1 EBS volumes for our software because we don’t get synced EBS snapshots in AWS Backup yet (and granted weren’t possible until late last year). Support gave me a meh answer but maybe one of you fine folks figured something out (planning on eithe mdraid or ZFS for disk I/O expansion)
|
|
#
?
May 20, 2020 04:38
|
|
|
necrobobsledder posted:Anyone found a way to use AWS Backup with instances that have RAID configured? I’m stuck using stupid expensive io1 EBS volumes for our software because we don’t get synced EBS snapshots in AWS Backup yet (and granted weren’t possible until late last year). Support gave me a meh answer but maybe one of you fine folks figured something out (planning on eithe mdraid or ZFS for disk I/O expansion) Have you seen this? Backup supports backing up entire EC2 instances including those with RAID. https://aws.amazon.com/blogs/aws/aws-backup-ec2-instances-efs-single-file-restore-and-cross-region-backup/ You’ll need a way to quiesce your file system and flush writes to disk.
|
|
#
?
May 21, 2020 05:40
|
|
|
sinequanon01 posted:Have you seen this? Backup supports backing up entire EC2 instances including those with RAID. quote:Note that you need to stop write activity and flush filesystem caches in case you’re using RAID volumes or any other type of technique to group your volumes. It gets a bit more awkward if you're trying to do snapshots of multi-node databases / datastores like Kafka, Elasticsearch, etc. but it's worked out enough for us so far with the stack we've setup. But we're hitting a performance wall and our EBS setup would be best served with a RAID0 of GP2 EBS volumes.
|
|
#
?
May 21, 2020 14:04
|
|
|
Could I render a simple static html page in a Lambda, and serve it through API Gateway everytime the url is visited ? I know I can serve a page stored in an S3 bucket but I'm gonna have to fetch data and stuff in JS which I'm not fond of.
|
|
#
?
May 22, 2020 20:05
|
|
|
Yes, that's how a coworker implemented their wedding's website.  Maybe you can get somewhere with an ALB instead of API Gateway too? idk.
|
|
#
?
May 22, 2020 20:25
|
|
|
You could also put stuff in lambda at the edge functions in cloudfront and use s3 for static files. I think it would be cheaper than an ALB but depends on what you want to do.
|
|
#
?
May 22, 2020 21:16
|
|
|
|
| # ? Apr 26, 2024 11:25 |
|
|
I'd like to fetch a few rows in dynamodb, build a really basic page using that data and serve it. Each request may build a different page depending on the current time. It's going to get 5 visits a day tops. I have a 3kb prototype in an s3 already but I'd rather render the whole thing programmatically somewhere else, I think.
|
|
#
?
May 22, 2020 23:04
|
|