support command enables self-service support.
reset-secret. These commands allow
you to gather diagnostic data and send it to Fugue, and to reset a user
secret on the Conductor, respectively.
fugue [global options] support [options] <report|reset-secret> [command arguments]
- Gather diagnostic data and send to Fugue.
- Reset a user secret on the Conductor.
Global options are detailed here.
- Show help text. The help flag is available throughout the CLI in both an application-level and command-level context. It enables a user to view help text for any command within the Fugue CLI.
report downloads Conductor component logs, generates a support
report, zips it up, and uploads the ZIP file to an S3 bucket belonging
to Fugue, Inc.
Note: All start and end times are provided in UTC.
The ZIP contains the following files:
conductor_policies.json, containing the IAM policy document assigned to the Conductor role
logsdirectory, containing individual log files for each Conductor component
projectdirectory, containing a copy of your Fugue project directory
vars.json, containing the Vars Conductor database (not the Vars user database)
Remove any sensitive, private, or personal information from your Fugue project directory before executing
fugue support report. The command zips up the contents of the Fugue project directory and sends it to Fugue, Inc. Note: Your Fugue user credentials are not included in the data that is sent.
fugue support report [options]
- Start time for logs. Format: “mm/dd/YYYY HH:MM” or “30m ago” or “2h ago” or “1d ago”
- End time for logs.
- Generate and send a support report without downloading and sending logs
- Generate and send a support report without downloading and sending Vars data
- Upload report to Fugue Support
reset-secret resets a user secret on the Conductor. If a user
database does not exist, it will be seeded when resetting the root
Once the Fugue CLI has returned your new secret, execute the
user set command
fugue user set <user_id> <user_secret>) to set the user and new
credentials. Note: Because the
user set command overwrites your
credentials file, any comments in it will be
deleted. If you wish to preserve comments, manually copy and paste your
new root secret into the
secret field instead of using
A user with read/write IAM permissions for KMS and S3 can subvert the RBAC system by using the
fugue support reset-secret command to create new root credentials.
fugue support reset-secret [options]
- The KMS key with which to encrypt the secret when saving to S3. You
can use a KMS key ID, alias, or ARN. Default key alias:
- The user whose secret you want to reset. Default:
- S3 bucket where user data is stored.
Using the Report Command¶
To generate a support report and send it to Fugue, you can use the
fugue support report command. For example, the following command
downloads all logs from the previous 30 minutes:
fugue support report -s "30m ago"
The CLI will produce output as it downloads logs, and at the end, you’ll be asked whether you’d like to upload the report to Fugue Support:
Copying project data Retrieving conductor IAM profile Retrieving Vars table metadata Retrieving CloudWatch logs Downloading log /fugue/conductor/commKitMan Downloading log /fugue/conductor/conductor-stats Downloading log /fugue/conductor/conductor-versions Downloading log /fugue/conductor/demarc Downloading log /fugue/conductor/dynamicdynamodb Downloading log /fugue/conductor/fugue-accounts-svc Downloading log /fugue/conductor/fugue-broker Downloading log /fugue/conductor/fugue-ludwig-validator Downloading log /fugue/conductor/fugue-notification-svc Downloading log /fugue/conductor/fugue-policy-svc Downloading log /fugue/conductor/fugue-reflector-descriptor Downloading log /fugue/conductor/fugue-reflector-descriptor-autoscaling Downloading log /fugue/conductor/fugue-reflector-descriptor-cloudformation Downloading log /fugue/conductor/fugue-reflector-descriptor-cloudfront Downloading log /fugue/conductor/fugue-reflector-descriptor-cloudwatch Downloading log /fugue/conductor/fugue-reflector-descriptor-dynamodb Downloading log /fugue/conductor/fugue-reflector-descriptor-ec2 Downloading log /fugue/conductor/fugue-reflector-descriptor-elasticache Downloading log /fugue/conductor/fugue-reflector-descriptor-elb Downloading log /fugue/conductor/fugue-reflector-descriptor-iam Downloading log /fugue/conductor/fugue-reflector-descriptor-lambda Downloading log /fugue/conductor/fugue-reflector-descriptor-rds Downloading log /fugue/conductor/fugue-reflector-descriptor-route53 Downloading log /fugue/conductor/fugue-reflector-descriptor-s3 Downloading log /fugue/conductor/fugue-reflector-descriptor-sns Downloading log /fugue/conductor/fugue-reflector-descriptor-sqs Downloading log /fugue/conductor/fugue-scheduler-signal-handler Downloading log /fugue/conductor/fugue-translate-broker Downloading log /fugue/conductor/manager Downloading log /fugue/conductor/resmon Downloading log /fugue/conductor/team-fugue Downloading log /fugue/conductor/vars-conductor Downloading log /fugue/conductor/vars-migration Downloading log /fugue/conductor/vars-system Downloading log /fugue/conductor/vars-system-compact Downloading log /fugue/conductor/vars-userland Downloading log /fugue/conductor/vars-userland-compact CloudWatch logs downloaded successfully Downloading VARS database... This can take a very long time. Vars is ready, saving to /var/folders/mj/j5mrqxjx4t94x91c206cqgk00000gn/T/tmpqrmf2g4d/fugue_report-2017-05-24-20-32-42/vars.json Packaging report Diagnostics package written to '/Users/main-user/projects/fugue_report-2017-05-24-20-32-42.zip' [ WARN ] Would you like to upload the report to Fugue Support? [y/N]:
If you enter
y, you’ll see this confirmation, where
is replaced by your 12-digit AWS account ID:
Uploading report to Fugue Support as xxxxxxxxxxxx/fugue_report-2017-05-24-20-32-42.zip
Using the Reset-Secret Command¶
If you need to reset your user secret – for example, if you’ve
lost access to your root credentials – you may use the
fugue support reset-secret command.
Without arguments, the command resets the user secret for the
fugue support reset-secret
You’ll see output like this:
If you wish to use root as the profile name: ==================== User Credential Details: [root] user = root secret = YooDwGZa1WKx93feRxDnQHiEW2OGREEXAMPLEEXAMPLE [ HELP ] You can copy/paste these values into your credentials file /Users/main-user/projects/credentials ==================== If you wish to use the default profile name: ==================== User Credential Details: [default-xxxxxxxxxxxx-us-east-1] user = root secret = YooDwGZa1WKx93feRxDnQHiEW2OGREEXAMPLEEXAMPLE [ HELP ] You can copy/paste these values into your credentials file /Users/main-user/projects/credentials ==================== [ DONE ] Secret successfully reset.
For convenience, the CLI displays text you can copy and paste into your
credentials file. The first set of Fugue
credentials is for a profile named
root and the second set is for a
default-<account-id>-<region> (the default profile).
default-<account-id>-<region> is your default profile, so
use that one unless you’ve specifically created a Fugue credentials
root (or intend to create it).
You must then execute the user set command to associate the specified user with the new credentials:
fugue user set root YooDwGZa1WKx93feRxDnQHiEW2OGREEXAMPLEEXAMPLE
If you want to execute the
user set command for a user under a
different Fugue profile (such as a
root profile), use the following:
fugue user set root YooDwGZa1WKx93feRxDnQHiEW2OGREEXAMPLEEXAMPLE --profile root
If the given profile doesn’t exist, Fugue will create it. Note that executing the above will also add the following lines to your fugue.yaml file, if the file is present:
user: profile: root
Using the Reset-Secret Command On A Non-Root User¶
To reset a secret for a different user, utilize the
fugue support reset-secret --user-id alice
Don’t forget to execute the
user set command afterward!
Changing the KMS Key for Encrypting Secrets¶
When the CLI generates a secret, it encrypts it and saves it to S3. By
default, the KMS customer master
used for encryption is
alias/fugue/rbac/secrets (which appears in
the AWS Management Console as “fugue/rbac/secrets”).
If you want the generated secret to be encrypted with a different key,
you can use the
--kms-key option with
fugue support reset-secret. You can specify the key by its key ID,
alias, or ARN. If the specified key does not exist, it will be created
for you. If you provide an alias, be sure to prepend it with
For example, if the AWS console lists a key named
myAlias, then you
must format it as
fugue support reset-secret --kms-key alias/myAlias
Two other supported ways of changing the key:
conductor: ami: ami-5800e125 region: us-east-1 secretsKeyId: 96b8bb05-42e8-49e5-aae9-d69fbc57a940
- Set the environment value
FUGUE_CONDUCTOR_SECRETSKEYIDto your KMS key ID, alias, or ARN. For example:
The order of precedence is the
--kms-key argument, the
FUGUE_CONDUCTOR_SECRETSKEYID environment value, and the
secretsKeyId field in