
CLI

info

If installed with Brew, the "examples" directory is at /usr/local/share/awscli/examples.

https://aws.amazon.com/cli

https://github.com/aws/aws-cli

Command reference:

V1 reference: https://docs.aws.amazon.com/cli/latest/reference

Use --dry-run to check if you have the required permissions.

tip

Use CloudShell, which is automatically configured with your credentials. This video shows many things you can do in it.

AWS CLI Builder - https://awsclibuilder.com

Command structure

https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-commandstructure.html

aws <command> <subcommand> [options and parameters]
aws <service> <action> [--name value...]

The command typically corresponds to an AWS service, and the subcommand is an action or operation, e.g.:

aws s3 ls
aws ec2 describe-instances

Help

aws help # Shows all services
aws <service> help # Shows all actions of the service
aws <service> <action> help # Shows all options of the action

Auto-completion

Use tab to auto-complete commands, parameters and options - see how to use it at https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-completion.html#cli-command-completion-about

It uses the tool aws_completer. Check its location with which aws_completer (I got /usr/local/bin/aws_completer).

If the CLI is installed with Brew, auto-completion should work with no extra configuration. To verify that it works, type aws s and press tab. You should get a list of commands like 's3 s3api s3control...'. If it doesn't work, you need to configure it - see how at https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-completion.html#cli-command-completion-linux. It seems that you need to add complete -C '/usr/local/bin/aws_completer' aws to .zshrc. The book 'AWS for System Administrators' also explains this (page 9).

Don't use the root user

"Do not use the AWS account root user access keys for any task where it's not required. Instead, create a new administrator IAM user with access keys for yourself" (source)

Best practices for managing AWS access keys

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#securing_access-keys

https://docs.aws.amazon.com/accounts/latest/reference/credentials-access-keys-best-practices.html

  • Remove (or don't generate) an account access key
  • Use temporary security credentials (IAM roles) instead of long-term access keys

Create Access keys using the web console

  • Go to the IAM console → Users and select your Admin user (not the root user).
  • Click the 'Security credentials' tab.
  • Scroll down to 'Access keys'.
  • Click 'Create access key'.
  • Select 'Command Line Interface (CLI)'.
  • Check 'I understand the above recommendation and want to proceed to create an access key'.
  • Click 'Next'.
  • On the 'Set description tag' page, set a tag like 'MBP2016'.
  • Click 'Create access key'.

Once the access key is shown on the 'Retrieve access keys' page, on the terminal run aws configure.

  • Paste the 'Access Key ID' and then the 'Secret Access Key' from the website.
  • Set 'Default region name' to us-east-1, eu-west-3 or another region.
  • Leave 'Default output format' as 'json'.

Running aws s3 ls should now give a response: the output is empty if there are no buckets, but no credentials error appears.

Access keys configuration

~/.aws/credentials

[default]
aws_access_key_id = XYZ
aws_secret_access_key = ABC

[bootcamp]
aws_access_key_id = XYZ
aws_secret_access_key = ABC

~/.aws/config

[default]
region = eu-west-3
output = json

[profile bootcamp]
region = us-east-1
output = json

Note that we only add "profile" in the config file, not in the credentials file, see this and this.

Comments are written with #.
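To check these two files against the access-key best practices and the "profile" naming rule above, the following script is an added example (not from the AWS documentation or the CLI project). It reports files readable by group or others, profiles whose key ID starts with AKIA (the prefix AWS uses for long-term IAM user keys; temporary STS keys start with ASIA), and misnamed sections. The function names, finding labels and sample key values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit AWS CLI credential/config files (read-only, makes no AWS calls).

# Print one finding per line for the given credentials and config files.
audit_aws_files() {
    creds=$1 config=$2

    # 1. Files holding secrets should be accessible by the owner only (rw-------).
    for f in "$creds" "$config"; do
        [ -f "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c5-10)      # group + other permission bits
        [ "$perms" = "------" ] || echo "PERMS $f"
    done

    # 2. Credentials file: sections are bare profile names; AKIA = long-term key.
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        /^\[.*\]/  { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
                     if (sec ~ /^profile /) print "BADSECTION credentials [" sec "]"
                     next }
        /^[ \t]*aws_access_key_id[ \t]*=/ {
                     val = $0; sub(/^[^=]*=[ \t]*/, "", val)
                     if (val ~ /^AKIA/) print "LONGTERM " sec }
    ' "$creds"

    # 3. Config file: every profile except default needs the "profile " prefix.
    awk '
        /^\[.*\]/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
                    if (sec != "default" && sec !~ / /) print "BADSECTION config [" sec "]" }
    ' "$config"
}

# Constructed sample files (placeholder key values, not real credentials).
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '[default]' 'aws_access_key_id = AKIAEXAMPLEEXAMPLE00' \
        'aws_secret_access_key = ABC' '[profile bootcamp]' \
        'aws_access_key_id = ASIAEXAMPLEEXAMPLE00' 'aws_secret_access_key = ABC' \
        > "$d/credentials"
    printf '%s\n' '[default]' 'region = eu-west-3' '[bootcamp]' 'region = us-east-1' \
        > "$d/config"
    chmod 644 "$d/credentials"; chmod 600 "$d/config"
    echo "$d"
}

d=$(make_samples)
audit_aws_files "$d/credentials" "$d/config"
rm -rf "$d"
```

To audit your own setup, call audit_aws_files ~/.aws/credentials ~/.aws/config; a PERMS finding is fixed with chmod 600 on the file.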

https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/index.html

aws configure help

aws configure is the fastest way to set up your AWS CLI installation. It will ask for the 'Access Key ID' and the 'Secret Access Key'.

aws sts get-caller-identity → Returns details about the IAM user or role whose credentials are used to call the operation - docs. To get the account ID do aws sts get-caller-identity --query Account --output text.

aws configure list-profiles

aws configure list

aws configure list --profile <profile-name>

Configure: aws configure --profile <profile-name> → Asks for AWS Access Key ID, AWS Secret Access Key, Default region name and Default output format.

You can create access keys for a user with: aws iam create-access-key --user-name MyUser

Set value: aws configure set <varname> <value> [--profile profile-name], e.g. aws configure set region us-east-1 --profile default

Multiple accounts

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

https://stackoverflow.com/questions/593334/how-to-use-multiple-aws-accounts-from-the-command-line

Important: in the config file we need to add "profile" ([profile user1]), but not in the credentials file.

Filtering AWS CLI output

https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html#cli-usage-filter-client-side

Use --query <key> to select. See https://jmespath.org/tutorial.html for how to query.

Use --output text/json/yaml/yaml-stream to change the output format. Use --output text to pass the output to grep, sed or awk.

Shell scripts

https://github.com/AWSinAction/code3/blob/main/chapter04/virtualmachine.sh

ModuleNotFoundError: No module named 'docutils'

To fix it run brew reinstall docutils. Solution from https://github.com/aws/aws-cli/issues/7479.