AWS/CLI
Quick Reference | AWS CLI | CloudFormation
Contents |
Installation (CentOS7) with AWS zip
https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html
~$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" ~$ unzip awscliv2.zip ~$ sudo ./aws/install ~$ aws --version aws-cli/2.2.4 Python/3.8.8 Linux/3.10.0-957.el7.x86_64 exe/x86_64.centos.7 prompt/off
Installation (CentOS7) with pip
Install EPEL
~$ sudo yum install -y epel-release sudo yum makecache
Find and install PIP
~$ sudo yum install -y python3 python3-libs python3-setuptools python3-pip ~$ sudo yum search python3 | grep "pip\|setuptools\|libs" python3-pip.noarch : A tool for installing and managing Python3 packages python34-pip.noarch : A tool for installing and managing Python3 packages libselinux-python3.x86_64 : SELinux python 3 bindings for libselinux python3-apipkg.noarch : A Python namespace control and lazy-import mechanism python3-libs.i686 : Python runtime libraries python3-libs.x86_64 : Python runtime libraries python3-setuptools.noarch : Easily build and distribute Python 3 packages python34-libs.x86_64 : Python 3 runtime libraries python34-setuptools.noarch : Easily build and distribute Python 3.4 packages ~$ sudo yum install -y python3 python3-libs python3-setuptools python3-pip
Verify PIP
~$ python3 -m pip -V pip 8.1.2 from/usr/lib/python3.6/site-packages (python 3.6)
Upgrade PIP
~$ python3 -m pip install --upgrade pip --user Collecting pip Downloading https://files.pythonhosted.org/packages/a4/6d/6463d49a933f547439d6b5b98b46af8742cc03ae83543e4d7688c2420f8b/pip-21.3.1-py3-none-any.whl (1.7MB) 100% |████████████████████████████████| 1.7MB 404kB/s Installing collected packages: pip Successfully installed pip-21.3.1 ~$ python3 -m pip -V pip 21.3.1 from /home/fgiuliani/.local/lib/python3.6/site-packages/pip (python 3.6)
Grep AWS CLI
~$ pip search awscli | grep "awscli (" okta-awscli (0.4.0) - Provides a wrapper for Okta authentication to awscli awscli (1.16.145) - Universal Command Line Environment for AWS.
UPDATE: pip search no longer works and there is no replacement because the python devs are trash.
~$ python3 -m pip search awscli ERROR: XMLRPC request failed [code: -32500] RuntimeError: PyPI's XMLRPC API is currently disabled due to unmanageable load and will be deprecated in the near future. See https://status.python.org/ for more information.
Install aws cli
~$ python3 -m pip install awscli --upgrade --user
Verify AWS CLI
~$ aws --version aws-cli/2.2.4 Python/3.8.8 Linux/3.10.0-957.el7.x86_64 exe/x86_64.centos.7 prompt/off
Installation (MacOSX)
Make sure you have python 2.65+
~$ python --version Python 2.7.10
If you don't, install it with brew and then make the proper alias.
~$ brew install python ~$ echo "alias python=/usr/local/bin/python3" >> ~/.zshrc ~$ source ~/.zshrc ~$ python --version Python 3.12.2
Download, unzip, and install via script.
~$ curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" ~$ unzip awscli-bundle.zip ~$ sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
Updated method with brew
~$ brew install awscli ~$ aws --version aws-cli/2.15.25 Python/3.11.8 Darwin/23.1.0 source/x86_64 prompt/off
Credentials
Get your access and secret keys from:
- AWS Management Console > [click] username > [click] My Security Credentials
- [click] Create access key > [copy] Access Key ID > [click] Show secret access key > [copy] secret access key
- NOTE: you will never be able to access the secret access key again. Make sure you copy it, otherwise you'll have to create a new key.
Credentials for role user
Say you want to get an access and secret key for a role user that you can switch to:
- AWS Management Console > [click] services > [click] IAM under Security, Identity, & Compliance > [click] Users
- Add User > give them a user name > select "Programmatic access" for the Access type > for permissions I assigned "AdministratorAccess".
- [click] on the new user under Users > [click] Security Credentials tab > create access key > copy access and secret keys.
- NOTE: you will never be able to access the secret access key again. Make sure you copy it, otherwise you'll have to create a new key.
Setup Credentials AWS CLI
reference: https://blog.gruntwork.io/authenticating-to-aws-with-the-credentials-file-d16c0fbcbf9e
reference: https://blog.gruntwork.io/authenticating-to-aws-with-environment-variables-e793d6f6d02e
~$ aws configure AWS Access Key ID [none]: {access key} AWS Secret Access Key [none]: {secret key} Default region name [none]: {preferred region} Default output format [none]: {preferred output} ie. ~$ aws configure AWS Access Key ID [none]: ODH1748RKHR48892743 AWS Secret Access Key [none]: 48RJHJHD39739DHJHDUOHOI3719457DVMBNH Default region name [none]: us-east-1 Default output format [none]: json
This will save the info in:
- Credentials -
~/.aws/credentials
- Configuration -
~/.aws/config
Test your credentials by using a simple query to look at users in IAM.
~$ aws iam list-users
Assume Role
You will probably need to assume a role through the AWS CLI. Below is a script I wrote to help ease this process.
MAC OSX
#!/bin/bash #NOTE: on mac-osx use "source" to execute script instead of directly #make sure you configure $HOME/.aws/credentials with all of the aws_roles you list in the array below #ref: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-mfa #EXAMPLE: #[profile role-with-mfa] #region = us-west-2 #role_arn= arn:aws:iam::128716708097:role/cli-role #source_profile = cli-user #mfa_serial = arn:aws:iam::128716708097:mfa/cli-user tempjson="$HOME/assume-role-output.json" #aws_roles could be parsed from $HOME/.aws/credentials rather than hardcoded like is below. aws_roles=( roledisplayname\|arn:aws:iam::############:role/role-permission \ sandbox\|arn:aws:iam::123456789123:role/power-user ) function assume_role { echo "" echo "Select the role to impersonate, followed by [ENTER]:" for ((i=0;i<=(${#aws_roles[@]});i++)) do if (($i >= 1)); then echo $(echo -n "$i) "${aws_roles[i]} | awk -F '|' '{ print$1 }') fi done echo -n "Role #: " read role description=$(printf ${aws_roles[$role]} | awk -F '|' '{ print$1 }') arn=$(printf ${aws_roles[$role]} | awk -F '|' '{ print$2 }') echo "Backing up aws config and credential files" cp -f $HOME/.aws/config $HOME/.aws/config_backup && cp -f $HOME/.aws/credentials $HOME/.aws/credentials_backup #a temp file is used because each time you query aws it resets the keys. So when we tried to query aws for each variable, authentication failed because by the last variable, the first variable value had changed. echo "Assuming role: $description and getting the session" touch $tempjson aws sts assume-role --role-arn "$arn" --role-session-name "$description-session" --profile $description > $tempjson echo "Setting the AWS_ACCESS_KEY_ID to env var" export AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' $tempjson) echo "Setting the AWS_SECRET_ACCESS_KEY to env var" export AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' $tempjson) echo "Setting the AWS_SESSION_TOKEN to env var" export AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' $tempjson) export AWS_PROFILE="$description" } function remove_role { echo "" printf "Currently to remove the assumed role, you must exit the shell session.\nConfirm if you want to close your shell session [y/n]: " read close if [ $close = "y" ]; then echo "Unsetting environment variables to remove assumed role" unset AWS_ACCESS_KEY_ID && unset AWS_SECRET_ACCESS_KEY && unset AWS_SESSION_TOKEN echo "Assumed role removed" echo "Exitting shell" exit elif [ $close = "n" ]; then echo "Cancelling, current role will be maintained." else echo "Invalid selection. Try again." remove_role fi } function start { echo "" printf "1) Assume Role\n2) Remove Assumed Role\nSelect your choice, followed by [ENTER]: " read choice if (($choice == 1)); then assume_role elif (($choice == 2)); then remove_role else echo "Not a valid selection, try again" start fi } start