
Configuring AWS CLI With Multiple Profiles

The AWS Command Line Interface (AWS CLI) provides programmatic access to manage AWS services from a terminal or command line. In order to gain programmatic access using AWS CLI, we’ll first need to configure it.

Installing AWS CLI

Install aws-cli using brew install awscli on Mac. On Debian/Ubuntu Linux use sudo apt install awscli.

Configuring AWS CLI using IAM Access Key ID and Secret Access Key

IAM users are a common way of managing users who need programmatic access to interact with AWS services. IAM users can have IAM roles attached to manage the permissions for the AWS services they can interact with.

In order to configure AWS CLI, we’ll need the AWS Access Key ID and AWS Secret Access Key for the IAM User.

The easiest way to configure AWS CLI is using the command aws configure. This command will ask for access key id, secret access key, default AWS region and output format.

aws configure

AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

This will configure the AWS CLI with default configuration. You can interact with your AWS Service using the AWS CLI commands.

We can view the AWS CLI credentials profile in the ~/.aws/credentials file and the config profile in the ~/.aws/config file.

We can view these files using the cat command: cat ~/.aws/credentials and cat ~/.aws/config.

# ~/.aws/credentials
[default]
aws_access_key_id=dfdhdfhdhfAEDHDHFd
aws_secret_access_key=dfdfdfwJalrXUdfdftnFEMI/K7dfdfMDENG/bPxRfiCYEXAMdfdPLEKEY

# ~/.aws/config
[default]
region=us-west-2
output=json

Configuring AWS CLI with multiple profiles

There may be instances where we’d want to configure more than one AWS CLI configuration. Some common use cases include managing multiple IAM users with different access controls or when there are multiple AWS accounts and IAM users depending on the environment. For example, when there are different AWS accounts for staging environment and production environment, we’d want to configure AWS CLI to interact with both of these AWS accounts.

In such cases, we can configure AWS CLI using a named profile.

In addition to the default profile, additional profiles can be configured using the --profile flag.

For example, we can run the aws configure --profile staging command and enter the IAM keys associated with the staging account’s IAM user to configure the staging profile. We can similarly add another profile for the production environment using aws configure --profile production.

Now that we have multiple profiles set up, our ~/.aws/credentials and ~/.aws/config files will have additional entries.

# ~/.aws/credentials
[default]
aws_access_key_id=dfdhdfhdhfAEDHDHFd
aws_secret_access_key=dfdfdfwJalrXUdfdftnFEMI/K7dfdfMDENG/bPxRfiCYEXAMdfdPLEKEY

[staging]
aws_access_key_id=staging-access-key-id-yqujdfljhafoygdfjka
aws_secret_access_key=staging-secret-access-key-yejrnbf843jkf;ajhtpue

[production]
aws_access_key_id=production-access-key-id-0fdadfjdkfjd
aws_secret_access_key=production-secret-access-key-jdfkjhdfhdfjd

# ~/.aws/config
# Named profiles in this file take a "profile " prefix; [default] does not.
[default]
region=us-west-2
output=json

[profile staging]
region=us-east-1
output=json

[profile production]
region=us-east-2
output=json

Running AWS CLI commands

Now that we have configured AWS CLI with multiple profiles, we need a mechanism to make sure that we execute AWS CLI commands using the intended credentials.

If we do not specify any profile, then it’ll use the default configuration.

For example, the aws s3 ls command will use the default configuration.

We can pass a --profile flag to any AWS CLI command and it’ll use the credentials from the named profile.

aws s3 ls --profile staging will use the credentials from the staging profile configuration.

If you want to execute multiple commands using a given profile, it’d get tedious to append the --profile flag to each and every command. To default the current shell to a given profile, we can export an environment variable called AWS_PROFILE. For example, if we set staging as AWS_PROFILE using the export AWS_PROFILE=staging command, then all subsequent AWS CLI commands from that shell will use the staging profile credentials even without specifying the --profile flag.
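Because the profile in effect depends on the --profile flag, then AWS_PROFILE, then default, it is easy to run a command against the wrong account. The script below is an added example, not part of the original post: a pre-flight check that reports which profile would be selected and warns when the credentials file is readable by other users or the profile has no entry. The function names are hypothetical and the sample files are constructed with placeholder values.

```shell
#!/bin/sh
# Added example: pre-flight check for the profile the AWS CLI would select.

# Print the profile names in an AWS CLI INI file, one per line.
# ~/.aws/config writes named profiles as "[profile NAME]"; strip that prefix.
list_profiles() {
  sed -n 's/^\[\(.*\)\][[:space:]]*$/\1/p' "$1" | sed 's/^profile  *//'
}

# --profile (passed here as $1) beats AWS_PROFILE, which beats "default".
effective_profile() {
  echo "${1:-${AWS_PROFILE:-default}}"
}

# Succeed only if group and others have no permission bits on the file.
is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# usage: audit_profile CREDENTIALS_FILE CONFIG_FILE [PROFILE_FLAG]
# Assumes static keys in the credentials file, as on this page.
# The body runs in a subshell so its variables stay local.
audit_profile() (
  creds=$1 config=$2 rc=0
  profile=$(effective_profile "${3:-}")
  echo "effective profile: $profile"
  is_private "$creds" || { echo "WARN: $creds readable by group/others"; rc=1; }
  list_profiles "$creds" | grep -qxF -- "$profile" ||
    { echo "WARN: no keys stored for '$profile'"; rc=1; }
  list_profiles "$config" | grep -qxF -- "$profile" ||
    { echo "WARN: no region/output set for '$profile'"; rc=1; }
  [ "$rc" -eq 0 ]
)

# Constructed sample files (placeholder values, not real keys).
demo_dir=$(mktemp -d)
printf '[default]\naws_access_key_id=PLACEHOLDER\n[staging]\naws_access_key_id=PLACEHOLDER\n' > "$demo_dir/credentials"
printf '[default]\nregion=us-west-2\n[profile staging]\nregion=us-east-1\n' > "$demo_dir/config"
chmod 600 "$demo_dir/credentials"

# AWS_PROFILE selects staging when no flag is given.
( AWS_PROFILE=staging; audit_profile "$demo_dir/credentials" "$demo_dir/config" )
# An unconfigured profile is caught before any AWS call is made.
audit_profile "$demo_dir/credentials" "$demo_dir/config" production || true
rm -rf "$demo_dir"
```

To check the real files, call audit_profile ~/.aws/credentials ~/.aws/config, passing the same profile name you intend to give to --profile as an optional third argument.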

