The AWS Command Line Interface (AWS CLI) provides programmatic access to manage AWS services from a terminal or command line. In order to gain programmatic access using AWS CLI, we’ll first need to configure it.
To install the AWS CLI, use brew install awscli on Mac. On Debian/Ubuntu Linux use sudo apt install awscli.
IAM users are a common way of managing users who need programmatic access to interact with AWS services. IAM users can have IAM roles attached to manage the permissions for the AWS services they can interact with.
In order to configure AWS CLI, we’ll need the AWS Access Key ID and AWS Secret Access Key for the IAM User.
The easiest way to configure AWS CLI is using the command aws configure. This command will ask for access key id, secret access key, default AWS region and default output format.

    aws configure
    AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
    AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    Default region name [None]: us-west-2
    Default output format [None]: json

This will configure the AWS CLI with the default configuration. You can interact with your AWS services using the AWS CLI commands.
We can view the AWS CLI credentials profile in the ~/.aws/credentials file and the config profile in the ~/.aws/config file. We can view these files using the cat ~/.aws/credentials and cat ~/.aws/config commands.

    # ~/.aws/credentials
    [default]
    aws_access_key_id=dfdhdfhdhfAEDHDHFd
    aws_secret_access_key=dfdfdfwJalrXUdfdftnFEMI/K7dfdfMDENG/bPxRfiCYEXAMdfdPLEKEY

    # ~/.aws/config
    [default]
    region=us-west-2
    output=json

There may be instances where we’d want to configure more than one AWS CLI configuration. Some common use cases include managing multiple IAM users with different access controls or when there are multiple AWS accounts and IAM users depending on the environment. For example, when there are different AWS accounts for staging environment and production environment, we’d want to configure AWS CLI to interact with both of these AWS accounts.
In such cases, we can configure AWS CLI using a named profile. In addition to the default profile, additional profiles can be configured using the --profile flag.
For example, we can run the aws configure --profile staging command and enter the IAM keys associated with the staging account’s IAM user to configure the staging profile. We can similarly add another profile for the production environment using aws configure --profile production.
Now that we have multiple profiles set up, our ~/.aws/credentials and ~/.aws/config files will have additional entries. In ~/.aws/config, named profiles other than default appear under a [profile name] section heading.

    # ~/.aws/credentials
    [default]
    aws_access_key_id=dfdhdfhdhfAEDHDHFd
    aws_secret_access_key=dfdfdfwJalrXUdfdftnFEMI/K7dfdfMDENG/bPxRfiCYEXAMdfdPLEKEY

    [staging]
    aws_access_key_id=staging-access-key-id-yqujdfljhafoygdfjka
    aws_secret_access_key=staging-secret-access-key-yejrnbf843jkf;ajhtpue

    [production]
    aws_access_key_id=production-access-key-id-0fdadfjdkfjd
    aws_secret_access_key=production-secret-access-key-jdfkjhdfhdfjd

    # ~/.aws/config
    [default]
    region=us-west-2
    output=json

    [profile staging]
    region=us-east-1
    output=json

    [profile production]
    region=us-east-2
    output=json

Now that we have configured AWS CLI with multiple profiles, we need a mechanism to make sure that we execute AWS CLI commands using the intended credentials.
If we do not specify any profile, then it’ll use the default profile. For example, the aws s3 ls command will use the default profile.
We can pass a --profile flag to any AWS CLI command and it’ll use the credentials from the named profile. For example, aws s3 ls --profile staging will use the credentials from the staging profile configuration.
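The selection rule in this section (--profile on the command line, otherwise the AWS_PROFILE environment variable, otherwise default) can be checked before a command is run. The script below is an added example, not from the original article: its function names are hypothetical helpers, and it also refuses to proceed when the credentials file, which holds long-lived keys in plaintext, is accessible to other local users.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for AWS CLI profile selection.
# Function names are hypothetical helpers, not part of the AWS CLI.

# Print the profile a command line selects: --profile NAME (or --profile=NAME),
# else $AWS_PROFILE, else "default".
effective_profile() {
  local prev arg
  prev=""
  for arg in "$@"; do
    case "$arg" in
      --profile=*) printf '%s\n' "${arg#--profile=}"; return 0 ;;
    esac
    if [ "$prev" = "--profile" ]; then printf '%s\n' "$arg"; return 0; fi
    prev="$arg"
  done
  printf '%s\n' "${AWS_PROFILE:-default}"
}

# List the [section] names defined in a credentials file.
list_profiles() {
  sed -n 's/^[[:space:]]*\[\([^]]*\)\][[:space:]]*$/\1/p' "$1"
}

# Succeed only if the file grants no permissions to group or others.
creds_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: preflight CREDENTIALS_FILE <aws cli arguments...>
# Prints the selected profile; returns 2 if the file is exposed to other
# local users, 3 if the selected profile has no section in the file.
preflight() {
  local file profile
  file="$1"; shift
  profile="$(effective_profile "$@")"
  creds_private "$file" || { echo "refusing: $file is accessible to group/others" >&2; return 2; }
  list_profiles "$file" | grep -qxF -- "$profile" \
    || { echo "refusing: no [$profile] section in $file" >&2; return 3; }
  printf '%s\n' "$profile"
}

# Constructed sample file (placeholder values) so the example runs offline.
demo="$(mktemp)"
printf '[default]\naws_access_key_id=PLACEHOLDER\n[staging]\naws_access_key_id=PLACEHOLDER\n' > "$demo"
preflight "$demo" s3 ls --profile staging   # prints: staging
rm -f "$demo"
```

In practice the first argument would be ~/.aws/credentials, and a non-zero return is the signal to stop before the real aws command is issued.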
If you want to execute multiple commands using a given profile, it’d get tedious to append the --profile flag on each and every command. In order to default the current shell to a given profile we can export an environment variable called AWS_PROFILE. For example, if we set staging as the profile with the export AWS_PROFILE=staging command, then all subsequent AWS CLI commands from that shell will use the staging profile credentials even without specifying the