oam/knowledge base/cloud computing/aws/cli.md
2024-05-08 18:46:32 +02:00

AWS CLI

Table of contents

  1. TL;DR
  2. Profiles
  3. Configuration
  4. Session Manager integration
  5. Further readings
    1. Sources

TL;DR

Do not combine '--max-items' with '--query': the CLI first truncates the result set to the requested number of items and only then runs the JMESPath query on what is left, so a filter such as `Users[?UserName=='mario']` returns nothing whenever the wanted item is not among the first N. Use '--query' on its own (the CLI still pages through the whole result set for you), or a service-side filter such as '--filters' where the command offers one. '--page-size' is safe to combine with '--query': it only changes how many items each API call fetches, not which items come back.

Installation and configuration
# Install the CLI.
brew install 'awscli'

# Configure profiles.
aws configure
aws configure --profile 'work'

# Use specific profiles for the rest of the shell session.
export AWS_PROFILE='work'

# Enable auto-prompt mode (like `aws-shell` does).
aws configure set 'cli_auto_prompt' 'on-partial'
export AWS_CLI_AUTO_PROMPT='on'

# Check the current configuration.
aws configure list

# Clear cached temporary credentials (e.g. from role-assuming profiles).
# Use "${HOME}": a quoted '~' is not tilde-expanded by the shell.
rm -r "${HOME}/.aws/cli/cache"
Usage
# List applications in CodeDeploy.
aws deploy list-applications

# List deployment groups defined for applications.
aws deploy list-deployment-groups --application-name 'batman'

# Show details of deployment groups.
aws deploy get-deployment-group --application-name 'batman' \
  --deployment-group-name 'production'


# Get information about the current user.
aws sts get-caller-identity

# List IAM users.
aws iam list-users
aws iam list-users --max-items '1'
aws iam list-users --query "Users[?(UserName=='mario')]"
aws iam list-users --query "Users[?(UserId=='AIDA…')].UserName"

# Create IAM users.
aws iam create-user --user-name 'luigi'

# Create access keys.
# Defaults to the current user if no user name is specified.
aws iam create-access-key
aws iam create-access-key --user-name 'luigi'

# List access keys.
# Defaults to the current user if no user name is specified.
aws iam list-access-keys
aws iam list-access-keys --user-name 'mario'

# List configured OIDC providers.
aws iam list-open-id-connect-providers

# Create policies.
aws iam create-policy \
  --policy-name 'ro-access-bucket' --policy-document 'file://bucket.ro-access.policy.json'

# Delete policies.
aws iam delete-policy --policy-arn 'arn:aws:iam::012345678901:policy/ro-access-bucket'

# Attach policies.
aws iam attach-user-policy --user-name 'me-user' \
  --policy-arn 'arn:aws:iam::012345678901:policy/ro-access-bucket'

# Detach policies.
aws iam detach-user-policy --user-name 'me-user' \
  --policy-arn 'arn:aws:iam::012345678901:policy/ro-access-bucket'

# Delete inline user policies (those created with `put-user-policy`).
# Managed policies are detached with `detach-user-policy` instead.
aws iam delete-user-policy --user-name 'me-user' --policy-name 'user-ro-access-bucket'


# Show RDS instances.
aws rds describe-db-instances
aws rds describe-db-instances --output 'json' --query "DBInstances[?(DBInstanceIdentifier=='master-prod')]"


# List hosted zones.
aws route53 list-hosted-zones


# List all SageMaker EndpointConfigurations' names.
aws sagemaker list-endpoint-configs --output 'yaml-stream' | yq -r '.[].EndpointConfigs[].EndpointConfigName' -
aws sagemaker list-endpoint-configs --output 'yaml-stream' --query 'EndpointConfigs[].EndpointConfigName' | yq -r '.[][]' -
aws sagemaker list-endpoint-configs --output 'json' --query 'EndpointConfigs[].EndpointConfigName' | jq -r '.[]' -

# Describe all SageMaker EndpointConfigurations.
aws sagemaker list-endpoint-configs … \
| xargs -n '1' aws sagemaker describe-endpoint-config --endpoint-config-name


# List secrets stored in Secrets Manager (metadata only, no values).
aws secretsmanager list-secrets

# Get information about secrets stored in Secrets Manager.
aws secretsmanager describe-secret --secret-id 'ecr-pullthroughcache/docker-hub'

# Get secrets' values from Secrets Manager.
# The value is printed to the terminal: keep it out of shell history and logs
# (e.g. read it straight into a variable rather than echoing it).
aws secretsmanager get-secret-value --secret-id 'ecr-pullthroughcache/github'


# List SNS topics (SNS has topics; queues belong to SQS).
aws sns list-topics

Subcommands not listed here are in their own service-specific article:

ebs | ec2 | ecr | eks | s3 | ssm

Real world use cases
# Get roles' ARN from their name.
aws iam list-roles --query "Roles[?RoleName == 'EKSRole'].[RoleName, Arn]"

# Assume roles given their name.
aws iam list-roles --query "Roles[?RoleName == 'EKSRole'].Arn" --output 'text' \
| xargs -I {} \
  aws sts assume-role \
    --role-arn "{}" \
    --role-session-name "AWSCLI-Session"
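The assume-role call above only prints the temporary credentials; to actually use them the three values have to land in the environment. The following shell function is an added example (not code from the page): it reads the tab-separated text output of `aws sts assume-role` and emits `export` statements, refusing anything that does not look like a temporary key. The role name `EKSRole` and the session name are the ones used above; the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the page): turn the temporary credentials returned by
# `aws sts assume-role` into `export` statements for the current shell.
# Ask the CLI for just the three credential fields as tab-separated text, so no
# JSON tooling is needed, and pipe that one line into the function below:
#
#   role_arn="$(aws iam list-roles --query "Roles[?RoleName == 'EKSRole'].Arn" --output text)"
#   eval "$(aws sts assume-role --role-arn "$role_arn" --role-session-name 'AWSCLI-Session' \
#             --output text --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
#           | assume_role_exports)"
#
# Afterwards every `aws` call in this shell runs as the role (environment
# credentials take precedence over any configured profile) until `unassume_role`.
assume_role_exports() {
  # `--output text` prints the three values on one line, separated by tabs;
  # the default IFS splits them into the three variables.
  read -r key secret token || return 1
  [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1

  # Temporary access key IDs always start with ASIA. Anything else means the
  # query returned something other than assume-role credentials, so refuse to
  # export it rather than silently putting long-lived keys in the environment.
  case "$key" in
    ASIA*) ;;
    *) printf 'assume_role_exports: not a temporary access key: %s\n' "$key" >&2; return 1 ;;
  esac

  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
}

# Drop the temporary credentials again and fall back to the configured profile.
unassume_role() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}
```

Check what the shell is now acting as with `aws sts get-caller-identity`; the `Arn` should name the assumed role session, not the original user.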

Profiles

# Initialize the default profile.
# Not specifying a profile means to configure the default profile.
$ aws configure
AWS Access Key ID [None]: AKIA…
AWS Secret Access Key [None]: je7MtG…
Default region name [None]: us-east-1
Default output format [None]: text

# Initialize a specific profile.
$ aws configure --profile work
AWS Access Key ID [None]: AKIA…
AWS Secret Access Key [None]: LB88Mt…
Default region name [None]: us-west-1
Default output format [None]: json

# Use a specific profile for the rest of this session.
$ export AWS_PROFILE="work"

Configuration

| File                 | Description                                                                                                 |
| -------------------- | ----------------------------------------------------------------------------------------------------------- |
| `~/.aws/config`      | Profiles and their settings: region, output format, `role_arn`/`source_profile`, `cli_auto_prompt`, …       |
| `~/.aws/credentials` | Access keys per profile (`aws_access_key_id`, `aws_secret_access_key`, optionally `aws_session_token`)      |

Both paths can be overridden with the `AWS_CONFIG_FILE` and `AWS_SHARED_CREDENTIALS_FILE` environment variables.

See CLI config files for examples.
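A worked pair of files for the Profiles and Configuration sections, as an added example rather than the page's own file or the linked one: account IDs, role name, MFA device and key values are placeholders (the keys are AWS's documentation example values). It wires the `work` profile from the Profiles section to a role-assuming profile, which is the configuration-file equivalent of the `aws sts assume-role` use case above and leaves nothing long-lived for the target account on disk. Where IAM Identity Center is available, `aws configure sso` sets up a profile that needs no long-lived keys at all.

```ini
# ~/.aws/config (added example; IDs, names and the MFA serial are placeholders).
[default]
region = us-east-1
output = text

# Keys for this profile are looked up under [work] in ~/.aws/credentials.
[profile work]
region = us-west-1
output = json
cli_auto_prompt = on-partial

# Role-assuming profile: the CLI calls sts:AssumeRole with the 'work'
# credentials, asks for the MFA code, and caches the temporary credentials
# under ~/.aws/cli/cache (the directory cleared in the TL;DR above).
[profile work-admin]
source_profile = work
role_arn = arn:aws:iam::123456789012:role/AdminRole
mfa_serial = arn:aws:iam::111122223333:mfa/mario
role_session_name = mario-cli
duration_seconds = 3600
region = us-west-1
output = json

# ~/.aws/credentials: only the long-lived keys live here, nothing else.
[work]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

`AWS_PROFILE=work-admin aws sts get-caller-identity` should report an `assumed-role/AdminRole/mario-cli` ARN; if it still shows the IAM user, the profile is not being picked up (check `aws configure list`).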

Session Manager integration

The instance's IAM role must grant at least the permissions Session Manager needs: the SSM Agent registers the instance and opens the `ssmmessages` channels through that role, so the agent must also be running and able to reach the SSM endpoints. The user running the CLI needs `ssm:StartSession` on the instance in turn.
The bare minimum for the instance is a policy like the SSM Minimum one attached here:

$ aws iam list-attached-role-policies --role-name 'whatevah'
AttachedPolicies:
  - PolicyName: SSMMinimum
    PolicyArn: arn:aws:iam::111122223333:policy/SSMMinimum
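An added example of such a minimum instance policy, following the permission set AWS documents for Session Manager without session logging. It is not the document of the SSMMinimum policy shown above (the page does not include it); the `Sid` is an arbitrary label. The role's trust policy must additionally allow `ec2.amazonaws.com` to assume it, and these permissions belong on the instance profile, not on the caller.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddedExampleSessionManagerMinimum",
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateInstanceInformation",
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach it inline with `aws iam put-role-policy --role-name … --policy-name … --policy-document file://…`, or create it with `aws iam create-policy` as shown in the Usage section and attach it with `aws iam attach-role-policy`. On the caller's side, the user or role running `aws ssm start-session` needs `ssm:StartSession` (and `ssm:TerminateSession` for its own sessions); that statement can be scoped to specific instance ARNs and to the `SSM-SessionManagerRunShell` document rather than `"Resource": "*"`.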

Install the Session Manager plugin (the package is signed by AWS; check it with `pkgutil --check-signature session-manager-plugin.pkg` before installing):

# Install the signed package.
curl -O "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac_arm64/session-manager-plugin.pkg"
sudo installer -pkg 'session-manager-plugin.pkg' -target '/'

# Make the binary available to users.
# Pick one.
sudo ln -s '/usr/local/sessionmanagerplugin/bin/session-manager-plugin' '/usr/local/bin/session-manager-plugin'
ln -s '/usr/local/sessionmanagerplugin/bin/session-manager-plugin' "${HOME}/bin/session-manager-plugin"

# Verify it installed correctly.
session-manager-plugin

Then use it to get a session on the instance:

# Start sessions via Session Manager.
aws ssm start-session --target 'i-0123456789abcdef0'

Further readings

Sources