How to configure AWS CLI
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we have discussed how to install AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
In this blog post, we will discuss how to configure AWS CLI.
How to configure AWS CLI:
AWS CLI requires three mandatory parameters (access_key, secret_key and region) to access a resource in your AWS account. You get the access_key and secret_key when you create an IAM user with programmatic access or assume a role. The region parameter defines the region where AWS CLI will interact with the resources.
AWS CLI Configuration Parameters:
There are several configuration parameters available for AWS CLI that can be passed along with AWS CLI commands.
- access_key: Specifies an AWS access key associated with an IAM user or role.
- secret_key: Specifies the secret key associated with the access key. This is essentially the “password” for the access key.
- region: Specifies the AWS Region to send the request to.
- output: Specifies the output format to use. Output can be in text, json or table format.
- profile: Specifies the name of the CLI profile with the credentials and options to use. This can be the name of a profile stored in credentials and config file
- session_token: Specifies an AWS session token. Used when you assume an IAM role.
- ca_bundle: Specifies a CA certificate bundle (a file with the .pem extension) that is used to verify SSL certificates.
AWS CLI Configuration Options:
There are several ways you can configure AWS CLI. The AWS CLI uses a set of credential providers to look for AWS credentials. Each credential provider looks for credentials in a different place, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. Below is the precedence order for configuration settings.
- Command-line options: Value that is passed directly (for example –region) with aws cli has the highest precedence.
- Environment variables: Value that is set as an environment variable (for example AWS_DEFAULT_REGION) has the second-highest precedence.
- Configuration Files: Values that are defined in configuration files (for example region in config file) has the lowest precedence.
Using Configuration Files: You can save your frequently used configuration settings and credentials in files that are maintained by the AWS CLI. The files are divided into sections that can be referenced by name. These are called “profiles”. Unless you specify otherwise, the CLI uses the settings found in the profile named default. To use alternate settings, you can create and reference additional profiles.
Using Environment Variables: Environment variables provide another way to specify configuration options and credentials and can be useful for scripting or temporarily setting a named profile as the default.
Using Instance Profile: When you run the AWS CLI from within an Amazon EC2 instance, you can simplify providing credentials to your commands. Each Amazon EC2 instance contains metadata that the AWS CLI can directly query for temporary credentials. To provide these, create an AWS Identity and Access Management (IAM) role that has access to the resources needed, and attach that role to the AWS EC2 instance when you launch it.
Next, we will explain each configuration options through a demo.
Prerequisite for this demo:
- Two IAM users (one admin and one non-admin) with programmatic access.
- One EC2 instance with IAM role (admin) attached to it.
You can refer below blog posts to create IAM users and role.
https://cloudaffaire.com/iam-users/
https://cloudaffaire.com/iam-roles/
Demo:
Using Configuration Files:
Step 1: Setup AWS CLI using aws configure command.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
## Using Configuration Files ## ## Open command prompt and execute aws configure command ## Provide IAM admin user secret key and access key when prompted aws configure --profile admin #AWS Access Key ID [None]: #AWS Secret Access Key [None]: #Default region name [None]: #Default output format [None]: ##config file content #[profile admin] #region = ap-south-1 ##credential file content #[admin] #aws_access_key_id = #aws_secret_access_key = ## Check if aws cli properly configured aws sts get-caller-identity --profile admin |
Note: In Windows, the configuration files will be created in C:\Users\<USERNAME>\.aws\config location and in Linux, the config files will be created in ~/.aws/ location. We have configured AWS CLI using profile parameter, hence you need to pass an additional parameter –profile whenever you execute an AWS CLI command. If we had not passed –profile parameter in aws configure, aws would have created default entry in your config files and no additional parameters would have been required.
Next, we will configure AWS CLI using non-admin IAM user and query VPC resource.
Step 2: Configure AWS CLI using non-admin profile.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
## Create the non-admin profile and pass non-admin IAM user access-key and secret-key aws configure --profile nonadmin ##config file content #[profile admin] #region = #[profile nonadmin] #region = ##credential file content #[admin] #aws_access_key_id = #aws_secret_access_key = #[nonadmin] #aws_access_key_id = #aws_secret_access_key = ## Execute AWS CLI commands using both the profile. aws ec2 describe-vpcs --profile admin --output text --query "Vpcs[*].[VpcId]" aws ec2 describe-vpcs --profile nonadmin --output text --query "Vpcs[*].[VpcId]" #An error occurred (UnauthorizedOperation) |
Using Instance Profile And Environment Variables:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
## Using Instance Profile And Environment Variables ## ## Create an EC2 instance with AWS Linux 2 AMI ## Create a role with admin access and attach to your instance ## Install JQ package sudo yum Install jq -y ## Create a script to configure AWS cli using instance metadata and environment variable vi assume_role.sh ----------------------- ## Replace #!/bin/bash curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ export AWS_ACCESS_KEY_ID=$(cat cred.json| jq .AccessKeyId | xargs) export AWS_SECRET_ACCESS_KEY=$(cat cred.json| jq .SecretAccessKey| xargs) export AWS_SESSION_TOKEN=$(cat cred.json| jq .Token| xargs) export AWS_EXPIRATION=$(cat cred.json| jq .Credentials.Expiration| xargs) rm -f cred.json ------------------------ :wq ## Execute the script to configure AWS CLI chmod +x assume_role.sh sh assume_role.sh ## Check if aws cli properly configured aws sts get-caller-identity |
Hope you have enjoyed this article. In the next blog post, we will discuss AWS CLI commands for EC2.
To get more details on AWS CLI, please refer below AWS documentation
https://docs.aws.amazon.com/cli/index.html