AWS CLI Quick Start (Linux)


A quick guide to getting started with the AWS CLI from your Linux machine. Amazon provides some good documentation (see links below), but I’ve summarised the key steps here for brevity.

Install or Update the AWS CLI

First, install the AWS CLI package with:

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

Once it is installed, the AWS CLI needs to be configured.

Quick Configuration of AWS CLI

You can create the credentials file (which will be stored in ~/.aws/credentials) as shown below. Just make sure you’re running as your own user (and not root, for example) when you do this, or the credentials file will be created in the wrong location.

In my case I’m using a Federated Access IAM account, i.e. I’m logging in with our IDaaS solution and assuming a role to perform these tasks. Via the AWS web interface I’ve obtained the Access Key ID and Secret Access Key. You should change the region name to whatever you are using.

To get these keys you need to use the “Command line or programmatic access” link against the particular role of a particular account you are using. If you have a specific IAM account you’ll find this information within the AWS IAM application (I think).

$ aws configure
AWS Access Key ID [None]: BLAHBLAHBLAH7EXAMPLE
AWS Secret Access Key [None]: /K7MDENwJalrXUtnFRfiCYEXAMPLEKEY
Default region name [None]: eu-west-2
Default output format [None]: json

You should now find that the ~/.aws/credentials file has been created with a “default” profile. The default profile is used when you run the aws command without specifying a named profile.

What about Federated IAM, i.e. an AWS SSO User?

In my environment we have SSO Users (federated IAM). This means that if you attempt the above using just the Access Key ID and Secret Access Key, you’ll hit an issue like the one below when trying to access your EC2 instances:

$ aws ec2 describe-instances

An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials

What appears to be missing is the aws_session_token. To fix this, edit the ~/.aws/credentials file and add the aws_session_token at the bottom. You can get it from the AWS “Command line or programmatic access” link, alongside where you got the Access Key ID and Secret Access Key.

You can obtain the Session Token and paste it into your credentials file as shown below, but this isn’t a long-term solution, so see the section “Using a Federated IAM (SSO User)”.

[default]
aws_access_key_id = <accesskeyID>
aws_secret_access_key = <secretaccesskey>
aws_session_token = <sessiontokenkey>
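
The AuthFailure above is what temporary credentials produce when the session token is left out. As an added example (not part of the original post), the script below classifies each profile in a credentials file by its access key ID prefix, flags temporary keys that have no aws_session_token, and checks that the file is not accessible to other users. The function names and the sample file contents are constructed for illustration.

```shell
# Added example: audit an AWS shared credentials file (constructed data only).
# Print "<profile> <status>" per profile. Key IDs starting ASIA are temporary
# (STS/SSO) and need aws_session_token; AKIA marks long-lived IAM user keys.
classify_profiles() {
  awk '
    function report() {
      if (profile == "") return
      if (key ~ /^ASIA/)      status = token ? "temporary-ok" : "temporary-missing-token"
      else if (key ~ /^AKIA/) status = "long-lived"
      else                    status = "unknown"
      print profile, status
    }
    /^[ \t]*\[/ {                       # section header such as [default]
      report()
      gsub(/^[ \t]*\[|\][ \t]*$/, "")
      profile = $0; key = ""; token = 0
      next
    }
    {
      eq = index($0, "=")
      if (eq == 0) next                 # comment or blank line
      name = substr($0, 1, eq - 1);  gsub(/[ \t]/, "", name)
      value = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", value)
      if (name == "aws_access_key_id") key = value
      if (name == "aws_session_token" && value != "") token = 1
    }
    END { report() }
  ' "$1"
}

# Succeed only if the file grants no access to group or others (e.g. 600).
perms_ok() {
  case "$(stat -c '%a' "$1")" in   # GNU stat, as shipped on Linux
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

sample=$(mktemp)                        # mktemp creates the file with mode 600
cat > "$sample" <<'EOF'
[default]
aws_access_key_id = ASIAEXAMPLEONLY00001
aws_secret_access_key = constructed-secret
[static]
aws_access_key_id = AKIAEXAMPLEONLY00002
EOF
classify_profiles "$sample"
perms_ok "$sample" || echo "warning: credentials file readable by group/others"
rm -f "$sample"
```

Against your own file, run `classify_profiles ~/.aws/credentials`; a `long-lived` result marks a static key that stays valid until it is rotated or deleted.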

Using a Federated IAM (SSO User)

A quick way to get started with this is to create the ~/.aws/config file and add the configuration shown further down. You’ll need to swap the various entries for your environment. Don’t include the angle brackets; they are just there to mark the variables you need to substitute.

Alternatively, you can use the following command, which will take you through the setup:

aws configure sso [--profile myproject]

MYPROFILE – An identifier you wish to use to identify this configuration when you’re either using it in environment variables (see later in the article) or including it with the --profile argument when running commands.

NAME – The part of the SSO Start URL you may need to substitute. Your URL may be completely different; either way, this is the SSO URL that you’ll be redirected to as you attempt to authenticate.

REGIONNAME – e.g. “eu-west-2” You can have a different SSO Region to the Region where your resources are located.

ACCOUNTID – Your Account ID that you can find from your AWS account you wish to login to.

AWSROLE – The name of the AWS Role you wish to utilise during your logged in session:

[profile <MYPROFILE>]
sso_start_url = https://<NAME>.awsapps.com/start
sso_region = <REGIONNAME>
sso_account_id = <ACCOUNTID>
sso_role_name = <AWSROLE>
region = eu-west-2

So with some example values we would have something like the following in the file:

[profile londonaws]
sso_start_url = https://turnip.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 450218014560
sso_role_name = AWSAdministratorAccess
region = eu-west-2

Now that is all in order you can attempt to logon with the following command:

aws sso login --profile londonaws

All being well, your web browser will open and take you to the AWS SSO URL, where you authenticate as you normally would. If it works, your browser will show a message saying you are authenticated, and your command window will show success and return you to the command prompt.

You’re then logged in as your SSO User (Federated IAM).

Of course, it can be a pain to have to enter the “profile” you wish to use on the end of each command. You have a couple of options here:

1. Instead of giving the profile a specific name, add it as the “default” profile. This means any command run without the profile argument will use it.

2. Or, the recommended approach, add an environment variable that specifies the profile you wish to use, so you don’t have to specify it on the end of each command:

export AWS_PROFILE=londonaws

Using this method can be helpful when running scripts, although you can specify such variables within the script if you so wish.

Testing it Out!

Whether you have used the Federated IAM or just plain AWS authentication, let’s list the EC2 instances:

aws ec2 describe-instances

And now we find it’s working fine:

$ aws ec2 describe-instances
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "AmiLaunchIndex": 0,
                    "ImageId": "ami-00785cf48356acf64",
                    "InstanceId": "i-08b13909e5343c167",

.....

Useful Links

https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
