AWS Command Line Interface
The AWS Command Line Interface is very useful because, with this single tool, you can monitor multiple AWS services from the CLI and automate many time-consuming tasks. In this post, I will explain how to install and configure the AWS CLI on Windows, Linux, Mac, or Unix OS.
What is AWS CLI?
The AWS CLI is an open source tool built on top of the AWS SDK for Python that provides commands for interacting with AWS services. Once set up, you can use the CLI to reach all the functionality provided on the AWS Management Console, both to access AWS services and to configure resources.
You can use one of the following terminal programs for CLI:
- Linux shells: Use common shell programs such as Bash, Zsh, and tcsh to run commands in Linux, Mac OS, or Unix.
- Windows command line: On Microsoft Windows, run commands in either PowerShell or the Windows Command Processor.
- Remotely: Run commands on Amazon EC2 instances through a remote terminal such as PuTTY or SSH, or with Amazon EC2 Systems Manager.
With AWS CLI you can simplify many multi-step processes using one command, and also automate repetitive tasks. For example, you can accomplish the following very easily and quickly using the AWS CLI versus using the AWS Management Console.
- Sync all files from one s3 bucket to another s3 bucket, while also removing the ones that are deleted.
- Get the list of all IAM users in your AWS account who access a specific bucket prefix.
- Terminate all EC2 instances in your AWS account that are launched with a specific key pair.
Key Features of AWS CLI:
- Manage all AWS resources using a single tool.
- Simple Configuration.
- Easy to use, and can combine with other scripting languages.
How to install AWS CLI?
How to install AWS CLI on Windows:
To install on Windows, download one of the appropriate installers:
AWS CLI MSI Installer for Windows 64-bit
AWS CLI MSI Installer for Windows 32-bit
Follow the prompts on the installer to complete the installation.
As an alternative, run this installer batch script in an Administrator command prompt to download and run the installer.
How to install AWS CLI on Linux/Unix/MacOS:
The AWS CLI installs as a Python package, so you will need to install some prerequisites in the following order.
1. Install Python (skip this step if Python is already installed). Python version 2.6.5 or later is required.
2. Install pip (skip this step if pip is already installed).
You can download and install pip using the following commands:
curl -O https://bootstrap.pypa.io/get-pip.py
python get-pip.py --user
3. Install AWS CLI using pip
With python and pip installed, you can install AWS CLI using the following command:
pip install awscli --upgrade --user
Once AWS CLI is installed, you need to configure it. The configuration enables the CLI to authenticate with AWS as a user with a fixed set of permissions.
If you are trying to use the CLI on your machine or AWS EC2 instance, then you can follow the below instructions:
First, you will need an Access Key ID and Secret Access Key pair. If you don’t already have one, generate it by going to IAM->Users and selecting the user you want to create the pair for (see the screenshot below).
You can only view the secret access key on the console while creating it; you won’t be able to view it again at any time in the future. So, make sure you write it down and save it somewhere.
Note: If you lose your secret access key, or if someone steals it (a security concern), you will have to generate a new one and then configure it on all the machines where you use the AWS CLI.
Once you have the keys, then run the command “aws configure” on the command line, and enter the keys as shown below. Region and Output format values are optional and can be left blank.
With this setup done, you can now access/query the AWS resources from your command line.
If you want to save multiple user profiles, then you can create user profiles using the command:
aws configure --profile fakeuser
Using multiple profiles allows you to test different roles or authorizations and confirm that each one is neither more permissive nor more restrictive than it should be. You can then easily configure the CLI to use the profile of your choice.
How to make it more secure? Use IAM Roles
You can use the same method to access the AWS CLI on EC2 instances that you have deployed in your AWS environment, but it is not very secure.
Let’s say an attacker gains access to your EC2 instance and reads the Access Key ID and Secret Access Key values. That person can then use them from any machine with public internet access to change or break your environment against your will. This could become a big security concern.
To avoid situations like these, a better alternative is to create an IAM role with all the necessary permissions and attach that role to your EC2 instance. The instance then receives temporary credentials from the role, so no long-lived access key has to be stored on it. With this type of setup, if your instance gets compromised, you can terminate the instance or update the role's permissions.
For example, you want your EC2 web server instance to access your RDS instances and the S3 bucket in your AWS account. You can use the following steps to enable AWS CLI to be able to access those resources:
1. Create IAM role ‘CustomAccess_S3_RDS’ with permissions: ‘AmazonS3FullAccess’, ‘AmazonRDSFullAccess’.
2. When launching the EC2 instance, assign IAM role ‘CustomAccess_S3_RDS’.
Now, if you have AWS CLI installed on your EC2 instance, then you do not need to run the ‘aws configure’ command to access S3 and RDS. Your EC2 instance is already attached to a role with the necessary permissions, and so you can start accessing your resources directly.
If you want to access more resources from your EC2, then you can still go and update the role’s permissions to add/remove access rights or privileges as needed.
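To check that an instance relying on an IAM role has no leftover long-lived keys, the following added example (not part of the original post) scans an AWS shared credentials file and lists the profiles that still hold static IAM user keys. It assumes the usual `~/.aws/credentials` layout and that access key IDs beginning with `AKIA` are long-term user keys while `ASIA` marks temporary ones; the function names are hypothetical and the sample file is constructed.

```bash
#!/usr/bin/env bash
# Added example: find profiles in an AWS shared credentials file that hold
# long-lived IAM user keys. Function names are hypothetical.
# Assumption: "AKIA" key IDs are long-term user keys, "ASIA" are temporary.

# Print the name of every profile whose access key ID starts with AKIA.
list_static_key_profiles() {
  awk '
    /^[ \t]*\[/ {                       # section header such as [default]
      gsub(/^[ \t]*\[|\][ \t]*$/, "")
      profile = $0
      next
    }
    /^[ \t]*aws_access_key_id[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")          # strip "key =" and keep the value
      if ($0 ~ /^AKIA/) print profile
    }
  ' "$1"
}

# Succeed only if the file exists and contains at least one static key.
# A role-only EC2 instance normally has no credentials file at all.
has_static_keys() {
  [ -f "$1" ] && [ -n "$(list_static_key_profiles "$1")" ]
}

# Constructed sample file; the key IDs and secrets are not real.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-not-a-real-secret
[ci-temp]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-not-a-real-secret
aws_session_token = constructed-token
[fakeuser]
aws_access_key_id=AKIAEXAMPLEEXAMPLE01
aws_secret_access_key=constructed-not-a-real-secret
EOF

if has_static_keys "$sample"; then
  echo "Static access keys found in profiles:"
  list_static_key_profiles "$sample"
fi
# On a real host, pass "$HOME/.aws/credentials" instead of "$sample".
```

Any profile this reports on an EC2 instance is a candidate for key rotation and removal once the attached role covers the same access.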
AWS CLI cheat sheet:
Basic AWS command structure:
aws [command] [subcommand] [options and parameters*]
Command Help:
aws [service] help
Here, I will go over some examples for a few services to give you an idea.
AWS S3 (Simple Storage Service):
Print a list of all buckets in your AWS account:
aws s3 ls
Sync all the files from your s3 bucket to the local path:
aws s3 sync s3://my-test-bucket C:\Users\amolk\my_test_folder
The --delete flag will also remove a file/object from the local path if it has been deleted from the s3 bucket.
aws s3 sync --delete s3://my-test-bucket C:\Users\amolk\my_test_folder
Similarly, changing the location of the paths/URLs will change the direction of file transfer.
Sync all the files from your local path to s3 bucket:
aws s3 sync C:\Users\amolk\my_test_folder s3://my-test-bucket
The --delete flag will also remove a file/object from the s3 bucket if it has been deleted from the local path.
aws s3 sync --delete C:\Users\amolk\my_test_folder s3://my-test-bucket
AWS EC2 (Elastic Compute Cloud):
Get the description of all EC2 instances:
aws ec2 describe-instances
Get the description of a specific EC2 instance:
aws ec2 describe-instances --instance-ids i-1234567890###
AWS IAM (Identity and Access Management):
List all the IAM users in the current AWS account:
aws iam list-users
Get information about an IAM user in the AWS account:
aws iam get-user --user-name fakeuser
Conclusion
I hope with this, the basics of AWS CLI are clear. You can play more with the examples to learn more. If you have any questions, please feel free to reach out to me, or post a comment here, and I will get back to you.