AWS/CLI

From Ever changing code

Install AWS cli (command line)

curl -O https://bootstrap.pypa.io/get-pip.py
python get-pip.py
pip install awscli

or

sudo apt-get install awscli  #it will update a lot of packages to Python3 but will leave 2.7 as default

Configure AWS cli credentials

When you run aws configure and enter credentials, they are stored in a file at ~/.aws/credentials. Additionally, some configuration settings—such as the default region—are stored at ~/.aws/config.

$ aws configure                 #sets up default profile
$ aws configure --profile dev   #configure named 'dev' profile
$ aws configure --profile piotr #configure named 'piotr' profile
$ aws ec2 describe-regions      #to get a list all available regions

The ~/.aws/config profile sections must have the format [profile profile-name], except for the default profile; in ~/.aws/credentials the section header is just the profile name. For example:


Example ~/.aws/credentials file

[default]
aws_access_key_id=111xxxxxxxxxxxxxxxxx
aws_secret_access_key=111xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[dev]
aws_access_key_id=222xxxxxxxxxxxxxxxxx
aws_secret_access_key=222xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[piotr]
aws_access_key_id=333xxxxxxxxxxxxxxxxx
aws_secret_access_key=333xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

You can also supply credentials through the environment variables described in the AWS CLI documentation.

Configure AWS cli with Cross-Account Roles & MFA

Let’s assume that we have 4 AWS accounts:

  • One identity-account (acc_no: 000xxxxxxxxx) where we provision IAM users, create their API credentials and assign MFA
    • user 'piotr' mfa_arn: arn:aws:iam::000xxxxxxxxx:mfa/user.name
  • 3 for our different environments
    • development (acc_no: 111xxxxxxxxx)
      • role: CrossAccountSignin_Admin, role_arn: arn:aws:iam::111xxxxxxxxx:role/CrossAccountSignin_Admin
      • Trusted entities: acc_no: 000xxxxxxxxx (identity-account) and Conditions: aws:MultiFactorAuthPresent
    • staging (acc_no: 222xxxxxxxxx)
      • role: CrossAccountSignin_Admin, role_arn: arn:aws:iam::222xxxxxxxxx:role/CrossAccountSignin_Admin
      • Trusted entities: acc_no: 000xxxxxxxxx (identity-account) and Conditions: aws:MultiFactorAuthPresent
    • production (acc_no: 333xxxxxxxxx)
      • role: CrossAccountSignin_Admin, role_arn: arn:aws:iam::333xxxxxxxxx:role/CrossAccountSignin_Admin
      • Trusted entities: acc_no: 000xxxxxxxxx (identity-account) and Conditions: aws:MultiFactorAuthPresent

Let’s also assume that the proper roles and policies have already been put in place, allowing us to switch between accounts using the management console. We can create CLI profiles for each of these accounts.


Credentials file ~/.aws/credentials

[piotr-identity-account]
aws_access_key_id=333xxxxxxxxxxxxxxxxx
aws_secret_access_key=333xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


Config file ~/.aws/config

[profile piotr-identity-account]
region = eu-west-1

[profile development]
region = eu-west-1
source_profile = piotr-identity-account
role_arn   = arn:aws:iam::111xxxxxxxxx:role/CrossAccountSignin_Admin
mfa_serial = arn:aws:iam::000xxxxxxxxx:mfa/piotr

[profile staging]
region = eu-west-1
source_profile = piotr-identity-account
role_arn   = arn:aws:iam::222xxxxxxxxx:role/CrossAccountSignin_Admin
mfa_serial = arn:aws:iam::000xxxxxxxxx:mfa/piotr

[profile production]
region = eu-west-1
source_profile = piotr-identity-account
role_arn   = arn:aws:iam::333xxxxxxxxx:role/CrossAccountSignin_Admin
mfa_serial = arn:aws:iam::000xxxxxxxxx:mfa/piotr

Test

$ aws ec2 describe-instances --profile development
Enter MFA code for arn:aws:iam::000xxxxxxxxx:mfa/piotr: ***

By default the temporary API token is valid for 1 hour; once it expires you will be prompted for the MFA code again.
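As an added check (not part of the original page), the following Python script audits a ~/.aws/config written in the format above: every profile that sets role_arn must also set mfa_serial (the roles above only trust the identity account under aws:MultiFactorAuthPresent) and a source_profile, and every named section must carry the `profile ` prefix. The config text is a constructed sample based on the profiles above, with `ci` and `staging` deliberately misconfigured.

```python
import configparser

# Constructed sample ~/.aws/config modelled on the profiles above. "ci" and
# "staging" are deliberately misconfigured to exercise the checks.
SAMPLE_CONFIG = """\
[profile piotr-identity-account]
region = eu-west-1

[profile development]
region = eu-west-1
source_profile = piotr-identity-account
role_arn   = arn:aws:iam::111xxxxxxxxx:role/CrossAccountSignin_Admin
mfa_serial = arn:aws:iam::000xxxxxxxxx:mfa/piotr

[profile ci]
region = eu-west-1
source_profile = piotr-identity-account
role_arn   = arn:aws:iam::222xxxxxxxxx:role/CrossAccountSignin_Admin

[staging]
role_arn = arn:aws:iam::222xxxxxxxxx:role/CrossAccountSignin_Admin
"""


def audit_config(config_text: str) -> dict[str, list[str]]:
    """Return {section_name: [findings]} for a ~/.aws/config given as text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    report = {}
    for section in cp.sections():
        opts = cp[section]
        findings = []
        # Only the default profile may omit the "profile " prefix in ~/.aws/config.
        if section != "default" and not section.startswith("profile "):
            findings.append("named profile must be declared as [profile NAME]")
        if "role_arn" in opts:
            # Without mfa_serial the CLI would call AssumeRole with no MFA token,
            # which the trust policy condition aws:MultiFactorAuthPresent rejects.
            if "mfa_serial" not in opts:
                findings.append("role_arn without mfa_serial")
            # A role profile needs credentials to call AssumeRole with.
            if "source_profile" not in opts and "credential_source" not in opts:
                findings.append("role_arn without source_profile")
        report[section] = findings
    return report
```

Point it at your own file with `audit_config(open(os.path.expanduser("~/.aws/config")).read())`.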

Examples

Create a reusable delegation set with a unique string '20170409'

aws route53 create-reusable-delegation-set --caller-reference 20170409

List the reusable delegation sets, using the 'terraform-profile' profile from ~/.aws/credentials

aws route53 list-reusable-delegation-sets --profile terraform-profile

IAM server certificates

List IAM server certificates, delete a certificate

aws iam list-server-certificates  --output text  --query 'ServerCertificateMetadataList[*].[Expiration,ServerCertificateName]'  | sort
aws iam list-server-certificates | grep <ServerCertificateName>
aws iam delete-server-certificate --server-certificate-name <ServerCertificateName>


Upload a certificate to IAM

aws iam upload-server-certificate --server-certificate-name cert_name --certificate-body file://cert_name.crt \
                                  --certificate-chain file://cert_name.pem --private-key file://cert_name.key


Check expiry date

certificate_name=<ServerCertificateName>
aws iam get-server-certificate --server-certificate-name $certificate_name --output text --query 'ServerCertificate.CertificateBody' | openssl x509 -text | less
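As an added example (not from the original page), this Python snippet consumes the tab-separated `Expiration<TAB>ServerCertificateName` lines that the `list-server-certificates --output text` command above prints and flags certificates that have already expired or expire within a given window, so the sorted listing does not have to be read by eye. The listing below is a constructed sample.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what `aws iam list-server-certificates --output text
# --query 'ServerCertificateMetadataList[*].[Expiration,ServerCertificateName]'`
# prints: one "Expiration<TAB>ServerCertificateName" line per certificate.
SAMPLE_LISTING = """\
2018-03-01T00:00:00Z\tlegacy-wildcard
2018-04-10T12:00:00Z\twww-example
2019-01-01T00:00:00Z\tapi-example
"""


def parse_listing(text: str) -> list[tuple[str, datetime]]:
    """Parse the text listing into (name, expiration) pairs with UTC-aware datetimes."""
    certs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        expiration, name = line.split("\t", 1)
        when = datetime.strptime(expiration, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        certs.append((name, when))
    return certs


def expiring_certs(text: str, now: datetime, within_days: int = 30) -> dict[str, int]:
    """Return {name: whole_days_left}, soonest first, for certificates that are
    already expired (negative days) or expire within `within_days` of `now`."""
    cutoff = now + timedelta(days=within_days)
    flagged = {}
    for name, when in sorted(parse_listing(text), key=lambda c: c[1]):
        if when <= cutoff:
            flagged[name] = (when - now).days
    return flagged
```

Feed it real output with `expiring_certs(sys.stdin.read(), datetime.now(timezone.utc))`.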

List all instances and their status

aws ec2 describe-instances --query 'Reservations[*].Instances[*].[State.Name,InstanceId,Tags[?Key==`Name`].Value]' --output text
