Module 3: Set Up the AWS CLI
In this module, you will configure the AWS Command Line Interface (CLI).
What you will accomplish
- Install the AWS Command Line Interface (AWS CLI) for your operating system
- Configure the credentials to access your AWS account
- Configure multiple profiles to access different AWS accounts
Implementation
The AWS CLI is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.
To interact with AWS using the CLI, we need to configure credentials for it to use when making API calls. We will also show how you can set up multiple profiles to access more than one AWS account, either with additional credentials, or through IAM role switching.
Time to complete
10 minutes
Module requirements
- An internet browser
- An AWS account
Install the AWS CLI
There are different ways to install the AWS CLI, depending on your operating system or preference to use containers. To install the AWS CLI v2, see Installing or updating the latest version of the AWS CLI.
Once the AWS CLI is installed, run aws --version in your command line to confirm the installation (your version may be different):
aws --version
For example, the response when installing the AWS CLI on Windows 10 is as follows:
aws-cli/2.12.1 Python/3.11.3 Windows/10 exe/AMD64 prompt/off
The AWS CLI is now installed and you are ready to configure your credentials.
Configure AWS CLI credentials
To configure the credentials, use the command aws configure sso to include the credentials of the user created in the previous module of this tutorial.
When you use the aws configure sso command, you will be asked for:
- SSO session name: Provides a name for the session that is included in the AWS CloudTrail logs for entries associated with this session. If you don't enter a name, one is generated automatically. For this tutorial, use Test1.
- SSO start URL: The AWS Access portal URL you were provided when you configured IAM Identity Center.
- SSO region: For this tutorial use us-east-1. For a list of Region names and codes, see this table.
- SSO registration scopes: Scopes authorize access to different endpoints. In this tutorial we will use the minimum scope of sso:account:access to get a refresh token back from the IAM Identity Center service.
You will be prompted for each of these items in the terminal after you enter the aws configure sso command.
Note: If you don't know the start URL or region for your account, sign in to the console as your root user and go to the IAM Identity Center Dashboard. The region and AWS Access portal URL are displayed in the Settings summary.
The following snippet shows the CLI content at this stage:
$ aws configure sso
SSO session name (Recommended): Test1
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [None]: sso:account:access
The CLI attempts to automatically open the SSO authorization page in your default browser and begins the sign in process for your IAM Identity Center account.
After providing your password (and MFA credential, if enabled) you are asked to allow access to your data. This gives permissions to the AWS CLI to retrieve and display the AWS accounts and roles that you are authorized to use with IAM Identity Center.
Since the AWS CLI is built on top of the SDK for Python, permission messages may contain variations of the botocore name, such as botocore-client-Test1. Select Allow. After authentication, you will be told that you can close the window.
The CLI will update and show you the AWS accounts and roles that are available to you. Because you have only set up one AWS account with the AdministratorAccess role at this point, that is the account and role you are signed in with. Your CLI window should now have these lines displayed:
The only AWS account available to you is: 111122223333
Using the account ID 111122223333
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
You are then asked to specify the default output format, the default AWS Region to send commands to, and to provide a name for the profile so you can reference this profile when running commands in the CLI.
The suggested profile name is the account ID number followed by an underscore followed by the role name; however, for this tutorial, we are going to use a shorter profile name, admin-1. Your CLI window should now have these lines displayed:
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile admin-1
Now, run the aws ec2 describe-vpcs command to check if the configuration is correct. Each new AWS account has default VPCs configured so you can run this command without having any other services configured on your AWS account.
Your CLI window should now have these lines displayed:
aws ec2 describe-vpcs --profile admin-1
{
    "Vpcs": [
        {
            "CidrBlock": "10.0.0.0/16",
            "DhcpOptionsId": "dopt-d12345",
            "State": "available",
            "VpcId": "vpc-0123456789abcdef",
            "OwnerId": "111122223333",
            "InstanceTenancy": "default",
            "CidrBlockAssociationSet": [
                {
                    "AssociationId": "vpc-cidr-assoc-38b060a751a39af8e",
                    "CidrBlock": "10.24.34.0/23",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "IsDefault": true
        }
    ]
}
This confirms that your AWS CLI has now been set up correctly.
By performing this procedure, you have updated your AWS config file with an sso-session section and named profile.
The config file is located at ~/.aws/config on computers running Linux or macOS, or at C:\Users\USERNAME\.aws\config on computers running Windows. If you open your config file, you will see these two sections:
[profile admin-1]
sso_session = Test1
sso_account_id = 111122223333
sso_role_name = AdministratorAccess
region = us-east-1
output = json
[sso-session Test1]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
You can now use this sso-session and profile to request credentials using the aws sso login command. When you do this, your CLI window will display the following lines:
aws sso login --profile admin-1
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-east1.amazonaws.com/
Then enter the code:
XXXX-XXXX
Go to the browser window and allow access to your data. When you return to the CLI window, the following line is displayed:
Successfully logged into Start URL: https://my-sso-portal.awsapps.com/start
Configure multiple profiles (optional)
As you add roles to your AWS account and add additional AWS accounts to your organization, repeat the procedure above to create a profile for those roles and accounts.
As you add complexity, having a profile naming strategy that associates AWS account IDs and role names is recommended so that you can distinguish between the profiles.
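The config file sections and the naming advice above, as an added example that is not part of the AWS tutorial: a Python check that every profile points at an sso-session section that exists and that the profile name identifies its account ID and role. The function name audit_config, the two extra profiles, account 444455556666, role ReadOnlyAccess and session Test2 are assumptions made for illustration.

```python
import configparser

# Constructed sample: the tutorial's two sections plus two hypothetical profiles.
SAMPLE_CONFIG = """
[profile admin-1]
sso_session = Test1
sso_account_id = 111122223333
sso_role_name = AdministratorAccess
region = us-east-1
output = json

[profile 444455556666_ReadOnlyAccess]
sso_session = Test1
sso_account_id = 444455556666
sso_role_name = ReadOnlyAccess

[profile stale]
sso_session = Test2
sso_account_id = 111122223333
sso_role_name = AdministratorAccess

[sso-session Test1]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
"""

def audit_config(text):
    """Return {profile name: [findings]} for each [profile ...] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    sessions = {s.split(None, 1)[1] for s in cp.sections() if s.startswith("sso-session ")}
    report = {}
    for section in cp.sections():
        if not section.startswith("profile "):
            continue
        name, opts, findings = section.split(None, 1)[1], cp[section], []
        session = opts.get("sso_session", "")
        account, role = opts.get("sso_account_id", ""), opts.get("sso_role_name", "")
        if session not in sessions:  # profile points at a missing sso-session
            findings.append(f"sso_session '{session}' is not defined")
        # Naming strategy: the profile name should carry both account ID and role.
        if not (account and role and account in name and role in name):
            findings.append("name omits account ID or role name")
        report[name] = findings
    return report

if __name__ == "__main__":
    for profile, findings in audit_config(SAMPLE_CONFIG).items():
        print(profile, "->", findings or "ok")
```

To check a real file, pass the text of ~/.aws/config to audit_config; the short name admin-1 used in this tutorial is reported because it does not carry the account ID or role.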
Conclusion
Congratulations! You have learned how to set up the AWS CLI and configure a named profile. In the next module, you will learn how to set up AWS Cloud9, a cloud-based IDE.