AWS CLI

Learn how to set up AWS CLI for your AWS account in a few easy steps! This comprehensive guide walks you through enabling IAM Identity Center, adding a user to your AWS account, installing and configuring AWS CLI V2, and setting AWS environment variables. You’ll even get to test your AWS CLI skills by creating a role using AWS CLI V2. Follow along and become an AWS CLI pro!

Enable IAM identity center

  1. Sign in as the root user.
  2. Go to IAM Identity Center console.
  3. Under Enable IAM Identity Center, click Enable.
  4. Click Create AWS organization in the popup window.

Add User in IAM Identity Center

  1. Click Add user in “IAM Identity Center > Users”.
  2. Fill the required information.
  3. Review the information and click Add user in the bottom right. You can also create a group for this user if you like.
  4. Hooray! The user “buildwebapp2023” was successfully added!
  5. Finally, navigate to your mail and click Accept invitation.

Add User to an AWS account

  1. In “IAM Identity Center > AWS Organizations: AWS accounts”, click one of the AWS accounts, then click Assign users or groups.
  2. Select the newly added user and the “AdministratorAccess” permission set (we’ll need it to create a role programmatically later).
  3. Review and click Submit. Wait a second…
  4. The user with selected permission sets is assigned to this AWS account!

Install and Configure AWS CLI V2

  1. Install AWS CLI via Homebrew

    brew install awscli
    
  2. Specify an alternate location for the AWS config and credentials files, following the XDG Base Directory specification. I use zsh, so I’ll do

    echo 'export AWS_CONFIG_FILE=$HOME/.config/aws/config
    export AWS_SHARED_CREDENTIALS_FILE=$HOME/.config/aws/credentials' > ~/.config/zsh/init/aws.zshrc
    
  3. Generate the config file for the sso-session and profile. Grab the values from “IAM Identity Center > Dashboard”: click the AWS access portal URL under Settings summary, then copy the SSO Start URL and SSO Region into the proper fields. Alternatively, use the aws configure sso wizard.

    AWS_ACCOUNT_ID=123456789012
    mkdir -p ~/.config/aws
    echo '[sso-session my-sso]
    sso_start_url = https://d-9067911059.awsapps.com/start#
    sso_region = us-east-1
    sso_registration_scopes = sso:account:access
    
    [profile admin-access]
    sso_session = my-sso
    sso_account_id = '${AWS_ACCOUNT_ID}'
    sso_role_name = AdministratorAccess
    region = us-east-1
    output = yaml' > ~/.config/aws/config
    

Set AWS environment variables

To set AWS environment variables, copy the export statements (short-term credentials) from the same AWS access portal you opened in the previous section and append them to the zsh init file. These credentials include a session token and expire, so refresh them when they stop working, and keep this file out of any dotfiles repository now that it holds secrets.

echo 'export AWS_ACCESS_KEY_ID="XXX"
export AWS_SECRET_ACCESS_KEY="YYY"
export AWS_SESSION_TOKEN="ZZZ"' >> ~/.config/zsh/init/aws.zshrc

Test your AWS CLI

To test your AWS CLI, you can create a role and attach a policy to it programmatically. The trust policy below lets GitHub Actions workflows in the walkccc/go-boilerplate repository assume the role through GitHub’s OIDC provider, so that provider (token.actions.githubusercontent.com) must already be registered as an IAM identity provider in the account, or create-role will reject the principal. The commands are:

AWS_ACCOUNT_ID=123456789012
echo '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::'${AWS_ACCOUNT_ID}':oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:walkccc/go-boilerplate:*"
        }
      }
    }
  ]
}' > GitHubActionsRole.json
aws iam create-role --role-name GitHubActionsRole --assume-role-policy-document file://GitHubActionsRole.json
aws iam attach-role-policy --role-name GitHubActionsRole --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser
rm GitHubActionsRole.json

Congrats, you’ve successfully created a role via AWS CLI V2! 🙂
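
The trust policy is what decides who may assume this role, so it is worth checking before running create-role. The following is an added example, not code from the guide: a small Python checker that verifies a GitHub OIDC trust policy pins the `aud` audience to sts.amazonaws.com and pins `sub` to a single owner/repo, and reports that the guide’s `repo:walkccc/go-boilerplate:*` pattern trusts every branch, tag, pull request and environment of that repository. The embedded sample policy is constructed from the guide’s JSON with its placeholder account id.

```python
import json
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"
# Constructed sample: the trust policy the guide writes to GitHubActionsRole.json,
# with the guide's placeholder account id filled in.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{GITHUB_OIDC}:sub": "repo:walkccc/go-boilerplate:*"},
        },
    }],
})

# A sub claim that pins one repository: "repo:<owner>/<repo>:<rest>", no wildcards in owner or repo.
PINNED_REPO = re.compile(r"repo:[^/*?]+/[^/*?]+:.+")


def check_trust_policy(document: str) -> list[str]:
    """Return findings for every Allow statement that trusts the GitHub OIDC provider.
    Only StringEquals and StringLike are inspected, the operators the guide's policy uses."""
    findings = []
    for i, stmt in enumerate(json.loads(document).get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if GITHUB_OIDC not in str(principal.get("Federated", "")):
            continue
        # Flatten Condition into (operator, key, value) triples; IAM condition keys are case-insensitive.
        conds = [(op, key.lower(), v)
                 for op in ("StringEquals", "StringLike")
                 for key, vals in stmt.get("Condition", {}).get(op, {}).items()
                 for v in (vals if isinstance(vals, list) else [vals])]
        aud = [v for _, key, v in conds if key == f"{GITHUB_OIDC}:aud"]
        if aud != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com: {aud}")
        subs = [(op, v) for op, key, v in conds if key == f"{GITHUB_OIDC}:sub"]
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repository could assume this role")
        for op, sub in subs:
            if not PINNED_REPO.fullmatch(sub):
                findings.append(f"statement {i}: sub {sub!r} does not pin a single owner/repo")
            elif op == "StringLike" and "*" in sub.split(":", 2)[2]:
                findings.append(f"statement {i}: sub {sub!r} matches every branch, tag, PR and environment of the repo")
    return findings
```

Feeding it the guide’s GitHubActionsRole.json reports the `:*` wildcard; narrowing `sub` to something like `repo:walkccc/go-boilerplate:ref:refs/heads/main` clears the finding.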

Finally, when you’re done, clean up the resources you created:

aws iam detach-role-policy --role-name GitHubActionsRole --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser
aws iam delete-role --role-name GitHubActionsRole
