AWS CLI
Learn how to set up AWS CLI for your AWS account in a few easy steps! This comprehensive guide walks you through enabling IAM Identity Center, adding a user to your AWS account, installing and configuring AWS CLI V2, and setting AWS environment variables. You’ll even get to test your AWS CLI skills by creating a role using AWS CLI V2. Follow along and become an AWS CLI pro!
Enable IAM Identity Center
- Sign in as the root user.
- Go to IAM Identity Center console.
- Under Enable IAM Identity Center, click Enable.
- Click Create AWS organization in the popup window.
Add User in IAM Identity Center
- Click Add user in “IAM Identity Center > Users”.
- Fill the required information.
- Review the information and click Add user in the bottom right. You can also create a group for this user if you like.
- Hooray! The user “buildwebapp2023” was successfully added!
- Finally, navigate to your mail and click Accept invitation.
Add User to an AWS account
- In “IAM Identity Center > AWS Organizations: AWS accounts”, select one of the AWS accounts, then click Assign users or groups.
- Select the newly added user and the “AdministratorAccess” permission set (we’ll need it to create a role programmatically later).
- Review and click Submit. Wait a second…
- The user with selected permission sets is assigned to this AWS account!
Install and Configure AWS CLI V2
Install AWS CLI via Homebrew
brew install awscli
Specify an alternate location to store the AWS config and credentials files, following the XDG Base Directory specification. I use zsh, so I’ll do
echo 'export AWS_CONFIG_FILE=$HOME/.config/aws/config
export AWS_SHARED_CREDENTIALS_FILE=$HOME/.config/aws/credentials' > ~/.config/zsh/init/aws.zshrc
Generate the config file with its sso-session and profile sections by grabbing the information in “IAM Identity Center > Dashboard”: click the AWS access portal URL under Settings summary, then copy and paste the SSO Start URL and SSO Region into the proper fields. Alternatively, use the aws configure sso wizard.
AWS_ACCOUNT_ID=123456789012
# The directory pointed to by AWS_CONFIG_FILE must exist before writing to it.
mkdir -p ~/.config/aws
echo '[sso-session my-sso]
sso_start_url = https://d-9067911059.awsapps.com/start#
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile admin-access]
sso_session = my-sso
sso_account_id = '${AWS_ACCOUNT_ID}'
sso_role_name = AdministratorAccess
region = us-east-1
output = yaml' > ~/.config/aws/config
Set AWS environment variables
To set the AWS environment variables, copy the export statements for your account from the AWS access portal (the same URL used above). These are temporary session credentials, so repeat this step whenever the session expires.
echo 'export AWS_ACCESS_KEY_ID="XXX"
export AWS_SECRET_ACCESS_KEY="YYY"
export AWS_SESSION_TOKEN="ZZZ"' >> ~/.config/zsh/init/aws.zshrc
Test your AWS CLI
To test your AWS CLI, you can create a role and attach a policy to it programmatically. The commands are:
AWS_ACCOUNT_ID=123456789012
echo '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::'${AWS_ACCOUNT_ID}':oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
},
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:walkccc/go-boilerplate:*"
}
}
}
]
}' > GitHubActionsRole.json
aws iam create-role --role-name GitHubActionsRole --assume-role-policy-document file://GitHubActionsRole.json
aws iam attach-role-policy --role-name GitHubActionsRole --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser
rm GitHubActionsRole.json
Congrats, you’ve successfully created a role via AWS CLI V2! 🙂
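As an added example (not code from the original post), here is a small shell helper that renders the same GitHub Actions OIDC trust policy for any account id and repository and lints it before it is handed to aws iam create-role; the account id, repository and branch below are placeholders. The lint checks the two conditions that scope this trust: the aud claim must be sts.amazonaws.com and the sub claim must name a single owner/repo rather than a wildcard, because a trust policy without those conditions can be satisfied by a token from any GitHub repository.

```shell
#!/bin/sh
# Added example, not from the original post. Renders and lints the
# GitHub Actions OIDC trust policy used with `aws iam create-role`.
# Account id, repository and ref are placeholders.
set -eu

# render_trust_policy ACCOUNT_ID REPO [REF]
#   REPO is "owner/name". REF (optional, e.g. refs/heads/main) pins the
#   trust to one git ref; without it the sub pattern "repo:owner/name:*"
#   matches every branch, tag, pull request and environment of that repo.
render_trust_policy() {
  account_id=$1
  repo=$2
  ref=${3:-}
  if [ -n "$ref" ]; then
    sub="repo:${repo}:ref:${ref}"
  else
    sub="repo:${repo}:*"
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "${sub}"
        }
      }
    }
  ]
}
EOF
}

# lint_trust_policy FILE
#   Returns 0 when the policy pins aud to sts.amazonaws.com and scopes sub
#   to a concrete owner/name (no wildcard in either part); returns 1 otherwise.
lint_trust_policy() {
  file=$1
  grep -q '"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"' "$file" || return 1
  grep -q '"token.actions.githubusercontent.com:sub": "repo:[^*:"/]\{1,\}/[^*:"/]\{1,\}' "$file" || return 1
  return 0
}

# Usage (placeholders): render, lint, then create the role as in the post.
#   render_trust_policy 123456789012 walkccc/go-boilerplate refs/heads/main > GitHubActionsRole.json
#   lint_trust_policy GitHubActionsRole.json && \
#     aws iam create-role --role-name GitHubActionsRole \
#       --assume-role-policy-document file://GitHubActionsRole.json
```

Pinning the sub claim to a ref, as the optional third argument does, is the tighter choice when only a release branch should be able to push images; the post's `repo:owner/name:*` form is the broadest pattern the lint still accepts.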
Finally, when you’re done, clean up the resources you created:
aws iam detach-role-policy --role-name GitHubActionsRole --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser
aws iam delete-role --role-name GitHubActionsRole