AWS CLI

AWS Command Line Interface.

Manual configuration

You can create the ~/.aws/config and ~/.aws/credentials files manually.

Scenario 1: AWS SSO profile (recommended)

Configuration in ~/.aws/config:

[profile my-sso-profile]
sso_start_url = https://yourcompany.awsapps.com/start
sso_region = sa-east-1
sso_account_id = 1234567890
sso_role_name = RoleName
region = sa-east-1
output = json

AWS SSO does not need a ~/.aws/credentials file.

Scenario 2: Source profile and MFA authentication

Source profile credentials in ~/.aws/credentials:

[my-profile-with-mfa]
aws_access_key_id = ...
aws_secret_access_key = ...

[my-working-profile]
aws_access_key_id =
aws_secret_access_key =

Configuration in ~/.aws/config:

[profile my-profile-with-mfa]
mfa_serial = arn:aws:iam::111111111111:mfa/myuser
region = sa-east-1
output = json

[profile my-working-profile]
mfa_serial = arn:aws:iam::111111111111:mfa/myuser
source_profile = my-profile-with-mfa
region = sa-east-1
output = json

Scenario 3: IAM roles with a source profile and MFA authentication

Source profile credentials in ~/.aws/credentials:

[my-profile-with-mfa]
aws_access_key_id = ...
aws_secret_access_key = ...

Configuration in ~/.aws/config:

[profile my-profile-with-mfa]
mfa_serial = arn:aws:iam::111111111111:mfa/myuser
region = sa-east-1
output = json

[profile my-working-profile]
mfa_serial = arn:aws:iam::111111111111:mfa/myuser
role_arn = arn:aws:iam::9999999999999:role/myrole
source_profile = my-profile-with-mfa
region = sa-east-1
output = json

Usage

Get Session Token

Required only when MFA is enabled.

  1. Create the dotenv file: cp .env.example .env
  2. Update the .env file based on your ~/.aws/ files
  3. Set AWS profile to your MFA profile: export AWS_PROFILE=my-profile-with-mfa
  4. Get the session credentials: aws-get-session-token <MFA_DIGITS>
  5. Update the credentials of your working profile based on the response
  6. Set AWS profile to your working profile: export AWS_PROFILE=my-working-profile
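Step 5 as an added example (not code from this repository): it copies the temporary credentials from the response into the working profile's section of the credentials file, including aws_session_token, which temporary credentials need alongside the key pair. It assumes the response has the JSON shape returned by aws sts get-session-token; the function name and all sample values are constructed.

```python
import configparser
import json
import os
import tempfile
from pathlib import Path

# Constructed sample in the shape returned by `aws sts get-session-token`
# (assumption: the wrapper prints the same JSON; every value here is fake).
SAMPLE_RESPONSE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIA-CONSTRUCTED-EXAMPLE",
    "SecretAccessKey": "constructed-secret-key",
    "SessionToken": "constructed-session-token",
    "Expiration": "2030-01-01T12:00:00+00:00",
}})

# STS response field -> key in ~/.aws/credentials
FIELDS = {
    "AccessKeyId": "aws_access_key_id",
    "SecretAccessKey": "aws_secret_access_key",
    "SessionToken": "aws_session_token",
}


def apply_session_credentials(response_json, profile, credentials_path):
    """Write the temporary credentials into [profile]; return their expiration."""
    creds = json.loads(response_json).get("Credentials", {})
    missing = [field for field in FIELDS if not creds.get(field)]
    if missing:
        raise ValueError(f"response is missing {missing}")
    path = Path(credentials_path)
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)  # keeps other sections, e.g. the MFA source profile
    if not parser.has_section(profile):
        parser.add_section(profile)
    for field, key in FIELDS.items():
        parser.set(profile, key, creds[field])
    # mkstemp creates the file owner-only (0600); os.replace swaps it in
    # atomically, so the secrets are never group- or world-readable.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".credentials.")
    with os.fdopen(fd, "w") as handle:
        parser.write(handle)
    os.replace(tmp, path)
    return creds.get("Expiration")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmpdir:  # never touches ~/.aws
        target = Path(tmpdir) / "credentials"
        print(apply_session_credentials(SAMPLE_RESPONSE, "my-working-profile", target))
```

configparser does not preserve comments, so any comments in the existing credentials file are dropped on rewrite.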

SSO (Single Sign-On)

  1. Create the dotenv file: cp .env.example .env
  2. Set the AWS_SSO_DEFAULT_PROFILE=your-default-sso-profile env var in the .env file
  3. Run aws-sso and choose 1) configure to set up a new AWS profile (account + role)
  4. Run aws_sso and choose 2) login to log in to an existing profile

AWS CLI

After logging in, run AWS CLI commands as usual.

Example:

aws help
aws s3 ls --profile my-profile

Hint: set the AWS_PROFILE env var in your Zsh config file.

echo "" >> ~/.zshrc
echo "export AWS_PROFILE=my-working-profile" >> ~/.zshrc
