Ultimate Beginner's Guide to Mastering AWS CLI
AWS CLI Tutorial
The AWS Command Line Interface (CLI) is a powerful tool for managing your AWS services from a terminal session. This tutorial will guide you through the basic commands needed to configure your AWS CLI, set up Single Sign-On (SSO), manage EC2 instances, and more. Let's dive into the steps!
Prerequisites
Ensure you have the AWS CLI installed. You can download and install it from https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html.
You need AWS credentials (an Access Key ID and Secret Access Key) or SSO credentials. To get access keys, sign in to AWS, open Security credentials under My Account, create an access key pair, and download the .csv file; it contains your Access Key ID and Secret Access Key. The secret is shown only at creation time, so keep that file private.
Step 1: Configuring AWS CLI
First, configure the AWS CLI with your credentials. For access-key credentials, run:
aws configure
For AWS Single Sign-On (SSO), run:
aws configure sso
Either command prompts you interactively for what it needs (access key and secret, or SSO start URL and region) and stores the result under ~/.aws.
Step 2: Managing AWS Credentials
To view the credentials stored by the AWS CLI, list the ~/.aws directory and display the credentials file (it holds your secret access key in plaintext, so never share or commit it):
ls ~/.aws
cat ~/.aws/credentials
Step 3: Configuring EC2 Security Groups
You can describe your existing security groups to review their configuration:
aws ec2 describe-security-groups
//To create a new security group (you need the ID of the VPC it belongs to; aws ec2 describe-vpcs lists them):
aws ec2 create-security-group --group-name my-sg --description "MY-SG" --vpc-id "YOUR-VPC-ID"
//To create a new EC2 key pair for SSH access:
aws ec2 create-key-pair --key-name MyKpCli --query 'KeyMaterial' --output text > MyKpCli.pem
chmod 400 MyKpCli.pem
//To run a new EC2 instance:
aws ec2 run-instances --image-id ADD-YOUR-IMAGEID --count 1 --instance-type t2.micro --key-name MyKpCli --security-group-ids YOUR-SECURITY-GROUP-ID --subnet-id YOUR-SUBNET-ID
//To connect to your EC2 instance using SSH, use the following command:
ssh -i MyKpCli.pem ec2-user@your-instance-public-ip
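A detail of the key-pair step above that is easy to miss: the shell creates MyKpCli.pem with its default umask (usually mode 644) before chmod 400 runs, so for a moment the private key is readable by every user on the machine. The following is an added example, not code from the original tutorial: it writes the key material under umask 077 in a subshell, then verifies the file mode before handing the key to ssh, which itself refuses group- or world-readable keys. The function names and the constructed placeholder key material are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): save EC2 key material
# without a world-readable window, then verify the mode before using it.

# write_private_key FILE  - reads key material from stdin, writes it owner-only
write_private_key() {
    file=$1
    # the umask change happens in a subshell, so it does not leak to the caller
    ( umask 077; cat > "$file" ) || return 1
    chmod 400 "$file"
}

# key_mode FILE  - prints the ls(1) permission string, e.g. -r--------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# check_key_perms FILE  - 0 if only the owner can read the key, 1 otherwise
check_key_perms() {
    mode=$(key_mode "$1")
    case "$mode" in
        -r--------|-rw-------) return 0 ;;
        *) echo "refusing to use $1: permissions are $mode" >&2; return 1 ;;
    esac
}

# Real usage (not executed here): pipe the CLI output straight into the writer.
#   aws ec2 create-key-pair --key-name MyKpCli --query 'KeyMaterial' --output text \
#       | write_private_key MyKpCli.pem
#   check_key_perms MyKpCli.pem && ssh -i MyKpCli.pem ec2-user@your-instance-public-ip

# Self-contained demo with constructed (fake) key material; returns 0 when the
# owner-only file passes and a loosened copy is rejected.
demo_key_file() {
    tmp=$(mktemp)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END RSA PRIVATE KEY-----' | write_private_key "$tmp"
    check_key_perms "$tmp"
    status=$?
    chmod 644 "$tmp"     # simulate a key saved with a permissive umask
    if check_key_perms "$tmp" 2>/dev/null; then status=1; fi
    rm -f "$tmp"
    return $status
}
```

The same idea applies to the MyKeyPair.pem command in the quick checklist further down: a umask 077 subshell around the redirect removes the need to race chmod against other users.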
Advanced AWS CLI Tutorial
This advanced tutorial builds upon the basics covered previously and delves into more specific AWS CLI commands for managing EC2 instances, IAM policies, and user accounts.
Prerequisites
Ensure you have completed the basic AWS CLI setup as covered in the previous tutorial. Additionally, make sure you have the necessary permissions to execute IAM and EC2 commands.
Step 1: Describe EC2 Instances
To filter and describe EC2 instances of a specific type, use the following command:
aws ec2 describe-instances --filters "Name=instance-type,Values=t2.micro" --query "Reservations[].Instances[].InstanceId"
Step 2: Manage IAM Policies
Creating a Custom IAM Policy
First, create a JSON file named changePwdPolicy.json with the policy definition. Here is an example policy that allows users to change their own password (the ${aws:username} policy variable restricts the first statement to the calling user's own IAM user):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword"
      ],
      "Resource": ["arn:aws:iam::YOUR-ACCOUNT-ID:user/${aws:username}"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Create the policy using the AWS CLI:
aws iam create-policy --policy-name changePwd --policy-document file://changePwdPolicy.json
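Two mistakes are common with this step: leaving YOUR-ACCOUNT-ID in the file, and letting the shell expand ${aws:username} to an empty string so the ARN no longer scopes the statement to the caller. The following is an added example, not code from the original tutorial: it renders the policy for a 12-digit account ID from a quoted heredoc (so the policy variable reaches AWS literally) and refuses to create the policy while any placeholder remains. The function names, the __ACCOUNT__ token and the constructed account ID are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): render the change-password
# policy for a given account ID and check it before calling create-policy.

# render_change_pwd_policy ACCOUNT_ID  - prints the policy JSON on stdout
render_change_pwd_policy() {
    account=$1
    case "$account" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "account ID must be exactly 12 digits, got '$account'" >&2; return 1 ;;
    esac
    # The heredoc is quoted ('EOF') so ${aws:username} is NOT expanded by the
    # shell; only the __ACCOUNT__ token is spliced in by sed.
    sed "s/__ACCOUNT__/$account/" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": ["arn:aws:iam::__ACCOUNT__:user/${aws:username}"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:GetAccountPasswordPolicy"],
      "Resource": ["*"]
    }
  ]
}
EOF
}

# policy_ready FILE  - 0 if no placeholder is left and a Version is present
policy_ready() {
    if grep -Eq 'YOUR-|__ACCOUNT__' "$1"; then
        echo "$1 still contains a placeholder; fill it in first" >&2
        return 1
    fi
    grep -q '"Version": "2012-10-17"' "$1" || { echo "$1: missing policy Version" >&2; return 1; }
}

# Real usage (not executed here; 123456789012 is a constructed account ID):
#   render_change_pwd_policy 123456789012 > changePwdPolicy.json
#   policy_ready changePwdPolicy.json && \
#       aws iam create-policy --policy-name changePwd --policy-document file://changePwdPolicy.json
```

Without the placeholder check, create-policy would either reject the malformed ARN or, worse, accept an ARN that matches nothing, and the users would get a policy that silently never grants the permission.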
Attaching the Policy to a Group
Attach the policy to a group (e.g. MyGroupCli), using the policy ARN that create-policy printed:
aws iam attach-group-policy --group-name MyGroupCli --policy-arn YOUR-POLICY-ARN
Step 3: Manage IAM Users
Creating a New IAM User
To create a new IAM user:
aws iam create-user --user-name Ec-2User
//To allow the new user to log in to the AWS Management Console, create a login profile. The password is visible in your shell history, so --password-reset-required makes the user replace it at first login:
aws iam create-login-profile --user-name Ec-2User --password 'mypasswordA2@' --password-reset-required
//Add the user to the group
aws iam add-user-to-group --user-name Ec-2User --group-name MyGroupCli
Creating Access Keys for a User
To create access keys for the user (the secret access key appears only in this command's output, so record it securely):
aws iam create-access-key --user-name Ec-2User
Setting Environment Variables for Access Keys
Set the access keys as environment variables. Environment variables take precedence over the credentials file, so this lets you run commands as a particular user for a particular task; they last only for the current shell session, and once you close that window (or unset them) the CLI goes back to the default profile's credentials.
export AWS_ACCESS_KEY_ID=YOUR-ACCESS-KEY-ID
export AWS_SECRET_ACCESS_KEY=YOUR-SECRET-ACCESS-KEY
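Exporting the keys in your interactive shell keeps them active for every later command until you remember to unset them. The following is an added example, not code from the original tutorial: it reports which credential source the CLI will use (environment first, then AWS_PROFILE, then the default profile, which is the CLI's documented precedence) and runs a single command under a given user's keys inside a subshell, so nothing leaks into the calling shell. The function names and the constructed placeholder keys are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): scope a user's access keys
# to one command instead of the whole shell session.

# credential_source  - prints where the AWS CLI will take credentials from
credential_source() {
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "environment"
    elif [ -n "${AWS_PROFILE:-}" ]; then
        echo "profile ${AWS_PROFILE}"
    else
        echo "default profile"
    fi
}

# with_keys ACCESS_KEY_ID SECRET COMMAND...  - runs COMMAND under those keys;
# the exports live in a subshell, so the parent shell is untouched afterwards
with_keys() {
    key_id=$1; secret=$2; shift 2
    (
        export AWS_ACCESS_KEY_ID="$key_id"
        export AWS_SECRET_ACCESS_KEY="$secret"
        "$@"
    )
}

# Real usage (not executed here). get-caller-identity is the quickest way to
# confirm which user a set of keys belongs to before running anything else:
#   with_keys "$ID" "$SECRET" aws sts get-caller-identity

# Self-contained demo with constructed keys; returns 0 when the environment is
# only the source inside the subshell and back to the default profile after it.
demo_scoped_keys() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_PROFILE
    before=$(credential_source)
    inside=$(with_keys AKIACONSTRUCTEDEXAMPLE constructed-secret-value credential_source)
    after=$(credential_source)
    printf 'before: %s\ninside: %s\nafter: %s\n' "$before" "$inside" "$after"
    [ "$before" = "default profile" ] && [ "$inside" = "environment" ] && [ "$after" = "default profile" ]
}
```

A named profile (aws configure --profile NAME, then AWS_PROFILE=NAME or --profile NAME on each command) achieves the same separation without ever putting the secret into an environment variable.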
QUICK CHECKLIST:
## List all available security-group ids
aws ec2 describe-security-groups
## create a new security group (look up your VPC ID first)
aws ec2 describe-vpcs
aws ec2 create-security-group --group-name my-sg --description "My security group" --vpc-id vpc-1a2b3c4d
## the output includes the id of the new my-sg group, so we can do:
aws ec2 describe-security-groups --group-ids sg-903004f8
## add an inbound firewall rule to the group for port 22; --cidr takes CIDR notation, e.g. YOUR-PUBLIC-IP/32 to allow a single address
aws ec2 authorize-security-group-ingress --group-id sg-xxxx --protocol tcp --port 22 --cidr YOUR-PUBLIC-IP/32
aws ec2 describe-security-groups --group-ids sg-xxxx
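authorize-security-group-ingress accepts 0.0.0.0/0 just as readily as a /32, and a port-22 rule open to the whole Internet is the classic way an EC2 instance ends up brute-forced. The following is an added example, not code from the original tutorial: it validates the --cidr argument as an IPv4 range, rejects the all-addresses case and a missing prefix length, warns on very wide ranges, and only then assembles the ingress command. The function names are this example's own; the aws call runs only when RUN_AWS=1 is set, so the block is safe to execute offline.

```shell
#!/bin/sh
# Added example (not from the original tutorial): guard the --cidr argument
# before opening port 22 on a security group.

# check_ssh_cidr CIDR  - 0 if CIDR is a well-formed IPv4 range that is not
# the whole Internet, 1 otherwise (reason printed to stderr)
check_ssh_cidr() {
    cidr=$1
    case "$cidr" in
        */*) ;;
        *) echo "$cidr: missing prefix length (use /32 for a single host)" >&2; return 1 ;;
    esac
    ip=${cidr%/*}
    prefix=${cidr#*/}
    # split the address on dots: exactly four octets, each 0-255
    oldifs=$IFS; IFS='.'
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "$cidr: not an IPv4 address" >&2; return 1; }
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) echo "$cidr: bad octet '$octet'" >&2; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo "$cidr: octet $octet > 255" >&2; return 1; }
    done
    case "$prefix" in
        ''|*[!0-9]*) echo "$cidr: bad prefix length" >&2; return 1 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "$cidr: prefix length > 32" >&2; return 1; }
    if [ "$prefix" -eq 0 ]; then
        echo "$cidr: this exposes SSH to the whole Internet; narrow it to your own address" >&2
        return 1
    fi
    if [ "$prefix" -lt 16 ]; then
        echo "$cidr: warning, /$prefix is a very wide range for an SSH rule" >&2
    fi
    return 0
}

# allow_ssh_from GROUP_ID CIDR  - prints the command it would run; executes it
# only when RUN_AWS=1, so the example stays offline-safe
allow_ssh_from() {
    check_ssh_cidr "$2" || return 1
    echo "aws ec2 authorize-security-group-ingress --group-id $1 --protocol tcp --port 22 --cidr $2"
    if [ "${RUN_AWS:-0}" = 1 ]; then
        aws ec2 authorize-security-group-ingress --group-id "$1" --protocol tcp --port 22 --cidr "$2"
    fi
}

# Usage (sg-xxxx and 203.0.113.5 are placeholders):
#   allow_ssh_from sg-xxxx 203.0.113.5/32
#   RUN_AWS=1 allow_ssh_from sg-xxxx 203.0.113.5/32
```

After the rule is in place, the describe-security-groups call above is the check: the IpPermissions entry for port 22 should list only the CIDR you intended.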
# Use an existing key pair or, if you want, create and use a new one. 'KeyMaterial' gives us an unencrypted PEM-encoded RSA private key.
aws ec2 create-key-pair --key-name MyKeyPair --query 'KeyMaterial' --output text > MyKeyPair.pem
# launch an ec2 instance in the specified subnet of a VPC
aws ec2 describe-subnets
# describe-instances shows the ami image id of existing instances; we will use the same one
aws ec2 describe-instances
aws ec2 run-instances \
    --image-id ami-xxxxxxxx \
    --count 1 \
    --instance-type t2.micro \
    --key-name MyKeyPair \
    --security-group-ids sg-xxxx \
    --subnet-id subnet-xxxxx
# ssh into the ec2 instance with the new key pem after creating it - the public IP is returned as json, so query it
aws ec2 describe-instances --instance-ids {instance-id} --query 'Reservations[].Instances[].PublicIpAddress' --output text
chmod 400 MyKeyPair.pem
ssh -i MyKeyPair.pem ec2-user@public-ip
# check UI for all the components that got created
# describe-instances - with filter and query:
#   --filters picks some instances, --query picks certain info about those instances
# same way as ec2 had a bunch of commands for components relevant for ec2 instances, iam does too
aws iam create-group --group-name MyIamGroup
aws iam create-user --user-name MyUser
aws iam add-user-to-group --user-name MyUser --group-name MyIamGroup
# verify that MyIamGroup contains MyUser
aws iam get-group --group-name MyIamGroup
# attach policy to group
## both commands need the policy ARN - how can we get that?
aws iam attach-user-policy --user-name MyUser --policy-arn {policy-arn}       # attach to user directly
aws iam attach-group-policy --group-name MyIamGroup --policy-arn {policy-arn}  # attach policy to group
## either look up the AmazonEC2FullAccess policy ARN in the UI,
## OR, if you know the policy name 'AmazonEC2FullAccess', query for it (a JMESPath string literal goes in backticks):
aws iam list-policies --query 'Policies[?PolicyName==`AmazonEC2FullAccess`].Arn' --output text
aws iam attach-group-policy --group-name MyIamGroup --policy-arn {policy-arn}
# validate that the policy is attached to the group or user
aws iam list-attached-group-policies --group-name MyIamGroup
aws iam list-attached-user-policies --user-name MyUser
# Now that user needs access to the command line and the UI, but we didn't give it any credentials. So let's do that as well!
## UI access (single quotes stop the shell from expanding '!' in the password; it still lands in shell history, hence the forced reset)
aws iam create-login-profile --user-name MyUser --password 'My!User1Login8P@ssword' --password-reset-required
## -> the user will have to update the password in the UI or programmatically with:
aws iam update-login-profile --user-name MyUser --password 'My!User1ADifferentP@ssword'
# Create test policy
aws iam create-policy --policy-name bla --policy-document file://bla.json
## cli access
aws iam create-access-key --user-name MyUser
## Now let's act as this user on the CLI (e.g. to work with the EC2 instance)
## either store the new user's creds with 'aws configure' / 'aws configure set' (this overwrites the default profile; add --profile NAME to keep your admin creds separate):
aws configure set aws_access_key_id YOUR-ACCESS-KEY-ID
aws configure set aws_secret_access_key YOUR-SECRET-ACCESS-KEY
## or export them for the current shell session only:
export AWS_ACCESS_KEY_ID=YOUR-ACCESS-KEY-ID
export AWS_SECRET_ACCESS_KEY=YOUR-SECRET-ACCESS-KEY
export AWS_DEFAULT_REGION=ap-south-1