AWS CLI
The AWS web console is great for learning about services and setting a few things up here and there, but it is not practical when we're doing real cloud computing. Eventually we need to automate everything with code.
In the future, we will learn how to use advanced tools like Terraform and Pulumi to automate our infrastructure. But for now, we will just get started with the AWS CLI, which is the simplest way to interact with AWS using code.
Install the AWS CLI
Once that's set up, you should be able to run the following command to confirm it's working:
aws --version
Setup AWS Config
Run aws configure sso and answer the prompts:
- session name: a name that will help you identify your AWS organization, e.g. account-name-sso
- start URL: the custom URL you set up in the previous section, e.g. https://my-aws-demo.awsapps.com/start
- region: any region is fine, I use us-east-1 because it's closest to me
- scopes: just use the default sso:account:access
After you hit enter, you should see something like this in your terminal:
aws configure sso
SSO session name (Recommended): test-account-sso
SSO start URL [None]: https://my-aws-demo.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-east-1.amazonaws.com/
Then enter the code:
XXXJ-LWPQ
And you should be prompted to log in with your browser.
When that is successful, you should see something like this in your terminal:
There are 4 AWS accounts available to you.
Development, development+my-aws-account@meech-ward.me (677276083783)
> my-aws-account, my-aws-account@meech-ward.me (122610519465)
Production, production+my-aws-account@meech-ward.me (221082184448)
Playground, playground+my-aws-account@meech-ward.me (329599621562)
It shows all four accounts that were set up, but only one of them can be selected at a time. Select the management account and answer the remaining prompts:
- CLI default client Region: use the same region that you used before
- CLI default output format: json is good
- CLI profile name: this profile is for the management account, so give it a name that makes that obvious
Using the account ID 122610519465
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
CLI default client Region [us-east-1]: us-east-1
CLI default output format [json]:
CLI profile name [AdministratorAccess-122610519465]: sam-management
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile sam-management
The management account is now set up and ready to be used with the AWS CLI. Now we just need to do the exact same thing for the other three accounts. Or we can open the AWS CLI config file (~/.aws/config on macOS and Linux, %USERPROFILE%\.aws\config on Windows), copy and paste the profile we just created, and change a few things.
[profile sam-management]
sso_session = test-account-sso
sso_account_id = 122610519465
sso_role_name = AdministratorAccess
region = us-east-1
output = json
[sso-session test-account-sso]
sso_start_url = https://my-aws-demo.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
Here the [sso-session ...] block represents the SSO login for the entire AWS organization, and each [profile ...] block represents one of the four AWS accounts.
So you will need four [profile ...] blocks, one for each account, but only one [sso-session ...] block, which is shared by all of them. Do not create any more [sso-session ...] blocks.
[profile sam-production]
sso_session = test-account-sso
sso_account_id = 221082184448
...
[profile sam-development]
sso_session = test-account-sso
sso_account_id = 677276083783
...
[profile sam-playground]
sso_session = test-account-sso
sso_account_id = 329599621562
...
To find the account IDs, open your AWS access portal start URL in the browser; each account's ID is shown right below its name.
Or you can use the AWS CLI and run the following command from the management account:
aws organizations list-accounts --profile management-profile
Replace management-profile with the name of your management profile (sam-management in the example above); the command only works from the management account.
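Copying the profile block by hand works for four accounts, but it is easy to end up with a second [sso-session] block or two profiles pointing at the same account. The script below is an added example, not code from the tutorial: it builds the config layout described above (one [sso-session] block plus one [profile] block per account) from a constructed sample of the JSON that aws organizations list-accounts prints, and then checks an existing config for the mistakes the text warns about. The "sam-" prefix, the test-account-sso session and the account names and IDs are the ones shown on this page; skipping non-ACTIVE accounts and the admin_profiles helper are my additions.

```python
"""Generate and sanity-check AWS CLI SSO profiles.

Added example; not part of the original tutorial. It assumes the config
layout shown on the page (one [sso-session] block plus one [profile] block
per account). The account list below is a constructed sample in the shape
of `aws organizations list-accounts --output json`.
"""
import configparser
import json
from io import StringIO

# Constructed sample of `aws organizations list-accounts` output (names and IDs
# taken from the tutorial; the SUSPENDED status is made up to show the filter).
SAMPLE_LIST_ACCOUNTS = json.dumps({
    "Accounts": [
        {"Id": "677276083783", "Name": "Development", "Status": "ACTIVE"},
        {"Id": "122610519465", "Name": "my-aws-account", "Status": "ACTIVE"},
        {"Id": "221082184448", "Name": "Production", "Status": "ACTIVE"},
        {"Id": "329599621562", "Name": "Playground", "Status": "SUSPENDED"},
    ]
})

# The single SSO session shared by every profile (values from the tutorial).
SSO_SESSION = {
    "name": "test-account-sso",
    "start_url": "https://my-aws-demo.awsapps.com/start",
    "region": "us-east-1",
}


def render_config(list_accounts_json, session=SSO_SESSION, role="AdministratorAccess",
                  region="us-east-1", prefix="sam-"):
    """Build config text with one [sso-session] and one [profile] per ACTIVE account."""
    accounts = json.loads(list_accounts_json)["Accounts"]
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep key names exactly as written (no lower-casing)
    cfg[f"sso-session {session['name']}"] = {
        "sso_start_url": session["start_url"],
        "sso_region": session["region"],
        "sso_registration_scopes": "sso:account:access",
    }
    for acct in sorted(accounts, key=lambda a: a["Name"].lower()):
        if acct.get("Status") != "ACTIVE":
            continue  # suspended or closed accounts cannot be logged into; skip them
        profile = prefix + acct["Name"].lower().replace(" ", "-")
        cfg[f"profile {profile}"] = {
            "sso_session": session["name"],
            "sso_account_id": acct["Id"],
            "sso_role_name": role,
            "region": region,
            "output": "json",
        }
    buf = StringIO()
    cfg.write(buf)
    return buf.getvalue()


def check_config(config_text):
    """Return a list of problems found in a config; an empty list means it looks right."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str
    cfg.read_string(config_text)
    problems = []
    sessions = [s.split(" ", 1)[1] for s in cfg.sections() if s.startswith("sso-session ")]
    profiles = [s for s in cfg.sections() if s.startswith("profile ")]
    if len(sessions) != 1:
        problems.append(f"expected exactly one [sso-session] block, found {len(sessions)}")
    seen_ids = {}  # account id -> first profile that used it
    for sec in profiles:
        p = cfg[sec]
        name = sec.split(" ", 1)[1]
        for key in ("sso_session", "sso_account_id", "sso_role_name", "region"):
            if key not in p:
                problems.append(f"{name}: missing {key}")
        sess = p.get("sso_session")
        if sess and sess not in sessions:
            problems.append(f"{name}: sso_session '{sess}' has no matching [sso-session] block")
        acct = p.get("sso_account_id", "")
        if acct and not (acct.isdigit() and len(acct) == 12):
            problems.append(f"{name}: sso_account_id '{acct}' is not a 12-digit account id")
        if acct and acct in seen_ids:
            problems.append(f"{name}: account {acct} already used by profile {seen_ids[acct]}")
        if acct:
            seen_ids.setdefault(acct, name)
    return problems


def admin_profiles(config_text):
    """Names of profiles whose permission set is AdministratorAccess, so you know which ones carry admin rights."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str
    cfg.read_string(config_text)
    return sorted(s.split(" ", 1)[1] for s in cfg.sections()
                  if s.startswith("profile ") and cfg[s].get("sso_role_name") == "AdministratorAccess")


if __name__ == "__main__":
    text = render_config(SAMPLE_LIST_ACCOUNTS)
    print(text)
    print("problems:", check_config(text) or "none")
    print("admin profiles:", admin_profiles(text))
```

To use it against a real organization, pipe the output of aws organizations list-accounts --profile sam-management --output json into render_config instead of the constructed sample, and run check_config over your existing ~/.aws/config before trusting it. The admin_profiles list is a reminder that every profile here uses the AdministratorAccess permission set; for day-to-day work a narrower permission set per profile is the better default.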
Test Everything is Working
Let's quickly set up and tear down an S3 bucket, just to check everything is set up correctly.
You should now see a single bucket created. You will need the bucket name and the bucket region to delete it from the CLI.
To use the CLI to delete the bucket, we first need to log in to the playground account.
aws sso login --profile your-playground-profile
aws s3 rb s3://some-unique-bucket-name-12345 --profile your-playground-profile --region us-east-1
Refresh the page in the browser and you should see that the bucket has been deleted.
At this point, you are able to manage AWS infrastructure from the web or from the CLI. Now we're ready to start learning about how to use AWS.