AWS CLI profiles

Setup and configure an AWS user for CLI

To access AWS services with the AWS CLI, you need an AWS account and IAM credentials. When running AWS CLI commands, the AWS CLI needs to have access to those AWS credentials. This page covers two methods of authenticating to AWS from the CLI.

  • IAM user (access key)
  • AWS SSO

Both have advantages, and your use case should determine which to use. IAM user access keys are long-lived static secrets: they suit unattended programmatic access and have the widest third-party tool support, but you are responsible for storing, rotating and revoking them. IAM Identity Center (AWS SSO) gives human users short-lived credentials obtained at login time, with access managed centrally. Use IAM Identity Center for human users and reserve IAM user access keys for applications, scripts or CI/CD pipelines that have no way to obtain role credentials. Always follow the principle of least privilege, granting only the permissions each user or application needs.

If you are using IAM Identity Center (which is recommended), you can use the same user for this setup, choosing a permission set that grants least privilege. The CLI then uses the SSO token provider configuration, so the AWS CLI or SDK can automatically retrieve refreshed authentication tokens.

IAM User (access key)

You’ll need the AWS Access Key ID and Secret Access Key of an IAM user. The secret is shown only once, when the key is created, so store it in a password or secrets manager rather than in notes, chat or a ticket.

  1. Open a terminal and run the following command to configure the AWS CLI:
PS ~> aws configure --profile sandbox-access-keys
AWS Access Key ID [None]: aaaaaaaaaaaaaaaaaaaa
AWS Secret Access Key [None]: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Default region name [us-east-1]: us-east-2
Default output format [None]: json
  • AWS Access Key ID: Enter the access key ID
  • AWS Secret Access Key: Enter the secret access key
  • Default region name: Enter the default AWS region you want to use, written as AWS names it (e.g., ‘us-east-2’ or ‘us-west-2’; ‘east-us-2’ is not a region and the CLI will fail on it at request time)
  • Default output format: Choose the output format for AWS CLI responses (e.g., ‘json’, ‘yaml’, ‘text’, or ‘table’)

aws configure writes the key pair in clear text to ~/.aws/credentials on this workstation. Anyone who can read that file can use the key until it is rotated or deactivated in IAM, so protect the file and the account that owns it.

AWS SSO

You’ll need a user already configured in the IAM Identity Center

You need the ‘SSO Start URL’

Use IAM Identity Center to manage the permission set. For this use case the PowerUserAccess permission set is recommended. Note that PowerUserAccess grants full access to all AWS services except IAM user and group management, which is broad; where the task allows, assign a narrower permission set instead.

To create a profile configuration on your Windows workstation, open a Terminal session and run through the following setup process, as demonstrated in the example below.

Start by running the command aws configure sso, then follow the prompts. Choose the options relevant to your setup, you don’t need to copy mine.

PS ~> aws configure sso --profile sandbox-sso
SSO session name (Recommended): sandbox-sso
SSO start URL [None]: https://d-xxxxxxxxxx.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

PMSC-PTRR

There are 2 AWS accounts available to you.
Using the account ID aaaaaaaaaaaa
There are 3 roles available to you.
Using the role name "PowerUserAccess"
CLI default client Region [us-east-1]:
CLI default output format [json]:
CLI profile name [PowerUserAccess-aaaaaaaaaaaa]: sandbox-sso

To use this profile, specify the profile name with --profile, as shown. If the cached session has expired, run aws sso login --profile sandbox-sso first to sign in again through the browser.

PS ~> aws s3 ls --profile sandbox-sso

Profile data is stored locally in AWS config files

Both of these processes store configuration data locally on the workstation that ran the commands.

Profile data

Profile data is stored in a file called ~/.aws/config. It will look something like this. Each section represents a named profile, and the settings in that section apply when the profile is used. In this file every profile except default is written as [profile name]; a section without the prefix is not read as a profile, so its region and output settings are silently ignored. When you run CLI commands you select a profile with --profile; for example aws s3 ls --profile sandbox-access-keys uses the IAM user (access keys) profile.

[profile sandbox-sso]
sso_session = sandbox-sso
sso_account_id = aaaaaaaaaaaa
sso_role_name = PowerUserAccess
region = us-east-1
output = json

[sso-session sandbox-sso]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile sandbox-access-keys]
region = us-east-2
output = json

Credential data

This file only applies to the IAM user (access key) method: an IAM Identity Center user logs in and obtains a short-lived token at runtime, which is one reason it is the better choice for human users. That token is still cached on disk, under ~/.aws/sso/cache (with the role credentials derived from it under ~/.aws/cli/cache), until it expires or you run aws sso logout, so treat those directories as sensitive as the credentials file.
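The following script lists the cached IAM Identity Center tokens on a workstation and reports whether each is still live, which is the check an incident responder wants when a laptop is lost or a session is suspected stolen. It is an added example for this page, not part of the AWS CLI; it relies only on the documented cache layout (one JSON file per session under ~/.aws/sso/cache with accessToken and expiresAt keys) and builds a constructed sample cache in a temporary directory so it runs without a real login. It does not look at the derived role credentials in ~/.aws/cli/cache.

```python
"""List the IAM Identity Center (SSO) access tokens the AWS CLI has cached on this
workstation and say whether each one is still live. Added example for this page;
it is not part of the AWS CLI. It relies only on the documented cache layout: one
JSON file per session under ~/.aws/sso/cache with accessToken and expiresAt keys."""
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CACHE_DIR = Path.home() / ".aws" / "sso" / "cache"


def parse_expiry(value):
    """CLI v2 writes expiresAt as 2025-01-27T13:00:00Z; older botocore used a UTC suffix."""
    for suffix in ("Z", "UTC"):
        if value.endswith(suffix):
            naive = datetime.strptime(value[: -len(suffix)], "%Y-%m-%dT%H:%M:%S")
            return naive.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value)


def cached_sso_tokens(cache_dir=CACHE_DIR, now=None):
    """Return one record per cached access token, ordered by file name."""
    now = now or datetime.now(timezone.utc)
    tokens = []
    for path in sorted(cache_dir.glob("*.json")):
        try:
            data = json.loads(path.read_text())
        except (OSError, ValueError):
            continue
        if "accessToken" not in data:
            continue  # OIDC client registrations share this directory; they carry no bearer token
        expires_at = parse_expiry(data["expiresAt"])
        tokens.append({
            "file": path.name,
            "start_url": data.get("startUrl"),
            "region": data.get("region"),
            "expires_at": expires_at,
            "live": expires_at > now,
            "refreshable": "refreshToken" in data,  # sso-session profiles also cache a refresh token
        })
    return tokens


# Constructed sample cache (hypothetical contents written to a temp directory) so the
# function can be exercised without a real login; token values are placeholders.
SAMPLE_NOW = datetime(2025, 1, 27, 12, 0, tzinfo=timezone.utc)


def make_sample_cache():
    cache_dir = Path(tempfile.mkdtemp())
    (cache_dir / "expired-legacy.json").write_text(json.dumps({
        "startUrl": "https://d-xxxxxxxxxx.awsapps.com/start", "region": "us-east-1",
        "accessToken": "REDACTED", "expiresAt": "2025-01-26T13:00:00UTC"}))
    (cache_dir / "live-session.json").write_text(json.dumps({
        "startUrl": "https://d-xxxxxxxxxx.awsapps.com/start", "region": "us-east-1",
        "accessToken": "REDACTED", "expiresAt": "2025-01-27T13:00:00Z",
        "refreshToken": "REDACTED", "clientId": "x", "clientSecret": "y"}))
    (cache_dir / "botocore-client-id-us-east-1.json").write_text(json.dumps({
        "clientId": "x", "clientSecret": "y", "expiresAt": "2025-03-01T00:00:00Z"}))
    return cache_dir


if __name__ == "__main__":
    for token in cached_sso_tokens(make_sample_cache(), SAMPLE_NOW):
        state = "LIVE" if token["live"] else "expired"
        print(f"{token['file']}: {token['start_url']} {state} until {token['expires_at'].isoformat()}")
```

Run it against the real directory with cached_sso_tokens() and no arguments. A live token with a refresh token is the one to worry about: it stays usable (and renewable) from any machine it is copied to until aws sso logout is run or the session is revoked in IAM Identity Center.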

Credential data is stored in a file called ~/.aws/credentials. This file holds the access key and secret key for your IAM user profiles, in clear text. It might look something like this. Restrict read access to your own user account (chmod 600 on Linux or macOS), and never commit it to a repository.

[sandbox-access-keys]
aws_access_key_id = aaaaaaaaaaaaaaaaaaaa
aws_secret_access_key = bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
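Because both files above are plain INI text that is easy to hand-edit wrongly (a profile section in ~/.aws/config without the profile prefix, a mistyped region such as east-us-2, a secret pasted into config instead of credentials), the linter below checks them for exactly those mistakes. It is an added example for this page, not an AWS CLI feature; it assumes only the documented file layout, and the sample input is constructed to reproduce the two profiles on this page with those mistakes introduced (the key pair is AWS's documentation placeholder).

```python
"""Lint ~/.aws/config and ~/.aws/credentials for mistakes that are easy to make when
the profiles are edited by hand. Added example for this page; not part of the AWS CLI.
It relies only on the documented layout: INI sections, '[profile name]' and
'[sso-session name]' in config, bare '[name]' in credentials."""
import configparser
import re
from pathlib import Path

# Region names look like us-east-2, eu-west-1, ap-southeast-2 or us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
# Long-term access key IDs start with AKIA; temporary (STS) key IDs start with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")


def _parse(text):
    # Only '=' separates keys from values (URLs and scopes contain ':'); no interpolation,
    # because secrets may contain '%'; strict=False tolerates duplicate keys like the CLI.
    parser = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    parser.read_string(text)
    return parser


def lint_config(text):
    """Return a list of findings for the contents of ~/.aws/config."""
    findings = []
    parser = _parse(text)
    sessions = {s.split(" ", 1)[1] for s in parser.sections() if s.startswith("sso-session ")}
    for section in parser.sections():
        opts = parser[section]
        if section != "default" and not section.startswith(("profile ", "sso-session ", "services ")):
            findings.append(f"config: [{section}] should be [profile {section}]; "
                            f"its settings are ignored for --profile {section}")
        for key in ("region", "sso_region"):
            if key in opts and not REGION_RE.match(opts[key]):
                findings.append(f"config: [{section}] {key} = {opts[key]} is not a valid region name")
        if "sso_session" in opts and opts["sso_session"] not in sessions:
            findings.append(f"config: [{section}] refers to missing [sso-session {opts['sso_session']}]")
        if "aws_secret_access_key" in opts:
            findings.append(f"config: [{section}] contains a secret key; keep secrets in ~/.aws/credentials")
    return findings


def lint_credentials(text):
    """Return a list of findings for the contents of ~/.aws/credentials."""
    findings = []
    parser = _parse(text)
    for section in parser.sections():
        opts = parser[section]
        if section.startswith("profile "):
            findings.append(f"credentials: [{section}] should be [{section[len('profile '):]}]; "
                            "the 'profile ' prefix belongs only in ~/.aws/config")
        key_id = opts.get("aws_access_key_id", "")
        if key_id and not ACCESS_KEY_ID_RE.match(key_id):
            findings.append(f"credentials: [{section}] aws_access_key_id does not look like an AWS key ID")
        if key_id.startswith("ASIA") and "aws_session_token" not in opts:
            findings.append(f"credentials: [{section}] has a temporary (ASIA) key but no aws_session_token")
    return findings


def lint_files(aws_dir=Path.home() / ".aws"):
    """Lint the real files on this workstation; a missing file counts as empty."""
    def read(name):
        path = aws_dir / name
        return path.read_text() if path.exists() else ""
    return lint_config(read("config")) + lint_credentials(read("credentials"))


# Constructed sample input: the two profiles from this page, written with the mistakes
# the linter is meant to catch (bare section name and mistyped region in config,
# a 'profile ' prefix in credentials). The key pair is AWS's documentation placeholder.
SAMPLE_CONFIG = """\
[profile sandbox-sso]
sso_session = sandbox-sso
sso_account_id = aaaaaaaaaaaa
sso_role_name = PowerUserAccess
region = us-east-1
output = json

[sso-session sandbox-sso]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[sandbox-access-keys]
region = east-us-2
output = json
"""

SAMPLE_CREDENTIALS = """\
[profile sandbox-access-keys]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG) + lint_credentials(SAMPLE_CREDENTIALS):
        print(finding)
```

Run lint_files() to check the real files. The checks are deliberately structural: the script never prints or transmits a secret value, so it is safe to run on a shared or logged terminal.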

References

Authentication and access credentials

Token provider configuration


Last modified January 27, 2025: Delete cloud-adoption-framework.md (1a91b0a)