In this quick guide we will go through many of the most used AWS CLI commands for configuring and entering your access credentials. We will also take a look at how to configure your profiles for cross-account access with MFA enabled.
If you do not have MFA enabled (you should) then you can ignore the
AWS CLI Configure (Default)
aws configure
>> AWS Access Key ID [****************SIPA]:
>> AWS Secret Access Key [****************1a5q]:
>> Default region name [us-east-1]:
>> Default output format [None]:
AWS CLI Configure with Profiles
aws configure --profile extron
>> AWS Access Key ID [****************M57Q]:
>> AWS Secret Access Key [****************SS4d]:
>> Default region name [us-west-2]:
>> Default output format [None]:
AWS CLI Role
aws configure set profile.profile-name.role_arn arn:aws:iam::xxxxxxxxx:role/role-name
AWS CLI Source Profile
aws configure set profile.profile-name.source_profile parent-profile
AWS CLI Region
aws configure set region us-west-2 --profile profile-name
AWS CLI MFA_Serial
Set this on the source_profile (parent-profile) as well as on the profile whose role you are going to assume, if they both require MFA.
aws configure set profile.profile-name.mfa_serial arn:aws:iam::xxxxxxxxx:mfa/username
Cross-Account Role Access Example
In the example below we use the CLI to assume a role from a global authentication account (which holds the users and groups) into a logging account, using the admin role. The admin role and the MFA device are expected to already be set up in this scenario.
The role_arn in the example comes from the logging account.
The mfa_serial in the example comes from the global auth account.
aws configure set profile.logging.role_arn arn:aws:iam::12345678:role/admin
aws configure set profile.logging.source_profile globalauth
aws configure set region us-west-2 --profile logging
aws configure set profile.logging.mfa_serial arn:aws:iam::443322111:mfa/myusername
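The four commands above write entries into ~/.aws/config. Before relying on a cross-account profile it is worth checking that the chain is complete: the role profile names a source_profile that actually exists, has a region, and carries an mfa_serial so the CLI sends an MFA token with the AssumeRole call. The validator below is an added example, not part of the original guide or of the AWS CLI; it parses a constructed config fragment equivalent to what the commands above produce (the profile names, account ids and ARNs are the guide's placeholders) and reports anything missing.

```python
"""Validate the cross-account profile chain an ~/.aws/config file describes.

Added example (not from the original guide). It reads AWS CLI config text and
checks that a role-assuming profile has everything the guide sets:
role_arn, an existing source_profile, a region and an mfa_serial.
"""
import configparser
import re

# Constructed sample: what ~/.aws/config contains after the four
# `aws configure set` commands in the guide (placeholder ids/ARNs).
SAMPLE_CONFIG = """\
[profile globalauth]
region = us-west-2

[profile logging]
role_arn = arn:aws:iam::12345678:role/admin
source_profile = globalauth
region = us-west-2
mfa_serial = arn:aws:iam::443322111:mfa/myusername
"""

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d+:role/.+$")
MFA_ARN_RE = re.compile(r"^arn:aws:iam::\d+:mfa/.+$")


def load_profiles(text):
    """Parse AWS CLI config text into {profile_name: {key: value}}.

    The config file names non-default sections "[profile <name>]"; the
    default section is plain "[default]". Both are mapped to bare names.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def check_role_profile(profiles, name):
    """Return a list of problems with a role-assuming profile; empty means OK."""
    problems = []
    prof = profiles.get(name)
    if prof is None:
        return [f"profile '{name}' not found"]

    role_arn = prof.get("role_arn")
    if not role_arn or not ROLE_ARN_RE.match(role_arn):
        problems.append(f"{name}: role_arn missing or malformed")

    # Without a valid source_profile the CLI has no credentials to call AssumeRole.
    source = prof.get("source_profile")
    if not source:
        problems.append(f"{name}: source_profile missing")
    elif source not in profiles:
        problems.append(f"{name}: source_profile '{source}' is not defined")
    elif source == name:
        problems.append(f"{name}: source_profile points at itself")

    if not prof.get("region"):
        problems.append(f"{name}: region not set")

    # mfa_serial is what makes the CLI prompt for a code and send it with AssumeRole.
    mfa = prof.get("mfa_serial")
    if mfa is None:
        problems.append(f"{name}: mfa_serial not set; AssumeRole will be attempted without an MFA token")
    elif not MFA_ARN_RE.match(mfa):
        problems.append(f"{name}: mfa_serial malformed")
    return problems


def find_secrets_in_config(profiles):
    """Long-term secret keys belong in ~/.aws/credentials, not ~/.aws/config."""
    return [p for p, body in profiles.items() if "aws_secret_access_key" in body]


if __name__ == "__main__":
    profs = load_profiles(SAMPLE_CONFIG)
    for problem in check_role_profile(profs, "logging") or ["logging: OK"]:
        print(problem)
```

To check a real file, replace SAMPLE_CONFIG with the contents of ~/.aws/config and call check_role_profile for each profile that has a role_arn.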
Testing it out
Let’s test out our new profiles and check if they are working correctly.
Run a basic command to list the buckets within the logging account.
aws s3 ls --profile logging
If you have MFA enabled you will be prompted to enter your MFA code.
Enter MFA code for arn:aws:iam::xxxxxxxxxxx:mfa/username:
After the MFA code is entered your commands should work; the original command will now list your buckets.
2018-11-13 11:08:38 bucket-1
2019-02-04 10:14:29 bucket-2
2019-02-04 10:16:04 bucket-3
2018-08-29 13:17:57 bucket-4
2018-09-08 10:46:26 bucket-5
...