WAIT If you have not yet installed Amazon Web Services Command Line Interface (AWS-CLI), please read our installation guides for macOS and Linux first.
Once that's done, you can proceed to setting up the config
and credentials
files that, together, will allow you to run AWS-CLI from the command line.
Step 1
AWS-CLI contains a setup wizard that can be triggered from the command line simply by typing aws configure
. This guide ignores that wizard and shows you how to set up theconfig
and credentials
correctly on your own. This approach will give you a better understanding of how the system works. It will also save you the time of running the wizard every time you wish to make a minor change.
We will start with the config
file, which can be found at ~/.aws/config
.
Each entry (user) within config
needs two variables:
- A username. You can make this whatever you like. In our example, I’ll use
charles
- The AWS region you want to connect to. In our example, I’m using
us-east-1
To add a user along the lines of the example above, you would open (or create) ~/.aws/config
and put in the following lines:
[profile charles]
region = us-west-2
You can add as many of these as you need. Just ensure that you leave a blank line between entries in your config
file.
Step 2
Next, we will set up the credentials
file. For this step, you will need:
- Your username. Obviously, this should correspond to the username you chose in the previous step — in our example,
charles
- The AWS access key ID for the account you want to associate with the username
charles
- The AWS secret access key for the account you want to associate with the username
charles
(If you have not yet set up your AWS access key ID and secret access key, you can learn how to do so here.)
The formatting is slightly different in the credentials
file. It follows this pattern:
[charles]
aws_access_key_id = XT97H5HEWZ594LCE04B7
aws_secret_access_key = RMntDVcEVaJBtJLh3JBgzI6KiHdByDKvWybKGWNj
As with the config
file, you can add as many of these as you like. You just need to ensure that:
- There is a blank line between entries
- The name on the first line of each entry corresponds to an entry within the
config
file
Step 3
To test that your credentials are working, you can run the aws sts get-caller-identity command
. If you have only one profile installed, this will default to that. If you have multiple profiles you’ll need to specify which one you want to test with the --profile
flag. So, for the example account above, we’d run:
aws sts get-caller-identity --profile charles
If the account is configured successfully, you’ll get a response that looks like this:
{
“Account”: “389503034782”,
“UserId”: “XT97H5HEWZ594LCE04B7”,
“Arn”: “arn:aws:iam::389503034782:user/charles”
}
Unlike other AWS requests, get-caller-identity
works irrespective of IAM permissions. If it fails, you have almost certainly misconfigured your config
and credentials
files.
Step 4
If you have multiple users listed in your config and credentials files, it might be useful to add some comments so you remember which is which, and which does what. You can do add a comment by adding a new line and beginning it with a #
. Here is an example within our hypothetical credentials
file:
# This line is for the charles user
[charles]
aws_access_key_id = XT97H5HEWZ594LCE04B7
aws_secret_access_key = RMntDVcEVaJBtJLh3JBgzI6KiHdByDKvWybKGWNj
# This line is for the john user
[john]
aws_access_key_id = YT97H5HEWZ594LCE04B7
aws_secret_access_key = XMntDVcEVaJBtJLh3JBgzI6KiHdByDKvWybKGWNj