Configure AWS-CLI on macOS and Linux

January 22, 2019

WAIT: If you have not yet installed Amazon Web Services Command Line Interface (AWS-CLI), please read our installation guides for macOS and Linux first.

Once that's done, you can proceed to setting up the config and credentials files that, together, will allow you to run AWS-CLI from the command line.

Step 1

AWS-CLI contains a setup wizard that can be triggered from the command line simply by typing aws configure. This guide ignores that wizard and shows you how to set up the config and credentials files correctly on your own. This approach will give you a better understanding of how the system works. It will also save you the time of running the wizard every time you wish to make a minor change.

We will start with the config file, which can be found at ~/.aws/config.

Each entry (user) within config needs two variables:

  1. A username. You can make this whatever you like. In our example, I’ll use charles
  2. The AWS region you want to connect to. In our example, I’m using us-east-1

To add a user along the lines of the example above, you would open (or create) ~/.aws/config and put in the following lines:


      [profile charles]
      region = us-east-1

You can add as many of these as you need. Just ensure that you leave a blank line between entries in your config file.

Step 2

Next, we will set up the credentials file. For this step, you will need:

  1. Your username. Obviously, this should correspond to the username you chose in the previous step — in our example, charles
  2. The AWS access key ID for the account you want to associate with the username charles
  3. The AWS secret access key for the account you want to associate with the username charles

(If you have not yet set up your AWS access key ID and secret access key, you can learn how to do so here.)

The formatting is slightly different in the credentials file. It follows this pattern:


      [charles]
      aws_access_key_id = XT97H5HEWZ594LCE04B7
      aws_secret_access_key = RMntDVcEVaJBtJLh3JBgzI6KiHdByDKvWybKGWNj

As with the config file, you can add as many of these as you like. You just need to ensure that:

  • There is a blank line between entries
  • The name on the first line of each entry corresponds to an entry within the config file
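
A credentials file created by hand takes its permissions from your umask, which typically leaves it readable by other local users even though it stores the secret access key in plain text. The script below is an added example, not part of the original guide: it checks that the file is private to your user and that every credentials entry has a matching config entry. The function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the original guide. Function names are illustrative.

# Profile names defined in a credentials file: sections look like [charles].
cred_profiles() {
    sed -n 's/^\[\(..*\)\][[:space:]]*$/\1/p' "$1"
}

# Profile names defined in a config file: [profile charles], or [default].
config_profiles() {
    sed -n -e 's/^\[profile[[:space:]][[:space:]]*\(..*\)\][[:space:]]*$/\1/p' \
           -e 's/^\[default\][[:space:]]*$/default/p' "$1"
}

# Print each credentials profile that has no matching entry in config.
unmatched_profiles() {   # usage: unmatched_profiles CONFIG CREDENTIALS
    cfg_list=$(config_profiles "$1")
    cred_profiles "$2" | while IFS= read -r name; do
        printf '%s\n' "$cfg_list" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# Succeeds if group or others hold any permission bit on the file.
# Parses `ls -ld` because `stat` takes different flags on macOS and Linux.
exposed_to_others() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" != "------" ]
}

# Report findings; return status 0 means both checks passed.
audit_aws_files() {      # usage: audit_aws_files CONFIG CREDENTIALS
    rc=0
    if exposed_to_others "$2"; then
        echo "WARN: $2 is accessible to group/others; fix with: chmod 600 $2"
        rc=1
    fi
    missing=$(unmatched_profiles "$1" "$2" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "WARN: credentials profiles with no config entry: $missing"
        rc=1
    fi
    return "$rc"
}

# Typical call against the real files:
#   audit_aws_files ~/.aws/config ~/.aws/credentials
```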

Step 3

To test that your credentials are working, you can run the aws sts get-caller-identity command. If you have only one profile installed, this will default to that. If you have multiple profiles you’ll need to specify which one you want to test with the --profile flag. So, for the example account above, we’d run:


      aws sts get-caller-identity --profile charles

If the account is configured successfully, you’ll get a response that looks like this:

      {
          "Account": "389503034782",
          "UserId": "XT97H5HEWZ594LCE04B7",
          "Arn": "arn:aws:iam::389503034782:user/charles"
      }

Unlike other AWS requests, get-caller-identity works irrespective of IAM permissions. If it fails, you have almost certainly misconfigured your config and credentials files.

Step 4

If you have multiple users listed in your config and credentials files, it might be useful to add some comments so you remember which is which, and which does what. You can add a comment by adding a new line and beginning it with a #. Here is an example within our hypothetical credentials file:


      # This line is for the charles user
      [charles]
      aws_access_key_id = XT97H5HEWZ594LCE04B7
      aws_secret_access_key = RMntDVcEVaJBtJLh3JBgzI6KiHdByDKvWybKGWNj

      # This line is for the john user
      [john]
      aws_access_key_id = YT97H5HEWZ594LCE04B7
      aws_secret_access_key = XMntDVcEVaJBtJLh3JBgzI6KiHdByDKvWybKGWNj

Versions

macOS: 10.14.3