AWS CLI
1. What the AWS CLI actually is
Unified command-line for all AWS services: One binary (aws) with subcommands for S3, EC2, IAM, etc. ([AWS Documentation][1])
Current standard is AWS CLI v2 (Python bundled into a native binary, better SSO support, better installers). ([AWS Documentation][2])
You can run it:
- On your machine (Linux/macOS/Windows)
- In Docker images provided by AWS ([AWS Documentation][2])
- In the browser via AWS CloudShell (CLI pre-installed, no local setup). ([AWS Documentation][2])
2. Installing & upgrading (quick overview)
Docs: “Installing or updating to the latest version of the AWS CLI” ([AWS Documentation][3])
Typical patterns:
Linux (most common dev box case)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install # use sudo ./aws/install --update to upgrade
aws --version
Or via snap:
sudo snap install aws-cli --classic
macOS
pkg installer from AWS site, or:
brew install awscli
Windows
- MSI installer from AWS, or
- choco install awscli if using Chocolatey.
3. The basic command shape
The general syntax:
aws [global-options] <service> <operation> [parameters]
Examples:
aws s3 ls # list S3 buckets
aws s3 ls s3://my-bucket # list objects
aws ec2 describe-instances
aws iam list-users
aws sts get-caller-identity
The CLI has built-in help:
aws help
aws s3 help
aws s3 ls help
Docs: command reference root. ([AWS Documentation][4])
4. Credentials & authentication ― the most important part
Before anything works, the CLI needs credentials. AWS recommends short-lived credentials via IAM Identity Center (SSO) over long-lived access keys. ([AWS Documentation][5])
Main ways the CLI can get credentials
From highest to lowest priority (simplified):
- Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_PROFILE, etc. ([AWS Documentation][6])
- CLI SSO / IAM Identity Center: configure once, then aws sso login. ([AWS Documentation][7])
- Shared credentials/config files (~/.aws/credentials, ~/.aws/config): populated by aws configure or edited manually. ([AWS Documentation][8])
- EC2/ECS/EKS role credentials via instance metadata / task role / IRSA.
- Credential process / web identity for more advanced setups. ([AWS Documentation][9])
The config + credentials files
On Linux/macOS:
- ~/.aws/config – regions, output format, profile settings
- ~/.aws/credentials – access keys & session tokens
On Windows:
- C:\Users\<USERNAME>\.aws\config
- C:\Users\<USERNAME>\.aws\credentials ([AWS Documentation][6])
These are split into profiles:
# ~/.aws/config
[default]
region = ap-southeast-2
output = json
[profile prod]
region = ap-southeast-2
role_arn = arn:aws:iam::123456789012:role/Admin
source_profile = default

# ~/.aws/credentials
[default]
aws_access_key_id = AKIA...
aws_secret_access_key = ...
[prod]
aws_access_key_id = ...
aws_secret_access_key = ...
Docs on profiles & files. ([AWS Documentation][8])
Quick setup: IAM user (classic)
aws configure
# prompts:
# AWS Access Key ID [None]:
# AWS Secret Access Key [None]:
# Default region name [None]: ap-southeast-2
# Default output format [None]: json
Docs: “Setting up the AWS CLI” and IAM user auth section. ([AWS Documentation][10])
For real systems, AWS strongly prefers SSO/Identity Center and short-lived credentials over static keys. ([AWS Documentation][5])
Quick setup: IAM Identity Center / SSO (recommended now)
aws configure sso
# answer prompts (SSO start URL, region, account, role)
aws sso login
After that, you use it like:
aws s3 ls --profile my-sso-profile
Docs: IAM Identity Center with CLI. ([AWS Documentation][7])
5. Profiles, regions & output formats
Named profiles let you hop between dev/stage/prod easily:
aws s3 ls --profile dev
AWS_PROFILE=prod aws s3 ls
Default region: set in config or per-command:
aws configure set region ap-southeast-2
aws ec2 describe-instances --region us-east-1
Output formats:
- json (best for scripting)
- yaml / yaml-stream
- text
- table
aws ec2 describe-instances --output table
These can be set via aws configure or aws configure set output table. ([AWS Documentation][10])
6. Filtering & shaping the output (JMESPath & pagination)
--query (JMESPath expressions)
Lets you pull out just the fields you care about:
aws ec2 describe-instances \
--query "Reservations[].Instances[].InstanceId" \
--output text
or include tags:
aws ec2 describe-instances \
--query "Reservations[].Instances[].{Id:InstanceId,Name:Tags[?Key=='Name'].Value | [0]}"
This is insanely useful for scripting.
Pagination controls
Most describe/list calls are paginated behind the scenes.
- --max-items – total items returned by CLI
- --page-size – API page size
Example:
aws s3api list-objects-v2 \
--bucket my-bucket \
--max-items 1000
7. S3 with the CLI (the thing people use first)
There are two S3 “tiers” of commands: ([AWS Documentation][11])
- High-level aws s3 (simple, rsync-like)
- Low-level aws s3api (1:1 with REST API)
High-level S3 examples
# list buckets
aws s3 ls
# make a bucket
aws s3 mb s3://my-bucket
# upload a single file
aws s3 cp ./file.txt s3://my-bucket/path/file.txt
# download recursively
aws s3 sync s3://my-bucket ./local-folder
# sync up (local → S3)
aws s3 sync ./local-folder s3://my-bucket
Docs on high-level S3 commands. ([AWS Documentation][12])
Low-level S3 examples (s3api)
aws s3api list-buckets
aws s3api list-objects-v2 --bucket my-bucket --prefix logs/
aws s3api put-object --bucket my-bucket --key demo.txt --body demo.txt
Use s3api when you need full control of headers, ACLs, encryption, etc.
8. EC2, STS & IAM – common real-world commands
Identity check (who am I?)
aws sts get-caller-identity
Handy to verify which account/role/profile you’re using. ([AWS Documentation][13])
EC2 examples
# all instances
aws ec2 describe-instances
# instances with a specific tag
aws ec2 describe-instances \
--filters "Name=tag:Environment,Values=prod"
# instance IDs only
aws ec2 describe-instances \
--query "Reservations[].Instances[].InstanceId" \
--output text
Docs: EC2 CLI examples. ([AWS Documentation][14])
IAM basics
aws iam list-users
aws iam list-roles
aws iam get-role --role-name MyRole
STS assume role is usually handled in config via role_arn + source_profile rather than calling it manually, but you can also do:
aws sts assume-role \
--role-arn arn:aws:iam::123456789012:role/Admin \
--role-session-name test-session
9. CLI global options & quality-of-life settings
Some very useful flags:
- --profile – pick a profile
- --region – override region
- --output – override output format
- --no-cli-pager – disable less/more paging
- --debug – show HTTP calls & credential resolution
Example:
aws s3 ls --profile prod --region ap-southeast-2 --no-cli-pager
You can also set cli_pager = in ~/.aws/config to disable paging globally. ([AWS Documentation][6])
10. Security best practices when using the CLI
Based on the official guidance: ([AWS Documentation][5])
Don’t use the root account.
Prefer IAM Identity Center (SSO) → short-lived credentials.
If you must use IAM users:
- Lock down permissions with least privilege.
- Rotate access keys regularly.
Never commit credentials to git / dotfiles.
Use roles instead of multiple long-lived keys:
- Single “base” profile with minimal permissions.
- Other profiles assume roles with role_arn + source_profile.
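A check for these practices against the ~/.aws/credentials and ~/.aws/config layout from section 4, as an added example that is not part of the AWS documentation or tooling. The function names, the sample file contents, the ReadOnly role and all key values are constructed for illustration. It relies on the documented key ID prefixes: AKIA for long-term IAM user keys and ASIA for temporary STS credentials.

```python
import configparser

# Constructed sample files; key values are placeholders, not real credentials.
CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = constructed-secret
[ci]
aws_access_key_id = ASIAEXAMPLEEXAMPLE000
aws_secret_access_key = constructed-secret
aws_session_token = constructed-token
"""
CONFIG = """\
[default]
region = ap-southeast-2
[profile prod]
role_arn = arn:aws:iam::123456789012:role/Admin
source_profile = default
[profile orphan]
role_arn = arn:aws:iam::123456789012:role/ReadOnly
source_profile = missing
"""

def parse_ini(text):
    # interpolation=None: a "%" inside a secret must not be treated as a template.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def profile_name(section):
    # ~/.aws/config headers are "[profile NAME]"; "[default]" has no prefix.
    return section[len("profile "):] if section.startswith("profile ") else section

def audit(credentials_text, config_text):
    creds, cfg = parse_ini(credentials_text), parse_ini(config_text)
    findings = []
    for name in creds.sections():
        key_id = creds[name].get("aws_access_key_id", "")
        if key_id.startswith("AKIA"):  # static key: rotate it or move to SSO
            findings.append((name, "long-lived access key"))
        elif key_id.startswith("ASIA") and "aws_session_token" not in creds[name]:
            findings.append((name, "temporary key without session token"))
    known = set(creds.sections()) | {profile_name(s) for s in cfg.sections()}
    for section in cfg.sections():
        if "aws_secret_access_key" in cfg[section]:
            findings.append((profile_name(section), "secret key stored in config file"))
        source = cfg[section].get("source_profile")
        if source is not None and source not in known:
            findings.append((profile_name(section), f"source_profile {source!r} is not defined"))
    return findings
```

Pass the text of the real files to audit() to get one (profile, finding) pair per issue; a profile that only assumes a role from a base profile produces no finding.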
11. Automation patterns with the CLI
The AWS CLI plays nicely with bash, Python, etc.
Basic bash scripting
for b in $(aws s3api list-buckets --query "Buckets[].Name" --output text); do
  echo "Bucket: $b"
done
Using it within other tools
- CI/CD: GitHub Actions, GitLab, etc. use aws to deploy, run migrations, invalidate CloudFront, etc.
- Terraform / Pulumi: not required but handy for debugging credentials.
- Docker: use the AWS CLI container for script runs without installing locally. ([AWS Documentation][2])
12. Version 1 vs Version 2 (high level)
- v2 bundles its own Python runtime, so you don’t need a system Python.
- Better installers, and IAM Identity Center support is a core feature in v2. ([AWS Documentation][2])
- New features land in v2; v1 is in maintenance mode.
If you’re starting now, you want AWS CLI v2.
13. Where to go deeper
Official docs worth bookmarking:
- Getting started with the AWS CLI ([AWS Documentation][2])
- Setting up the AWS CLI (credentials/region/output) ([AWS Documentation][10])
- Configuration & credential files + profiles ([AWS Documentation][8])
- IAM Identity Center (SSO) with AWS CLI ([AWS Documentation][7])
- Command reference root (for every service/operation) ([AWS Documentation][1])
- Service-specific examples (S3, EC2, STS, etc.) ([AWS Documentation][12])