AWS CLI v2
Overview
The AWS Command Line Interface (AWS CLI) is a unified tool to manage AWS services from the command line. Version 2 is the current major version with improved installers, new configuration options, and native support for AWS IAM Identity Center (SSO).
Official Documentation: https://docs.aws.amazon.com/cli/latest/userguide/
Configuration
Quick Setup
aws configure # AWS Access Key ID: AKIAIOSFODNN7EXAMPLE # AWS Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY # Default region name: us-west-2 # Default output format: json
Named Profiles
aws configure --profile production aws configure --profile development # Use a profile aws s3 ls --profile production export AWS_PROFILE=production
Configuration Files
# ~/.aws/credentials [default] aws_access_key_id = AKIAIOSFODNN7EXAMPLE aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY [production] aws_access_key_id = AKIAI44QH8DHBEXAMPLE aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
# ~/.aws/config [default] region = us-west-2 output = json [profile production] region = us-east-1 output = json [profile sso-user] sso_start_url = https://my-sso-portal.awsapps.com/start sso_region = us-east-1 sso_account_id = 123456789012 sso_role_name = ReadOnlyAccess region = us-west-2
Environment Variables
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY export AWS_DEFAULT_REGION=us-west-2 export AWS_PROFILE=production export AWS_SESSION_TOKEN=... # For temporary credentials
IAM Identity Center (SSO)
aws configure sso # SSO session name: my-sso # SSO start URL: https://my-sso-portal.awsapps.com/start # SSO region: us-east-1 # SSO registration scopes: sso:account:access # Login to SSO aws sso login --profile my-sso-profile
Core Commands
Identity and Access
aws sts get-caller-identity # Who am I? aws iam list-users # List IAM users aws iam get-user --user-name alice # Get user details aws iam list-roles # List IAM roles
EC2
aws ec2 describe-instances # List all instances aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,Tags[?Key==`Name`].Value|[0]]' --output table aws ec2 start-instances --instance-ids i-1234567890abcdef0 aws ec2 stop-instances --instance-ids i-1234567890abcdef0 aws ec2 describe-regions --all-regions # List all regions
ECS
aws ecs list-clusters # List ECS clusters aws ecs list-services --cluster my-cluster # List services in cluster aws ecs describe-services --cluster my-cluster --services my-service aws ecs list-tasks --cluster my-cluster --service-name my-service aws ecs describe-tasks --cluster my-cluster --tasks <task-arn> aws ecs update-service --cluster my-cluster --service my-service --force-new-deployment
Lambda
aws lambda list-functions # List all functions aws lambda get-function --function-name my-function aws lambda invoke --function-name my-function output.json aws lambda update-function-code --function-name my-function --zip-file fileb://function.zip
S3
aws s3 ls # List buckets aws s3 ls s3://my-bucket/ # List bucket contents aws s3 cp file.txt s3://my-bucket/ # Upload file aws s3 cp s3://my-bucket/file.txt ./ # Download file aws s3 sync ./local-dir s3://my-bucket/prefix/ # Sync directory aws s3 rm s3://my-bucket/file.txt # Delete file aws s3 rb s3://my-bucket --force # Delete bucket aws s3api get-bucket-location --bucket my-bucket
CloudWatch
# List alarms aws cloudwatch describe-alarms aws cloudwatch describe-alarms --state-value ALARM # Get metrics aws cloudwatch get-metric-statistics \ --namespace AWS/EC2 \ --metric-name CPUUtilization \ --dimensions Name=InstanceId,Value=i-1234567890abcdef0 \ --start-time 2024-01-01T00:00:00Z \ --end-time 2024-01-02T00:00:00Z \ --period 3600 \ --statistics Average # List metrics aws cloudwatch list-metrics --namespace AWS/ECS # Put metric data aws cloudwatch put-metric-data \ --namespace "Custom/MyApp" \ --metric-name "RequestCount" \ --value 100
RDS
aws rds describe-db-instances # List RDS instances aws rds describe-db-clusters # List Aurora clusters aws rds describe-db-snapshots # List snapshots aws rds create-db-snapshot --db-instance-identifier mydb --db-snapshot-identifier mydb-snapshot
Cost Explorer
aws ce get-cost-and-usage \ --time-period Start=2024-01-01,End=2024-01-31 \ --granularity DAILY \ --metrics "BlendedCost" "UnblendedCost" \ --group-by Type=DIMENSION,Key=SERVICE
Security Hub
aws securityhub get-findings --max-results 100
aws securityhub get-findings --filters '{"SeverityNormalized": [{"Gte": 70}]}'
aws securityhub describe-standards
GuardDuty
aws guardduty list-detectors aws guardduty list-findings --detector-id <detector-id> aws guardduty get-findings --detector-id <detector-id> --finding-ids <finding-id>
Elastic Load Balancing
aws elbv2 describe-load-balancers # List ALB/NLB aws elbv2 describe-target-groups --load-balancer-arn <arn> aws elbv2 describe-target-health --target-group-arn <arn>
Elastic Beanstalk
aws elasticbeanstalk describe-environments aws elasticbeanstalk describe-environment-health --environment-name my-env --attribute-names All
Integration with Dash Monitoring
The dash monitoring dashboard uses AWS CLI for service discovery and metrics collection. Configuration is in config/aws-monitoring.yaml.
Configuration Example
# config/aws-monitoring.yaml
aws:
region: "us-west-2"
credentials:
use_iam_role: true # Use EC2 instance role or default chain
profile: "" # Or specify a named profile
access_key_id: "" # Or explicit credentials
secret_access_key: ""
service_stability:
discovery:
enabled: true
use_aws_cli: true # Enable CLI-based discovery
clusters:
- name: "production-cluster"
region: "us-west-2"
ec2_filters:
- name: "tag:Environment"
values: ["prod"]
discover_elastic_beanstalk: true
discover_lambda: true
How Dash Uses AWS CLI
The AWSCLIExecutor in dash executes AWS CLI commands for:
- •Service Discovery: ECS services, EC2 instances, Lambda functions, Elastic Beanstalk environments
- •CloudWatch Metrics: CPU, memory, request counts, latency
- •Alarms: CloudWatch alarm states
- •Cost Data: Daily/monthly cost breakdowns
- •Security: Security Hub findings, GuardDuty detections
- •Load Balancer Health: Target group health status
Verifying CLI Access for Dash
# Test identity aws sts get-caller-identity # Test ECS discovery aws ecs list-clusters aws ecs list-services --cluster production-cluster # Test CloudWatch access aws cloudwatch describe-alarms --state-value ALARM # Test Cost Explorer (requires activation) aws ce get-cost-and-usage \ --time-period Start=$(date -v-7d +%Y-%m-%d),End=$(date +%Y-%m-%d) \ --granularity DAILY \ --metrics BlendedCost
Required IAM Permissions for Dash
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ListClusters",
"ecs:ListServices",
"ecs:DescribeServices",
"ecs:ListTasks",
"ecs:DescribeTasks",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"lambda:ListFunctions",
"lambda:GetFunction",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEnvironmentHealth",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"rds:DescribeDBInstances",
"rds:DescribeDBClusters",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"ce:GetCostAndUsage",
"securityhub:GetFindings",
"guardduty:ListDetectors",
"guardduty:ListFindings",
"guardduty:GetFindings",
"sts:GetCallerIdentity"
],
"Resource": "*"
}
]
}
Common Workflows
Service Discovery Script
# Discover all running services across ECS clusters for cluster in $(aws ecs list-clusters --query 'clusterArns[*]' --output text); do echo "Cluster: $cluster" aws ecs list-services --cluster "$cluster" --query 'serviceArns[*]' --output table done
Health Check All Load Balancers
for lb in $(aws elbv2 describe-load-balancers --query 'LoadBalancers[*].LoadBalancerArn' --output text); do
echo "Load Balancer: $lb"
for tg in $(aws elbv2 describe-target-groups --load-balancer-arn "$lb" --query 'TargetGroups[*].TargetGroupArn' --output text); do
aws elbv2 describe-target-health --target-group-arn "$tg" \
--query 'TargetHealthDescriptions[*].[Target.Id,TargetHealth.State]' --output table
done
done
Export CloudWatch Metrics
aws cloudwatch get-metric-data \ --metric-data-queries file://queries.json \ --start-time $(date -v-1H -u +%Y-%m-%dT%H:%M:%SZ) \ --end-time $(date -u +%Y-%m-%dT%H:%M:%SZ) \ --output json > metrics.json
Cost Report
aws ce get-cost-and-usage \ --time-period Start=$(date -v-30d +%Y-%m-%d),End=$(date +%Y-%m-%d) \ --granularity MONTHLY \ --metrics "BlendedCost" \ --group-by Type=DIMENSION,Key=SERVICE \ --query 'ResultsByTime[*].Groups[*].[Keys[0],Metrics.BlendedCost.Amount]' \ --output table
Output Formats
aws ec2 describe-instances --output json # JSON (default) aws ec2 describe-instances --output text # Tab-separated aws ec2 describe-instances --output table # ASCII table aws ec2 describe-instances --output yaml # YAML
JMESPath Queries
# Get instance IDs only aws ec2 describe-instances --query 'Reservations[*].Instances[*].InstanceId' --output text # Filter and format aws ec2 describe-instances \ --query 'Reservations[*].Instances[*].[InstanceId,State.Name,Tags[?Key==`Name`].Value|[0]]' \ --output table # Complex filtering aws ec2 describe-instances \ --query 'Reservations[*].Instances[?State.Name==`running`].[InstanceId,InstanceType]' \ --output table
Troubleshooting
Credential Issues
# Check current identity aws sts get-caller-identity # Debug credential chain AWS_DEBUG=1 aws sts get-caller-identity # Clear cached credentials rm -rf ~/.aws/cli/cache/*
Region Issues
# Check configured region aws configure get region # Override region aws ec2 describe-instances --region us-east-1
Timeout Issues
# Increase timeout aws configure set cli_read_timeout 60 aws configure set cli_connect_timeout 30 # Or via environment export AWS_READ_TIMEOUT=60 export AWS_CONNECT_TIMEOUT=30
Rate Limiting
# Configure retry mode aws configure set retry_mode adaptive aws configure set max_attempts 10
Debug Mode
aws ec2 describe-instances --debug 2>&1 | head -100
Helper Scripts
This skill includes Python helper scripts in the scripts/ directory. Run with uv run:
aws_check.py - Verify AWS CLI Setup
uv run ~/.claude/skills/aws-cli/scripts/aws_check.py # Full diagnostic uv run ~/.claude/skills/aws-cli/scripts/aws_check.py identity # Check credentials uv run ~/.claude/skills/aws-cli/scripts/aws_check.py permissions # Test dash-required permissions uv run ~/.claude/skills/aws-cli/scripts/aws_check.py services # Discover AWS services uv run ~/.claude/skills/aws-cli/scripts/aws_check.py config # Show AWS configuration
aws_metrics.py - CloudWatch Metrics Helper
uv run ~/.claude/skills/aws-cli/scripts/aws_metrics.py list AWS/ECS uv run ~/.claude/skills/aws-cli/scripts/aws_metrics.py get CPUUtilization --namespace AWS/EC2 --dimension InstanceId=i-1234567890 uv run ~/.claude/skills/aws-cli/scripts/aws_metrics.py alarms ALARM uv run ~/.claude/skills/aws-cli/scripts/aws_metrics.py ecs my-cluster my-service --hours 24 uv run ~/.claude/skills/aws-cli/scripts/aws_metrics.py ec2 i-1234567890abcdef0 --hours 6 uv run ~/.claude/skills/aws-cli/scripts/aws_metrics.py rds mydb-instance --hours 12 uv run ~/.claude/skills/aws-cli/scripts/aws_metrics.py export metrics.json --hours 24
Resources
- •AWS CLI v2 User Guide
- •AWS CLI v2 Reference
- •AWS CLI GitHub Repository
- •JMESPath Tutorial
- •IAM Policy Simulator
Installation Reference
macOS
# Homebrew (recommended) brew install awscli # Official installer curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg" sudo installer -pkg AWSCLIV2.pkg -target /
Linux
# x86_64 curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install # ARM64 curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install
Docker
docker run --rm -it amazon/aws-cli --version docker run --rm -it -v ~/.aws:/root/.aws amazon/aws-cli s3 ls
Verify Installation
aws --version # aws-cli/2.x.x Python/3.x.x Darwin/23.x.x source/arm64