CLI Basics

Last updated: 2023-11-09


Install aws cli tools

 

The AWS CLI version 2 has no dependencies on other Python packages.

It has a self-contained, embedded copy of Python included in the installer.

Install

mkdir /usr/src/awscli

cd /usr/src/awscli

# For the latest version of the AWS CLI

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

unzip awscliv2.zip

# The default values are "/usr/local/aws-cli" (install dir) and "/usr/local/bin" (bin dir)

./aws/install

Install Opts

--install-dir or -i

This option specifies the directory to copy all of the files to.

The default value is /usr/local/aws-cli.

--bin-dir or -b

This option specifies that the main aws program in the install directory is

symbolically linked to the file aws in the specified path.

The default value is "/usr/local/bin"

e.g.

./aws/install --install-dir /opt/aws-cli --bin-dir /usr/sbin

ls -l /usr/sbin/aws

lrwxrwxrwx 1 root root 31 Sep 12 23:14 /usr/sbin/aws -> /opt/aws-cli/v2/current/bin/aws

Checking

aws --version

aws-cli/2.2.30 Python/3.8.8 Linux/3.10.0-1160.36.2.el7.x86_64 exe/x86_64.centos.7 prompt/off

 


Command Completion

 

# bash shell

# -C command

complete -C /opt/aws-cli/v2/current/bin/aws_completer aws      # add this line to .bashrc

 


awscli Usage

 

help

  aws help

  aws <command> help

  aws <command> <subcommand> help

usage

aws [options] <command> <subcommand> [<subcommand> ...] [parameters]

 


No more (disable the output pager)

 

# temporary (current shell only)

export AWS_PAGER=""

# permanent

aws configure set cli_pager ""

~/.aws/config

[default]
cli_pager=

# to view the output with a different pager instead

export AWS_PAGER="less"

On Windows

In Powershell on Windows:

$env:AWS_PAGER = ' ' (one space character) -> there is no output at all

$env:AWS_PAGER = '' -> output is piped to more.com because the environment variable is not set

$env:AWS_PAGER = 'cat' -> tries to output to cat, which doesn't exist, so returns an error

$env:AWS_PAGER = 'powershell -c $input' -> output is piped to another powershell instance, which does not page the output

$env:AWS_PAGER is not set -> output is piped to more.com

 


Server-side pagination

 

--no-paginate

By default, the AWS CLI uses a page size determined by the individual service and retrieves all available items.

For example, Amazon S3 has a default page size of 1000.

The "--no-paginate" option disables following pagination tokens on the client side.

When using a command, by default the AWS CLI automatically makes multiple calls to return all possible results to create pagination.

One call for each page. Disabling pagination has the AWS CLI only call once for the first page of command results.

For example, if you run aws s3api list-objects on an Amazon S3 bucket that contains 3,500 objects,

the AWS CLI only makes the first call to Amazon S3, returning only the first 1,000 objects in the final output.

$ aws s3api list-objects \
    --bucket my-bucket \
    --no-paginate

 


Configure user identity

 

aws configure

then set:

  • Access key ID
  • Secret access key
  • AWS Region                  # e.g. ap-east-1
  • Output format               # e.g. yaml

Output format

json(default), yaml, text, table(+|-)

Config file

User Configure File

To create access keys for an IAM user

Go to https://console.aws.amazon.com/iam/

Users > "Add users" Button > Access type: Programmatic access > Attach existing policies directly: MyImportExportVM

Test CLI On Client

# show current configuration data

aws configure list

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************TKUY shared-credentials-file
secret_key     ****************j1jO shared-credentials-file
    region                ap-east-1      config-file    ~/.aws/config

aws ec2 describe-instances

Setting the config and credentials file locations

The default locations can be changed through environment variables:

  • AWS_CONFIG_FILE: config file (~/.aws/config)
  • AWS_SHARED_CREDENTIALS_FILE: credentials file (~/.aws/credentials)

e.g.

export AWS_CONFIG_FILE=/path/to/config-file-name

 


Profiles

 

A collection of settings is called a profile. By default, the AWS CLI uses the default profile.

You can create and use additional named profiles with varying credentials and settings by

specifying the "--profile" option and assigning a name.

# Configure with profile

aws configure --profile produser

# List profiles

aws configure list-profiles

produser

 

# List profile Config

aws configure list --profile produser

# Run CLI

aws s3 ls --profile produser

 

 


set

 

AWS CLI supported global command line options

  • cli-connect-timeout
  • cli-read-timeout
  • debug
  • color on|off
  • no-cli-pager
  • output <string>

e.g.

aws configure set color on

aws configure set no-cli-pager on

aws configure set aws_access_key_id default_access_key

aws configure set aws_secret_access_key default_secret_key

aws configure set default.region us-west-2

 


User Configure File

 

Linux:

  • "~/.aws/config"
  • "~/.aws/credentials"    # Access Key ID & Secret Access Key

Windows

  • %homepath%\.aws\config
  • %homepath%\.aws\credentials

~/.aws/config

[default]
region = ap-east-1
color = on
output = text

credentials

[default]
aws_access_key_id = ????
aws_secret_access_key = ????

With a named profile

config

[profile produser]
region = ap-east-1

credentials

[produser]
aws_access_key_id =
aws_secret_access_key =

Login via environment variables

export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=XXXX
export AWS_DEFAULT_REGION=ap-east-1

 


Restrict AWS CLI calls from specific IP

 

 * This policy does not allow any actions.

    By default, access to resources is denied.
    To allow access to a resource, you must set the Effect element to Allow.
    To override an allow (for example, to override an allow that is otherwise in force), you set the Effect element to Deny.

 * Use this policy in combination with other policies that allow specific actions.

    This policy includes multiple condition keys, which result in a logical AND:

  • "NotIpAddress":{"aws:SourceIp":...}
  • "Bool":{"aws:ViaAWSService":...}

    If a single condition operator includes multiple values for one key,
    that condition operator is evaluated using a logical OR:

  • "x.x.x.x/32", "y.y.y.y/32"

 * The policy does not deny requests made by AWS services using the principal's credentials.
    (This policy defines permissions for programmatic and console access.)

  • "Bool": {"aws:ViaAWSService": "false"}

json

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "x.x.x.x/32",
                    "y.y.y.y/32"
                ]
            },
            "Bool": {"aws:ViaAWSService": "false"}
        }
    }
}

When the login does not come from one of those IPs:

An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation:
 You are not authorized to perform this operation.

Explicit denies and Implicit denies

  • Explicit: policy includes a Deny statement
  • Implicit: no applicable Deny statement but also no applicable Allow statement
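As an added example (not part of the original notes), the following Python script evaluates the Deny policy above against a request context the way the notes describe: the two CIDR values under aws:SourceIp are ORed, the two condition keys are ANDed, a request made via an AWS service is not denied, and an explicit deny wins over any allow while no allow at all is an implicit deny. The CIDRs 203.0.113.10/32 and 198.51.100.0/24 are constructed placeholders for x.x.x.x/32 and y.y.y.y/32, and the evaluator is a simplified model, not IAM's engine.

```python
import ipaddress
import json

# The page's deny policy; CIDRs are constructed placeholders for x.x.x.x/32 and y.y.y.y/32.
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": ["203.0.113.10/32", "198.51.100.0/24"]},
            "Bool": {"aws:ViaAWSService": "false"}
        }
    }
}
""")

def ip_in_any(source_ip, cidrs):
    # Several values under one key of one operator are combined with a logical OR.
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

# Only the operators used on this page are modelled; any other operator raises KeyError.
OPERATORS = {
    "IpAddress": lambda v, vals: ip_in_any(v, vals),
    "NotIpAddress": lambda v, vals: not ip_in_any(v, vals),
    "Bool": lambda v, vals: str(v).lower() == str(vals[0]).lower(),
}

def condition_matches(condition, ctx):
    """Every operator/key pair must match (logical AND). Simplified: a key absent from ctx never matches."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            values = values if isinstance(values, list) else [values]
            if key not in ctx or not OPERATORS[operator](ctx[key], values):
                return False
    return True

def deny_applies(policy, ctx):
    stmts = policy["Statement"] if isinstance(policy["Statement"], list) else [policy["Statement"]]
    return any(s["Effect"] == "Deny" and condition_matches(s.get("Condition", {}), ctx) for s in stmts)

def decision(deny_policy, allowed_elsewhere, ctx):
    # An explicit deny beats any allow; with no matching allow the result is an implicit deny.
    if deny_applies(deny_policy, ctx):
        return "explicit deny"
    return "allow" if allowed_elsewhere else "implicit deny"
```

A request context is the set of condition-key values IAM sees for one call, e.g. {"aws:SourceIp": "192.0.2.5", "aws:ViaAWSService": "false"} for a CLI call from an unlisted address.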