51

I am trying to embed access and secret key along with aws cli. e.g.

aws ec2 describe-instances --aws-access-key <access_key> --aws-secret-key <secret_key>

Also tried with -o and -w options for access and secret key respectively. It says: Unknown option aws-access-key and aws-secret-key

user3089927

11 Answers

89

You can provide keys on the command line via envars:

AWS_ACCESS_KEY_ID=ABCD AWS_SECRET_ACCESS_KEY=EF1234 aws ec2 describe-instances

See http://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials

EDIT: @wisbucky noted this could leave secrets in your command history. One way around this, in bash at least, I think, is to prepend your command with a blank space, and the command should not propagate to your bash history.

DanH
  • 16
    Just be wary that would record your keys in your command history. – wisbucky Mar 15 '17 at 23:30
  • Did the above syntax work for anyone? I have searched enough but could not locate a working example of the recommended IAM Role as per the best practice – Mohammed Rafeeq Aug 24 '17 at 11:14
  • See [here](https://unix.stackexchange.com/questions/115917/why-is-bash-not-storing-commands-that-start-with-spaces?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa) for how to not save it in bash history – RSHAP May 02 '18 at 01:14
  • It doesn't address the specific question but assumes the over-arching solution. It works, but it throws off solution searches. I'm looking for the specific answer. – eco Aug 08 '18 at 23:05
  • 1
    Prepending with a blank space will only omit it from your BASH history if that is configured. Not all BASH environments are configured to omit commands from the history prepended with a space. – SeamusJ Jul 16 '19 at 00:00
  • "You must specify a region." – Cerin Aug 15 '19 at 15:58
  • Note that you may also need to ignore the AWS credential (and possibly config) file environment variables, as in `AWS_CREDENTIAL_FILE="" AWS_CONFIG_FILE="" AWS_ACCESS_KEY_ID=ABCD AWS_SECRET_ACCESS_KEY=EF1234 aws ec2 describe-instances`, since those take precedence when obtaining the credentials. – Erhhung Nov 15 '19 at 22:43
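The history concern raised in the comments above, as an added example that is not part of the original thread: it checks whether a `HISTCONTROL` value really drops space-prefixed commands, and runs a command with keys loaded from a private file so they never appear on the command line at all. The function names and the key file are hypothetical, and the key values in any such file are the reader's own.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# history_skips_space VALUE: succeed only if this HISTCONTROL value makes
# bash drop commands that begin with a space (ignorespace or ignoreboth).
history_skips_space() {
    old_ifs=$IFS; IFS=:
    for opt in $1; do
        case $opt in
            ignorespace|ignoreboth) IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# run_with_keyfile FILE CMD...: run CMD with the variables assigned in FILE
# exported, inside a subshell, so the keys never reach the calling shell,
# its history, or the argument list. FILE holds plain assignments such as
# AWS_ACCESS_KEY_ID=... and AWS_SECRET_ACCESS_KEY=...
run_with_keyfile() {
    keyfile=$1; shift
    [ -f "$keyfile" ] || { echo "no such key file: $keyfile" >&2; return 2; }
    # "." searches PATH for names without a slash, so force a path.
    case $keyfile in */*) ;; *) keyfile=./$keyfile ;; esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $keyfile: accessible by group/other, chmod 600 it" >&2
        return 3
    fi
    (
        set -a          # export everything the file assigns
        . "$keyfile"
        set +a
        exec "$@"
    )
}

# Usage (file path is a placeholder):
#   history_skips_space "$HISTCONTROL" || echo "leading space will NOT hide commands"
#   run_with_keyfile ~/aws-keys.env aws sts get-caller-identity
```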
25

You can set credentials with:

aws configure set aws_access_key_id <yourAccessKey>
aws configure set aws_secret_access_key <yourSecretKey>

Verify your credentials with:

aws sts get-caller-identity

For more information on set command:

aws configure set help

General pattern is:

aws <command> help
aws <command> <subcommand> help

Note: Before overriding your credentials, you may want to keep a copy of it:

aws configure get aws_access_key_id
aws configure get aws_secret_access_key
Noam Manos
ulubeyn
  • 1
    How can I set a role_arn to be assumed by the profile from AWS CLI? Is it possible? I want to invoke a lambda function from awscli container but it returns `An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied`. Any idea? – Carlos Andres Dec 02 '18 at 15:40
7

Summarizing the aws doc, there are several ways to pass credentials to the command line. Please note that there are no command line options to pass in the key and secret key directly. The "provider chain" is used instead.

In my bash scripts, I often use environment variables. To add a tiny bit of security, I source a file containing the variables rather than putting them in the script. With named profiles, it's even easier.

The provider chain is:

  1. command line options: specify region, output format, or profile
  2. Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN
  3. The AWS credentials file – located at ~/.aws/credentials on Linux, macOS, or Unix, or at C:\Users\USERNAME\.aws\credentials on Windows. This file can contain multiple named profiles in addition to a default profile.
  4. The CLI configuration file – typically located at ~/.aws/config on Linux, macOS, or Unix, or at C:\Users\USERNAME\.aws\config on Windows. This file can contain a default profile, named profiles, and CLI specific configuration parameters for each.
  5. Container credentials – provided by Amazon Elastic Container Service on container instances when you assign a role to your task.
  6. Instance profile credentials – these credentials can be used on EC2 instances with an assigned instance role, and are delivered through the Amazon EC2 metadata service.
LHWizard
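The chain listed in the answer above, walked in order to report which source would supply the keys; this is an added example, not AWS code and not part of the original answer. It is a simplified model covering only the sources that answer lists, the function names are hypothetical, and it assumes the CLI's `AWS_PROFILE`, `AWS_SHARED_CREDENTIALS_FILE`, `AWS_CONFIG_FILE` and `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` environment variables.

```shell
#!/bin/sh
# Added example, not AWS code. Function names are hypothetical.

# has_key FILE SECTION: succeed if [SECTION] in an INI-style file sets
# aws_access_key_id.
has_key() {
    [ -f "$1" ] || return 1
    awk -v want="[$2]" '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*/, "", s); sub(/[ \t]*$/, "", s)
            insec = (s == want); next
        }
        insec && /^[ \t]*aws_access_key_id[ \t]*=/ { found = 1 }
        END { exit !found }' "$1"
}

# credential_source: print the first source in the chain that holds keys
# for the active profile (AWS_PROFILE, else "default").
credential_source() {
    profile=${AWS_PROFILE:-default}
    creds=${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}
    conf=${AWS_CONFIG_FILE:-$HOME/.aws/config}
    # The config file names non-default profiles "[profile NAME]";
    # the credentials file uses the bare name.
    if [ "$profile" = default ]; then
        confsec=default
    else
        confsec="profile $profile"
    fi
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "environment variables"
    elif has_key "$creds" "$profile"; then
        echo "credentials file: $creds [$profile]"
    elif has_key "$conf" "$confsec"; then
        echo "config file: $conf [$confsec]"
    elif [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
        echo "container credentials"
    else
        # Cannot be checked offline; needs the EC2 metadata service.
        echo "instance profile (if any)"
    fi
}
```

Running `credential_source` before a sensitive command shows whether leftover environment keys would silently override the profile you meant to use.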
7

I think the previous answers are correct; here is my response, which is more like DanH's response but also includes multiple options and Windows too.

Linux/Mac

export AWS_ACCESS_KEY_ID=your_key; export AWS_SECRET_ACCESS_KEY=your_secret;  aws s3 ls 

Another way to skin a cat for Linux/Mac

AWS_ACCESS_KEY_ID=your_key AWS_SECRET_ACCESS_KEY=your_secret aws s3 ls 

Windows Powershell

$Env:AWS_ACCESS_KEY_ID="your_key"
$Env:AWS_SECRET_ACCESS_KEY="your_secret"
aws s3 ls  

Full credit to great AWS document

grepit
6

You can also use aws configure:

$ aws configure
AWS Access Key ID [None]: xxxxxxxxxxxxxxxxxxxxxxxxx
AWS Secret Access Key [None]: xxxxxxxxxxxxxxxxxxxxxxxxx
MaxNevermind
4

I had to access multiple accounts on Amazon....so my solution:

under: ~/.aws/config

[default]
aws_access_key_id = xxxx
aws_secret_access_key = xxxxxx
region=sa-east-1
output=text

[profile prof1]
region=us-east-1
output=text
aws_access_key_id = yyy
aws_secret_access_key = yyyyy

[profile prof2]
region=us-east-1
output=text
aws_access_key_id = wwwwww
aws_secret_access_key = wwwww

...and then when invoking the aws CLI, I passed the parameter "--profile" as:

/usr/local/bin/aws ec2 describe-security-groups --group-ids sg-xxxx --profile prof2

...that's it!

costamatrix
2

It's the best way and more secure to use IAM roles. There you can set specific rights to this instance and what it has to access in your account.

Depending on what awscli version you use you can use describe-instances in a couple ways.

Like this one:

ec2din -O your-key -W your-secret-key --region your-region

Also there is a big difference when you install awscli with pip install or from pkg like ubuntu deb package.

ec2din is a short command to ec2-describe-instances

More examples here: ec2-describe-instances

Regards.

Peycho Dimitrov
1

To access aws through cli,

aws configure
Prashanth Sams
1

Another method is to use echo with aws configure as a one-liner:

echo -ne '<access_key>\n<security_key>\n<region>\n<output>\n' | aws configure
0

You should store your credentials to ~/.aws/config file (or .aws/credentials)

More info on how to set it up: http://docs.aws.amazon.com/cli/latest/reference/configure/index.html

Also, as an alternative, you can create an IAM role and a certain policy and set it on your EC2 instance where you will use the aws cli; then you won't need any credentials setup there.

jorfus
Evgeniy Kuzmin
  • You can also store multiple profiles in the .aws/credentials file and reference them with: aws ec2 describe-instances --profile profile-name – jorfus Sep 21 '18 at 18:44
0

Using the access key and ID is not recommended, as it will be stored in the config file. A better approach is to create an IAM role and give it the required access which you need.

Niharika