# Aws Cli

> Code examples that show how to use AWS Command Line Interface with Bash script with AWS.

---

# Bash script examples

> Code examples that show how to use AWS Command Line Interface with Bash script with AWS.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/bash_code_examples.html

---

# AWS CLI with Bash script code examples

The code examples in this topic show you how to use the AWS Command Line Interface with Bash script with AWS.

*Basics* are code examples that show you how to perform the essential operations within a service.

*Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.

*Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services.

Some services contain additional example categories that show how to leverage libraries or functions specific to the service.

###### Services

- [AWS Batch](./bash_batch_code_examples.html)
- [AWS Cloud Map](./bash_servicediscovery_code_examples.html)
- [CloudFront](./bash_cloudfront_code_examples.html)
- [DynamoDB](./bash_dynamodb_code_examples.html)
- [Amazon EC2](./bash_ec2_code_examples.html)
- [HealthImaging](./bash_medical-imaging_code_examples.html)
- [IAM](./bash_iam_code_examples.html)
- [AWS KMS](./bash_kms_code_examples.html)
- [Lightsail](./bash_lightsail_code_examples.html)
- [Amazon S3](./bash_s3_code_examples.html)
- [AWS STS](./bash_sts_code_examples.html)

---

# Short-term credentials

> Configure the AWS CLI to authenticate using short-term credentials.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-short-term.html

---

# Authenticating with short-term credentials for the AWS CLI

We recommend configuring your SDK or tool to use [IAM Identity Center authentication](https://docs.aws.amazon.com/sdkref/latest/guide/access-sso.html) with extended session duration options. However, you can copy and use temporary credentials that are available in the AWS access portal. New credentials will need to be copied when these expire. You can use the temporary credentials in a profile or use them as values for system properties and environment variables.

1. [Sign in to the AWS access portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosignin.html).
2. Follow [these instructions](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html) to copy IAM role credentials from the AWS access portal.
   a. For step 2 in the linked instructions, choose the AWS account and IAM role name that grants access for your development needs. This role typically has a name like **PowerUserAccess** or **Developer**.
   b. For step 4, select the **Add a profile to your AWS credentials file** option and copy the contents.
3. Create or open the shared `credentials` file. This file is `~/.aws/credentials` on Linux and macOS systems, and `%USERPROFILE%\.aws\credentials` on Windows. For more information, see [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html).
4. Add the following text to the shared `credentials` file. Replace the sample values with the credentials you copied.

   ```
   [default]
   aws_access_key_id = AKIAIOSFODNN7EXAMPLE
   aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
   aws_session_token = IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE
   ```

5. Add your preferred default region and format to the shared `config` file.

```
[default]
region=us-west-2
output=json

[profile user1]
region=us-east-1
output=text
```

When the SDK creates a service client, it will access these temporary credentials and use them for each request. The settings for the IAM role chosen in step 2a determine [how long the temporary credentials are valid](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html). The maximum duration is twelve hours.

Repeat these steps each time your credentials expire.

---

# IAM users

> Configure the AWS CLI and specify the settings for interacting with AWS.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html

---

# Authenticating using IAM user credentials for the AWS CLI

###### Warning

To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html).

This section explains how to configure basic settings with an IAM user. These include your security credentials using the `config` and `credentials` files. To instead see configuration instructions for AWS IAM Identity Center, see [Configuring IAM Identity Center authentication with the AWS CLI](./cli-configure-sso.html).

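The following is an added example, not part of the AWS documentation: a shell audit that classifies each profile in a shared `credentials` file as short-term or long-term by whether `aws_session_token` is set, matching the two file layouts this guide shows. The function names, the profile names `portal` and `broken`, and the sample file are constructed for illustration; the key values are the documentation's own sample values.

```bash
#!/bin/sh
# Added example, not AWS code. Audits a shared credentials file and reports,
# per profile, whether it holds short-term or long-term credentials.
# Key material is never printed, only profile names and a classification.

# classify_profiles FILE
# Prints "<profile><TAB><kind>" for each profile section, where kind is:
#   short-term  access key, secret key and aws_session_token are all set
#   long-term   access key and secret key set, no session token
#   incomplete  access key or secret key missing
classify_profiles() {
    awk '
        function emit(   kind) {
            if (profile == "") return
            if (!has_id || !has_secret) kind = "incomplete"
            else if (has_token)         kind = "short-term"
            else                        kind = "long-term"
            print profile "\t" kind
        }
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[.*\][ \t\r]*$/ {                    # [profile] header
            emit()
            profile = $0
            gsub(/^[ \t]*\[[ \t]*|[ \t]*\][ \t\r]*$/, "", profile)
            has_id = 0; has_secret = 0; has_token = 0
            next
        }
        {
            eq = index($0, "=")          # split on the first "=" only, so
            if (eq == 0) next            # "=" inside a token value survives
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (val == "") next          # an empty value counts as not set
            if (key == "aws_access_key_id")     has_id = 1
            if (key == "aws_secret_access_key") has_secret = 1
            if (key == "aws_session_token")     has_token = 1
        }
        END { emit() }
    ' "$1"
}

# long_term_profiles FILE
# Prints the names of profiles holding long-term credentials and returns 1
# if any exist, so the function can gate a workstation or CI check.
long_term_profiles() {
    lt_found=$(classify_profiles "$1" | awk -F '\t' '$2 == "long-term" { print $1 }')
    if [ -n "$lt_found" ]; then
        printf '%s\n' "$lt_found"
        return 1
    fi
    return 0
}

# write_sample FILE
# Writes a constructed credentials file using the sample values from this guide.
write_sample() {
    cat > "$1" <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[portal]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE

# half-edited profile
[broken]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
EOF
}

# Demo on the constructed file.
sample=$(mktemp)
write_sample "$sample"
classify_profiles "$sample"
long_term_profiles "$sample" >/dev/null || echo "long-term credentials found" >&2
rm -f "$sample"
```

To audit a real workstation, pass `~/.aws/credentials` to `classify_profiles` instead of the constructed sample.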
###### Topics

- [Step 1: Create your IAM user](./cli-authentication-user.html#cli-authentication-user-create)
- [Step 2: Get your access keys](./cli-authentication-user.html#cli-authentication-user-get)
- [Step 3: Configure the AWS CLI](./cli-authentication-user.html#cli-authentication-user-configure.title)
  - [Using aws configure](./cli-authentication-user.html#cli-authentication-user-configure-wizard)
  - [Importing access keys via .CSV file](./cli-authentication-user.html#cli-authentication-user-configure-csv)
  - [Directly editing the config and credentials files](./cli-authentication-user.html#cli-authentication-user-configure-csv.titlecli-authentication-user-configure-file)
- [(Optional) Using multi-factor authentication with your IAM user credentials](./cli-authentication-user.html#cli-authentication-user-configure-csv.titlecli-authentication-user-mfa)

## Step 1: Create your IAM user

Create your IAM user by following the [Creating IAM users (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console) procedure in the *IAM User Guide*.

- For **Permission options**, choose **Attach policies directly** for how you want to assign permissions to this user.
- Most "Getting Started" SDK tutorials use the Amazon S3 service as an example. To provide your application with full access to Amazon S3, select the `AmazonS3FullAccess` policy to attach to this user.

## Step 2: Get your access keys

- Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
- In the navigation pane of the IAM console, select **Users** and then select the **`User name`** of the user that you created previously.
- On the user's page, select the **Security credentials** page. Then, under **Access keys**, select **Create access key**.
- For **Create access key Step 1**, choose **Command Line Interface (CLI)**.
- For **Create access key Step 2**, enter an optional tag and select **Next**.
- For **Create access key Step 3**, select **Download .csv file** to save a `.csv` file with your IAM user's access key and secret access key. You need this information for later.
- Select Done.

## Step 3: Configure the AWS CLI

For general use, the AWS CLI needs the following pieces of information:

- Access key ID
- Secret access key
- AWS Region
- Output format

The AWS CLI stores this information in a *profile* (a collection of settings) named `default` in the `credentials` file. By default, the information in this profile is used when you run an AWS CLI command that doesn't explicitly specify a profile to use. For more information on the `credentials` file, see [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html).

To configure the AWS CLI, use one of the following procedures:

###### Topics

- [Using aws configure](#cli-authentication-user-configure-wizard)
- [Importing access keys via .CSV file](#cli-authentication-user-configure-csv)
- [Directly editing the config and credentials files](#cli-authentication-user-configure-csv.titlecli-authentication-user-configure-file)

### Using `aws configure`

For general use, the `aws configure` command is the fastest way to set up your AWS CLI installation. This configure wizard prompts you for each piece of information you need to get started. Unless otherwise specified by using the `--profile` option, the AWS CLI stores this information in the `default` profile.

The following example configures a `default` profile using sample values. Replace them with your own values as described in the following sections.

```
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
```

The following example configures a profile named `userprod` using sample values.
Replace them with your own values as described in the following sections.

```
$ aws configure --profile userprod
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
```

### Importing access keys via .CSV file

Instead of using `aws configure` to enter access keys, you can import the plain text `.csv` file you downloaded after you created your access keys.

The `.csv` file must contain the following headers.

- User Name - This column must be added to your `.csv`. This is used to create the profile name used in the `config` and `credentials` files when you import.
- Access key ID
- Secret access key

###### Note

During initial access key creation, once you close the **Download .csv file** dialog box, you can no longer access your secret access key. If you need a `.csv` file, you'll need to create one yourself with the required headers and your stored access key information. If you do not have access to your access key information, you need to create new access keys.

To import the `.csv` file, use the `aws configure import` command with the `--csv` option as follows:

```
$ aws configure import --csv file://credentials.csv
```

For more information, see [`aws_configure_import`](./cli-configure-files.html#cli-config-aws_configure_import).

### Directly editing the `config` and `credentials` files

To directly edit the `config` and `credentials` files, perform the following.

- Create or open the shared AWS `credentials` file. This file is `~/.aws/credentials` on Linux and macOS systems, and `%USERPROFILE%\.aws\credentials` on Windows. For more information, see [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html).
- Add the following text to the shared `credentials` file. Replace the sample values with the values from the `.csv` file that you downloaded earlier, and save the file.

```
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

## (Optional) Using multi-factor authentication with your IAM user credentials

For additional security, you can use a one-time key generated from a multi-factor authentication (MFA) device, a U2F device, or mobile app when you attempt to make a call.

With your MFA-enabled IAM user, run the [`aws configure mfa-login`](https://docs.aws.amazon.com/cli/latest/reference/configure/mfa-login.html) command to configure a new profile to use with multi-factor authentication (MFA) for the specified profile. If no profile is specified, the MFA is based on the `default` profile. If no default profile is configured, the `mfa-login` command prompts you for your AWS credentials before asking for your MFA information. The following command example uses your default configuration and creates an MFA profile.

```
$ aws configure mfa-login
MFA serial number or ARN: arn:aws:iam::123456789012:mfa/MFADeviceName
MFA token code: 123456
Profile to update [session-MFADeviceName]:
Temporary credentials written to profile 'session-MFADeviceName'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile session-MFADeviceName when running AWS CLI commands
```

To update an existing profile, use the `--update-profile` parameter.

```
$ aws configure mfa-login --profile myprofile --update-profile mfaprofile
MFA token code: 123456
Temporary credentials written to profile 'mfaprofile'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile mfaprofile when running AWS CLI commands
```

This command currently supports only hardware or software based one-time password (OTP) authenticators. Passkeys and U2F devices are not currently supported with this command.

To use your MFA profile, use the `--profile` option with your commands.

```
$ aws s3 ls --profile mfaprofile
```

For more information on using MFA with IAM, including how to assign MFA to an IAM user, see [AWS Multi-factor authentication in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) in the *AWS Identity and Access Management User Guide*.

---

# Authentication and access credentials

> This chapter covers the authentication and credential processes to configure for programmatic access with the AWS CLI to connect to AWS services.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-authentication.html

---

# Authentication and access credentials for the AWS CLI

You must establish how the AWS CLI authenticates with AWS when you develop with AWS services. To configure credentials for programmatic access for the AWS CLI, choose one of the following options. The options are in order of recommendation.

| Authentication type | Purpose | Instructions |
| --- | --- | --- |
| AWS Management Console credentials | **(Recommended)** Use short-term credentials by logging into the AWS CLI with your console credentials. Recommended if you use root, IAM users, or federation with IAM for AWS account access | [Login for AWS local development using console credentials](./cli-configure-sign-in.html) |
| IAM Identity Center workforce users short-term credentials | Use short-term credentials for an IAM Identity Center workforce user. Security best practice is to use AWS Organizations with IAM Identity Center. It combines short-term credentials with a user directory, such as the built-in IAM Identity Center directory or Active Directory. | [Configuring IAM Identity Center authentication with the AWS CLI](./cli-configure-sso.html) |
| IAM user short-term credentials | Use IAM user short-term credentials, which are more secure than long-term credentials. If your credentials are compromised, there is a limited time they can be used before they expire. | [Authenticating with short-term credentials for the AWS CLI](./cli-authentication-short-term.html) |
| IAM or IAM Identity Center users on an Amazon EC2 instance. | Use Amazon EC2 instance metadata to query for temporary credentials using the role assigned to the Amazon EC2 instance. | [Using Amazon EC2 instance metadata as credentials in the AWS CLI](./cli-configure-metadata.html) |
| Assume roles for permissions | Pair another credential method and assume a role for temporary access to AWS services your user might not have access to. | [Using an IAM role in the AWS CLI](./cli-configure-role.html) |
| IAM user long-term credentials | **(Not recommended)** Use long-term credentials, which have no expiration. | [Authenticating using IAM user credentials for the AWS CLI](./cli-authentication-user.html) |
| External storage of IAM or IAM Identity Center workforce users | **(Not recommended)** Pair another credential method but store credential values in a location outside of the AWS CLI. This method is only as secure as the external location the credentials are stored. | [Sourcing credentials with an external process in the AWS CLI](./cli-configure-sourcing-external.html) |

## Configuration and credential precedence

Credentials and configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. Certain authentication settings take precedence over others.
The AWS CLI authentication settings take precedence in the following order:

- **[Command line options](./cli-configure-options.html)** – Overrides settings in any other location, such as the `--region`, `--output`, and `--profile` parameters.
- **[Environment variables](./cli-configure-envvars.html)** – You can store values in your system's environment variables.
- **[Assume role](./cli-configure-role.html)** – Assume the permissions of an IAM role through configuration or the [`assume-role`](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html) command.
- **[Assume role with web identity](./cli-configure-role.html)** – Assume the permissions of an IAM role using web identity through configuration or the [`assume-role-with-web-identity`](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html) command.
- **[AWS IAM Identity Center](./cli-configure-files.html)** – The IAM Identity Center configuration settings stored in the `config` file are updated when you run the `aws configure sso` command. Credentials are then authenticated when you run the `aws sso login` command. The `config` file is located at `~/.aws/config` on Linux or macOS, or at `C:\Users\USERNAME\.aws\config` on Windows.
- **[Credentials file](./cli-configure-files.html)** – The `credentials` and `config` files are updated when you run the command `aws configure`. The `credentials` file is located at `~/.aws/credentials` on Linux or macOS, or at `C:\Users\USERNAME\.aws\credentials` on Windows.
- **[Custom process](./cli-configure-sourcing-external.html)** – Get your credentials from an external source.
- **[Configuration file](./cli-configure-files.html)** – The `credentials` and `config` files are updated when you run the command `aws configure`. The `config` file is located at `~/.aws/config` on Linux or macOS, or at `C:\Users\USERNAME\.aws\config` on Windows.
- **[Container credentials](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html)** – You can associate an IAM role with each of your Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary credentials for that role are then available to that task's containers. For more information, see [IAM Roles for Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) in the *Amazon Elastic Container Service Developer Guide*.
- **[Amazon EC2 instance profile credentials](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)** – You can associate an IAM role with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service. For more information, see [IAM Roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) in the *Amazon EC2 User Guide* and [Using Instance Profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) in the *IAM User Guide*.

## Additional topics in this section

- [Configuring IAM Identity Center authentication with the AWS CLI](./cli-configure-sso.html)
- [Authenticating with short-term credentials for the AWS CLI](./cli-authentication-short-term.html)
- [Using an IAM role in the AWS CLI](./cli-configure-role.html)
- [Authenticating using IAM user credentials for the AWS CLI](./cli-authentication-user.html)
- [Using Amazon EC2 instance metadata as credentials in the AWS CLI](./cli-configure-metadata.html)
- [Sourcing credentials with an external process in the AWS CLI](./cli-configure-sourcing-external.html)


---

# AWS CLI examples

> This chapter provides examples that show you how to use the AWS CLI with AWS services.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-code-examples.html

---

# Examples for the AWS CLI

This chapter provides a collection of examples that show you how to use the AWS Command Line Interface (AWS CLI) with AWS services.

**The AWS CLI has the following types of examples in this guide:**

- **[Guided command examples](./cli-chap-services.html)** - Guided command examples for the AWS CLI User Guide on how to use the AWS CLI with some AWS services. These are often more detailed examples than the examples from the [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/index.html).
- **[AWS CLI command examples](./cli_code_examples.html)** - Open source command examples that are also available in the [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/index.html). Command examples are hosted in the [AWS CLI](https://github.com/aws/aws-cli/tree/develop/awscli/examples) repository on *GitHub*.
- **[AWS CLI using Bash scripting code examples](./bash_code_examples.html)** - Open source bash scripting examples. Bash scripting examples are hosted in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples) on *GitHub*.

###### Example feedback

Can't find what you need? Request a command example by using the **Provide feedback** link at the bottom of this page or on the relevant command page in the [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/index.html).

Want to contribute? Contribute AWS CLI command examples in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples) on *GitHub*.
For more information on contributing, see [AWS CLI code example contribution quick steps](https://aws.github.io/aws-cli/docs_quicksteps.html) on *GitHub pages*.

---

# Configure the AWS CLI

> Configure settings that the AWS CLI uses to interact with AWS.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html

---

# Configuring settings for the AWS CLI

This section explains how to configure the settings that the AWS Command Line Interface (AWS CLI) uses to interact with AWS. These include the following:

- **Credentials** identify who is calling the API. Access credentials are used to encrypt the request to the AWS servers to confirm your identity and retrieve associated permissions policies. These permissions determine the actions you can perform. For information on setting up your credentials, see [Authentication and access credentials for the AWS CLI](./cli-chap-authentication.html).
- **Other configuration details** to tell the AWS CLI how to process requests, such as the default output format and the default AWS Region.

###### Note

AWS requires that all incoming requests are cryptographically signed. The AWS CLI does this for you. The "signature" includes a date/time stamp. Therefore, you must ensure that your computer's date and time are set correctly. If you don't, and the date/time in the signature is too far off of the date/time recognized by the AWS service, AWS rejects the request.

## Configuration and credentials precedence

Credentials and configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. Certain locations take precedence over others.
The AWS CLI credentials and configuration settings take precedence in the following order:

- **[Command line options](./cli-configure-options.html)** – Overrides settings in any other location, such as the `--region`, `--output`, and `--profile` parameters.
- **[Environment variables](./cli-configure-envvars.html)** – You can store values in your system's environment variables.
- **[Assume role](./cli-configure-role.html)** – Assume the permissions of an IAM role through configuration or the [`assume-role`](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html) command.
- **[Assume role with web identity](./cli-configure-role.html)** – Assume the permissions of an IAM role using web identity through configuration or the [`assume-role-with-web-identity`](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html) command.
- **[AWS IAM Identity Center](./cli-configure-files.html)** – The IAM Identity Center configuration settings stored in the `config` file are updated when you run the `aws configure sso` command. Credentials are then authenticated when you run the `aws sso login` command. The `config` file is located at `~/.aws/config` on Linux or macOS, or at `C:\Users\USERNAME\.aws\config` on Windows.
- **[Credentials file](./cli-configure-files.html)** – The `credentials` and `config` files are updated when you run the command `aws configure`. The `credentials` file is located at `~/.aws/credentials` on Linux or macOS, or at `C:\Users\USERNAME\.aws\credentials` on Windows.
- **[Custom process](./cli-configure-sourcing-external.html)** – Get your credentials from an external source.
- **[Configuration file](./cli-configure-files.html)** – The `credentials` and `config` files are updated when you run the command `aws configure`. The `config` file is located at `~/.aws/config` on Linux or macOS, or at `C:\Users\USERNAME\.aws\config` on Windows.
- **[Container credentials](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html)** – You can associate an IAM role with each of your Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary credentials for that role are then available to that task's containers. For more information, see [IAM Roles for Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) in the *Amazon Elastic Container Service Developer Guide*.
- **[Amazon EC2 instance profile credentials](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)** – You can associate an IAM role with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service. For more information, see [IAM Roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) in the *Amazon EC2 User Guide* and [Using Instance Profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) in the *IAM User Guide*.

## Additional topics in this section

- [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html)
- [Configuring environment variables for the AWS CLI](./cli-configure-envvars.html)
- [Command line options in the AWS CLI](./cli-configure-options.html)
- [Configuring command completion in the AWS CLI](./cli-configure-completion.html)
- [AWS CLI retries in the AWS CLI](./cli-configure-retries.html)
- [Using an HTTP proxy for the AWS CLI](./cli-configure-proxy.html)


---

# Get started

> Get started with the AWS CLI version 2 with instructions on how to install the AWS CLI and the prerequisites needed to run AWS CLI commands.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html

---

# Getting started with the AWS CLI

This chapter provides steps to get started with version 2 of the AWS Command Line Interface (AWS CLI) and provides links to the relevant instructions.

- **[Complete all prerequisites](./getting-started-prereqs.html)** - To access AWS services with the AWS CLI, you need at minimum an AWS account and IAM credentials. To increase the security of your AWS account, we recommend that you do not use your root account credentials. You should create a user with least privilege to provide access credentials to the tasks you'll be running in AWS.
- Install or gain access to the AWS CLI using one of the following methods:
  - **(Recommended)** [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html).
  - [Installing past releases of the AWS CLI version 2](./getting-started-version.html). Installing a specific version is primarily used if your team aligns their tools to a specific version.
  - [Building and installing the AWS CLI from source](./getting-started-source-install.html). Building the AWS CLI from GitHub source is a more in-depth method that is primarily used by customers who work on platforms that we do not directly support with our pre-built installers.
  - [Running the official Amazon ECR Public or Docker images for the AWS CLI](./getting-started-docker.html).
  - Access the AWS CLI version 2 in the AWS console from your browser using AWS CloudShell. For more information, see the [AWS CloudShell User Guide](https://docs.aws.amazon.com/cloudshell/latest/userguide/).
- [After you have access to the AWS CLI, configure your AWS CLI with your IAM credentials for first time use](./getting-started-quickstart.html).

###### Troubleshooting installer or configure errors

If you have issues after installing, uninstalling, or configuring the AWS CLI, see [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html) for troubleshooting steps.

###### Topics

- [Prerequisites to use the AWS CLI version 2](./getting-started-prereqs.html)
- [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html)
- [Installing past releases of the AWS CLI version 2](./getting-started-version.html)
- [Building and installing the AWS CLI from source](./getting-started-source-install.html)
- [Running the official Amazon ECR Public or Docker images for the AWS CLI](./getting-started-docker.html)
- [Setting up the AWS CLI](./getting-started-quickstart.html)

---

# Guided command examples

> See examples of using the AWS CLI to perform administrator and user tasks in AWS services.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-services.html

---

# Guided command examples for the AWS CLI

The AWS Command Line Interface (AWS CLI) is an open source tool that enables you to interact with a wide range of AWS services using commands in your command-line shell. This section provides guided examples that show how to leverage the AWS CLI to access some of the AWS services. This includes some of the custom AWS CLI commands, such as the high-level `aws s3` commands. These command examples demonstrate common actions used for some AWS services and provide additional resources for more information.
Whether you are an experienced AWS user or new to the AWS CLI, these guided examples serve as a resource for streamlining your AWS operations.

For a complete reference of all the available commands for each AWS service, see the [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/index.html). Additionally, you can utilize the [built-in command line help](./cli-usage-help.html) to explore the array of AWS services, commands, options, and features in the AWS CLI.

For more command examples that are not available in this section, see the [AWS CLI command examples](./cli_code_examples.html) section. These are open source command examples that are also available in the [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/index.html). Command examples are hosted in the [AWS CLI](https://github.com/aws/aws-cli/tree/develop/awscli/examples) repository on *GitHub*.

For open source bash scripting examples, see [AWS CLI with Bash script code examples](./bash_code_examples.html). Bash scripting examples are hosted in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples) on *GitHub*.

###### Services

- [DynamoDB](./cli-services-dynamodb.html)
- [Amazon EC2](./cli-services-ec2.html)
- [Amazon Glacier](./cli-services-glacier.html)
- [IAM](./cli-services-iam.html)
- [Amazon S3](./cli-services-s3.html)
- [Amazon SNS](./cli-services-sns.html)

---

# Troubleshoot errors

> This section covers common errors and troubleshooting steps to follow to diagnose and fix a variety of AWS Command Line Interface errors you may encounter.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html

---

# Troubleshooting errors for the AWS CLI

This section covers common errors and troubleshooting steps to follow to resolve your issue. We suggest following the [general troubleshooting](#tshoot-general) first.

###### Contents

- [General troubleshooting to try first](./cli-chap-troubleshooting.html#tshoot-general)
  - [Check your AWS CLI command formatting](./cli-chap-troubleshooting.html#general-formatting)
  - [Check the AWS Region your AWS CLI command is using](./cli-chap-troubleshooting.html#general-region)
  - [Confirm that you're running a recent version of the AWS CLI](./cli-chap-troubleshooting.html#general-latest)
  - [Use the --debug option](./cli-chap-troubleshooting.html#general-debug)
  - [Enable and review the AWS CLI command history logs](./cli-chap-troubleshooting.html#tshoot-general-history)
  - [Confirm that your AWS CLI is configured](./cli-chap-troubleshooting.html#tshoot-general-config)
- [Command not found errors](./cli-chap-troubleshooting.html#tshoot-install-not-found)
- [The "aws --version" command returns a different version than you installed](./cli-chap-troubleshooting.html#tshoot-install-wrong-version)
- [The "aws --version" command returns a version after uninstalling the AWS CLI](./cli-chap-troubleshooting.html#tshoot-uninstall-1)
- [The AWS CLI processed a command with an incomplete parameter name](./cli-chap-troubleshooting.html#tshoot-parameter-abbrev)
- [Access denied errors](./cli-chap-troubleshooting.html#tshoot-access-denied)
- [Invalid credentials and key errors](./cli-chap-troubleshooting.html#tshoot-permissions-wrongcreds)
- [Signature does not match errors](./cli-chap-troubleshooting.html#tshoot-signature-does-not-match)
- [SSL certificate errors](./cli-chap-troubleshooting.html#tshoot-certificate-verify-failed)
- [Invalid JSON errors](./cli-chap-troubleshooting.html#tshoot-invalid-json)
- [Additional resources](./cli-chap-troubleshooting.html#tshoot-resources)

## General troubleshooting to try first

If you receive an error or encounter an issue with the AWS CLI, we suggest the following general tips to help you troubleshoot.

### Check your AWS CLI command formatting

If you receive an error that indicates that a command doesn't exist, or that it doesn't recognize a parameter (`Parameter validation failed`) that the documentation says is available, then your command might be formatted incorrectly. We suggest that you check the following:

- Check your command for spelling and formatting errors.
- Confirm that all [quotes and escaping appropriate for your terminal](./cli-usage-parameters-quoting-strings.html) are correct in your command.
- Generate an [AWS CLI skeleton](./cli-usage-skeleton.html) to confirm your command structure.
- For JSON, see the additional [troubleshooting for JSON values](#tshoot-invalid-json). If you're having issues with your terminal processing JSON formatting, we suggest skipping past the terminal's quoting rules by using [Blobs to pass JSON data directly to the AWS CLI](./cli-usage-parameters-types.html#parameter-type-blob).

For more information on how a specific command should be structured, see the [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/index.html).

### Check the AWS Region your AWS CLI command is using

###### Note

You must specify an AWS Region when using the AWS CLI, either explicitly or by setting a default Region. For a list of all of the AWS Regions that you can specify, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*. The AWS Region designators used by the AWS CLI are the same names that you see in AWS Management Console URLs and service endpoints.

Errors or unexpected results might occur if an AWS service isn't available for your specified AWS Region or your resources are located in a different AWS Region. In order of precedence, the AWS Region is set in the following ways:

- The `--region` command line option.
- The SDK compatible [`AWS_REGION`](./cli-configure-envvars.html#envvars-list-AWS_REGION) environment variable.
- The [`AWS_DEFAULT_REGION`](./cli-configure-envvars.html#envvars-list-AWS_DEFAULT_REGION) environment variable.
- The [region](./cli-configure-files.html#cli-config-region) profile setting.

Confirm you're using the correct AWS Region for your resources.

### Confirm that you're running a recent version of the AWS CLI

If you receive an error that indicates that a command doesn't exist, or that it doesn't recognize a parameter that the [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/index.html) says is available, first confirm that your command is correctly formatted. If the formatting is correct, then we recommend that you upgrade to the most recent version of the AWS CLI. Updated versions of the AWS CLI are released almost every business day. New AWS services, features, and parameters are introduced in those new versions of the AWS CLI. The only way to get access to those new services, features, or parameters is to upgrade to a version that was released after that element was first introduced.

How you update your version of the AWS CLI depends on how you originally installed it as described in [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html).

If you used one of the bundled installers, you might need to remove the existing installation before you download and install the latest version for your operating system.
[Back to top](#cli-chap-troubleshooting-top) ### Use the `--debug` option When the AWS CLI reports an error that you don't immediately understand, or produces results that you don't expect, you can get more detail about the error by running the command again with the `--debug` option. With this option, the AWS CLI outputs details about every step it takes to process your command. The details in the output can help you to determine when the error occurs and provides clues about where it started. You can send the output to a text file for later review, or to send to AWS Support when asked for it. When you include the `--debug` option, some of the details include: - Looking for credentials - Parsing the provided parameters - Constructing the request sent to AWS servers - The contents of the request sent to AWS - The contents of the raw response - The formatted output Here's an example of a command run with and without the `--debug` option. `$ ``aws iam list-groups --profile MyTestProfile`` { "Groups": [ { "Path": "/", "GroupName": "MyTestGroup", "GroupId": "AGPA0123456789EXAMPLE", "Arn": "arn:aws:iam::123456789012:group/MyTestGroup", "CreateDate": "2019-08-12T19:34:04Z" } ] }` `$ ``aws iam list-groups --profile MyTestProfile --debug`` 2019-08-12 12:36:18,305 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.16.215 Python/3.7.3 Linux/4.14.133-113.105.amzn2.x86_64 botocore/1.12.205 2019-08-12 12:36:18,305 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['iam', 'list-groups', '--debug'] 2019-08-12 12:36:18,305 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 2019-08-12 12:36:18,305 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 2019-08-12 12:36:18,305 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 2019-08-12 12:36:18,307 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name 
was explicitly set. 2019-08-12 12:36:18,307 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 2019-08-12 12:36:18,308 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/ec2-user/venv/lib/python3.7/site-packages/botocore/data/iam/2010-05-08/service-2.json 2019-08-12 12:36:18,317 - MainThread - botocore.hooks - DEBUG - Event building-command-table.iam: calling handler 2019-08-12 12:36:18,320 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/ec2-user/venv/lib/python3.7/site-packages/botocore/data/iam/2010-05-08/waiters-2.json 2019-08-12 12:36:18,321 - MainThread - awscli.clidriver - DEBUG - OrderedDict([('path-prefix', ), ('marker', ), ('max-items', )]) 2019-08-12 12:36:18,322 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.list-groups: calling handler 2019-08-12 12:36:18,322 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.list-groups: calling handler 2019-08-12 12:36:18,322 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.list-groups: calling handler 2019-08-12 12:36:18,326 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/ec2-user/venv/lib/python3.7/site-packages/botocore/data/iam/2010-05-08/paginators-1.json 2019-08-12 12:36:18,326 - MainThread - awscli.customizations.paginate - DEBUG - Modifying paging parameters for operation: ListGroups 2019-08-12 12:36:18,326 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.list-groups: calling handler 2019-08-12 12:36:18,326 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.iam.list-groups: calling handler > 2019-08-12 12:36:18,327 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.iam.list-groups: calling handler > 2019-08-12 12:36:18,327 - MainThread - botocore.hooks - DEBUG - Event operation-args-parsed.iam.list-groups: calling handler functools.partial(, ['marker', 
'max-items'], {'max-items': }, OrderedDict([('path-prefix', ), ('marker', ), ('max-items', ), ('cli-input-json', ), ('starting-token', ), ('page-size', ), ('generate-cli-skeleton', )])) 2019-08-12 12:36:18,328 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.list-groups.path-prefix: calling handler 2019-08-12 12:36:18,328 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.list-groups.marker: calling handler 2019-08-12 12:36:18,328 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.list-groups.max-items: calling handler 2019-08-12 12:36:18,328 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.list-groups.cli-input-json: calling handler 2019-08-12 12:36:18,328 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.list-groups.starting-token: calling handler 2019-08-12 12:36:18,328 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.list-groups.page-size: calling handler 2019-08-12 12:36:18,328 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.list-groups.generate-cli-skeleton: calling handler 2019-08-12 12:36:18,329 - MainThread - botocore.hooks - DEBUG - Event calling-command.iam.list-groups: calling handler > 2019-08-12 12:36:18,329 - MainThread - botocore.hooks - DEBUG - Event calling-command.iam.list-groups: calling handler > 2019-08-12 12:36:18,329 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role 2019-08-12 12:36:18,329 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity 2019-08-12 12:36:18,329 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file 2019-08-12 12:36:18,329 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials 2019-08-12 12:36:18,330 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/ec2-user/venv/lib/python3.7/site-packages/botocore/data/endpoints.json 
2019-08-12 12:36:18,334 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler 2019-08-12 12:36:18,337 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.iam: calling handler 2019-08-12 12:36:18,337 - MainThread - botocore.regions - DEBUG - Using partition endpoint for iam, us-west-2: aws-global 2019-08-12 12:36:18,337 - MainThread - botocore.args - DEBUG - The s3 config key is not a dictionary type, ignoring its value of: None 2019-08-12 12:36:18,340 - MainThread - botocore.endpoint - DEBUG - Setting iam timeout as (60, 60) 2019-08-12 12:36:18,341 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/ec2-user/venv/lib/python3.7/site-packages/botocore/data/_retry.json 2019-08-12 12:36:18,341 - MainThread - botocore.client - DEBUG - Registering retry handlers for service: iam 2019-08-12 12:36:18,342 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.iam.ListGroups: calling handler 2019-08-12 12:36:18,342 - MainThread - botocore.hooks - DEBUG - Event before-call.iam.ListGroups: calling handler 2019-08-12 12:36:18,343 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=ListGroups) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/1.16.215 Python/3.7.3 Linux/4.14.133-113.105.amzn2.x86_64 botocore/1.12.205'}, 'body': {'Action': 'ListGroups', 'Version': '2010-05-08'}, 'url': 'https://iam.amazonaws.com/', 'context': {'client_region': 'aws-global', 'client_config': , 'has_streaming_input': False, 'auth_type': None}} 2019-08-12 12:36:18,343 - MainThread - botocore.hooks - DEBUG - Event request-created.iam.ListGroups: calling handler > 2019-08-12 12:36:18,343 - MainThread - botocore.hooks - DEBUG - Event choose-signer.iam.ListGroups: calling handler 2019-08-12 12:36:18,343 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth. 
2019-08-12 12:36:18,343 - MainThread - botocore.auth - DEBUG - CanonicalRequest: POST / content-type:application/x-www-form-urlencoded; charset=utf-8 host:iam.amazonaws.com x-amz-date:20190812T193618Z content-type;host;x-amz-date 5f776d91EXAMPLE9b8cb5eb5d6d4a787a33ae41c8cd6eEXAMPLEca69080e1e1f 2019-08-12 12:36:18,344 - MainThread - botocore.auth - DEBUG - StringToSign: AWS4-HMAC-SHA256 20190812T193618Z 20190812/us-east-1/iam/aws4_request ab7e367eEXAMPLE2769f178ea509978cf8bfa054874b3EXAMPLE8d043fab6cc9 2019-08-12 12:36:18,344 - MainThread - botocore.auth - DEBUG - Signature: d85a0EXAMPLEb40164f2f539cdc76d4f294fe822EXAMPLE18ad1ddf58a1a3ce7 2019-08-12 12:36:18,344 - MainThread - botocore.endpoint - DEBUG - Sending http request: 2019-08-12 12:36:18,344 - MainThread - urllib3.util.retry - DEBUG - Converted retries value: False -> Retry(total=False, connect=None, read=None, redirect=0, status=None) 2019-08-12 12:36:18,344 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): iam.amazonaws.com:443 2019-08-12 12:36:18,664 - MainThread - urllib3.connectionpool - DEBUG - https://iam.amazonaws.com:443 "POST / HTTP/1.1" 200 570 2019-08-12 12:36:18,664 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amzn-RequestId': '74c11606-bd38-11e9-9c82-559da0adb349', 'Content-Type': 'text/xml', 'Content-Length': '570', 'Date': 'Mon, 12 Aug 2019 19:36:18 GMT'} 2019-08-12 12:36:18,664 - MainThread - botocore.parsers - DEBUG - Response body: b'\n \n false\n \n \n /\n MyTestGroup\n arn:aws:iam::123456789012:group/MyTestGroup\n AGPA1234567890EXAMPLE\n 2019-08-12T19:34:04Z\n \n \n \n \n 74c11606-bd38-11e9-9c82-559da0adb349\n \n\n' 2019-08-12 12:36:18,665 - MainThread - botocore.hooks - DEBUG - Event needs-retry.iam.ListGroups: calling handler 2019-08-12 12:36:18,665 - MainThread - botocore.retryhandler - DEBUG - No retry needed. 
2019-08-12 12:36:18,665 - MainThread - botocore.hooks - DEBUG - Event after-call.iam.ListGroups: calling handler { "Groups": [ { "Path": "/", "GroupName": "MyTestGroup", "GroupId": "AGPA123456789012EXAMPLE", "Arn": "arn:aws:iam::123456789012:group/MyTestGroup", "CreateDate": "2019-08-12T19:34:04Z" } ] }`

### Enable and review the AWS CLI command history logs

You can enable the AWS CLI command history logs using the [`cli_history`](./cli-configure-files.html#cli-config-cli_history) file setting. After enabling this setting, the AWS CLI records the history of `aws` commands.

You can then list your history using the `aws history list` command, and use the resulting command_ids in the `aws history show` command for details. For more information, see [`aws history`](https://docs.aws.amazon.com/cli/latest/reference/history/index.html) in the *AWS CLI reference guide*.

When you include the `--debug` option, some of the details include:

- API calls made to botocore
- Status codes
- HTTP responses
- Headers
- Return codes

You can use this information to confirm that parameter data and API calls are behaving in the way you expect, and can then deduce at what step in the process your command is failing.

### Confirm that your AWS CLI is configured

Various errors can occur if your `config` and `credentials` files or your IAM user or role is not configured correctly. For more information on resolving errors with `config` and `credentials` files or your IAM user or roles, see [Access denied errors](#tshoot-access-denied) and [Invalid credentials and key errors](#tshoot-permissions-wrongcreds).

## Command not found errors

This error means that the operating system can't find the AWS CLI command. The installation might be incomplete or require updating.

**Possible cause: You're trying to use an AWS CLI feature newer than your installed version, or have incorrect formatting**

*Example error text:*

```
$ aws s3 copy
aws: [ERROR]: argument operation: Found invalid choice 'copy'
usage: aws [options] [ ...] [parameters]
To see help text, you can run:
aws help
aws help
aws help
```

Various errors can occur if your command is formatted incorrectly or you are using an earlier version from before the feature was released. For more information on resolving errors around these two issues, see [Check your AWS CLI command formatting](#general-formatting) and [Confirm that you're running a recent version of the AWS CLI](#general-latest).

**Possible cause: The terminal needs to be restarted after installation**

*Example error text:*

```
$ aws --version
command not found: aws
```

If the `aws` command cannot be found after first installing or updating the AWS CLI, you might need to restart your terminal for it to recognize any `PATH` updates.

**Possible cause: The AWS CLI did not fully install**

*Example error text:*

```
$ aws --version
command not found: aws
```

If the `aws` command cannot be found after first installing or updating the AWS CLI, it might not have been fully installed. Try reinstalling by following the steps for your platform in [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html).

**Possible cause: The AWS CLI does not have permissions (Linux)**

If the `aws` command cannot be found after first installing or updating the AWS CLI on Linux, it might not have `execute` permissions for the folder it installed in. Run the following command with the `PATH` to your AWS CLI installation, to provide [`chmod`](https://en.wikipedia.org/wiki/Chmod) permissions to the AWS CLI:

```
$ sudo chmod -R 755 /usr/local/aws-cli/
```

**Possible cause: The operating system `PATH` was not updated during installation**

*Example error text:*

```
$ aws --version
command not found: aws
```

You might need to add the `aws` executable to your operating system's `PATH` environment variable. To add the AWS CLI to your `PATH`, use the following instructions for your operating system.

## The "`aws --version`" command returns a different version than you installed

Your terminal might be returning a different `PATH` for the AWS CLI than you expect.

**Possible cause: The terminal needs to be restarted after installing**

If the `aws` command shows the wrong version, you might need to restart your terminal for it to recognize any `PATH` updates. All open terminals need to be closed, not just your active terminal.

**Possible cause: The system needs to be restarted after installing**

If the `aws` command shows the wrong version and restarting the terminal didn't work, you might need to restart your system for it to recognize your `PATH` updates.

**Possible cause: You have multiple versions of the AWS CLI**

If you updated the AWS CLI and used a different install method than your pre-existing installation, it might cause multiple versions to be installed. For example, if on Linux or macOS you used `pip` for your current install, but tried to update using the `.pkg` install file, this could cause some conflicts, especially with your `PATH` pointing to the old version.

To resolve this, [uninstall all versions of the AWS CLI](#tshoot-uninstall-multiple-version) and perform a clean install.
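To see which of the causes above applies before uninstalling anything, the following added example (not part of the AWS documentation) walks a `PATH` string in lookup order and classifies every file named `aws`. The function names `list_on_path` and `path_status` and the verdict strings are assumptions made for this sketch.

```bash
#!/bin/sh
# Added diagnostic sketch: walk a PATH string the way the shell does and report
# every file named NAME, so shadowed or non-executable copies become visible.

# list_on_path NAME [PATH_STRING]
# One line per hit, in lookup order: "<state><TAB><path>", where state is
#   active          first executable hit; this is what the shell runs
#   shadowed        executable, but hidden behind an earlier hit
#   not-executable  file exists but lacks execute permission for this user
list_on_path() (
    name=$1
    search=${2-$PATH}
    found_active=no
    IFS=:        # split the PATH string on ':' only
    set -f       # no globbing: directory names are taken literally
    for dir in $search; do
        [ -n "$dir" ] || dir=.      # an empty entry means the current directory
        candidate=$dir/$name
        [ -f "$candidate" ] || continue
        if [ ! -x "$candidate" ]; then
            printf 'not-executable\t%s\n' "$candidate"
        elif [ "$found_active" = no ]; then
            printf 'active\t%s\n' "$candidate"
            found_active=yes
        else
            printf 'shadowed\t%s\n' "$candidate"
        fi
    done
)

# path_status NAME [PATH_STRING]
# Prints one verdict that maps onto the causes described in this section:
#   not-found              no file of that name anywhere on PATH
#   no-execute-permission  found, but no copy can be run by this user
#   ok                     exactly one runnable copy
#   multiple-installs      several runnable copies; the first one wins
path_status() (
    runnable=0
    blocked=0
    while read -r state rest; do
        case $state in
            active|shadowed) runnable=$((runnable + 1)) ;;
            not-executable)  blocked=$((blocked + 1)) ;;
        esac
    done <<EOF
$(list_on_path "$@")
EOF
    if [ "$runnable" -gt 1 ]; then
        echo multiple-installs
    elif [ "$runnable" -eq 1 ]; then
        echo ok
    elif [ "$blocked" -gt 0 ]; then
        echo no-execute-permission
    else
        echo not-found
    fi
)

# Report on the current environment.
list_on_path aws
path_status aws
```

A `multiple-installs` verdict together with the `active` line shows which copy answers `aws --version`, and therefore which installation method has to be used to remove it.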
After uninstalling all versions, follow instructions appropriate for your operating system to install your desired version of the [AWS CLI version 1](https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-install.html) or [AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

###### Note

If this is happening after you installed the AWS CLI version 2 with a pre-existing install of AWS CLI version 1, follow the migration instructions in [Installing AWS CLI version 2 from AWS CLI version 1](./cliv2-migration-instructions.html).

## The "`aws --version`" command returns a version after uninstalling the AWS CLI

This often occurs when there is still an AWS CLI installed somewhere on your system.

**Possible cause: The terminal needs to be restarted after uninstalling**

If the `aws --version` command still works, you might need to restart your terminal for it to recognize any terminal updates.

**Possible cause: You have multiple versions of the AWS CLI on your system, or didn't use the same uninstall method that you used to originally install the AWS CLI**

The AWS CLI might not uninstall correctly if you uninstalled the AWS CLI using a different method than you used to install it, or if you installed multiple versions. For example, if you used `pip` for your current install, you must use `pip` to uninstall it. To resolve this, uninstall AWS CLI using the same method that you used to install it.

- Follow the instructions appropriate for your operating system and your original installation method to uninstall the [AWS CLI version 1](https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-install.html) and [AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/uninstall.html).
- Close all terminals you have open.
- Open your preferred terminal, enter the following command, and confirm that no version is returned.

```
$ aws --version
command not found: aws
```

If you still have a version listed in the output, the AWS CLI was most likely installed using a different method or there are multiple versions. If you don't know which method you used to install the AWS CLI, follow the instructions for each uninstall method for the [AWS CLI version 1](https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-install.html) and [AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/uninstall.html) appropriate to your operating system until no version output is received.

###### Note

If you used a package manager to install the AWS CLI (`pip`, `apt`, `brew`, etc.), you must use the same package manager to uninstall it. Be sure to follow the instructions provided by the package manager on how to uninstall all versions of a package.

## The AWS CLI processed a command with an incomplete parameter name

**Possible cause: You used a recognized abbreviation of the AWS CLI parameter**

Since the AWS CLI is built using Python, the AWS CLI uses the Python `argparse` library, including the [`allow_abbrev`](https://docs.python.org/3/library/argparse.html#allow-abbrev) argument. Abbreviations of parameters are recognized by the AWS CLI and processed.

The following [`create-change-set`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-change-set.html) command example changes the CloudFormation stack name. The parameter `--change-set-n` is recognized as an abbreviation of `--change-set-name`, and the AWS CLI processes the command.

```
$ aws cloudformation create-change-set --stack-name my-stack --change-set-n my-change-set
```

When your abbreviation could be multiple commands, the parameter will not be recognized as an abbreviation.

The following [`create-change-set`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-change-set.html) command example changes the CloudFormation stack name. The parameter `--change-set-` is **not** recognized as an abbreviation, as there are multiple parameters it could be an abbreviation of, such as `--change-set-name` and `--change-set-type`. Therefore the AWS CLI does **not** process the command.

```
$ aws cloudformation create-change-set --stack-name my-stack --change-set- my-change-set
```

###### Warning

**Do not** purposefully use parameter abbreviations. They are unreliable and are not backwards compatible. If any new parameters are added to a command that confuse your abbreviations, it will break your commands.

Additionally, if the parameter is a single-value argument, it can cause unexpected behavior with your commands. If multiple instances of a single-value argument are passed, only the last instance will run. In the following example, the parameter `--filters` is a single-valued argument. The parameters `--filters` and `--filter` are specified. The `--filter` parameter is an abbreviation of `--filters`. This causes two instances of `--filters` to be applied, and only the last `--filter` argument applies.

```
$ aws ec2 describe-vpc-peering-connections \
    --filters Name=tag:TagName,Values=VpcPeeringConnection \
    --filter Name=status-code,Values=active
```

Confirm you are using valid parameters before running a command to prevent unexpected behavior.

## Access denied errors

**Possible cause: The AWS CLI program file doesn't have "run" permission**

On Linux or macOS, make sure that the `aws` program has run permissions for the calling user. Typically, the permissions are set to `755`.

To add run permission for your user, run the following command, substituting `~/.local/bin/aws` with the path to the program on your computer.

```
$ chmod +x ~/.local/bin/aws
```

**Possible cause: Your IAM identity doesn't have permission to perform the operation**

*Example error text:*

```
$ aws s3 ls
An error occurred (AcessDenied) when calling the ListBuckets operation: Access denied.
```

When you run an AWS CLI command, AWS operations are performed on your behalf, using credentials that associate you with an IAM account or role. The policies attached must grant you permission to call the API actions that correspond to the commands that you run with the AWS CLI.

Most commands call a single action with a name that matches the command name. However, custom commands like `aws s3 sync` call multiple APIs. You can see which APIs a command calls by using the `--debug` option.

If you are sure that the user or role has the proper permissions assigned by policy, make sure that your AWS CLI command is using the credentials you expect. See the [next section about credentials](#tshoot-permissions-wrongcreds) to verify that the credentials the AWS CLI is using are the ones that you expect.

For information about assigning IAM permissions, see [Overview of Access Management: Permissions and Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html) in the *IAM User Guide*.

## Invalid credentials and key errors

*Example error text:*

```
$ aws s3 ls
An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.
```

```
$ aws s3 ls
An error occurred (InvalidClientTokenId) when calling the ListBuckets operation: The security token included in the request is invalid.
```

**Possible cause: The AWS CLI is reading incorrect credentials or from an unexpected location**

The AWS CLI might be reading credentials from a different location than you expect, or your key pair information is incorrect.
You can run `aws configure list` to confirm which credentials are used.

The following example shows how to check the credentials used for the default profile.

```
$ aws configure list
NAME       : VALUE                : TYPE                    : LOCATION
profile    :                      : None                    : None
access_key : ****************ABCD : shared-credentials-file :
secret_key : ****************ABCD : shared-credentials-file :
region     : us-west-2            : env                     : AWS_DEFAULT_REGION
```

The following example shows how to check the credentials of a named profile.

```
$ aws configure list --profile dev01
NAME       : VALUE                : TYPE                    : LOCATION
profile    : dev01                : None                    : --profile
access_key : ****************ABCD : shared-credentials-file :
secret_key : ****************ABCD : shared-credentials-file :
region     : us-west-2            : config-file             : ~/.aws/config
```

To confirm your key pair details, check your `config` and `credentials` files. For more information on `config` and `credentials` files, see [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html). For more information on credentials and authentication, including credentials precedence, see [Authentication and access credentials for the AWS CLI](./cli-chap-authentication.html).

**Possible cause: Your computer's clock is out of sync**

If you are using valid credentials, your clock might be out of sync. On Linux or macOS, run `date` to check the time.

```
$ date
```

If your system clock is not correct within a few minutes, use `ntpd` to sync it.

```
$ sudo service ntpd stop
$ sudo ntpdate time.nist.gov
$ sudo service ntpd start
$ ntpstat
```

On Windows, use the date and time options in the Control Panel to configure your system clock.

## Signature does not match errors

*Example error text:*

```
$ aws s3 ls
An error occurred (SignatureDoesNotMatch) when calling the ListBuckets operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.
```

When the AWS CLI runs a command, it sends an encrypted request to the AWS servers to perform the appropriate AWS service operations. Your credentials (the access key and secret key) are involved in the encryption and enable AWS to authenticate the person making the request. There are several things that can interfere with the correct operation of this process, as follows.

**Possible cause: Your clock is out of sync with the AWS servers**

To help protect against [replay attacks](https://wikipedia.org/wiki/Replay_attack), the current time can be used during the encryption/decryption process. If the time of the client and server disagree by more than the allowed amount, the process can fail and the request is rejected. This can also happen when you run a command in a virtual machine whose clock is out of sync with the host machine's clock. One possible cause is when the virtual machine hibernates and takes some time after waking up to sync the clock with the host machine.

On Linux or macOS, run `date` to check the time.

```
$ date
```

If your system clock is not correct within a few minutes, use `ntpd` to sync it.

```
$ sudo service ntpd stop
$ sudo ntpdate time.nist.gov
$ sudo service ntpd start
$ ntpstat
```

On Windows, use the date and time options in the Control Panel to configure your system clock.

**Possible cause: Your operating system is mishandling AWS keys that contain certain special characters**

If your AWS keys include certain special characters, such as `-`, `+`, `/`, or `%`, some operating system variants process the string improperly and cause the key string to be interpreted incorrectly.
If you process your keys using other tools or scripts, such as tools that build the credentials file on a new instance as part of its creation, those tools and scripts might have their own handling of special characters that causes them to be transformed into something that AWS no longer recognizes.

We suggest regenerating the secret key to get one that does not include the special character causing issues.

## SSL certificate errors

**Possible cause: The AWS CLI doesn't trust your proxy's certificate**

*Example error text:*

```
$ aws s3 ls
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
```

When you use an AWS CLI command, you receive an `[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed` error message. This is caused by the AWS CLI not trusting your proxy's certificate due to factors such as your proxy's certificate being self-signed, with your company set as the Certification Authority (CA). This prevents the AWS CLI from finding your company's CA root certificate in the local CA registry.

To fix this, instruct the AWS CLI where to find your company's `.pem` file using the [`ca_bundle`](./cli-configure-files.html#cli-config-ca_bundle) configuration file setting, **[--ca-bundle](./cli-configure-options.html#cli-configure-options-ca-bundle)** command line option, or the [`AWS_CA_BUNDLE`](./cli-configure-envvars.html#envvars-list-AWS_CA_BUNDLE) environment variable.

**Possible cause: Your configuration isn't pointing to the correct CA root certificate location**

*Example error text:*

```
$ aws s3 ls
SSL validation failed for regionname [Errno 2] No such file or directory
```

This is caused by your Certification Authority (CA) bundle file location being configured incorrectly in the AWS CLI.
To fix this, confirm where your company's `.pem` file is located and update the AWS CLI configuration by using the [`ca_bundle`](./cli-configure-files.html#cli-config-ca_bundle) configuration file setting, **[--ca-bundle](./cli-configure-options.html#cli-configure-options-ca-bundle)** command line option, or the [`AWS_CA_BUNDLE`](./cli-configure-envvars.html#envvars-list-AWS_CA_BUNDLE) environment variable.

**Possible cause: Your configuration isn't using the correct AWS Region**

*Example error text:*

```
$ aws s3 ls
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
```

Errors or unexpected results might occur if an AWS service isn't available for your specified AWS Region or your resources are located in a different AWS Region. For troubleshooting steps, see [Check the AWS Region your AWS CLI command is using](#general-region).

**Possible cause: Your TLS version needs to be updated**

*Example error text:*

```
$ aws s3 ls
[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled
```

The AWS service is using a version of TLS that is incompatible with your device's TLS version. To resolve this issue, update to a supported TLS version. For more information, see [Enforcing a minimum version of TLS for the AWS CLI](./cli-security-enforcing-tls.html).

## Invalid JSON errors

*Example error text:*

```
$ aws dynamodb update-table \
    --provisioned-throughput '{"ReadCapacityUnits":15,WriteCapacityUnits":10}' \
    --table-name MyDDBTable

Error parsing parameter '--provisioned-throughput': Invalid JSON: Expecting property name enclosed in double quotes: line 1 column 25 (char 24)
JSON received: {"ReadCapacityUnits":15,WriteCapacityUnits":10}
```

When you use an AWS CLI command, you receive an "`Invalid JSON`" error message.
This is usually an error seen when you enter a command with an expected JSON format and the AWS CLI cannot read your JSON correctly.

**Possible cause: You did not enter valid JSON for the AWS CLI to use**

Confirm you have valid JSON entered for your command. We suggest using a JSON validator for JSON you're having issues formatting.

For more advanced JSON usage in the command line, consider using a command line JSON processor, like `jq`, to create JSON strings. For more information on `jq`, see the [jq repository](http://stedolan.github.io/jq/) on *GitHub*.

**Possible cause: Your terminal's quoting rules are preventing valid JSON being sent to the AWS CLI**

Before the AWS CLI receives anything from a command, your terminal processes the command using its own quoting and escaping rules. Due to a terminal's formatting rules, some of your JSON content may be stripped before the command is passed to the AWS CLI. When formulating commands, be sure to use your [terminal's quoting rules](./cli-usage-parameters-quoting-strings.html).

To troubleshoot, use the `echo` command to see how the shell is handling your parameters:

```
$ echo {"ReadCapacityUnits":15,"WriteCapacityUnits":10}
ReadCapacityUnits:15 WriteCapacityUnits:10
```

```
$ echo '{"ReadCapacityUnits":15,"WriteCapacityUnits":10}'
{"ReadCapacityUnits":15,"WriteCapacityUnits":10}
```

Modify your command until valid JSON is returned.
For more in-depth troubleshooting, use the `--debug` parameter to view the debug logs, which display exactly what was passed to the AWS CLI:

```
$ aws dynamodb update-table \
    --provisioned-throughput '{"ReadCapacityUnits":15,WriteCapacityUnits":10}' \
    --table-name MyDDBTable \
    --debug

2022-07-19 22:25:07,741 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.18.147 Python/2.7.18 Linux/5.4.196-119.356.amzn2int.x86_64 botocore/1.18.6
2022-07-19 22:25:07,741 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['dynamodb', 'update-table', '--provisioned-throughput', '{"ReadCapacityUnits":15,WriteCapacityUnits":10}', '--table-name', 'MyDDBTable', '--debug']
```

Use your terminal's quoting rules to fix any issues your JSON input has when being sent to the AWS CLI. For more information on quoting rules, see [Using quotation marks and literals with strings in the AWS CLI](./cli-usage-parameters-quoting-strings.html).

###### Note

If you're having issues with getting valid JSON to the AWS CLI, we recommend bypassing a terminal's quoting rules for JSON data input by using Blobs to pass your JSON data directly to the AWS CLI. For more information on Blobs, see [Blob](./cli-usage-parameters-types.html#parameter-type-blob).

## Additional resources

For additional help with your AWS CLI issues, visit the [AWS CLI community](https://github.com/aws/aws-cli/issues) on *GitHub* or the [AWS re:Post community](https://repost.aws/).

---

# Using the AWS CLI

> Use the AWS Command Line Interface with the common features and calling patterns.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-using.html

---

# Using the AWS CLI

This section provides a comprehensive overview of the general use, common features, and options available in the AWS Command Line Interface (AWS CLI), going beyond the details covered in the Configuration [Using endpoints in the AWS CLI](./cli-configure-endpoints.html) section.

This guide delves into the fundamental aspects of writing AWS CLI commands, including their basic structure, formatting, and filtering capabilities. By understanding these core elements, you'll be able to construct commands that precisely target the resources and actions you require, without the need to navigate complex web-based consoles.

Additionally, this highlights the help content and documentation available for the AWS CLI. From the built-in command line help to the comprehensive [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/), you'll have access to information to assist you in exploring the features and capabilities of the AWS CLI.

For AWS service specific examples and use cases, see [Examples for the AWS CLI](./cli-chap-code-examples.html) or the [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/). These provide command specific information and demonstrate examples on how to leverage the AWS CLI for various AWS services.

###### Note

By default, the AWS CLI sends requests to AWS services by using HTTPS on TCP port 443. To ensure successful use of the AWS CLI, you must be able to make outbound connections on this port.
###### Topics in this guide

- [Accessing help and resources for the AWS CLI](./cli-usage-help.html)
- [Command structure in the AWS CLI](./cli-usage-commandstructure.html)
- [Specifying parameter values in the AWS CLI](./cli-usage-parameters.html)
- [Enabling and using command prompts in the AWS CLI](./cli-usage-parameters-prompting.html)
- [Controlling command output in the AWS CLI](./cli-usage-output.html)
- [Command line return codes in the AWS CLI](./cli-usage-returncodes.html)
- [Using custom wizards to run interactive commands in the AWS CLI](./cli-usage-wizard.html)
- [Creating and using aliases in the AWS CLI](./cli-usage-alias.html)
- [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html)

---

# About the AWS CLI

> Use the AWS CLI to control AWS services from the command line of your preferred terminal and automate them using scripts.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html

---

# What is the AWS Command Line Interface?

The AWS Command Line Interface (AWS CLI) is an open source tool that enables you to interact with AWS services using commands in your command-line shell. With minimal configuration, the AWS CLI enables you to start running commands that implement functionality equivalent to that provided by the browser-based AWS Management Console from the command prompt in your terminal program:

- **Linux shells** – Use common shell programs such as [`bash`](https://www.gnu.org/software/bash/), [`zsh`](http://www.zsh.org/), and [`tcsh`](https://www.tcsh.org/) to run commands in Linux or macOS.
- **Windows command line** – On Windows, run commands at the Windows command prompt or in PowerShell.
- **Remotely** – Run commands on Amazon Elastic Compute Cloud (Amazon EC2) instances through a remote terminal program such as PuTTY or SSH, or with AWS Systems Manager.

All IaaS (infrastructure as a service) AWS administration, management, and access functions in the AWS Management Console are available in the AWS API and AWS CLI. New AWS IaaS features and services provide full AWS Management Console functionality through the API and CLI at launch or within 180 days of launch.

The AWS CLI provides direct access to the public APIs of AWS services. You can explore a service's capabilities with the AWS CLI, and develop shell scripts to manage your resources. In addition to the low-level, API-equivalent commands, several AWS services provide customizations for the AWS CLI. Customizations can include higher-level commands that simplify using a service with a complex API.

## About AWS CLI version 2

The AWS CLI version 2 is the most recent major version of the AWS CLI and supports all of the latest features. Some features introduced in version 2 are not backported to version 1 and you must upgrade to access those features. There are some "breaking" changes from version 1 that might require you to change your scripts. For a list of breaking changes in version 2, see [Migration guide for the AWS CLI version 2](./cliv2-migration.html).

The AWS CLI version 2 is available to install only as a bundled installer. While you might find it in package managers, these are unsupported and unofficial packages that are not produced or managed by AWS. We recommend that you install the AWS CLI from only the official AWS distribution points, as documented in this guide.

To install the AWS CLI version 2, see [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html).
To check the currently installed version, use the following command:

```
$ aws --version
aws-cli/2.27.41 Python/3.11.6 Linux/5.10.205-195.807.amzn2.x86_64 botocore/1.18.6
```

For version history, see the [AWS CLI version 2 Changelog](https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst) on *GitHub*.

## Maintenance and support for SDK major versions

For information about maintenance and support for SDK major versions and their underlying dependencies, see the following in the [AWS SDKs and Tools Reference Guide](https://docs.aws.amazon.com/sdkref/latest/guide/overview.html):

- [AWS SDKs and tools maintenance policy](https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html)
- [AWS SDKs and tools version support matrix](https://docs.aws.amazon.com/sdkref/latest/guide/version-support-matrix.html)

## About Amazon Web Services

Amazon Web Services (AWS) is a collection of digital infrastructure services that developers can leverage when developing their applications. The services include computing, storage, database, and application synchronization (messaging and queuing).

AWS uses a pay-as-you-go service model. You are charged only for the services that you—or your applications—use. Also, to make AWS more approachable as a platform for prototyping and experimentation, AWS offers a free usage tier. On this tier, services are free below a certain level of usage. For more information about AWS costs and the Free Tier, see [AWS Free Tier](https://aws.amazon.com/free/). To obtain an AWS account, open the [AWS home page](https://aws.amazon.com/) and then choose **Create an AWS Account**.

---

# Command completion

> The AWS CLI includes a bash-compatible command-completion feature that enables you to use the Tab key to complete a partially entered command.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-completion.html

---

# Configuring command completion in the AWS CLI

The AWS Command Line Interface (AWS CLI) includes a bash-compatible command-completion feature that enables you to use the **Tab** key to complete a partially entered command. On most systems you need to configure this manually.

For information on the AWS CLI version 2 auto-prompt feature instead, see [Enabling and using command prompts in the AWS CLI](./cli-usage-parameters-prompting.html).

###### Topics

- [How it works](#cli-command-completion-about)
- [Configuring command completion on Linux or macOS](#cli-command-completion-linux)
- [Configuring command completion on Windows](#cli-command-completion-windows)

## How it works

When you partially enter a command, parameter, or option, the command-completion feature either automatically completes your command or displays a suggested list of commands. To prompt command completion, you partially enter a command and press the completion key, which is typically `Tab` in most shells.

The following examples show different ways that you can use command completion:

- Partially enter a command and press `Tab` to display a suggested list of commands.

  ```
  $ aws dynamodb d<TAB>
  delete-backup                        describe-global-table
  delete-item                          describe-global-table-settings
  delete-table                         describe-limits
  describe-backup                      describe-table
  describe-continuous-backups          describe-table-replica-auto-scaling
  describe-contributor-insights        describe-time-to-live
  describe-endpoints
  ```

- Partially enter a parameter and press `Tab` to display a suggested list of parameters.
  ```
  $ aws dynamodb delete-table --<TAB>
  --ca-bundle              --endpoint-url           --profile
  --cli-connect-timeout    --generate-cli-skeleton  --query
  --cli-input-json         --no-paginate            --region
  --cli-read-timeout       --no-sign-request        --table-name
  --color                  --no-verify-ssl          --version
  --debug                  --output
  ```

- Enter a parameter and press `Tab` to display a suggested list of resource values. This feature is available only in the AWS CLI version 2.

  ```
  $ aws dynamodb delete-table --table-name <TAB>
  Table 1 Table 2 Table 3
  ```

## Configuring command completion on Linux or macOS

To configure command completion on Linux or macOS, you must know the name of the shell you're using and the location of the `aws_completer` script.

###### Note

Command completion is automatically configured and enabled by default on Amazon EC2 instances that run Amazon Linux.

###### Topics

- [Confirm the completer's folder is in your path](#cli-command-completion-path)
- [Enable command completion](#cli-command-completion-enable)
- [Verify command completion](#cli-command-completion-test)

### Confirm the completer's folder is in your path

For the AWS completer to work successfully, the `aws_completer` needs to be in your shell's path. The `which` command can check if the completer is in your path.

```
$ which aws_completer
/usr/local/bin/aws_completer
```

If the `which` command can't find the completer, then use the following steps to add the completer's folder to your path.

#### Step 1: Locate the AWS completer

The location of the AWS completer can vary depending on the installation method used.

- **Package Manager** - Programs such as `pip`, `yum`, `brew`, and `apt-get` typically install the AWS completer (or a symlink to it) to a standard path location.
  - If you used `pip` **without** the `--user` parameter, the default path is `/usr/local/bin/aws_completer`.
  - If you used `pip` **with** the `--user` parameter, the default path is `/home/username/.local/bin/aws_completer`.
- **Bundled Installer** - If you used the bundled installer, the default path is `/usr/local/bin/aws_completer`.

If all else fails, you can use the `find` command to search your file system for the AWS completer.

```
$ find / -name aws_completer
/usr/local/bin/aws_completer
```

#### Step 2: Identify your shell

To identify which shell you're using, you can use one of the following commands.

- **echo $SHELL** – Displays the shell's program file name. This usually matches the name of the in-use shell, unless you launched a different shell after logging in.

  ```
  $ echo $SHELL
  /bin/bash
  ```

- **ps** – Displays the processes running for the current user. One of them is the shell.

  ```
  $ ps
    PID TTY          TIME CMD
   2148 pts/1    00:00:00 bash
   8756 pts/1    00:00:00 ps
  ```

#### Step 3: Add the completer to your path

- Find your shell's profile script in your user folder.

  ```
  $ ls -a ~/
  .  ..  .bash_logout  .bash_profile  .bashrc  Desktop  Documents  Downloads
  ```

  - **Bash** – `.bash_profile`, `.profile`, or `.bash_login`
  - **Zsh** – `.zshrc`
  - **Tcsh** – `.tcshrc`, `.cshrc`, or `.login`

- Add an export command at the end of your profile script that's similar to the following example. Replace `/usr/local/bin/` with the folder that you discovered in the previous section.

  ```
  export PATH=/usr/local/bin/:$PATH
  ```

- Reload the profile into the current session to put those changes into effect. Replace `.bash_profile` with the name of the shell script you discovered in the first section.

  ```
  $ source ~/.bash_profile
  ```

### Enable command completion

After confirming the completer is in your path, enable command completion by running the appropriate command for the shell that you're using. You can add the command to your shell's profile to run it each time you open a new shell. In each command, replace the `/usr/local/bin/` path with the one found on your system in [Confirm the completer's folder is in your path](#cli-command-completion-path).

- **`bash`** – Use the built-in command `complete`.
  ```
  $ complete -C '/usr/local/bin/aws_completer' aws
  ```

  Add the previous command to `~/.bashrc` to run it each time you open a new shell. Your `~/.bash_profile` should source `~/.bashrc` to ensure that the command is also run in login shells.

- **`zsh`** – To run command completion, you need to run `bashcompinit` by adding the following autoload lines at the end of your `~/.zshrc` profile script.

  ```
  $ autoload bashcompinit && bashcompinit
  $ autoload -Uz compinit && compinit
  ```

  To enable command completion, use the built-in command `complete`.

  ```
  $ complete -C '/usr/local/bin/aws_completer' aws
  ```

  Add the previous commands to `~/.zshrc` to run them each time you open a new shell.

- **`tcsh`** – Complete for `tcsh` takes a word type and pattern to define the completion behavior.

  ```
  > complete aws 'p/*/`aws_completer`/'
  ```

  Add the previous command to `~/.tcshrc` to run it each time you open a new shell.

After you've enabled command completion, [Verify command completion](#cli-command-completion-test) is working.

### Verify command completion

After enabling command completion, reload your shell, enter a partial command, and press **Tab** to see the available commands.

```
$ aws s<TAB>
s3 ses sqs sts swf s3api sns storagegateway support
```

## Configuring command completion on Windows

###### Note

For information on how PowerShell handles its completion, including its various completion keys, see [about_Tab_Expansion](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_tab_expansion) in the *Microsoft PowerShell Docs*.

To enable command completion for PowerShell on Windows, complete the following steps in PowerShell.

- Open your `$PROFILE` with the following command.

  ```
  PS C:\> Notepad $PROFILE
  ```

  If you do not have a `$PROFILE`, create a user profile using the following command.
  ```
  PS C:\> if (!(Test-Path -Path $PROFILE )) { New-Item -Type File -Path $PROFILE -Force }
  ```

  For more information on PowerShell profiles, see [How to Use Profiles in Windows PowerShell ISE](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/ise/how-to-use-profiles-in-windows-powershell-ise) on the *Microsoft Docs* website.

- To enable command completion, add the following code block to your profile, save, and then close the file.

  ```
  Register-ArgumentCompleter -Native -CommandName aws -ScriptBlock {
      param($commandName, $wordToComplete, $cursorPosition)
          $env:COMP_LINE=$wordToComplete
          if ($env:COMP_LINE.Length -lt $cursorPosition){
              $env:COMP_LINE=$env:COMP_LINE + " "
          }
          $env:COMP_POINT=$cursorPosition
          aws_completer.exe | ForEach-Object {
              [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
          }
          Remove-Item Env:\COMP_LINE
          Remove-Item Env:\COMP_POINT
  }
  ```

- After enabling command completion, reload your shell, enter a partial command, and press **Tab** to cycle through the available commands.

  ```
  $ aws s<Tab>
  $ aws s3
  ```

  To see all commands available for completion, enter a partial command and press **Ctrl** + **Space**.

  ```
  $ aws s<Ctrl + Space>
  s3 ses sqs sts swf s3api sns storagegateway support
  ```

---

# Endpoints

> The AWS CLI automatically uses the default endpoint for each service in an AWS Region, but you can specify an alternate endpoint for your API requests.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-endpoints.html

---

# Using endpoints in the AWS CLI

To connect programmatically to an AWS service, you use an endpoint. An *endpoint* is the URL of the entry point for an AWS web service.
The AWS Command Line Interface (AWS CLI) automatically uses the default endpoint for each service in an AWS Region, but you can specify an alternate endpoint for your API requests.

###### Endpoint topics

- [Set endpoint for a single command](./cli-configure-endpoints.html#endpoints-command)
- [Set global endpoint for all AWS services](./cli-configure-endpoints.html#endpoints-global)
- [Set to use FIPs endpoints for all AWS services](./cli-configure-endpoints.html#endpoints-fips)
- [Set to use dual-stack endpoints for all AWS services](./cli-configure-endpoints.html#endpoints-dual-stack)
- [Set service-specific endpoints](./cli-configure-endpoints.html#endpoints-service-specific)
  - [Environment variables](./cli-configure-endpoints.html#endpoints-service-specific-envvars)
  - [Shared config file](./cli-configure-endpoints.html#endpoints-service-specific-config)
  - [List of service-specific identifiers](./cli-configure-endpoints.html#endpoints-service-specific-table)
- [Account-based endpoints](./cli-configure-endpoints.html#endpoints-accountid)
- [Endpoint configuration and settings precedence](./cli-configure-endpoints.html#endpoints-precedence)

## Set endpoint for a single command

To override any endpoint settings or environment variables for a single command, use the [`--endpoint-url`](./cli-configure-options.html#cli-configure-options-endpoint-url) command line option. The following command example uses a custom Amazon S3 endpoint URL.

```
$ aws s3 ls --endpoint-url http://localhost:4567
```

## Set global endpoint for all AWS services

To route requests for all services to a custom endpoint URL, use one of the following settings:

- Environment variables:
  - [`AWS_IGNORE_CONFIGURED_ENDPOINT_URLS`](./cli-configure-envvars.html#envvars-list-AWS_IGNORE_CONFIGURED_URLS) - Ignore configured endpoint URLs.
  - [`AWS_ENDPOINT_URL`](./cli-configure-envvars.html#envvars-list-AWS_ENDPOINT_URL) - Set global endpoint URL.
- The `config` file:
  - [`ignore_configure_endpoint_urls`](./cli-configure-files.html#cli-config-ignore_configure_endpoint_urls) - Ignore configured endpoint URLs.

    ```
    ignore_configure_endpoint_urls = true
    ```

  - [`endpoint_url`](./cli-configure-files.html#cli-config-endpoint_url) - Set global endpoint URL.

    ```
    endpoint_url = http://localhost:4567
    ```

Service-specific endpoints and the `--endpoint-url` command line option override any global endpoints.

## Set to use FIPs endpoints for all AWS services

To route requests for all services to use FIPs endpoints, use one of the following:

- [`AWS_USE_FIPS_ENDPOINT`](./cli-configure-envvars.html#envvars-list-AWS_USE_FIPS_ENDPOINT) environment variable.
- [`use_fips_endpoint`](./cli-configure-files.html#cli-config-use_fips_endpoint) file setting.

  ```
  use_fips_endpoint = true
  ```

Some AWS services offer endpoints that support [Federal Information Processing Standard (FIPS) 140-2](http://aws.amazon.com/compliance/fips/) in some AWS Regions. When the AWS service supports FIPS, this setting specifies what FIPS endpoint the AWS CLI should use. Unlike standard AWS endpoints, FIPS endpoints use a TLS software library that complies with FIPS 140-2. These endpoints might be required by enterprises that interact with the United States government.

If this setting is enabled, but a FIPS endpoint does not exist for the service in your AWS Region, the AWS command may fail. In this case, manually specify the endpoint to use in the command using the [`--endpoint-url`](./cli-configure-options.html#cli-configure-options-endpoint-url) option or use [service-specific endpoints](#endpoints-service-specific).

For more information on specifying FIPS endpoints by AWS Region, see [FIPS Endpoints by Service](https://aws.amazon.com/compliance/fips/).
## Set to use dual-stack endpoints for all AWS services

To route requests for all services to use dual-stack endpoints when available, use one of the following settings:

- [`AWS_USE_DUALSTACK_ENDPOINT`](./cli-configure-envvars.html#envvars-list-AWS_USE_DUALSTACK_ENDPOINT) environment variable.
- [`use_dualstack_endpoint`](./cli-configure-files.html#cli-config-use_dualstack_endpoint) file setting.

  ```
  use_dualstack_endpoint = true
  ```

Enables the use of dual-stack endpoints to send AWS requests. To learn more about dual-stack endpoints, which support both IPv4 and IPv6 traffic, see [Using Amazon S3 dual-stack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) in the *Amazon Simple Storage Service User Guide*. Dual-stack endpoints are available for some services in some regions. If a dual-stack endpoint does not exist for the service or AWS Region, the request fails. This is disabled by default.

## Set service-specific endpoints

Service-specific endpoint configuration provides the option to use a persistent endpoint of your choosing for AWS CLI requests. These settings provide flexibility to support local endpoints, VPC endpoints, and third-party local AWS development environments. Different endpoints can be used for testing and production environments. You can specify an endpoint URL for individual AWS services.

Service-specific endpoints can be specified in the following ways:

- The command line option [`--endpoint-url`](./cli-configure-options.html#cli-configure-options-endpoint-url) for a single command.
- Environment variables:
  - [`AWS_IGNORE_CONFIGURED_ENDPOINT_URLS`](./cli-configure-envvars.html#envvars-list-AWS_IGNORE_CONFIGURED_URLS) - Ignore all configured endpoint URLs, unless specified on the command line.
  - [`AWS_ENDPOINT_URL_<SERVICE>`](./cli-configure-envvars.html#envvars-list-AWS_ENDPOINT_URL_SERVICE) - Specifies a custom endpoint that is used for a specific service, where `<SERVICE>` is replaced with the AWS service identifier.
    For all service-specific variables, see [Service-specific endpoints: List of service-specific identifiers](#endpoints-service-specific-table).
- `config` file:
  - [`ignore_configure_endpoint_urls`](./cli-configure-files.html#cli-config-ignore_configure_endpoint_urls) - Ignore all configured endpoint URLs, unless specified using environment variables or on the command line.
  - The [services](./cli-configure-files.html#cli-configure-files-format-services) section of the `config` file combined with the [`endpoint_url`](./cli-configure-files.html#cli-config-endpoint_url) file setting.

###### Service-specific endpoints topics:

- [Environment variables](#endpoints-service-specific-envvars)
- [Shared config file](#endpoints-service-specific-config)
- [List of service-specific identifiers](#endpoints-service-specific-table)

### Service-specific endpoints: Environment variables

Environment variables override settings in your config file, but do not override options specified on the command line. Use environment variables if you want all profiles to use the same endpoints on your device.

The following are service-specific environment variables:

- [`AWS_IGNORE_CONFIGURED_ENDPOINT_URLS`](./cli-configure-envvars.html#envvars-list-AWS_IGNORE_CONFIGURED_URLS) - Ignore all configured endpoint URLs, unless specified on the command line.
- [`AWS_ENDPOINT_URL_<SERVICE>`](./cli-configure-envvars.html#envvars-list-AWS_ENDPOINT_URL_SERVICE) - Specifies a custom endpoint that is used for a specific service, where `<SERVICE>` is replaced with the AWS service identifier. For all service-specific variables, see [Service-specific endpoints: List of service-specific identifiers](#endpoints-service-specific-table).

The following environment variable examples set an endpoint for AWS Elastic Beanstalk:

For more information on setting environment variables, see [Configuring environment variables for the AWS CLI](./cli-configure-envvars.html).
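One way to audit the endpoint overrides this section describes, as an added example that is not AWS's own code: it derives the `services` key and environment variable name from a `serviceId`, lists `AWS_ENDPOINT_URL*` variables, and reads `endpoint_url` settings from the profiles and `services` sections of a shared `config` file. The function names, the sample config, and the rule that flags non-loopback `http://` endpoints are assumptions made for the example.

```bash
# Added example (not AWS code): list the endpoint overrides that AWS CLI
# settings on this machine would apply. Function names are hypothetical.

# serviceId -> key in a [services] section: spaces to underscores, lowercase.
service_key() {
  printf '%s' "$1" | tr ' ' '_' | tr '[:upper:]' '[:lower:]'
}

# serviceId -> service-specific environment variable name.
service_envvar() {
  printf 'AWS_ENDPOINT_URL_%s' "$(service_key "$1" | tr '[:lower:]' '[:upper:]')"
}

# Endpoint override variables set in the current environment (NAME=value).
env_endpoint_overrides() {
  env | grep -E '^AWS_ENDPOINT_URL(_[A-Z0-9_]+)?=' | LC_ALL=C sort
}

# Print "profile<TAB>scope<TAB>url" for each endpoint_url a profile picks up
# from the config file in $1. scope is "global" or a service identifier key.
list_endpoint_overrides() {
  awk '
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }      # blank lines and comments
    /^\[/ {                                    # [default], [profile x], [services y]
      hdr = $0; gsub(/^\[|\].*$/, "", hdr)
      n = split(hdr, w, /[ \t]+/)
      kind = (n > 1) ? w[1] : "profile"
      name = w[n]; svc = ""
      next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      nested = ($0 ~ /^[ \t]/)                 # indented: belongs to the key above
      key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
      val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (kind == "profile" && !nested) {
        if (key == "services") uses[name] = val
        if (key == "endpoint_url") glob[name] = val
        if (key == "ignore_configure_endpoint_urls" && val == "true") ign[name] = 1
      } else if (kind == "services") {
        if (!nested) svc = key
        else if (key == "endpoint_url") ep[name SUBSEP svc] = val
      }
    }
    END {
      for (p in glob) if (!(p in ign)) printf "%s\tglobal\t%s\n", p, glob[p]
      for (p in uses) {
        if (p in ign) continue                 # profile ignores configured URLs
        for (k in ep) {
          split(k, part, SUBSEP)
          if (part[1] == uses[p]) printf "%s\t%s\t%s\n", p, part[2], ep[k]
        }
      }
    }
  ' "$1" | LC_ALL=C sort
}

# Assumed policy (not from the page): report http:// endpoints whose host is
# not loopback, since requests to them cross the network without TLS.
flag_remote_plaintext() {   # stdin: output of list_endpoint_overrides
  awk -F '\t' '
    $3 ~ "^http://" {
      host = $3; sub("^http://", "", host); sub("[:/].*$", "", host)
      if (host != "localhost" && host != "127.0.0.1") print
    }'
}

# Constructed sample config (not from a real system), in the shared config layout.
write_sample_config() {
  cat > "$1" <<'EOF'
[profile dev1]
endpoint_url = http://localhost:1234
services = testing-s3-and-eb
[profile dev2]
services = testing-s3-and-eb
[profile build]
services = shared-storage
[profile ci]
ignore_configure_endpoint_urls = true
services = shared-storage
[services testing-s3-and-eb]
s3 =
  endpoint_url = http://localhost:4567
elastic_beanstalk =
  endpoint_url = http://localhost:8000
[services shared-storage]
s3 =
  endpoint_url = http://storage.example.internal:9000
EOF
}

# Demo on the constructed sample.
cfg=$(mktemp)
write_sample_config "$cfg"
echo "Overrides per profile:";   list_endpoint_overrides "$cfg"
echo "Plaintext, non-loopback:"; list_endpoint_overrides "$cfg" | flag_remote_plaintext
rm -f "$cfg"
```

To audit a real machine, pass the path of its shared `config` file to `list_endpoint_overrides` and compare the result with `env_endpoint_overrides`.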
### Service-specific endpoints: Shared `config` file

In the shared `config` file, `endpoint_url` is used in multiple sections. To set a service-specific endpoint, use the `endpoint_url` setting nested under a service identifier key within a `services` section. For details on defining a `services` section in your shared `config` file, see [Section type: services](./cli-configure-files.html#cli-configure-files-format-services).

The following example uses a `services` section to configure a service-specific endpoint URL for Amazon S3 and a custom global endpoint used for all other services:

```
[profile dev1]
endpoint_url = http://localhost:1234
services = testing-s3

[services testing-s3]
s3 =
  endpoint_url = http://localhost:4567
```

A single profile can configure endpoints for multiple services. The following example sets the service-specific endpoint URLs for Amazon S3 and AWS Elastic Beanstalk in the same profile. For a list of all service identifier keys to use in the `services` section, see [List of service-specific identifiers](#endpoints-service-specific-table).

```
[profile dev1]
services = testing-s3-and-eb

[services testing-s3-and-eb]
s3 =
  endpoint_url = http://localhost:4567
elastic_beanstalk =
  endpoint_url = http://localhost:8000
```

The service configuration section can be used in multiple profiles. The following example has two profiles that use the same `services` definition:

```
[profile dev1]
output = json
services = testing-s3

[profile dev2]
output = text
services = testing-s3

[services testing-s3]
s3 =
  endpoint_url = https://localhost:4567
```

### Service-specific endpoints: List of service-specific identifiers

The AWS service identifier is based on the API model’s `serviceId` by replacing all spaces with underscores and lowercasing all letters.

The following table lists all service-specific identifiers, `config` file keys, and environment variables.
| `serviceId` | Service identifier key for shared AWS `config` file | `AWS_ENDPOINT_URL_<SERVICE>` environment variable |
| --- | --- | --- |
| `AccessAnalyzer` | `accessanalyzer` | `AWS_ENDPOINT_URL_ACCESSANALYZER` |
| `Account` | `account` | `AWS_ENDPOINT_URL_ACCOUNT` |
| `ACM` | `acm` | `AWS_ENDPOINT_URL_ACM` |
| `ACM PCA` | `acm_pca` | `AWS_ENDPOINT_URL_ACM_PCA` |
| `Alexa For Business` | `alexa_for_business` | `AWS_ENDPOINT_URL_ALEXA_FOR_BUSINESS` |
| `amp` | `amp` | `AWS_ENDPOINT_URL_AMP` |
| `Amplify` | `amplify` | `AWS_ENDPOINT_URL_AMPLIFY` |
| `AmplifyBackend` | `amplifybackend` | `AWS_ENDPOINT_URL_AMPLIFYBACKEND` |
| `AmplifyUIBuilder` | `amplifyuibuilder` | `AWS_ENDPOINT_URL_AMPLIFYUIBUILDER` |
| `API Gateway` | `api_gateway` | `AWS_ENDPOINT_URL_API_GATEWAY` |
| `ApiGatewayManagementApi` | `apigatewaymanagementapi` | `AWS_ENDPOINT_URL_APIGATEWAYMANAGEMENTAPI` |
| `ApiGatewayV2` | `apigatewayv2` | `AWS_ENDPOINT_URL_APIGATEWAYV2` |
| `AppConfig` | `appconfig` | `AWS_ENDPOINT_URL_APPCONFIG` |
| `AppConfigData` | `appconfigdata` | `AWS_ENDPOINT_URL_APPCONFIGDATA` |
| `AppFabric` | `appfabric` | `AWS_ENDPOINT_URL_APPFABRIC` |
| `Appflow` | `appflow` | `AWS_ENDPOINT_URL_APPFLOW` |
| `AppIntegrations` | `appintegrations` | `AWS_ENDPOINT_URL_APPINTEGRATIONS` |
| `Application Auto Scaling` | `application_auto_scaling` | `AWS_ENDPOINT_URL_APPLICATION_AUTO_SCALING` |
| `Application Insights` | `application_insights` | `AWS_ENDPOINT_URL_APPLICATION_INSIGHTS` |
| `ApplicationCostProfiler` | `applicationcostprofiler` | `AWS_ENDPOINT_URL_APPLICATIONCOSTPROFILER` |
| `App Mesh` | `app_mesh` | `AWS_ENDPOINT_URL_APP_MESH` |
| `AppRunner` | `apprunner` | `AWS_ENDPOINT_URL_APPRUNNER` |
| `AppStream` | `appstream` | `AWS_ENDPOINT_URL_APPSTREAM` |
| `AppSync` | `appsync` | `AWS_ENDPOINT_URL_APPSYNC` |
| `ARC Zonal Shift` | `arc_zonal_shift` | `AWS_ENDPOINT_URL_ARC_ZONAL_SHIFT` |
| `Artifact` | `artifact` | `AWS_ENDPOINT_URL_ARTIFACT` |
| `Athena` | `athena` | `AWS_ENDPOINT_URL_ATHENA` |
| `AuditManager` | `auditmanager` | `AWS_ENDPOINT_URL_AUDITMANAGER` |
| `Auto Scaling` | `auto_scaling` | `AWS_ENDPOINT_URL_AUTO_SCALING` |
| `Auto Scaling Plans` | `auto_scaling_plans` | `AWS_ENDPOINT_URL_AUTO_SCALING_PLANS` |
| `b2bi` | `b2bi` | `AWS_ENDPOINT_URL_B2BI` |
| `Backup` | `backup` | `AWS_ENDPOINT_URL_BACKUP` |
| `Backup Gateway` | `backup_gateway` | `AWS_ENDPOINT_URL_BACKUP_GATEWAY` |
| `BackupStorage` | `backupstorage` | `AWS_ENDPOINT_URL_BACKUPSTORAGE` |
| `Batch` | `batch` | `AWS_ENDPOINT_URL_BATCH` |
| `BCM Data Exports` | `bcm_data_exports` | `AWS_ENDPOINT_URL_BCM_DATA_EXPORTS` |
| `Bedrock` | `bedrock` | `AWS_ENDPOINT_URL_BEDROCK` |
| `Bedrock Agent` | `bedrock_agent` | `AWS_ENDPOINT_URL_BEDROCK_AGENT` |
| `Bedrock Agent Runtime` | `bedrock_agent_runtime` | `AWS_ENDPOINT_URL_BEDROCK_AGENT_RUNTIME` |
| `Bedrock Runtime` | `bedrock_runtime` | `AWS_ENDPOINT_URL_BEDROCK_RUNTIME` |
| `billingconductor` | `billingconductor` | `AWS_ENDPOINT_URL_BILLINGCONDUCTOR` |
| `Braket` | `braket` | `AWS_ENDPOINT_URL_BRAKET` |
| `Budgets` | `budgets` | `AWS_ENDPOINT_URL_BUDGETS` |
| `Cost Explorer` | `cost_explorer` | `AWS_ENDPOINT_URL_COST_EXPLORER` |
| `chatbot` | `chatbot` | `AWS_ENDPOINT_URL_CHATBOT` |
| `Chime` | `chime` | `AWS_ENDPOINT_URL_CHIME` |
| `Chime SDK Identity` | `chime_sdk_identity` | `AWS_ENDPOINT_URL_CHIME_SDK_IDENTITY` |
| `Chime SDK Media Pipelines` | `chime_sdk_media_pipelines` | `AWS_ENDPOINT_URL_CHIME_SDK_MEDIA_PIPELINES` |
| `Chime SDK Meetings` | `chime_sdk_meetings` | `AWS_ENDPOINT_URL_CHIME_SDK_MEETINGS` |
| `Chime SDK Messaging` | `chime_sdk_messaging` | `AWS_ENDPOINT_URL_CHIME_SDK_MESSAGING` |
| `Chime SDK Voice` | `chime_sdk_voice` | `AWS_ENDPOINT_URL_CHIME_SDK_VOICE` |
| `CleanRooms` | `cleanrooms` | `AWS_ENDPOINT_URL_CLEANROOMS` |
| `CleanRoomsML` | `cleanroomsml` | `AWS_ENDPOINT_URL_CLEANROOMSML` |
| `Cloud9` | `cloud9` | `AWS_ENDPOINT_URL_CLOUD9` |
| `CloudControl` | `cloudcontrol` | `AWS_ENDPOINT_URL_CLOUDCONTROL` |
| `CloudDirectory` | `clouddirectory` | `AWS_ENDPOINT_URL_CLOUDDIRECTORY` |
| `CloudFormation` | `cloudformation` | `AWS_ENDPOINT_URL_CLOUDFORMATION` |
| `CloudFront` | `cloudfront` | `AWS_ENDPOINT_URL_CLOUDFRONT` |
| `CloudFront KeyValueStore` | `cloudfront_keyvaluestore` | `AWS_ENDPOINT_URL_CLOUDFRONT_KEYVALUESTORE` |
| `CloudHSM` | `cloudhsm` | `AWS_ENDPOINT_URL_CLOUDHSM` |
| `CloudHSM V2` | `cloudhsm_v2` | `AWS_ENDPOINT_URL_CLOUDHSM_V2` |
| `CloudSearch` | `cloudsearch` | `AWS_ENDPOINT_URL_CLOUDSEARCH` |
| `CloudSearch Domain` | `cloudsearch_domain` | `AWS_ENDPOINT_URL_CLOUDSEARCH_DOMAIN` |
| `CloudTrail` | `cloudtrail` | `AWS_ENDPOINT_URL_CLOUDTRAIL` |
| `CloudTrail Data` | `cloudtrail_data` | `AWS_ENDPOINT_URL_CLOUDTRAIL_DATA` |
| `CloudWatch` | `cloudwatch` | `AWS_ENDPOINT_URL_CLOUDWATCH` |
| `codeartifact` | `codeartifact` | `AWS_ENDPOINT_URL_CODEARTIFACT` |
| `CodeBuild` | `codebuild` | `AWS_ENDPOINT_URL_CODEBUILD` |
| `CodeCatalyst` | `codecatalyst` | `AWS_ENDPOINT_URL_CODECATALYST` |
| `CodeCommit` | `codecommit` | `AWS_ENDPOINT_URL_CODECOMMIT` |
| `CodeDeploy` | `codedeploy` | `AWS_ENDPOINT_URL_CODEDEPLOY` |
| `CodeGuru Reviewer` | `codeguru_reviewer` | `AWS_ENDPOINT_URL_CODEGURU_REVIEWER` |
| `CodeGuru Security` | `codeguru_security` | `AWS_ENDPOINT_URL_CODEGURU_SECURITY` |
| `CodeGuruProfiler` | `codeguruprofiler` | `AWS_ENDPOINT_URL_CODEGURUPROFILER` |
| `CodePipeline` | `codepipeline` | `AWS_ENDPOINT_URL_CODEPIPELINE` |
| `CodeStar` | `codestar` | `AWS_ENDPOINT_URL_CODESTAR` |
| `CodeStar connections` | `codestar_connections` | `AWS_ENDPOINT_URL_CODESTAR_CONNECTIONS` |
| `codestar notifications` | `codestar_notifications` | `AWS_ENDPOINT_URL_CODESTAR_NOTIFICATIONS` |
| `Cognito Identity` | `cognito_identity` | `AWS_ENDPOINT_URL_COGNITO_IDENTITY` |
| `Cognito Identity Provider` | `cognito_identity_provider` | `AWS_ENDPOINT_URL_COGNITO_IDENTITY_PROVIDER` |
| `Cognito Sync` | `cognito_sync` | `AWS_ENDPOINT_URL_COGNITO_SYNC` |
| `Comprehend` | `comprehend` | `AWS_ENDPOINT_URL_COMPREHEND` |
| `ComprehendMedical` | `comprehendmedical` | `AWS_ENDPOINT_URL_COMPREHENDMEDICAL` |
| `Compute Optimizer` | `compute_optimizer` | `AWS_ENDPOINT_URL_COMPUTE_OPTIMIZER` |
| `Config Service` | `config_service` | `AWS_ENDPOINT_URL_CONFIG_SERVICE` |
| `Connect` | `connect` | `AWS_ENDPOINT_URL_CONNECT` |
| `Connect Contact Lens` | `connect_contact_lens` | `AWS_ENDPOINT_URL_CONNECT_CONTACT_LENS` |
| `ConnectCampaigns` | `connectcampaigns` | `AWS_ENDPOINT_URL_CONNECTCAMPAIGNS` |
| `ConnectCases` | `connectcases` | `AWS_ENDPOINT_URL_CONNECTCASES` |
| `ConnectParticipant` | `connectparticipant` | `AWS_ENDPOINT_URL_CONNECTPARTICIPANT` |
| `ControlTower` | `controltower` | `AWS_ENDPOINT_URL_CONTROLTOWER` |
| `Cost Optimization Hub` | `cost_optimization_hub` | `AWS_ENDPOINT_URL_COST_OPTIMIZATION_HUB` |
| `Cost and Usage Report Service` | `cost_and_usage_report_service` | `AWS_ENDPOINT_URL_COST_AND_USAGE_REPORT_SERVICE` |
| `Customer Profiles` | `customer_profiles` | `AWS_ENDPOINT_URL_CUSTOMER_PROFILES` |
| `DataBrew` | `databrew` | `AWS_ENDPOINT_URL_DATABREW` |
| `DataExchange` | `dataexchange` | `AWS_ENDPOINT_URL_DATAEXCHANGE` |
| `Data Pipeline` | `data_pipeline` | `AWS_ENDPOINT_URL_DATA_PIPELINE` |
| `DataSync` | `datasync` | `AWS_ENDPOINT_URL_DATASYNC` |
| `DataZone` | `datazone` | `AWS_ENDPOINT_URL_DATAZONE` |
| `DAX` | `dax` | `AWS_ENDPOINT_URL_DAX` |
| `Detective` | `detective` | `AWS_ENDPOINT_URL_DETECTIVE` |
| `Device Farm` | `device_farm` | `AWS_ENDPOINT_URL_DEVICE_FARM` |
| `DevOps Guru` | `devops_guru` | `AWS_ENDPOINT_URL_DEVOPS_GURU` |
| `Direct Connect` | `direct_connect` | `AWS_ENDPOINT_URL_DIRECT_CONNECT` |
| `Application Discovery Service` | `application_discovery_service` | `AWS_ENDPOINT_URL_APPLICATION_DISCOVERY_SERVICE` |
| `DLM` | `dlm` | `AWS_ENDPOINT_URL_DLM` |
| `Database Migration Service` | `database_migration_service` | `AWS_ENDPOINT_URL_DATABASE_MIGRATION_SERVICE` |
| `DocDB` | `docdb` | `AWS_ENDPOINT_URL_DOCDB` |
| `DocDB Elastic` | `docdb_elastic` | `AWS_ENDPOINT_URL_DOCDB_ELASTIC` |
| `drs` | `drs` | `AWS_ENDPOINT_URL_DRS` |
| `Directory Service` | `directory_service` | `AWS_ENDPOINT_URL_DIRECTORY_SERVICE` |
| `DynamoDB` | `dynamodb` | `AWS_ENDPOINT_URL_DYNAMODB` |
| `DynamoDB Streams` | `dynamodb_streams` | `AWS_ENDPOINT_URL_DYNAMODB_STREAMS` |
| `EBS` | `ebs` | `AWS_ENDPOINT_URL_EBS` |
| `EC2` | `ec2` | `AWS_ENDPOINT_URL_EC2` |
| `EC2 Instance Connect` | `ec2_instance_connect` | `AWS_ENDPOINT_URL_EC2_INSTANCE_CONNECT` |
| `ECR` | `ecr` | `AWS_ENDPOINT_URL_ECR` |
| `ECR PUBLIC` | `ecr_public` | `AWS_ENDPOINT_URL_ECR_PUBLIC` |
| `ECS` | `ecs` | `AWS_ENDPOINT_URL_ECS` |
| `EFS` | `efs` | `AWS_ENDPOINT_URL_EFS` |
| `EKS` | `eks` | `AWS_ENDPOINT_URL_EKS` |
| `EKS Auth` | `eks_auth` | `AWS_ENDPOINT_URL_EKS_AUTH` |
| `Elastic Inference` | `elastic_inference` | `AWS_ENDPOINT_URL_ELASTIC_INFERENCE` |
| `ElastiCache` | `elasticache` | `AWS_ENDPOINT_URL_ELASTICACHE` |
| `Elastic Beanstalk` | `elastic_beanstalk` | `AWS_ENDPOINT_URL_ELASTIC_BEANSTALK` |
| `Elastic Transcoder` | `elastic_transcoder` | `AWS_ENDPOINT_URL_ELASTIC_TRANSCODER` |
| `Elastic Load Balancing` | `elastic_load_balancing` | `AWS_ENDPOINT_URL_ELASTIC_LOAD_BALANCING` |
| `Elastic Load Balancing v2` | `elastic_load_balancing_v2` | `AWS_ENDPOINT_URL_ELASTIC_LOAD_BALANCING_V2` |
| `EMR` | `emr` | `AWS_ENDPOINT_URL_EMR` |
| `EMR containers` | `emr_containers` | `AWS_ENDPOINT_URL_EMR_CONTAINERS` |
| `EMR Serverless` | `emr_serverless` | `AWS_ENDPOINT_URL_EMR_SERVERLESS` |
| `EntityResolution` | `entityresolution` | `AWS_ENDPOINT_URL_ENTITYRESOLUTION` |
| `Elasticsearch Service` | `elasticsearch_service` | `AWS_ENDPOINT_URL_ELASTICSEARCH_SERVICE` |
| `EventBridge` | `eventbridge` | `AWS_ENDPOINT_URL_EVENTBRIDGE` |
| `Evidently` | `evidently` | `AWS_ENDPOINT_URL_EVIDENTLY` |
| `finspace` | `finspace` | `AWS_ENDPOINT_URL_FINSPACE` |
| `finspace data` | `finspace_data` | `AWS_ENDPOINT_URL_FINSPACE_DATA` |
| `Firehose` | `firehose` | `AWS_ENDPOINT_URL_FIREHOSE` |
| `fis` | `fis` | `AWS_ENDPOINT_URL_FIS` |
| `FMS` | `fms` | `AWS_ENDPOINT_URL_FMS` |
| `forecast` | `forecast` | `AWS_ENDPOINT_URL_FORECAST` |
| `forecastquery` | `forecastquery` | `AWS_ENDPOINT_URL_FORECASTQUERY` |
| `FraudDetector` | `frauddetector` | `AWS_ENDPOINT_URL_FRAUDDETECTOR` |
| `FreeTier` | `freetier` | `AWS_ENDPOINT_URL_FREETIER` |
| `FSx` | `fsx` | `AWS_ENDPOINT_URL_FSX` |
| `GameLift` | `gamelift` | `AWS_ENDPOINT_URL_GAMELIFT` |
| `Glacier` | `glacier` | `AWS_ENDPOINT_URL_GLACIER` |
| `Global Accelerator` | `global_accelerator` | `AWS_ENDPOINT_URL_GLOBAL_ACCELERATOR` |
| `Glue` | `glue` | `AWS_ENDPOINT_URL_GLUE` |
| `grafana` | `grafana` | `AWS_ENDPOINT_URL_GRAFANA` |
| `Greengrass` | `greengrass` | `AWS_ENDPOINT_URL_GREENGRASS` |
| `GreengrassV2` | `greengrassv2` | `AWS_ENDPOINT_URL_GREENGRASSV2` |
| `GroundStation` | `groundstation` | `AWS_ENDPOINT_URL_GROUNDSTATION` |
| `GuardDuty` | `guardduty` | `AWS_ENDPOINT_URL_GUARDDUTY` |
| `Health` | `health` | `AWS_ENDPOINT_URL_HEALTH` |
| `HealthLake` | `healthlake` | `AWS_ENDPOINT_URL_HEALTHLAKE` |
| `Honeycode` | `honeycode` | `AWS_ENDPOINT_URL_HONEYCODE` |
| `IAM` | `iam` | `AWS_ENDPOINT_URL_IAM` |
| `identitystore` | `identitystore` | `AWS_ENDPOINT_URL_IDENTITYSTORE` |
| `imagebuilder` | `imagebuilder` | `AWS_ENDPOINT_URL_IMAGEBUILDER` |
| `ImportExport` | `importexport` | `AWS_ENDPOINT_URL_IMPORTEXPORT` |
| `Inspector` | `inspector` | `AWS_ENDPOINT_URL_INSPECTOR` |
| `Inspector Scan` | `inspector_scan` | `AWS_ENDPOINT_URL_INSPECTOR_SCAN` |
| `Inspector2` | `inspector2` | `AWS_ENDPOINT_URL_INSPECTOR2` |
| `InternetMonitor` | `internetmonitor` | `AWS_ENDPOINT_URL_INTERNETMONITOR` |
| `IoT` | `iot` | `AWS_ENDPOINT_URL_IOT` |
| `IoT Data Plane` | `iot_data_plane` | `AWS_ENDPOINT_URL_IOT_DATA_PLANE` |
| `IoT Jobs Data Plane` | `iot_jobs_data_plane` | `AWS_ENDPOINT_URL_IOT_JOBS_DATA_PLANE` |
| `IoT 1Click Devices Service` | `iot_1click_devices_service` | `AWS_ENDPOINT_URL_IOT_1CLICK_DEVICES_SERVICE` |
| `IoT 1Click Projects` | `iot_1click_projects` | `AWS_ENDPOINT_URL_IOT_1CLICK_PROJECTS` |
| `IoTAnalytics` | `iotanalytics` | `AWS_ENDPOINT_URL_IOTANALYTICS` |
| `IotDeviceAdvisor` | `iotdeviceadvisor` | `AWS_ENDPOINT_URL_IOTDEVICEADVISOR` |
| `IoT Events` | `iot_events` | `AWS_ENDPOINT_URL_IOT_EVENTS` |
| `IoT Events Data` | `iot_events_data` | `AWS_ENDPOINT_URL_IOT_EVENTS_DATA` |
| `IoTFleetHub` | `iotfleethub` | `AWS_ENDPOINT_URL_IOTFLEETHUB` |
| `IoTFleetWise` | `iotfleetwise` | `AWS_ENDPOINT_URL_IOTFLEETWISE` |
| `IoTSecureTunneling` | `iotsecuretunneling` | `AWS_ENDPOINT_URL_IOTSECURETUNNELING` |
| `IoTSiteWise` | `iotsitewise` | `AWS_ENDPOINT_URL_IOTSITEWISE` |
| `IoTThingsGraph` | `iotthingsgraph` | `AWS_ENDPOINT_URL_IOTTHINGSGRAPH` |
| `IoTTwinMaker` | `iottwinmaker` | `AWS_ENDPOINT_URL_IOTTWINMAKER` |
| `IoT Wireless` | `iot_wireless` | `AWS_ENDPOINT_URL_IOT_WIRELESS` |
| `ivs` | `ivs` | `AWS_ENDPOINT_URL_IVS` |
| `IVS RealTime` | `ivs_realtime` | `AWS_ENDPOINT_URL_IVS_REALTIME` |
| `ivschat` | `ivschat` | `AWS_ENDPOINT_URL_IVSCHAT` |
| `Kafka` | `kafka` | `AWS_ENDPOINT_URL_KAFKA` |
| `KafkaConnect` | `kafkaconnect` | `AWS_ENDPOINT_URL_KAFKACONNECT` |
| `kendra` | `kendra` | `AWS_ENDPOINT_URL_KENDRA` |
| `Kendra Ranking` | `kendra_ranking` | `AWS_ENDPOINT_URL_KENDRA_RANKING` |
| `Keyspaces` | `keyspaces` | `AWS_ENDPOINT_URL_KEYSPACES` |
| `Kinesis` | `kinesis` | `AWS_ENDPOINT_URL_KINESIS` |
| `Kinesis Video Archived Media` | `kinesis_video_archived_media` | `AWS_ENDPOINT_URL_KINESIS_VIDEO_ARCHIVED_MEDIA` |
| `Kinesis Video Media` | `kinesis_video_media` | `AWS_ENDPOINT_URL_KINESIS_VIDEO_MEDIA` |
| `Kinesis Video Signaling` | `kinesis_video_signaling` | `AWS_ENDPOINT_URL_KINESIS_VIDEO_SIGNALING` |
| `Kinesis Video WebRTC Storage` | `kinesis_video_webrtc_storage` | `AWS_ENDPOINT_URL_KINESIS_VIDEO_WEBRTC_STORAGE` |
| `Kinesis Analytics` | `kinesis_analytics` | `AWS_ENDPOINT_URL_KINESIS_ANALYTICS` |
| `Kinesis Analytics V2` | `kinesis_analytics_v2` | `AWS_ENDPOINT_URL_KINESIS_ANALYTICS_V2` |
| `Kinesis Video` | `kinesis_video` | `AWS_ENDPOINT_URL_KINESIS_VIDEO` |
| `KMS` | `kms` | `AWS_ENDPOINT_URL_KMS` |
| `LakeFormation` | `lakeformation` | `AWS_ENDPOINT_URL_LAKEFORMATION` |
| `Lambda` | `lambda` | `AWS_ENDPOINT_URL_LAMBDA` |
| `Launch Wizard` | `launch_wizard` | `AWS_ENDPOINT_URL_LAUNCH_WIZARD` |
| `Lex Model Building Service` | `lex_model_building_service` | `AWS_ENDPOINT_URL_LEX_MODEL_BUILDING_SERVICE` |
| `Lex Runtime Service` | `lex_runtime_service` | `AWS_ENDPOINT_URL_LEX_RUNTIME_SERVICE` |
| `Lex Models V2` | `lex_models_v2` | `AWS_ENDPOINT_URL_LEX_MODELS_V2` |
| `Lex Runtime V2` | `lex_runtime_v2` | `AWS_ENDPOINT_URL_LEX_RUNTIME_V2` |
| `License Manager` | `license_manager` | `AWS_ENDPOINT_URL_LICENSE_MANAGER` |
| `License Manager Linux Subscriptions` | `license_manager_linux_subscriptions` | `AWS_ENDPOINT_URL_LICENSE_MANAGER_LINUX_SUBSCRIPTIONS` |
| `License Manager User Subscriptions` | `license_manager_user_subscriptions` | `AWS_ENDPOINT_URL_LICENSE_MANAGER_USER_SUBSCRIPTIONS` |
| `Lightsail` | `lightsail` | `AWS_ENDPOINT_URL_LIGHTSAIL` |
| `Location` | `location` | `AWS_ENDPOINT_URL_LOCATION` |
| `CloudWatch Logs` | `cloudwatch_logs` | `AWS_ENDPOINT_URL_CLOUDWATCH_LOGS` |
| `LookoutEquipment` | `lookoutequipment` | `AWS_ENDPOINT_URL_LOOKOUTEQUIPMENT` |
| `LookoutMetrics` | `lookoutmetrics` | `AWS_ENDPOINT_URL_LOOKOUTMETRICS` |
| `LookoutVision` | `lookoutvision` | `AWS_ENDPOINT_URL_LOOKOUTVISION` |
| `m2` | `m2` | `AWS_ENDPOINT_URL_M2` |
| `Machine Learning` | `machine_learning` | `AWS_ENDPOINT_URL_MACHINE_LEARNING` |
| `Macie2` | `macie2` | `AWS_ENDPOINT_URL_MACIE2` |
| `ManagedBlockchain` | `managedblockchain` | `AWS_ENDPOINT_URL_MANAGEDBLOCKCHAIN` |
| `ManagedBlockchain Query` | `managedblockchain_query` | `AWS_ENDPOINT_URL_MANAGEDBLOCKCHAIN_QUERY` |
| `Marketplace Agreement` | `marketplace_agreement` | `AWS_ENDPOINT_URL_MARKETPLACE_AGREEMENT` |
| `Marketplace Catalog` | `marketplace_catalog` | `AWS_ENDPOINT_URL_MARKETPLACE_CATALOG` |
| `Marketplace Deployment` | `marketplace_deployment` | `AWS_ENDPOINT_URL_MARKETPLACE_DEPLOYMENT` |
| `Marketplace Entitlement Service` | `marketplace_entitlement_service` | `AWS_ENDPOINT_URL_MARKETPLACE_ENTITLEMENT_SERVICE` |
| `Marketplace Commerce Analytics` | `marketplace_commerce_analytics` | `AWS_ENDPOINT_URL_MARKETPLACE_COMMERCE_ANALYTICS` |
| `MediaConnect` | `mediaconnect` | `AWS_ENDPOINT_URL_MEDIACONNECT` |
| `MediaConvert` | `mediaconvert` | `AWS_ENDPOINT_URL_MEDIACONVERT` |
| `MediaLive` | `medialive` | `AWS_ENDPOINT_URL_MEDIALIVE` |
| `MediaPackage` | `mediapackage` | `AWS_ENDPOINT_URL_MEDIAPACKAGE` |
| `MediaPackage Vod` | `mediapackage_vod` | `AWS_ENDPOINT_URL_MEDIAPACKAGE_VOD` |
| `MediaPackageV2` | `mediapackagev2` | `AWS_ENDPOINT_URL_MEDIAPACKAGEV2` |
| `MediaStore` | `mediastore` | `AWS_ENDPOINT_URL_MEDIASTORE` |
| `MediaStore Data` | `mediastore_data` | `AWS_ENDPOINT_URL_MEDIASTORE_DATA` |
| `MediaTailor` | `mediatailor` | `AWS_ENDPOINT_URL_MEDIATAILOR` |
| `Medical Imaging` | `medical_imaging` | `AWS_ENDPOINT_URL_MEDICAL_IMAGING` |
| `MemoryDB` | `memorydb` | `AWS_ENDPOINT_URL_MEMORYDB` |
| `Marketplace Metering` | `marketplace_metering` | `AWS_ENDPOINT_URL_MARKETPLACE_METERING` |
| `Migration Hub` | `migration_hub` | `AWS_ENDPOINT_URL_MIGRATION_HUB` |
| `mgn` | `mgn` | `AWS_ENDPOINT_URL_MGN` |
| `Migration Hub Refactor Spaces` | `migration_hub_refactor_spaces` | `AWS_ENDPOINT_URL_MIGRATION_HUB_REFACTOR_SPACES` |
| `MigrationHub Config` | `migrationhub_config` | `AWS_ENDPOINT_URL_MIGRATIONHUB_CONFIG` |
| `MigrationHubOrchestrator` | `migrationhuborchestrator` | `AWS_ENDPOINT_URL_MIGRATIONHUBORCHESTRATOR` |
| `MigrationHubStrategy` | `migrationhubstrategy` | `AWS_ENDPOINT_URL_MIGRATIONHUBSTRATEGY` |
| `Mobile` | `mobile` | `AWS_ENDPOINT_URL_MOBILE` |
| `mq` | `mq` | `AWS_ENDPOINT_URL_MQ` |
| `MTurk` | `mturk` | `AWS_ENDPOINT_URL_MTURK` |
| `MWAA` | `mwaa` | `AWS_ENDPOINT_URL_MWAA` |
| `Neptune` | `neptune` | `AWS_ENDPOINT_URL_NEPTUNE` |
| `Neptune Graph` | `neptune_graph` | `AWS_ENDPOINT_URL_NEPTUNE_GRAPH` |
| `neptunedata` | `neptunedata` | `AWS_ENDPOINT_URL_NEPTUNEDATA` |
| `Network Firewall` | `network_firewall` | `AWS_ENDPOINT_URL_NETWORK_FIREWALL` |
| `NetworkManager` | `networkmanager` | `AWS_ENDPOINT_URL_NETWORKMANAGER` |
| `NetworkMonitor` | `networkmonitor` | `AWS_ENDPOINT_URL_NETWORKMONITOR` |
| `nimble` | `nimble` | `AWS_ENDPOINT_URL_NIMBLE` |
| `OAM` | `oam` | `AWS_ENDPOINT_URL_OAM` |
| `Omics` | `omics` | `AWS_ENDPOINT_URL_OMICS` |
| `OpenSearch` | `opensearch` | `AWS_ENDPOINT_URL_OPENSEARCH` |
| `OpenSearchServerless` | `opensearchserverless` | `AWS_ENDPOINT_URL_OPENSEARCHSERVERLESS` |
| `OpsWorks` | `opsworks` | `AWS_ENDPOINT_URL_OPSWORKS` |
| `OpsWorksCM` | `opsworkscm` | `AWS_ENDPOINT_URL_OPSWORKSCM` |
| `Organizations` | `organizations` | `AWS_ENDPOINT_URL_ORGANIZATIONS` |
| `OSIS` | `osis` | `AWS_ENDPOINT_URL_OSIS` |
| `Outposts` | `outposts` | `AWS_ENDPOINT_URL_OUTPOSTS` |
| `p8data` | `p8data` | `AWS_ENDPOINT_URL_P8DATA` |
| `Panorama` | `panorama` | `AWS_ENDPOINT_URL_PANORAMA` |
| `Payment Cryptography` | `payment_cryptography` | `AWS_ENDPOINT_URL_PAYMENT_CRYPTOGRAPHY` |
| `Payment Cryptography Data` | `payment_cryptography_data` | `AWS_ENDPOINT_URL_PAYMENT_CRYPTOGRAPHY_DATA` |
| `Pca Connector Ad` | `pca_connector_ad` | `AWS_ENDPOINT_URL_PCA_CONNECTOR_AD` |
| `Personalize` | `personalize` | `AWS_ENDPOINT_URL_PERSONALIZE` |
| `Personalize Events` | `personalize_events` | `AWS_ENDPOINT_URL_PERSONALIZE_EVENTS` |
| `Personalize Runtime` | `personalize_runtime` | `AWS_ENDPOINT_URL_PERSONALIZE_RUNTIME` |
| `PI` | `pi` | `AWS_ENDPOINT_URL_PI` |
| `Pinpoint` | `pinpoint` | `AWS_ENDPOINT_URL_PINPOINT` |
| `Pinpoint Email` | `pinpoint_email` | `AWS_ENDPOINT_URL_PINPOINT_EMAIL` |
| `Pinpoint SMS Voice` | `pinpoint_sms_voice` | `AWS_ENDPOINT_URL_PINPOINT_SMS_VOICE` |
| `Pinpoint SMS Voice V2` | `pinpoint_sms_voice_v2` | `AWS_ENDPOINT_URL_PINPOINT_SMS_VOICE_V2` |
| `Pipes` | `pipes` | `AWS_ENDPOINT_URL_PIPES` |
| `Polly` | `polly` | `AWS_ENDPOINT_URL_POLLY` |
| `Pricing` | `pricing` | `AWS_ENDPOINT_URL_PRICING` |
| `PrivateNetworks` | `privatenetworks` | `AWS_ENDPOINT_URL_PRIVATENETWORKS` |
| `Proton` | `proton` | `AWS_ENDPOINT_URL_PROTON` |
| `QBusiness` | `qbusiness` | `AWS_ENDPOINT_URL_QBUSINESS` |
| `QConnect` | `qconnect` | `AWS_ENDPOINT_URL_QCONNECT` |
| `QLDB` | `qldb` | `AWS_ENDPOINT_URL_QLDB` |
| `QLDB Session` | `qldb_session` | `AWS_ENDPOINT_URL_QLDB_SESSION` |
| `QuickSight` | `quicksight` | `AWS_ENDPOINT_URL_QUICKSIGHT` |
| `RAM` | `ram` | `AWS_ENDPOINT_URL_RAM` |
| `rbin` | `rbin` | `AWS_ENDPOINT_URL_RBIN` |
| `RDS` | `rds` | `AWS_ENDPOINT_URL_RDS` |
| `RDS Data` | `rds_data` | `AWS_ENDPOINT_URL_RDS_DATA` |
| `Redshift` | `redshift` | `AWS_ENDPOINT_URL_REDSHIFT` |
| `Redshift Data` | `redshift_data` | `AWS_ENDPOINT_URL_REDSHIFT_DATA` |
| `Redshift Serverless` | `redshift_serverless` | `AWS_ENDPOINT_URL_REDSHIFT_SERVERLESS` |
| `Rekognition` | `rekognition` | `AWS_ENDPOINT_URL_REKOGNITION` |
| `repostspace` | `repostspace` | `AWS_ENDPOINT_URL_REPOSTSPACE` |
| `resiliencehub` | `resiliencehub` | `AWS_ENDPOINT_URL_RESILIENCEHUB` |
| `Resource Explorer 2` | `resource_explorer_2` | `AWS_ENDPOINT_URL_RESOURCE_EXPLORER_2` |
| `Resource Groups` | `resource_groups` | `AWS_ENDPOINT_URL_RESOURCE_GROUPS` |
| `Resource Groups Tagging API` | `resource_groups_tagging_api` | `AWS_ENDPOINT_URL_RESOURCE_GROUPS_TAGGING_API` |
| `RoboMaker` | `robomaker` | `AWS_ENDPOINT_URL_ROBOMAKER` |
| `RolesAnywhere` | `rolesanywhere` | `AWS_ENDPOINT_URL_ROLESANYWHERE` |
| `Route 53` | `route_53` | `AWS_ENDPOINT_URL_ROUTE_53` |
| `Route53 Recovery Cluster` | `route53_recovery_cluster` | `AWS_ENDPOINT_URL_ROUTE53_RECOVERY_CLUSTER` |
| `Route53 Recovery Control Config` | `route53_recovery_control_config` | `AWS_ENDPOINT_URL_ROUTE53_RECOVERY_CONTROL_CONFIG` |
| `Route53 Recovery Readiness` | `route53_recovery_readiness` | `AWS_ENDPOINT_URL_ROUTE53_RECOVERY_READINESS` |
| `Route 53 Domains` | `route_53_domains` | `AWS_ENDPOINT_URL_ROUTE_53_DOMAINS` |
| `Route53Resolver` | `route53resolver` | `AWS_ENDPOINT_URL_ROUTE53RESOLVER` |
| `RUM` | `rum` | `AWS_ENDPOINT_URL_RUM` |
| `S3` | `s3` | `AWS_ENDPOINT_URL_S3` |
| `S3 Control` | `s3_control` | `AWS_ENDPOINT_URL_S3_CONTROL` |
| `S3Outposts` | `s3outposts` | `AWS_ENDPOINT_URL_S3OUTPOSTS` |
| `SageMaker` | `sagemaker` | `AWS_ENDPOINT_URL_SAGEMAKER` |
| `SageMaker A2I Runtime` | `sagemaker_a2i_runtime` | `AWS_ENDPOINT_URL_SAGEMAKER_A2I_RUNTIME` |
| `Sagemaker Edge` | `sagemaker_edge` | `AWS_ENDPOINT_URL_SAGEMAKER_EDGE` |
| `SageMaker FeatureStore Runtime` | `sagemaker_featurestore_runtime` | `AWS_ENDPOINT_URL_SAGEMAKER_FEATURESTORE_RUNTIME` |
| `SageMaker Geospatial` | `sagemaker_geospatial` | `AWS_ENDPOINT_URL_SAGEMAKER_GEOSPATIAL` |
| `SageMaker Metrics` | `sagemaker_metrics` | `AWS_ENDPOINT_URL_SAGEMAKER_METRICS` |
| `SageMaker Runtime` | `sagemaker_runtime` | `AWS_ENDPOINT_URL_SAGEMAKER_RUNTIME` |
| `savingsplans` | `savingsplans` | `AWS_ENDPOINT_URL_SAVINGSPLANS` |
| `Scheduler` | `scheduler` | `AWS_ENDPOINT_URL_SCHEDULER` |
| `schemas` | `schemas` | `AWS_ENDPOINT_URL_SCHEMAS` |
| `SimpleDB` | `simpledb` | `AWS_ENDPOINT_URL_SIMPLEDB` |
| `Secrets Manager` | `secrets_manager` | `AWS_ENDPOINT_URL_SECRETS_MANAGER` |
| `SecurityHub` | `securityhub` | `AWS_ENDPOINT_URL_SECURITYHUB` |
| `SecurityLake` | `securitylake` | `AWS_ENDPOINT_URL_SECURITYLAKE` |
| `ServerlessApplicationRepository` | `serverlessapplicationrepository` | `AWS_ENDPOINT_URL_SERVERLESSAPPLICATIONREPOSITORY` |
| `Service Quotas` | `service_quotas` | `AWS_ENDPOINT_URL_SERVICE_QUOTAS` |
| `Service Catalog` | `service_catalog` | `AWS_ENDPOINT_URL_SERVICE_CATALOG` |
| `Service Catalog AppRegistry` | `service_catalog_appregistry` | `AWS_ENDPOINT_URL_SERVICE_CATALOG_APPREGISTRY` |
| `ServiceDiscovery` | `servicediscovery` | `AWS_ENDPOINT_URL_SERVICEDISCOVERY` |
| `SES` | `ses` | `AWS_ENDPOINT_URL_SES` |
| `SESv2` | `sesv2` | `AWS_ENDPOINT_URL_SESV2` |
| `Shield` | `shield` | `AWS_ENDPOINT_URL_SHIELD` |
| `signer` | `signer` | `AWS_ENDPOINT_URL_SIGNER` |
| `SimSpaceWeaver` | `simspaceweaver` | `AWS_ENDPOINT_URL_SIMSPACEWEAVER` |
| `SMS` | `sms` | `AWS_ENDPOINT_URL_SMS` |
| `Snow Device Management` | `snow_device_management` | `AWS_ENDPOINT_URL_SNOW_DEVICE_MANAGEMENT` |
| `Snowball` | `snowball` | `AWS_ENDPOINT_URL_SNOWBALL` |
| `SNS` | `sns` | `AWS_ENDPOINT_URL_SNS` |
| `SQS` | `sqs` | `AWS_ENDPOINT_URL_SQS` |
| `SSM` | `ssm` | `AWS_ENDPOINT_URL_SSM` |
| `SSM Contacts` | `ssm_contacts` | `AWS_ENDPOINT_URL_SSM_CONTACTS` |
| `SSM Incidents` | `ssm_incidents` | `AWS_ENDPOINT_URL_SSM_INCIDENTS` |
| `Ssm Sap` | `ssm_sap` | `AWS_ENDPOINT_URL_SSM_SAP` |
| `SSO` | `sso` | `AWS_ENDPOINT_URL_SSO` |
| `SSO Admin` | `sso_admin` | `AWS_ENDPOINT_URL_SSO_ADMIN` |
| `SSO OIDC` | `sso_oidc` | `AWS_ENDPOINT_URL_SSO_OIDC` |
| `SFN` | `sfn` | `AWS_ENDPOINT_URL_SFN` |
| `Storage Gateway` | `storage_gateway` | `AWS_ENDPOINT_URL_STORAGE_GATEWAY` |
| `STS` | `sts` | `AWS_ENDPOINT_URL_STS` |
| `SupplyChain` | `supplychain` | `AWS_ENDPOINT_URL_SUPPLYCHAIN` |
| `Support` | `support` | `AWS_ENDPOINT_URL_SUPPORT` |
| `Support App` | `support_app` | `AWS_ENDPOINT_URL_SUPPORT_APP` |
| `SWF` | `swf` | `AWS_ENDPOINT_URL_SWF` |
| `synthetics` | `synthetics` | `AWS_ENDPOINT_URL_SYNTHETICS` |
| `Textract` | `textract` | `AWS_ENDPOINT_URL_TEXTRACT` |
| `Timestream InfluxDB` | `timestream_influxdb` | `AWS_ENDPOINT_URL_TIMESTREAM_INFLUXDB` |
| `Timestream Query` | `timestream_query` | `AWS_ENDPOINT_URL_TIMESTREAM_QUERY` |
| `Timestream Write` | `timestream_write` | `AWS_ENDPOINT_URL_TIMESTREAM_WRITE` |
| `tnb` | `tnb` | `AWS_ENDPOINT_URL_TNB` |
| `Transcribe` | `transcribe` | `AWS_ENDPOINT_URL_TRANSCRIBE` |
| `Transfer` | `transfer` | `AWS_ENDPOINT_URL_TRANSFER` |
| `Translate` | `translate` | `AWS_ENDPOINT_URL_TRANSLATE` |
| `TrustedAdvisor` | `trustedadvisor` | `AWS_ENDPOINT_URL_TRUSTEDADVISOR` |
| `VerifiedPermissions` | `verifiedpermissions` | `AWS_ENDPOINT_URL_VERIFIEDPERMISSIONS` |
| `Voice ID` | `voice_id` | `AWS_ENDPOINT_URL_VOICE_ID` |
| `VPC Lattice` | `vpc_lattice` | `AWS_ENDPOINT_URL_VPC_LATTICE` |
| `WAF` | `waf` | `AWS_ENDPOINT_URL_WAF` |
| `WAF Regional` | `waf_regional` | `AWS_ENDPOINT_URL_WAF_REGIONAL` |
| `WAFV2` | `wafv2` | `AWS_ENDPOINT_URL_WAFV2` |
| `WellArchitected` | `wellarchitected` | `AWS_ENDPOINT_URL_WELLARCHITECTED` |
| `Wisdom` | `wisdom` | `AWS_ENDPOINT_URL_WISDOM` |
| `WorkDocs` | `workdocs` | `AWS_ENDPOINT_URL_WORKDOCS` |
| `WorkLink` | `worklink` | `AWS_ENDPOINT_URL_WORKLINK` |
| `WorkMail` | `workmail` | `AWS_ENDPOINT_URL_WORKMAIL` |
| `WorkMailMessageFlow` | `workmailmessageflow` | `AWS_ENDPOINT_URL_WORKMAILMESSAGEFLOW` |
| `WorkSpaces` | `workspaces` | `AWS_ENDPOINT_URL_WORKSPACES` |
| `WorkSpaces Thin Client` | `workspaces_thin_client` | `AWS_ENDPOINT_URL_WORKSPACES_THIN_CLIENT` |
| `WorkSpaces Web` | `workspaces_web` | `AWS_ENDPOINT_URL_WORKSPACES_WEB` |
| `XRay` | `xray` | `AWS_ENDPOINT_URL_XRAY` |

## Account-based endpoints

Account-based endpoints can be specified in the following ways:

- Environment variables
  - [`AWS_ACCOUNT_ID`](./cli-configure-envvars.html#envvars-list-AWS_ACCOUNT_ID) - Specifies the AWS account-based endpoint ID to use for calls to supported AWS services.
  - [`AWS_ACCOUNT_ID_ENDPOINT_MODE`](./cli-configure-envvars.html#envvars-list-AWS_ACCOUNT_ID_ENDPOINT_MODE) - Specifies whether to use AWS account-based endpoint IDs for calls to supported AWS services. Can be set to `preferred`, `disabled`, or `required`. Default value is `preferred`.
- The `config` file:
  - [`aws_account_id`](./cli-configure-files.html#cli-config-aws_account_id) - Specifies the AWS account-based endpoint ID to use for calls to supported AWS services.

    `aws_account_id = <account-id>`
  - [`account_id_endpoint_mode`](./cli-configure-files.html#cli-config-account_id_endpoint_mode) - Specifies whether to use AWS account-based endpoint IDs for calls to supported AWS services. Can be set to `preferred`, `disabled`, or `required`. Default value is `preferred`.

    `account_id_endpoint_mode = preferred`

Account-based endpoints help ensure high performance and scalability by using your AWS account ID to streamline the routing of AWS service requests for services that support this feature. When you use a credential provider and a service that supports account-based endpoints, the AWS CLI automatically constructs and uses an account-based endpoint instead of a regional endpoint.

Account-based endpoints use the following format, where `<account-id>` is replaced with your AWS account ID and `<region>` is replaced with your AWS Region:

`https://<account-id>.myservice.<region>.amazonaws.com`

By default in the AWS CLI, the account-based endpoint mode is set to `preferred`.
## Endpoint configuration and settings precedence

Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI endpoint configuration settings take precedence in the following order:

- The [`--endpoint-url`](./cli-configure-options.html#cli-configure-options-endpoint-url) command line option.
- If enabled, the [`AWS_IGNORE_CONFIGURED_ENDPOINT_URLS`](./cli-configure-envvars.html#envvars-list-AWS_IGNORE_CONFIGURED_URLS) global endpoint environment variable or profile setting [`ignore_configured_endpoint_urls`](./cli-configure-files.html#cli-config-ignore_configure_endpoint_urls) to ignore custom endpoints.
- The value provided by a service-specific environment variable [`AWS_ENDPOINT_URL_<SERVICE>`](./cli-configure-envvars.html#envvars-list-AWS_ENDPOINT_URL_SERVICE), such as `AWS_ENDPOINT_URL_DYNAMODB`.
- The values provided by the [`AWS_USE_DUALSTACK_ENDPOINT`](./cli-configure-envvars.html#envvars-list-AWS_USE_DUALSTACK_ENDPOINT), [`AWS_USE_FIPS_ENDPOINT`](./cli-configure-envvars.html#envvars-list-AWS_USE_FIPS_ENDPOINT), and [`AWS_ENDPOINT_URL`](./cli-configure-envvars.html#envvars-list-AWS_ENDPOINT_URL) environment variables.
- The [`AWS_ACCOUNT_ID_ENDPOINT_MODE`](./cli-configure-envvars.html#envvars-list-AWS_ACCOUNT_ID_ENDPOINT_MODE) environment variable is set to `preferred` or `required` using the Account ID in the [`AWS_ACCOUNT_ID`](./cli-configure-envvars.html#envvars-list-AWS_ACCOUNT_ID) environment variable or [`aws_account_id`](./cli-configure-files.html#cli-config-aws_account_id) setting.
- The service-specific endpoint value provided by the [`endpoint_url`](./cli-configure-files.html#cli-config-endpoint_url) setting within a `services` section of the shared `config` file.
- The value provided by the [`endpoint_url`](./cli-configure-files.html#cli-config-endpoint_url) setting within a `profile` of the shared `config` file.
- [`use_dualstack_endpoint`](./cli-configure-files.html#cli-config-use_dualstack_endpoint), [`use_fips_endpoint`](./cli-configure-files.html#cli-config-use_fips_endpoint), and [`endpoint_url`](./cli-configure-files.html#cli-config-endpoint_url) settings.
- The [`account_id_endpoint_mode`](./cli-configure-files.html#cli-config-account_id_endpoint_mode) setting is set to `preferred` or `required` using the Account ID in the [`AWS_ACCOUNT_ID`](./cli-configure-envvars.html#envvars-list-AWS_ACCOUNT_ID) environment variable or [`aws_account_id`](./cli-configure-files.html#cli-config-aws_account_id) setting.
- Any default endpoint URL for the respective AWS service is used last. For a list of the standard service endpoints available in each Region, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*.

---

# Environment Variables

> Environment variables provide another way to specify configuration options and credentials, and can be useful for scripting or temporarily setting a named profile as the default.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

---

# Configuring environment variables for the AWS CLI

Environment variables provide another way to specify configuration options and credentials, and can be useful for scripting.
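Because an endpoint override decides which host receives the CLI's signed requests, it helps to be able to audit which setting wins on a given machine. The script below is an added example, not AWS code: it walks the URL-valued steps of the endpoint precedence list (command line option, the ignore flag, `AWS_ENDPOINT_URL_<SERVICE>`, `AWS_ENDPOINT_URL`, the `services` section, the profile `endpoint_url`) over a constructed sample `config` file. The function names `cfg`, `resolve_endpoint` and `endpoint_risk`, and the `aws`/`loopback`/`review` labels, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not AWS code. Models the URL-valued steps of the precedence
# list; dual-stack, FIPS and account-ID endpoint modes are not modelled.

# cfg FILE SECTION PARENT KEY -> value of KEY inside [SECTION].
# PARENT="" reads a top-level key; otherwise KEY is read from the indented
# block under "PARENT =" (the nested form used in a services section).
cfg() {
  awk -v sec="[$2]" -v parent="$3" -v key="$4" '
    /^\[/ { in_sec = ($0 == sec); cur = ""; next }
    !in_sec || /^[ \t]*(#|$)/ { next }
    {
      nested = ($0 ~ /^[ \t]/)
      line = $0; sub(/^[ \t]+/, "", line)
      k = line; sub(/[ \t]*=.*/, "", k)
      v = line; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
      if (!nested) cur = k
      if (k == key && ((nested && cur == parent) || (!nested && parent == ""))) {
        print v; exit
      }
    }' "$1"
}

# resolve_endpoint SERVICE PROFILE CONFIG_FILE [CLI_ENDPOINT_URL]
# Prints "<winning source> <url>", or "default -" when no override applies.
resolve_endpoint() (
  svc=$1; file=$3; cli=${4:-}
  psec="profile $2"; [ "$2" = default ] && psec=default
  env_name="AWS_ENDPOINT_URL_$(printf '%s' "$svc" | tr '[:lower:]' '[:upper:]')"
  svc_env=$(printenv "$env_name" || true)
  # The environment variable overrides the profile setting of the same name.
  ignore=${AWS_IGNORE_CONFIGURED_ENDPOINT_URLS:-$(cfg "$file" "$psec" "" ignore_configured_endpoint_urls)}
  svc_sec=$(cfg "$file" "$psec" "" services)
  svc_cfg=""
  [ -n "$svc_sec" ] && svc_cfg=$(cfg "$file" "services $svc_sec" "$svc" endpoint_url)
  prof_cfg=$(cfg "$file" "$psec" "" endpoint_url)

  if   [ -n "$cli" ];                  then printf '%s\n' "--endpoint-url $cli"
  elif [ "$ignore" = true ];           then printf '%s\n' "default -"
  elif [ -n "$svc_env" ];              then printf '%s\n' "$env_name $svc_env"
  elif [ -n "${AWS_ENDPOINT_URL:-}" ]; then printf '%s\n' "AWS_ENDPOINT_URL $AWS_ENDPOINT_URL"
  elif [ -n "$svc_cfg" ];              then printf '%s\n' "services:$svc_sec $svc_cfg"
  elif [ -n "$prof_cfg" ];             then printf '%s\n' "profile:$2 $prof_cfg"
  else                                      printf '%s\n' "default -"
  fi
)

# endpoint_risk URL -> aws | loopback | review
# Classifies on the parsed host, so a path, fragment or userinfo that merely
# contains "amazonaws.com" is not mistaken for an AWS endpoint.
endpoint_risk() (
  scheme=${1%%://*}
  host=${1#*://}; host=${host%%[/?#]*}; host=${host##*@}; host=${host%%:*}
  case $host in
    localhost|127.0.0.1) echo loopback ;;
    *.amazonaws.com) if [ "$scheme" = https ]; then echo aws; else echo review; fi ;;
    *) echo review ;;
  esac
)

# Constructed sample input, modelled on the services-section example.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
[profile dev1]
endpoint_url = http://localhost:1234
services = testing-s3

[services testing-s3]
s3 =
  endpoint_url = http://localhost:4567
EOF

for svc in s3 dynamodb; do
  r=$(resolve_endpoint "$svc" dev1 "$SAMPLE_CONFIG")
  echo "$svc -> ${r#* } (source ${r%% *}, risk $(endpoint_risk "${r#* }"))"
done
```

Anything reported as `review` is an override that sends requests to a non-loopback host outside `amazonaws.com`, or to an AWS host over plain HTTP.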
###### Precedence of options

- If you specify an option by using one of the environment variables described in this topic, it overrides any value loaded from a profile in the configuration file.
- If you specify an option by using a parameter on the AWS CLI command line, it overrides any value from either the corresponding environment variable or a profile in the configuration file.

For more information about precedence and how the AWS CLI determines which credentials to use, see [Configuring settings for the AWS CLI](./cli-chap-configure.html).

###### Topics

- [How to set environment variables](#envvars-set)
- [AWS CLI supported environment variables](#envvars-list)

## How to set environment variables

The following examples show how you can configure environment variables for the default user.

## AWS CLI supported environment variables

The AWS CLI supports the following environment variables.

**`AWS_ACCESS_KEY_ID`**

Specifies an AWS access key associated with an IAM account.

If defined, this environment variable overrides the value for the profile setting `aws_access_key_id`. You can't specify the access key ID by using a command line option.

**`AWS_ACCOUNT_ID`**

Specifies the AWS account-based endpoint ID to use for calls to supported AWS services. For more information on account-based endpoints, see [Account-based endpoints](./cli-configure-endpoints.html#endpoints-accountid).

This setting overrides the [`aws_account_id`](./cli-configure-files.html#cli-config-aws_account_id) setting. The [`AWS_ACCOUNT_ID_ENDPOINT_MODE`](#envvars-list-AWS_ACCOUNT_ID_ENDPOINT_MODE) environment variable or [`account_id_endpoint_mode`](./cli-configure-files.html#cli-config-account_id_endpoint_mode) setting must be set to `preferred` or `required` to use this setting.
###### Endpoint precedence

Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](./cli-configure-endpoints.html#endpoints-precedence).

**`AWS_ACCOUNT_ID_ENDPOINT_MODE`**

Specifies whether to use AWS account-based endpoint IDs for calls to supported AWS services. For more information on account-based endpoints, see [Account-based endpoints](./cli-configure-endpoints.html#endpoints-accountid). This setting can be set to the following:

- **(default)** **`preferred`** – The endpoint should include account ID if available.
- **`disabled`** – A resolved endpoint doesn't include account ID.
- **`required`** – The endpoint must include account ID. If the account ID isn't available, the SDK throws an error.

This setting overrides the [`account_id_endpoint_mode`](./cli-configure-files.html#cli-config-account_id_endpoint_mode) setting. To use account-based endpoints, the ID must be set in the [`AWS_ACCOUNT_ID`](#envvars-list-AWS_ACCOUNT_ID) environment variable or [`aws_account_id`](./cli-configure-files.html#cli-config-aws_account_id) setting.
**`AWS_CA_BUNDLE`**

Specifies the path to a certificate bundle to use for HTTPS certificate validation. If defined, this environment variable overrides the value for the profile setting [`ca_bundle`](./cli-configure-files.html#cli-config-ca_bundle). You can override this environment variable by using the [`--ca-bundle`](./cli-configure-options.html#cli-configure-options-ca-bundle) command line parameter.

**`AWS_CLI_AUTO_PROMPT`**

Enables the auto-prompt for the AWS CLI version 2. There are two settings that can be used:

- **`on`** uses the full auto-prompt mode each time you attempt to run an `aws` command. This includes pressing **ENTER** after either a complete or an incomplete command.
- **`on-partial`** uses partial auto-prompt mode. If a command is incomplete or cannot be run due to client-side validation errors, auto-prompt is used. This mode is useful if you have pre-existing scripts or runbooks, or if you only want to be auto-prompted for commands you are unfamiliar with rather than prompted on every command.

If defined, this environment variable overrides the value for the [`cli_auto_prompt`](./cli-configure-files.html#cli-config-cli_auto_prompt) profile setting. You can override this environment variable by using the [`--cli-auto-prompt`](./cli-configure-options.html#cli-configure-options-cli-auto-prompt) and [`--no-cli-auto-prompt`](./cli-configure-options.html#cli-configure-options-no-cli-auto-prompt) command line parameters. For information on the AWS CLI version 2 auto-prompt feature, see [Enabling and using command prompts in the AWS CLI](./cli-usage-parameters-prompting.html).

**`AWS_CLI_FILE_ENCODING`**

Specifies the encoding used for text files. By default encoding matches your locale. To set encoding different from the locale, use the `AWS_CLI_FILE_ENCODING` environment variable.
For example, if you use Windows with default encoding `CP1252`, setting `aws_cli_file_encoding=UTF-8` sets the CLI to open text files using `UTF-8`. For a list of standard encodings, see [Standard Encodings](https://docs.python.org/3/library/codecs.html#standard-encodings) in the *Python Documentation*.

**`AWS_CLI_OUTPUT_ENCODING`**

Specifies the encoding used for the output for the AWS CLI. By default encoding matches your locale. For example, if you use Windows with default encoding `CP1252`, setting `AWS_CLI_OUTPUT_ENCODING=UTF-8` sets the CLI to open text files using `UTF-8`.

**`AWS_CLI_S3_MV_VALIDATE_SAME_S3_PATHS`**

If the source and destination buckets are the same when using the `s3 mv` command, the source file or object can be moved onto itself, which can result in accidental deletion of your source file or object. The `AWS_CLI_S3_MV_VALIDATE_SAME_S3_PATHS` environment variable and `--validate-same-s3-paths` option specify whether to validate your access point ARNs or access point aliases in your Amazon S3 source or destination URIs.

###### Note

Path validation for `s3 mv` requires additional API calls.

**`AWS_CONFIG_FILE`**

Specifies the location of the file that the AWS CLI uses to store configuration profiles. The default path is `~/.aws/config`. You can't specify this value in a named profile setting or by using a command line parameter.

**`AWS_DATA_PATH`**

A list of additional directories to check outside of the built-in search path of `~/.aws/models` when loading AWS CLI data. Setting this environment variable indicates additional directories to check first before falling back to the built-in search path. Multiple entries should be separated with the `os.pathsep` character, which is `:` on Linux or macOS and `;` on Windows.

**`AWS_DEFAULT_OUTPUT`**

Specifies the [output format](./cli-usage-output.html) to use. If defined, this environment variable overrides the value for the profile setting `output`.
You can override this environment variable by using the `--output` command line parameter.

**`AWS_DEFAULT_REGION`**

The `Default region name` identifies the AWS Region whose servers you want to send your requests to by default. This is typically the Region closest to you, but it can be any Region. For example, you can type `us-west-2` to use US West (Oregon). This is the Region that all later requests are sent to, unless you specify otherwise in an individual command.

This setting is for the AWS CLI only, and is kept for backwards compatibility. It is suggested to use the AWS SDK compatible [AWS_REGION](#envvars-list-AWS_REGION) environment variable instead.

###### Note

You must specify an AWS Region when using the AWS CLI, either explicitly or by setting a default Region. For a list of the available Regions, see [Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html). The Region designators used by the AWS CLI are the same names that you see in AWS Management Console URLs and service endpoints.

If defined, this environment variable overrides the value for the profile setting `region`. You can override this environment variable by using the `--region` command line parameter and the AWS SDK compatible `AWS_REGION` environment variable.

**`AWS_EC2_METADATA_DISABLED`**

Disables the use of the Amazon EC2 instance metadata service (IMDS). If set to true, user credentials or configuration (like the Region) are not requested from IMDS.

**`AWS_ENDPOINT_URL`**

Specifies the endpoint that is used for all service requests. For more information, see [Set global endpoint for all AWS services](./cli-configure-endpoints.html#endpoints-global).

###### Endpoint precedence

Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter.
The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](./cli-configure-endpoints.html#endpoints-precedence).

**`AWS_ENDPOINT_URL_<SERVICE>`**

Specifies a custom endpoint that is used for a specific service, where `<SERVICE>` is replaced with the AWS service identifier. For example, Amazon DynamoDB has a `serviceId` of [`DynamoDB`](https://github.com/boto/botocore/blob/bcaf618c4b93c067efa0b85d3e92f3985ff60906/botocore/data/dynamodb/2012-08-10/service-2.json#L10). For this service, the endpoint URL environment variable is `AWS_ENDPOINT_URL_DYNAMODB`.

For a list of all service-specific environment variables, see [List of service-specific identifiers](./cli-configure-endpoints.html#endpoints-service-specific-table).

**`AWS_IGNORE_CONFIGURED_ENDPOINT_URLS`**

If enabled, the AWS CLI ignores all custom endpoint configurations. Valid values are `true` and `false`. For more information, see [Set global endpoint for all AWS services](./cli-configure-endpoints.html#endpoints-global).

Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. For endpoint precedence, see [Endpoint configuration and settings precedence](./cli-configure-endpoints.html#endpoints-precedence).
**[AWS_MAX_ATTEMPTS](./cli-configure-files.html#cli-config-max_attempts)**

Specifies a value of maximum retry attempts the AWS CLI retry handler uses, where the initial call counts toward the value that you provide. For more information on retries, see [AWS CLI retries in the AWS CLI](./cli-configure-retries.html). If defined, this environment variable overrides the value for the profile setting `max_attempts`.

**`AWS_METADATA_SERVICE_NUM_ATTEMPTS`**

When attempting to retrieve credentials on an Amazon EC2 instance that has been configured with an IAM role, the AWS CLI attempts to retrieve credentials once from the instance metadata service before stopping. If you know your commands will run on an Amazon EC2 instance, you can increase this value to make AWS CLI retry multiple times before giving up.

**`AWS_METADATA_SERVICE_TIMEOUT`**

The number of seconds before a connection to the instance metadata service should time out. When attempting to retrieve credentials on an Amazon EC2 instance that is configured with an IAM role, a connection to the instance metadata service times out after 1 second by default. If you know you're running on an Amazon EC2 instance with an IAM role configured, you can increase this value if needed.

**[AWS_PAGER](./cli-configure-files.html#cli-config-cli_pager)**

Specifies the pager program used for output. By default, AWS CLI version 2 returns all output through your operating system’s default pager program.
To disable all use of an external paging program, set the variable to an empty string. If defined, this environment variable overrides the value for the profile setting `cli_pager`.

**[AWS_PROFILE](./cli-configure-files.html#cli-configure-files-using-profiles)**

Specifies the name of the AWS CLI profile with the credentials and options to use. This can be the name of a profile stored in a `credentials` or `config` file, or the value `default` to use the default profile.

If defined, this environment variable overrides the behavior of using the profile named `[default]` in the configuration file. You can override this environment variable by using the `--profile` command line parameter.

**`AWS_REGION`**

The AWS SDK compatible environment variable that specifies the AWS Region to send the request to. If defined, this environment variable overrides the values in the environment variable `AWS_DEFAULT_REGION` and the profile setting `region`. You can override this environment variable by using the `--region` command line parameter.

**`AWS_REQUEST_CHECKSUM_CALCULATION`**

Specifies when a checksum is calculated for request payloads, and has the following options:

- `when_supported` – **(Default)** The request payload checksum is calculated when an operation either specifies a checksum algorithm in its service model or requires request checksums.
- `when_required` – The request payload checksum is calculated when an operation requires request checksums or when a user provides a `requestAlgorithmMember` that is modeled by the AWS service.

If defined, this environment variable overrides the value for the profile setting [request_checksum_calculation](./cli-configure-files.html#cli-config-request_checksum_calculation).
**`AWS_RESPONSE_CHECKSUM_VALIDATION`**

Specifies when checksum validation is performed for response payloads, and has the following options:

- `when_supported` – **(Default)** The response payload checksum validation is performed when an operation specifies a response algorithm in its service model that the AWS CLI supports.
- `when_required` – The response payload checksum validation is performed when an operation specifies a response algorithm in its service model that the AWS CLI supports, and you set the modeled `requestValidationModeMember` to `ENABLED` in the operation input.

If defined, this environment variable overrides the value for the profile setting [response_checksum_validation](./cli-configure-files.html#cli-config-response_checksum_validation).

**[AWS_RETRY_MODE](./cli-configure-files.html#cli-config-retry_mode)**

Specifies which retry mode AWS CLI uses. There are three retry modes available: `standard` (default), `legacy`, and `adaptive`. For more information on retries, see [AWS CLI retries in the AWS CLI](./cli-configure-retries.html). If defined, this environment variable overrides the value for the profile setting `retry_mode`.

**`AWS_ROLE_ARN`**

Specifies the Amazon Resource Name (ARN) of an IAM role with a web identity provider that you want to use to run the AWS CLI commands. Used with the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_SESSION_NAME` environment variables.

If defined, this environment variable overrides the value for the profile setting [role_arn](./cli-configure-files.html#cli-config-role_arn). You can't specify a role session name as a command line parameter.

###### Note

This environment variable only applies to an assumed role with web identity provider; it does not apply to the general assume role provider configuration.

For more information on using web identities, see [Assume role with web identity](./cli-configure-role.html#cli-configure-role-oidc).
**`AWS_ROLE_SESSION_NAME`**

Specifies the name to attach to the role session. This value is provided to the `RoleSessionName` parameter when the AWS CLI calls the `AssumeRole` operation, and becomes part of the assumed role user ARN: `arn:aws:sts::123456789012:assumed-role/role_name/role_session_name`. This is an optional parameter. If you do not provide this value, a session name is generated automatically. This name appears in AWS CloudTrail logs for entries associated with this session.

If defined, this environment variable overrides the value for the profile setting [role_session_name](./cli-configure-files.html#cli-config-role_session_name). Used with the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` environment variables.

For more information on using web identities, see [Assume role with web identity](./cli-configure-role.html#cli-configure-role-oidc).

###### Note

This environment variable only applies to an assumed role with web identity provider; it does not apply to the general assume role provider configuration.

**`AWS_SDK_UA_APP_ID`**

A single AWS account can be used by multiple customer applications to make calls to AWS services. Application ID identifies which source application made a set of calls using an AWS service. AWS SDKs and services don't use or interpret this value other than to surface it back in customer communications. For example, this value can be included in operational emails to uniquely identify which of your applications is associated with the notification.

By default, there is no value. The Application ID is a string with maximum length of 50 characters. Letters, numbers and the following special characters are allowed: ``! $ % & * + - . , ^ _ ` | ~``

If defined, this environment variable overrides the value for the profile setting [sdk_ua_app_id](./cli-configure-files.html#cli-config-sdk_ua_app_id). You can't specify Application ID as a command line option.
**`AWS_SECRET_ACCESS_KEY`**

Specifies the secret key associated with the access key. This is essentially the "password" for the access key. If defined, this environment variable overrides the value for the profile setting `aws_secret_access_key`. You can't specify the secret access key ID as a command line option.

**`AWS_SESSION_TOKEN`**

Specifies the session token value that is required if you are using temporary security credentials that you retrieved directly from AWS STS operations. For more information, see the [Output section of the assume-role command](https://docs.aws.amazon.com/cli/v1/reference/sts/assume-role.html#output) in the *AWS CLI Command Reference*. If defined, this environment variable overrides the value for the profile setting `aws_session_token`.

**`AWS_SHARED_CREDENTIALS_FILE`**

Specifies the location of the file that the AWS CLI uses to store access keys. The default path is `~/.aws/credentials`. You can't specify this value in a named profile setting or by using a command line parameter.

**`AWS_SIGV4A_SIGNING_REGION_SET`**

Specifies the regions to use when signing with SigV4a using a comma-delimited list. If this variable is not set, the AWS CLI uses the default used by the AWS service. If the AWS service has no default, the request signature becomes valid in all regions using a value of `*`. For more information on SigV4a, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

If defined, this environment variable overrides the value for the profile setting [sigv4a_signing_region_set](./cli-configure-files.html#cli-config-sigv4a_signing_region_set).

**`AWS_USE_DUALSTACK_ENDPOINT`**

Enables the use of dual-stack endpoints to send AWS requests.
To learn more about dual-stack endpoints, which support both IPv4 and IPv6 traffic, see [Using Amazon S3 dual-stack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) in the *Amazon Simple Storage Service User Guide*. Dual-stack endpoints are available for some services in some regions. If a dual-stack endpoint does not exist for the service or AWS Region, the request fails. This is disabled by default. For more information, see [Set to use dual-stack endpoints for all AWS services](./cli-configure-endpoints.html#endpoints-dual-stack).

**`AWS_USE_FIPS_ENDPOINT`**

Some AWS services offer endpoints that support [Federal Information Processing Standard (FIPS) 140-2](http://aws.amazon.com/compliance/fips/) in some AWS Regions. When the AWS service supports FIPS, this setting specifies what FIPS endpoint the AWS CLI should use. Unlike standard AWS endpoints, FIPS endpoints use a TLS software library that complies with FIPS 140-2. These endpoints might be required by enterprises that interact with the United States government. For more information, see [Set to use FIPs endpoints for all AWS services](./cli-configure-endpoints.html#endpoints-fips).

If this setting is enabled, but a FIPS endpoint does not exist for the service in your AWS Region, the AWS command may fail.
In this case, manually specify the endpoint to use in the command using the [`--endpoint-url`](./cli-configure-options.html#cli-configure-options-endpoint-url) option or use [service-specific endpoints](./cli-configure-endpoints.html#endpoints-service-specific).

**[AWS_WEB_IDENTITY_TOKEN_FILE](./cli-configure-envvars.html)**

Specifies the path to a file that contains an OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. The AWS CLI loads the contents of this file and passes it as the `WebIdentityToken` argument to the `AssumeRoleWithWebIdentity` operation. Used with the `AWS_ROLE_ARN` and `AWS_ROLE_SESSION_NAME` environment variables.

If defined, this environment variable overrides the value for the profile setting `web_identity_token_file`.

For more information on using web identities, see [Assume role with web identity](./cli-configure-role.html#cli-configure-role-oidc).

###### Note

This environment variable only applies to an assumed role with web identity provider; it does not apply to the general assume role provider configuration.
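The Region precedence described above (`--region`, then `AWS_REGION`, then `AWS_DEFAULT_REGION`, then the profile's `region`, with the profile chosen by `--profile`, then `AWS_PROFILE`, then `default`) can be modelled to show which source decides the Region in a given shell or CI job. This is an added example, not code from the AWS CLI: `ini_get`, `resolve_profile`, `resolve_region` and `write_sample_config` are hypothetical helper names, the config contents are constructed, and treating an empty variable as unset is an assumption.

```shell
#!/usr/bin/env bash
# Added example: models the documented precedence rules; it never calls the AWS CLI.
# All function names are hypothetical helpers for this illustration.

# ini_get FILE SECTION KEY: print KEY from [SECTION]; print nothing if absent.
ini_get() {
  [ -r "$1" ] || return 0
  awk -v want="[$2]" -v key="$3" '
    { sub(/[ \t\r]+$/, "") }                     # drop trailing whitespace
    /^[ \t]*#/ { next }                          # comment line
    /^\[/      { insec = ($0 == want); next }    # section header
    insec && /^[^ \t]/ && index($0, "=") > 0 {   # top-level "name = value" only
      k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
      v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# resolve_profile [CLI_PROFILE]: prints "<profile><TAB><source>".
resolve_profile() {
  if [ -n "${1:-}" ]; then
    printf '%s\t%s\n' "$1" "--profile"
  elif [ -n "${AWS_PROFILE:-}" ]; then
    printf '%s\t%s\n' "$AWS_PROFILE" "AWS_PROFILE"
  else
    printf '%s\t%s\n' "default" "default profile"
  fi
}

# resolve_region [CLI_REGION] [CLI_PROFILE]: prints "<region><TAB><source>".
# Returns 1 when no source supplies a Region (the CLI requires one).
resolve_region() {
  cli_region=${1:-}
  cli_profile=${2:-}
  if [ -n "$cli_region" ]; then
    printf '%s\t%s\n' "$cli_region" "--region"; return 0
  fi
  if [ -n "${AWS_REGION:-}" ]; then
    printf '%s\t%s\n' "$AWS_REGION" "AWS_REGION"; return 0
  fi
  if [ -n "${AWS_DEFAULT_REGION:-}" ]; then
    printf '%s\t%s\n' "$AWS_DEFAULT_REGION" "AWS_DEFAULT_REGION"; return 0
  fi
  profile=$(resolve_profile "$cli_profile" | cut -f1)
  config_file=${AWS_CONFIG_FILE:-$HOME/.aws/config}
  # In the config file every profile except default carries the "profile " prefix.
  if [ "$profile" = "default" ]; then section="default"; else section="profile $profile"; fi
  value=$(ini_get "$config_file" "$section" region)
  [ -n "$value" ] || return 1
  printf '%s\t%s\n' "$value" "region in [$section] of $config_file"
}

# Constructed sample config with two profiles.
write_sample_config() {
  cat > "$1" <<'EOF'
[default]
region = us-west-2
output = json

[profile user1]
# user1 works in a different Region
region = us-east-1
output = text
EOF
}

# Walk up the precedence ladder; runs in a subshell so the caller's
# environment is left untouched.
demo() (
  tmp=$(mktemp -d)
  write_sample_config "$tmp/config"
  export AWS_CONFIG_FILE="$tmp/config"
  unset AWS_REGION AWS_DEFAULT_REGION AWS_PROFILE
  resolve_region                  # decided by [default] in the config file
  export AWS_PROFILE=user1
  resolve_region                  # decided by [profile user1]
  export AWS_DEFAULT_REGION=eu-west-1
  resolve_region                  # the environment variable outranks the profile
  export AWS_REGION=ap-south-1
  resolve_region                  # AWS_REGION outranks AWS_DEFAULT_REGION
  resolve_region eu-central-1     # a command line value outranks everything
  rm -rf "$tmp"
)
demo
```

Printing the source next to the value makes a stray exported variable visible before it silently redirects requests away from the Region the profile names.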
---

# Configuration settings

> You can save your frequently used configuration settings and credentials in files that are divided into named profiles.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

---

# Configuration and credential file settings in the AWS CLI

You can save your frequently used configuration settings and credentials in files that are maintained by the AWS CLI.

The files are divided into `profiles`. By default, the AWS CLI uses the settings found in the profile named `default`. To use alternate settings, you can create and reference additional profiles.

You can override an individual setting by either setting one of the supported environment variables, or by using a command line parameter. For more information on configuration setting precedence, see [Configuring settings for the AWS CLI](./cli-chap-configure.html).

###### Note

For information on setting up your credentials, see [Authentication and access credentials for the AWS CLI](./cli-chap-authentication.html).

###### Topics

- [Format of the configuration and credential files](#cli-configure-files-format)
- [Where are configuration settings stored?](#cli-configure-files-where)
- [Using named profiles](#cli-configure-files-using-profiles)
- [Set and view configuration settings using commands](#cli-configure-files-methods)
- [Setting new configuration and credentials command examples](#cli-configure-files-examples)
- [Supported config file settings](#cli-configure-files-settings)

## Format of the configuration and credential files

The `config` and `credentials` files are organized into sections. Sections include *profiles*, *sso-sessions*, and *services*. A section is a named collection of settings, and continues until another section definition line is encountered. Multiple profiles and sections can be stored in the `config` and `credentials` files.
These files are plaintext files that use the following format:

- Section names are enclosed in brackets [ ] such as `[default]`, `[profile user1]`, and `[sso-session]`.
- All entries in a section take the general form of `setting_name=value`.
- Lines can be commented out by starting the line with a hash character (`#`).

###### The config and credentials files contain the following section types:

- [profile](#cli-configure-files-format-profile)
- [sso-session](#cli-configure-files-format-sso-session)
- [services](#cli-configure-files-format-services)

### Section type: `profile`

Depending on the file, profile section names use the following format:

- **Config file:** `[default]` `[profile user1]`
- **Credentials file:** `[default]` `[user1]`

Do ***not*** use the word `profile` when creating an entry in the `credentials` file.

Each profile can specify different credentials and can also specify different AWS Regions and output formats. When naming the profile in a `config` file, include the prefix word "`profile`", but do not include it in the `credentials` file.

The following examples show a `credentials` and `config` file with two profiles, region, and output specified. The first *[default]* is used when you run an AWS CLI command with no profile specified. The second is used when you run an AWS CLI command with the `--profile user1` parameter.

For more information and additional authorization and credential methods, see [Authenticating using IAM user credentials for the AWS CLI](./cli-authentication-user.html).

### Section type: `sso-session`

The `sso-session` section of the `config` file is used to group configuration variables for acquiring SSO access tokens, which can then be used to acquire AWS credentials.
The following settings are used:

- **(Required)** [`sso_start_url`](#cli-config-sso_start_url)
- **(Required)** [`sso_region`](#cli-config-sso_region)
- [`sso_account_id`](#cli-config-sso_account_id)
- [`sso_role_name`](#cli-config-sso_role_name)
- [`sso_registration_scopes`](#cli-config-sso_registration_scopes)

You define an `sso-session` section and associate it to a profile. `sso_region` and `sso_start_url` must be set within the `sso-session` section. Typically, `sso_account_id` and `sso_role_name` must be set in the `profile` section so that the SDK can request SSO credentials.

The following example configures the SDK to request SSO credentials and supports automated token refresh:

```
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
```

This also allows `sso-session` configurations to be reused across multiple profiles:

```
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[profile prod]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole2

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
```

However, `sso_account_id` and `sso_role_name` aren't required for all scenarios of SSO token configuration. If your application only uses AWS services that support bearer authentication, then traditional AWS credentials are not needed. Bearer authentication is an HTTP authentication scheme that uses security tokens called bearer tokens. In this scenario, `sso_account_id` and `sso_role_name` aren't required. See the individual guide for your AWS service to determine if it supports bearer token authorization.

Additionally, registration scopes can be configured as part of a `sso-session`. Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account.
An application can request one or more scopes, and the access token issued to the application will be limited to the scopes granted. These scopes define the permissions requested to be authorized for the registered OIDC client and access tokens retrieved by the client. The following example sets `sso_registration_scopes` to provide access for listing accounts/roles:

```
[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
```

The authentication token is cached to disk under the `~/.aws/sso/cache` directory with a filename based on the session name.

For more information on this configuration type, see [Configuring IAM Identity Center authentication with the AWS CLI](./cli-configure-sso.html).

### Section type: `services`

The `services` section is a group of settings that configures custom endpoints for AWS service requests. A profile then is linked to a `services` section.

```
[profile dev]
services = my-services
```

The `services` section is separated into subsections by `<SERVICE> = ` lines, where `<SERVICE>` is the AWS service identifier key. The AWS service identifier is based on the API model’s `serviceId` by replacing all spaces with underscores and lowercasing all letters. For a list of all service identifier keys to use in the `services` section, see [Using endpoints in the AWS CLI](./cli-configure-endpoints.html). The service identifier key is followed by nested settings with each on its own line and indented by two spaces.

The following example configures the endpoint to use for requests made to the Amazon DynamoDB service in the `my-services` section that is used in the `dev` profile. Any immediately following lines that are indented are included in that subsection and apply to that service.
```
[profile dev]
services = my-services

[services my-services]
dynamodb =
  endpoint_url = http://localhost:8000
```

For more information on service-specific endpoints, see [Using endpoints in the AWS CLI](./cli-configure-endpoints.html).

If your profile has role-based credentials configured through a `source_profile` parameter for IAM assume role functionality, the SDK only uses service configurations for the specified profile. It does not use profiles that are role chained to it. For example, using the following shared `config` file:

```
[profile A]
credential_source = Ec2InstanceMetadata
endpoint_url = https://profile-a-endpoint.aws/

[profile B]
source_profile = A
role_arn = arn:aws:iam::123456789012:role/roleB
services = profileB

[services profileB]
ec2 =
  endpoint_url = https://profile-b-ec2-endpoint.aws
```

If you use profile `B` and make a call in your code to Amazon EC2, the endpoint resolves as `https://profile-b-ec2-endpoint.aws`. If your code makes a request to any other service, the endpoint resolution will not follow any custom logic. The endpoint does not resolve to the global endpoint defined in profile `A`. For a global endpoint to take effect for profile `B`, you would need to set `endpoint_url` directly within profile `B`.

## Where are configuration settings stored?

The AWS CLI stores sensitive credential information that you specify with `aws configure` in a local file named `credentials`, in a folder named `.aws` in your home directory. The less sensitive configuration options that you specify with `aws configure` are stored in a local file named `config`, also stored in the `.aws` folder in your home directory.

###### Storing credentials in the config file

You can keep all of your profile settings in a single file as the AWS CLI can read credentials from the `config` file. If there are credentials in both files for a profile sharing the same name, the keys in the credentials file take precedence.
We suggest keeping credentials in the `credentials` files. These files are also used by the various language software development kits (SDKs). If you use one of the SDKs in addition to the AWS CLI, confirm if the credentials should be stored in their own file.

Where you find your home directory location varies based on the operating system, but is referred to using the environment variables `%UserProfile%` in Windows and `$HOME` or `~` (tilde) in Unix-based systems. You can specify a non-default location for the files by setting the `AWS_CONFIG_FILE` and `AWS_SHARED_CREDENTIALS_FILE` environment variables to another local path. See [Configuring environment variables for the AWS CLI](./cli-configure-envvars.html) for details.

When you use a shared profile that specifies an AWS Identity and Access Management (IAM) role, the AWS CLI calls the AWS STS `AssumeRole` operation to retrieve temporary credentials. These credentials are then stored (in `~/.aws/cli/cache`). Subsequent AWS CLI commands use the cached temporary credentials until they expire, and at that point the AWS CLI automatically refreshes the credentials.

## Using named profiles

If no profile is explicitly defined, the `default` profile is used.

To use a named profile, add the `--profile profile-name` option to your command. The following example lists all of your Amazon EC2 instances using the credentials and settings defined in the `user1` profile.

```
$ aws ec2 describe-instances --profile user1
```

To use a named profile for multiple commands, you can avoid specifying the profile in every command by setting the `AWS_PROFILE` environment variable as the default profile. You can override this setting by using the `--profile` parameter.

## Set and view configuration settings using commands

There are several ways to view and set your configuration settings using commands.
**[`aws configure`](https://docs.aws.amazon.com/cli/v1/reference/configure/index.html)**

Run this command to quickly set and view your credentials, Region, and output format. The following example shows sample values.

```
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
```

**[`aws configure set`](https://docs.aws.amazon.com/cli/v1/reference/configure/set.html)**

You can set any credentials or configuration settings using `aws configure set`. Specify the profile that you want to view or modify with the `--profile` setting. For example, the following command sets the `region` in the profile named `integ`.

```
$ aws configure set region us-west-2 --profile integ
```

To remove a setting, manually delete the setting in your `config` and `credentials` files in a text editor.

**[`aws configure get`](https://docs.aws.amazon.com/cli/v1/reference/configure/get.html)**

You can retrieve any credentials or configuration settings you've set using `aws configure get`. Specify the profile that you want to view or modify with the `--profile` setting. For example, the following command retrieves the `region` setting in the profile named `integ`.

```
$ aws configure get region --profile integ
us-west-2
```

If the output is empty, the setting is not explicitly set and uses the default value.

**[`aws configure import`](https://docs.aws.amazon.com/cli/latest/reference/reference/configure/import.html)**

Import `CSV` credentials generated from the IAM web console. This is not for credentials generated from IAM Identity Center; customers who use IAM Identity Center should use `aws configure sso`. A CSV file is imported with the profile name matching the username. The CSV file must contain the following headers.
- User Name
- Access key ID
- Secret access key

###### Note

During initial key pair creation, once you close the **Download .csv file** dialog box, you cannot access your secret access key. If you need a `.csv` file, you'll need to create one yourself with the required headers and your stored key pair information. If you do not have access to your key pair information, you need to create a new key pair.

```
$ aws configure import --csv file://credentials.csv
```

**[`aws configure list`](https://docs.aws.amazon.com/cli/v1/reference/configure/list.html)**

To list configuration data, use the `aws configure list` command. This command lists the profile, access key, secret key, and region configuration information used for the specified profile. For each configuration item, it shows the value, where the configuration value was retrieved, and the configuration variable name.

For example, if you provide the AWS Region in an environment variable, this command shows you the name of the region you've configured, that this value came from an environment variable, and the name of the environment variable.

For temporary credential methods such as roles and IAM Identity Center, this command displays the temporarily cached access key and secret access key.

```
$ aws configure list
NAME       : VALUE                : TYPE                    : LOCATION
profile    :                      : None                    : None
access_key : ****************ABCD : shared-credentials-file :
secret_key : ****************ABCD : shared-credentials-file :
region     : us-west-2            : env                     : AWS_DEFAULT_REGION
```

**[`aws configure list-profiles`](https://docs.aws.amazon.com/cli/v1/reference/configure/list-profiles.html)**

To list all your profile names, use the `aws configure list-profiles` command.

```
$ aws configure list-profiles
default
test
```

**[`aws configure mfa-login`](./cli-configure-sso.html)**

Run this command to configure a new profile to use with multi-factor authentication (MFA) and your IAM user credentials in the specified profile.
If no profile is specified, the MFA is based on the `default` profile. If no default profile is configured, the `mfa-login` command prompts you for your AWS credentials before asking for your MFA information. The following command example uses your default configuration and creates an MFA profile.

```
$ aws configure mfa-login
MFA serial number or ARN: arn:aws:iam::123456789012:mfa/MFADeviceName
MFA token code: 123456
Profile to update [session-MFADeviceName]:
Temporary credentials written to profile 'session-MFADeviceName'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile session-MFADeviceName when running AWS CLI commands
```

To update an existing profile, use the `--update-profile` parameter.

```
$ aws configure mfa-login --profile myprofile --update-profile mfaprofile
MFA token code: 123456
Temporary credentials written to profile 'mfaprofile'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile mfaprofile when running AWS CLI commands
```

This command currently supports only hardware or software based one-time password (OTP) authenticators. Passkeys and U2F devices are not currently supported with this command.

For more information on using MFA with IAM, see [AWS Multi-factor authentication in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) in the *AWS Identity and Access Management User Guide*.

**[`aws configure sso`](./cli-configure-sso.html)**

Run this command to quickly set and view your AWS IAM Identity Center credentials, Region, and output format. The following example shows sample values.
```
$ aws configure sso
SSO session name (Recommended): my-sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [None]: sso:account:access
```

**[`aws configure sso-session`](./cli-configure-sso.html)**

Run this command to quickly set and view your AWS IAM Identity Center credentials, Region, and output format in the `sso-session` section of the `credentials` and `config` files. The following example shows sample values.

```
$ aws configure sso-session
SSO session name: my-sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [None]: sso:account:access
```

**`aws configure export-credentials`**

Run this command to export currently set credentials in the specified format. By default, the command exports the default credentials in the `process` format, which is a JSON format supported by the AWS SDKs and Tools credential format.

```
$ aws configure export-credentials
{
  "Version": 1,
  "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
```

To export a specific profile and format, use the `--profile` and `--format` options. The format options are as follows:

- **(default)** **`process`** ‐ The JSON format supported by the AWS SDKs and Tools `credential_process` configuration.
- **`env`** ‐ Environment variables in exported shell format.
- **`env-no-export`** ‐ Non-exported environment variables in shell format.
- **`powershell`** ‐ Environment variables in PowerShell format.
- **`windows-cmd`** ‐ Environment variables in Windows Command Line format.

The following example exports the `user1` profile to an exported shell format.
```
$ aws configure export-credentials --profile user1 --format env
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

## Setting new configuration and credentials command examples

The following examples show configuring a default profile with credentials, region, and output specified for different authentication methods.

## Supported `config` file settings

###### Topics

- [Global settings](#cli-configure-files-global)
- [S3 Custom command settings](#cli-configure-files-s3)

The following settings are supported in the `config` file. The values listed in the specified (or default) profile are used unless they are overridden by the presence of an environment variable with the same name, or a command line option with the same name. For more information on what order settings take precedence, see [Configuring settings for the AWS CLI](./cli-chap-configure.html).

### Global settings

**`account_id_endpoint_mode`**

Specifies whether to use AWS account-based endpoint IDs for calls to supported AWS services. For more information on account-based endpoints, see [Account-based endpoints](./cli-configure-endpoints.html#endpoints-accountid).

This setting can be set to the following:

- **(default)** **`preferred`** – The endpoint should include account ID if available.
- **`disabled`** – A resolved endpoint doesn't include account ID.
- **`required`** – The endpoint must include account ID. If the account ID isn't available, the SDK throws an error.

Can be overridden by the [`AWS_ACCOUNT_ID_ENDPOINT_MODE`](./cli-configure-envvars.html#envvars-list-AWS_ACCOUNT_ID_ENDPOINT_MODE) environment variable. To use account-based endpoints, the ID must be set in the [`AWS_ACCOUNT_ID`](./cli-configure-envvars.html#envvars-list-AWS_ACCOUNT_ID) environment variable or [`aws_account_id`](#cli-config-aws_account_id) setting.
`account_id_endpoint_mode = preferred` ###### Endpoint precedence Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](./cli-configure-endpoints.html#endpoints-precedence). ** `aws_access_key_id` ** Specifies the AWS access key used as part of the credentials to authenticate the command request. Although this can be stored in the `config` file, we recommend that you store this in the `credentials` file. Can be overridden by the `AWS_ACCESS_KEY_ID` environment variable. You can't specify the access key ID as a command line option. `aws_access_key_id = AKIAIOSFODNN7EXAMPLE` ** `aws_account_id` ** Specifies the AWS account-based endpoint ID to use for calls to supported AWS services. For more information on account-based endpoints, see [Account-based endpoints](./cli-configure-endpoints.html#endpoints-accountid). Can be overridden by the `[AWS_ACCOUNT_ID](./cli-configure-envvars.html#envvars-list-AWS_ACCOUNT_ID)` environment variable. The `[AWS_ACCOUNT_ID_ENDPOINT_MODE](./cli-configure-envvars.html#envvars-list-AWS_ACCOUNT_ID_ENDPOINT_MODE)` environment variable or `[account_id_endpoint_mode](#cli-config-account_id_endpoint_mode)` setting must be set to `preferred` or `required` to use this setting. `aws_account_id = 123456789EXAMPLE` ###### Endpoint precedence Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. 
For the endpoint precedence list, see [Endpoint configuration and settings precedence](./cli-configure-endpoints.html#endpoints-precedence). ** `aws_secret_access_key`** Specifies the AWS secret key used as part of the credentials to authenticate the command request. Although this can be stored in the `config` file, we recommend that you store this in the `credentials` file. Can be overridden by the `AWS_SECRET_ACCESS_KEY` environment variable. You can't specify the secret access key as a command line option. `aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` ** `aws_session_token`** Specifies an AWS session token. A session token is required only if you manually specify temporary security credentials. Although this can be stored in the `config` file, we recommend that you store this in the `credentials` file. Can be overridden by the `AWS_SESSION_TOKEN` environment variable. You can't specify the session token as a command line option. `aws_session_token = AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4Olgk` ** `ca_bundle`** Specifies a CA certificate bundle (a file with the `.pem` extension) that is used to verify SSL certificates. Can be overridden by the `[AWS_CA_BUNDLE](./cli-configure-envvars.html#envvars-list-AWS_CA_BUNDLE)` environment variable or the `[--ca-bundle](./cli-configure-options.html#cli-configure-options-ca-bundle)` command line option. `ca_bundle = dev/apps/ca-certs/cabundle-2019mar05.pem` ** `cli_auto_prompt`** Enables the auto-prompt for the AWS CLI version 2. There are two settings that can be used: - **`on`** uses the full auto-prompt mode each time you attempt to run an `aws` command. This includes pressing **ENTER** after both a complete command or incomplete command. `cli_auto_prompt = on` - **`on-partial`** uses partial auto-prompt mode. 
If a command is incomplete or cannot be run due to client-side validation errors, auto-prompt is used. This mode is particularly useful if you have pre-existing scripts, runbooks, or you only want to be auto-prompted for commands you are unfamiliar with rather than prompted on every command.

`cli_auto_prompt = on-partial`

You can override this setting by using the [`aws_cli_auto_prompt`](./cli-configure-envvars.html#envvars-list-aws_cli_auto_prompt) environment variable or the [`--cli-auto-prompt`](./cli-configure-options.html#cli-configure-options-cli-auto-prompt) and [`--no-cli-auto-prompt`](./cli-configure-options.html#cli-configure-options-no-cli-auto-prompt) command line parameters.

For information on the AWS CLI version 2 auto-prompt feature, see [Enabling and using command prompts in the AWS CLI](./cli-usage-parameters-prompting.html).

**`cli_binary_format`**

Specifies how the AWS CLI version 2 interprets binary input parameters. It can be one of the following values:

- **base64** – This is the default value. An input parameter that is typed as a binary large object (BLOB) accepts a base64-encoded string. To pass true binary content, put the content in a file and provide the file's path and name with the `fileb://` prefix as the parameter's value. To pass base64-encoded text contained in a file, provide the file's path and name with the `file://` prefix as the parameter's value.
- **raw-in-base64-out** – Default for the AWS CLI version 1. If the setting's value is `raw-in-base64-out`, a file referenced using the `file://` prefix is read as text and then the AWS CLI attempts to encode it to binary.

This entry does not have an equivalent environment variable. You can specify the value on a single command by using the `--cli-binary-format raw-in-base64-out` parameter.
`cli_binary_format = raw-in-base64-out`

If you reference a binary value in a file using the `fileb://` prefix notation, the AWS CLI *always* expects the file to contain raw binary content and does not attempt to convert the value.

If you reference a binary value in a file using the `file://` prefix notation, the AWS CLI handles the file according to the current `cli_binary_format` setting. If that setting's value is `base64` (the default when not explicitly set), the AWS CLI expects the file to contain base64-encoded text. If that setting's value is `raw-in-base64-out`, the AWS CLI expects the file to contain raw binary content.

**`cli_help_output`**

As of version `2.31.0`, the display for the `help` command is configured by the `cli_help_output` setting, and has the following values:

- **(default)** `terminal` ‐ Open the man page in the terminal.
- `browser` ‐ Open the man page as a local HTML file in your default browser. A notice is printed to your terminal when your default browser is being opened, and an error message if the AWS CLI cannot open your browser.
- `url` ‐ Print the URL to the online AWS CLI Reference Guide for the version of the AWS CLI you have installed.

Settings for client-side paging, such as the `AWS_PAGER` environment variable, are respected.

`cli_help_output = browser`

For more information on the `help` command, see [Accessing help and resources for the AWS CLI](./cli-usage-help.html).

**`cli_history`**

Disabled by default. This setting enables command history for the AWS CLI. After enabling this setting, the AWS CLI records the history of `aws` commands.

`cli_history = enabled`

You can list your history using the `aws history list` command, and use the resulting `command_ids` in the `aws history show` command for details. For more information, see [`aws history`](https://docs.aws.amazon.com/cli/latest/reference/history/index.html) in the *AWS CLI reference guide*.

**`cli_pager`**

Specifies the pager program used for output.
By default, AWS CLI version 2 returns all output through your operating system’s default pager program.

Can be overridden by the `AWS_PAGER` environment variable.

`cli_pager=less`

**`cli_timestamp_format`**

Specifies the output format of timestamp values. You can specify either of the following values:

- **iso8601** – The default value for the AWS CLI version 2. If specified, the AWS CLI reformats all timestamps in the output according to [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html). ISO 8601 formatted timestamps look like the following examples. The following example demonstrates how the time is formatted by separating the date and time with a `T` and including a `Z` after the time.

  `YYYY-MM-DDThh:mm:ssZ`

  The following example shows a timestamp using the previous formatting.

  `2024-05-08T15:16:43Z`
- **wire** – The default value for the AWS CLI version 1. If specified, the AWS CLI displays all timestamp values exactly as received in the HTTP query response.

This setting does not have an equivalent environment variable or command line option. This setting does not alter timestamp inputs, only output formatting.

`cli_timestamp_format = iso8601`

**[`credential_process`](./cli-configure-sourcing-external.html)**

Specifies an external command that the AWS CLI runs to generate or retrieve authentication credentials to use for this command. The command must return the credentials in a specific format. For more information about how to use this setting, see [Sourcing credentials with an external process in the AWS CLI](./cli-configure-sourcing-external.html).

This entry does not have an equivalent environment variable or command line option.

`credential_process = /opt/bin/awscreds-retriever --username susan`

**[`credential_source`](./cli-configure-role.html)**

Used within Amazon EC2 instances or containers to specify where the AWS CLI can find credentials to use to assume the role you specified with the `role_arn` parameter.
You cannot specify both `source_profile` and `credential_source` in the same profile.

This parameter can have one of three values:

- **Environment** – Specifies that the AWS CLI is to retrieve source credentials from environment variables.
- **Ec2InstanceMetadata** – Specifies that the AWS CLI is to use the IAM role attached to the [EC2 instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) to get source credentials.
- **EcsContainer** – Specifies that the AWS CLI is to use the IAM role attached to the ECS container as source credentials.

`credential_source = Ec2InstanceMetadata`

**`duration_seconds`**

Specifies the maximum duration of the role session, in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role (which can be a maximum of 43200). This is an optional parameter and by default, the value is set to 3600 seconds.

**`endpoint_url`**

Specifies the endpoint that is used for all service requests. If this setting is used in the [services](#cli-configure-files-format-services) section of the `config` file, then the endpoint is used only for the specified service. For more information, see [Set global endpoint for all AWS services](./cli-configure-endpoints.html#endpoints-global).

The following example uses the global endpoint `http://localhost:1234` and a service-specific endpoint of `http://localhost:4567` for Amazon S3.

```
[profile dev]
endpoint_url = http://localhost:1234
services = s3-specific

[services s3-specific]
s3 =
  endpoint_url = http://localhost:4567
```

###### Endpoint precedence

Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence.
For the endpoint precedence list, see [Endpoint configuration and settings precedence](./cli-configure-endpoints.html#endpoints-precedence). ** `ignore_configure_endpoint_urls`** If enabled, the AWS CLI ignores all custom endpoint configurations specified in the `config` file. Valid values are `**true**` and `**false**`. `ignore_configure_endpoint_urls = true` ###### Endpoint precedence Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](./cli-configure-endpoints.html#endpoints-precedence). ** `[external_id](./cli-configure-role.html#cli-configure-role-xaccount)`** Specifies a unique identifier that is used by third parties to assume a role in their customers' accounts. This maps to the `ExternalId` parameter in the `AssumeRole` operation. This parameter is needed only if the trust policy for the role specifies a value for `ExternalId`. For more information, see [How to use an external ID when granting access to your AWS resources to a third party ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) in the *IAM User Guide*. ** `[max_attempts](./cli-configure-retries.html)`** Specifies a value of maximum retry attempts the AWS CLI retry handler uses, where the initial call counts toward the `max_attempts` value that you provide. You can override this value by using the `AWS_MAX_ATTEMPTS` environment variable. `max_attempts = 3` ** `[mfa_serial](./cli-configure-role.html#cli-configure-role-mfa)`** The identification number of an MFA device to use when assuming a role. 
This is mandatory only if the trust policy of the role being assumed includes a condition that requires MFA authentication. The value can be either a serial number for a hardware device (such as `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual MFA device (such as `arn:aws:iam::123456789012:mfa/user`). ** `output`** Specifies the default output format for commands requested using this profile. You can specify any of the following values: - **[json](./cli-usage-output-format.html#json-output)** – The output is formatted as a [JSON](https://json.org/) string. - **[yaml](./cli-usage-output-format.html#yaml-output)** – The output is formatted as a [YAML](https://yaml.org/) string. - **[yaml-stream](./cli-usage-output-format.html#yaml-stream-output)** – The output is streamed and formatted as a [YAML](https://yaml.org/) string. Streaming allows for faster handling of large data types. - **[text](./cli-usage-output-format.html#text-output)** – The output is formatted as multiple lines of tab-separated string values. This can be useful to pass the output to a text processor, like `grep`, `sed`, or `awk`. - **[table](./cli-usage-output-format.html#table-output)** – The output is formatted as a table using the characters +|- to form the cell borders. It typically presents the information in a "human-friendly" format that is much easier to read than the others, but not as programmatically useful. Can be overridden by the `AWS_DEFAULT_OUTPUT` environment variable or the `--output` command line option. `output = table` ** `parameter_validation`** Specifies whether the AWS CLI client attempts to validate parameters before sending them to the AWS service endpoint. - **true** – This is the default value. If specified, the AWS CLI performs local validation of command line parameters. - **false** – If specified, the AWS CLI does not validate command line parameters before sending them to the AWS service endpoint. 
This entry does not have an equivalent environment variable or command line option. `parameter_validation = false` ** `region`** Specifies the AWS Region to send requests to for commands requested using this profile. - You can specify any of the Region codes available for the chosen service as listed in [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*. - `aws_global` enables you to specify the global endpoint for services that support a global endpoint in addition to Regional endpoints, such as AWS Security Token Service (AWS STS) and Amazon Simple Storage Service (Amazon S3). You can override this value by using the `AWS_REGION` environment variable, `AWS_DEFAULT_REGION` environment variable, or the `--region` command line option. `region = us-west-2` ** `request_checksum_calculation`** Specifies when a checksum is calculated for request payloads, and has the following options: - `when_supported` – **(Default)** The request payload checksum is calculated when an operation either specifies a checksum algorithm in its service model or requires request checksums. - `when_required` – The request payload checksum is calculated when an operation requires request checksums or when a user provides a `requestAlgorithmMember` that is modeled by the AWS service. `request_checksum_calculation = when_supported` The environment variable [AWS_REQUEST_CHECKSUM_CALCULATION](./cli-configure-envvars.html#envvars-list-AWS_REQUEST_CHECKSUM_CALCULATION) overrides this setting. ** `response_checksum_validation`** Specifies when checksum validation is performed for response payloads, and has the following options: - `when_supported` – **(Default)** The response payload checksum validation is performed when an operation specifies a response algorithm in its service model that the AWS CLI supports. 
- `when_required` – The response payload checksum validation is performed when an operation specifies a response algorithm in its service model that the AWS CLI supports, and you set the modeled `requestValidationModeMember` to `ENABLED` in the operation input.

`response_checksum_validation = when_supported`

The environment variable [AWS_RESPONSE_CHECKSUM_VALIDATION](./cli-configure-envvars.html#envvars-list-AWS_RESPONSE_CHECKSUM_VALIDATION) overrides this setting.

**[`retry_mode`](./cli-configure-retries.html)**

Specifies which retry mode AWS CLI uses. There are three retry modes available: `standard` (default), `legacy` (default), and `adaptive`. For more information on retries, see [AWS CLI retries in the AWS CLI](./cli-configure-retries.html).

You can override this value by using the `AWS_RETRY_MODE` environment variable.

`retry_mode = standard`

**[`role_arn`](./cli-configure-role.html)**

Specifies the Amazon Resource Name (ARN) of an IAM role that you want to use to run the AWS CLI commands. You must also specify one of the following parameters to identify the credentials that have permission to assume this role:

- source_profile
- credential_source

`role_arn = arn:aws:iam::123456789012:role/role-name`

The environment variable [AWS_ROLE_ARN](./cli-configure-envvars.html#envvars-list-AWS_ROLE_ARN) overrides this setting.

For more information on using web identities, see [Assume role with web identity](./cli-configure-role.html#cli-configure-role-oidc).

**[`role_session_name`](./cli-configure-role.html#cli-configure-role-session-name)**

Specifies the name to attach to the role session. This value is provided to the `RoleSessionName` parameter when the AWS CLI calls the `AssumeRole` operation, and becomes part of the assumed role user ARN: `arn:aws:sts::123456789012:assumed-role/role_name/role_session_name`. This is an optional parameter. If you do not provide this value, a session name is generated automatically.
This name appears in AWS CloudTrail logs for entries associated with this session.

`role_session_name = maria_garcia_role`

The environment variable [AWS_ROLE_SESSION_NAME](./cli-configure-envvars.html#envvars-list-AWS_ROLE_SESSION_NAME) overrides this setting.

For more information on using web identities, see [Assume role with web identity](./cli-configure-role.html#cli-configure-role-oidc).

**[`services`](#cli-configure-files-format-services)**

Specifies the service configuration to use for your profile.

```
[profile dev-s3-specific-and-global]
endpoint_url = http://localhost:1234
services = s3-specific

[services s3-specific]
s3 =
  endpoint_url = http://localhost:4567
```

For more information on the `services` section, see [Section type: services](#cli-configure-files-format-services).

The environment variable [AWS_ROLE_SESSION_NAME](./cli-configure-envvars.html#envvars-list-AWS_ROLE_SESSION_NAME) overrides this setting.

For more information on using web identities, see [Assume role with web identity](./cli-configure-role.html#cli-configure-role-oidc).

**`sdk_ua_app_id`**

A single AWS account can be used by multiple customer applications to make calls to AWS services. Application ID identifies which source application made a set of calls using an AWS service. AWS SDKs and services don't use or interpret this value other than to surface it back in customer communications. For example, this value can be included in operational emails to uniquely identify which of your applications is associated with the notification.

The Application ID is a string with maximum length of 50 characters. Letters, numbers and the following special characters are allowed: `` ! $ % & * + - . , ^ _ ` | ~ `` By default, no value is assigned.

`sdk_ua_app_id = prod1`

This setting can be overwritten by using the [AWS_SDK_UA_APP_ID](./cli-configure-envvars.html#envvars-list-AWS_SDK_UA_APP_ID) environment variable. You can't set this value as a command line parameter.
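As an added example (not AWS's code and not part of the original documentation), the following Python sketch models the config-file endpoint rules described for `services`, `endpoint_url`, `ignore_configure_endpoint_urls` and role-chained profiles, then flags active `http://` endpoints on non-loopback hosts. It assumes only the shared `config` file is consulted (environment variables and command line options are ignored) and that a service-specific endpoint wins over the profile-wide one, as the `dev` example implies; the function names and the `staging` and `locked` profiles are hypothetical.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the role-chaining (A/B) and "dev" configs from this page,
# plus hypothetical "staging" and "locked" profiles added for illustration.
SAMPLE_CONFIG = """\
[profile A]
credential_source = Ec2InstanceMetadata
endpoint_url = https://profile-a-endpoint.aws/

[profile B]
source_profile = A
role_arn = arn:aws:iam::123456789012:role/roleB
services = profileB

[services profileB]
ec2 =
  endpoint_url = https://profile-b-ec2-endpoint.aws

[profile dev]
endpoint_url = http://localhost:1234
services = s3-specific

[services s3-specific]
s3 =
  endpoint_url = http://localhost:4567

[profile staging]
endpoint_url = http://storage.internal.example:9000

[profile locked]
ignore_configure_endpoint_urls = true
endpoint_url = http://localhost:1234
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def load_config(text):
    parser = configparser.RawConfigParser()  # raw: no '%' interpolation
    parser.read_string(text)
    return parser


def profile_settings(parser, profile):
    """Return the settings of [default] or [profile NAME] as a dict."""
    section = "default" if profile == "default" else f"profile {profile}"
    return dict(parser.items(section)) if parser.has_section(section) else {}


def service_endpoints(parser, services_name):
    """Map service -> endpoint_url from the indented lines under '<service> ='."""
    section = f"services {services_name}"
    endpoints = {}
    if parser.has_section(section):
        for service, nested in parser.items(section):
            for line in nested.splitlines():  # nested block is one multi-line value
                key, sep, value = line.partition("=")
                if sep and key.strip() == "endpoint_url":
                    endpoints[service] = value.strip()
    return endpoints


def resolve_endpoint(parser, profile, service):
    """Config-file endpoint for (profile, service); None means the AWS default."""
    settings = profile_settings(parser, profile)
    if settings.get("ignore_configure_endpoint_urls", "").lower() == "true":
        return None
    specific = service_endpoints(parser, settings.get("services", "")).get(service)
    # source_profile is deliberately not followed: a chained profile does not
    # inherit endpoint settings from the profile that supplies its credentials.
    return specific or settings.get("endpoint_url")


def cleartext_endpoints(parser):
    """List (profile, scope, url) for active http:// endpoints on non-loopback hosts."""
    findings = []
    for section in parser.sections():
        if section != "default" and not section.startswith("profile "):
            continue
        profile = section.removeprefix("profile ")
        settings = profile_settings(parser, profile)
        if settings.get("ignore_configure_endpoint_urls", "").lower() == "true":
            continue
        candidates = {"*": settings.get("endpoint_url")}  # "*" = profile-wide
        candidates.update(service_endpoints(parser, settings.get("services", "")))
        for scope, url in candidates.items():
            parsed = urlparse(url or "")
            if parsed.scheme == "http" and parsed.hostname not in LOOPBACK_HOSTS:
                findings.append((profile, scope, url))
    return findings


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for pair in [("B", "ec2"), ("B", "s3"), ("A", "s3"), ("dev", "s3"), ("locked", "s3")]:
        print(pair, "->", resolve_endpoint(cfg, *pair) or "AWS default endpoint")
    print("cleartext endpoints:", cleartext_endpoints(cfg))
```

Pointing `load_config` at the text of a real `~/.aws/config` gives a quick review of which profiles send requests to a non-default endpoint.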

**`sigv4a_signing_region_set`**

Specifies the regions to use when signing with SigV4a using a comma-delimited list. If this variable is not set, the AWS CLI uses the default used by the AWS service. If the AWS service has no default, the request signature becomes valid in all regions using a value of `*`.

`sigv4a_signing_region_set = us-west-2, us-east-1`

For more information on SigV4a, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

This setting can be overwritten by using the [AWS_SIGV4A_SIGNING_REGION_SET](./cli-configure-envvars.html#envvars-list-AWS_SIGV4A_SIGNING_REGION_SET) environment variable. You can't set this value as a command line parameter.

**[`source_profile`](./cli-configure-role.html)**

Specifies a named profile with long-term credentials that the AWS CLI can use to assume a role that you specified with the `role_arn` parameter. You cannot specify both `source_profile` and `credential_source` in the same profile.

`source_profile = production-profile`

**[`sso_account_id`](./cli-configure-sso.html)**

Specifies the AWS account ID that contains the IAM role with the permission that you want to grant to the associated IAM Identity Center user.

This setting does not have an environment variable or command line option.

`sso_account_id = 123456789012`

**[`sso_region`](./cli-configure-sso.html)**

Specifies the AWS Region that contains the AWS access portal host. This is separate from, and can be a different Region than, the default CLI `region` parameter.

This setting does not have an environment variable or command line option.

`sso_region = us-west-2`

**[`sso_registration_scopes`](./cli-configure-sso.html)**

A comma-delimited list of scopes to be authorized for the `sso-session`. Scopes authorize access to IAM Identity Center bearer token authorized endpoints. A valid scope is a string, such as `sso:account:access`.
This setting isn't applicable to the legacy non-refreshable configuration.

`sso_registration_scopes = sso:account:access`

**[`sso_role_name`](./cli-configure-sso.html)**

Specifies the friendly name of the IAM role that defines the user's permissions when using this profile.

This setting does not have an environment variable or command line option.

`sso_role_name = ReadAccess`

**[`sso_start_url`](./cli-configure-sso.html)**

Specifies the URL that points to the organization's AWS access portal. The AWS CLI uses this URL to establish a session with the IAM Identity Center service to authenticate its users. To find your AWS access portal URL, use one of the following:

- Open your invitation email. The AWS access portal URL is listed there.
- Open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/). The AWS access portal URL is listed in your settings.

This setting does not have an environment variable or command line option.

`sso_start_url = https://my-sso-portal.awsapps.com/start`

**`use_dualstack_endpoint`**

Enables the use of dual-stack endpoints to send AWS requests. To learn more about dual-stack endpoints, which support both IPv4 and IPv6 traffic, see [Using Amazon S3 dual-stack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) in the *Amazon Simple Storage Service User Guide*. Dual-stack endpoints are available for some services in some regions. If a dual-stack endpoint does not exist for the service or AWS Region, the request fails. Valid settings are `true` and `false`. This is disabled by default. For more information, see [Set to use dual-stack endpoints for all AWS services](./cli-configure-endpoints.html#endpoints-dual-stack).

This is mutually exclusive with the `use_accelerate_endpoint` setting.

###### Endpoint precedence

Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](./cli-configure-endpoints.html#endpoints-precedence).

**`use_fips_endpoint`**

Some AWS services offer endpoints that support [Federal Information Processing Standard (FIPS) 140-2](http://aws.amazon.com/compliance/fips/) in some AWS Regions. When the AWS service supports FIPS, this setting specifies what FIPS endpoint the AWS CLI should use. Unlike standard AWS endpoints, FIPS endpoints use a TLS software library that complies with FIPS 140-2. These endpoints might be required by enterprises that interact with the United States government.

For more information, see [Set to use FIPs endpoints for all AWS services](./cli-configure-endpoints.html#endpoints-fips).

If this setting is enabled, but a FIPS endpoint does not exist for the service in your AWS Region, the AWS command may fail. In this case, manually specify the endpoint to use in the command using the [`--endpoint-url`](./cli-configure-options.html#cli-configure-options-endpoint-url) option or use [service-specific endpoints](./cli-configure-endpoints.html#endpoints-service-specific).

###### Endpoint precedence

Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](./cli-configure-endpoints.html#endpoints-precedence).

**[`web_identity_token_file`](./cli-configure-role.html#cli-configure-role-oidc)**

Specifies the path to a file that contains an OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. The AWS CLI loads the contents of this file and passes it as the `WebIdentityToken` argument to the `AssumeRoleWithWebIdentity` operation.

The environment variable [`AWS_WEB_IDENTITY_TOKEN_FILE`](./cli-configure-envvars.html#envvars-list-AWS_WEB_IDENTITY_TOKEN_FILE) overrides this setting.

For more information on using web identities, see [Assume role with web identity](./cli-configure-role.html#cli-configure-role-oidc).

**`tcp_keepalive`**

Specifies whether the AWS CLI client uses TCP keep-alive packets.

This entry does not have an equivalent environment variable or command line option.

`tcp_keepalive = false`

### S3 Custom command settings

Amazon S3 supports several settings that configure how the AWS CLI performs Amazon S3 operations. Some apply to all S3 commands in both the `s3api` and `s3` namespaces. Others are specifically for the S3 "custom" commands that abstract common operations and do more than a one-to-one mapping to an API operation. The `aws s3` transfer commands `cp`, `sync`, `mv`, and `rm` have additional settings you can use to control S3 transfers.

All of these options can be configured by specifying the `s3` nested setting in your `config` file. Each setting is then indented on its own line.

###### Note

These settings are entirely optional. You should be able to successfully use the `aws s3` transfer commands without configuring any of these settings. These settings are provided to enable you to tune for performance or to account for the specific environment where you are running these `aws s3` commands.

These settings are all set under a top-level `s3` key in the `config` file, as shown in the following example for the `development` profile.

```
[profile development]
s3 =
  max_concurrent_requests = 20
  max_queue_size = 10000
  multipart_threshold = 64MB
  multipart_chunksize = 16MB
  max_bandwidth = 50MB/s
  use_accelerate_endpoint = true
  addressing_style = path
```

The following settings apply to any S3 command in the `s3` or `s3api` namespaces.

**`addressing_style`**

Specifies which addressing style to use. This controls whether the bucket name is in the hostname or is part of the URL. Valid values are: `path`, `virtual`, and `auto`. The default value is `auto`.

There are two styles of constructing an Amazon S3 endpoint. The first is called `virtual` and includes the bucket name as part of the hostname. For example: `https://bucketname.s3.amazonaws.com`. Alternatively, with the `path` style, you treat the bucket name as if it is a path in the URI; for example, `https://s3.amazonaws.com/bucketname`. The default value in the CLI is to use `auto`, which attempts to use the `virtual` style where it can, but will fall back to `path` style when required. For example, if your bucket name is not DNS compatible, the bucket name cannot be part of the hostname and must be in the path. With `auto`, the CLI will detect this condition and automatically switch to `path` style for you. If you set the addressing style to `path`, you must then ensure that the AWS Region you configured in the AWS CLI matches the Region of your bucket.

**`payload_signing_enabled`**

Specifies whether to SHA256 sign sigv4 payloads. By default, this is set to `false` for streaming uploads (`UploadPart` and `PutObject`), but only if a `ContentMD5` is present (it is generated by default) and the endpoint uses HTTPS.

If set to true, S3 requests receive additional content validation in the form of a SHA256 checksum which is calculated for you and included in the request signature. If set to false, the checksum isn't calculated.
Disabling this can be useful to reduce the performance overhead created by the checksum calculation.

**`use_accelerate_endpoint`**

Use the Amazon S3 Accelerate endpoint for all `s3` and `s3api` commands. The default value is false. This is mutually exclusive with the `use_dualstack_endpoint` setting.

If set to true, the AWS CLI directs all Amazon S3 requests to the `S3 Accelerate` endpoint at `s3-accelerate.amazonaws.com`. To use this endpoint, you must enable your bucket to use `S3 Accelerate`. All requests are sent using the virtual style of bucket addressing: `my-bucket.s3-accelerate.amazonaws.com`. Any `ListBuckets`, `CreateBucket`, and `DeleteBucket` requests aren't sent to the S3 Accelerate endpoint as that endpoint doesn't support those operations. This behavior can also be set if the `--endpoint-url` parameter is set to `https://s3-accelerate.amazonaws.com` or `http://s3-accelerate.amazonaws.com` for any `s3` or `s3api` command.

**`use_dualstack_endpoint`**

Enables the use of dual-stack endpoints to send `s3` and `s3api` requests. To learn more about dual-stack endpoints, which support both IPv4 and IPv6 traffic, see [Using Amazon S3 dual-stack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) in the *Amazon Simple Storage Service User Guide*. Dual-stack endpoints are available for some services in some regions. If a dual-stack endpoint does not exist for the service or AWS Region, the request fails. Valid settings are `true` and `false`. This is disabled by default. For more information, see [Set to use dual-stack endpoints for all AWS services](./cli-configure-endpoints.html#endpoints-dual-stack).

This is mutually exclusive with the `use_accelerate_endpoint` setting.

The following settings apply only to commands in the `s3` namespace command set.

**`max_bandwidth`**

Specifies the maximum bandwidth that can be consumed for uploading and downloading data to and from Amazon S3. The default is no limit.
This limits the maximum bandwidth that the S3 commands can use to transfer data to and from Amazon S3. This value applies to only uploads and downloads; it doesn't apply to copies or deletes. The value is expressed as bytes per second. The value can be specified as:

- An integer. For example, `1048576` sets the maximum bandwidth usage to 1 megabyte per second.
- An integer followed by a rate suffix. You can specify rate suffixes using: `KB/s`, `MB/s`, or `GB/s`. For example, `300KB/s`, `10MB/s`.

In general, we recommend that you first try to lower bandwidth consumption by lowering `max_concurrent_requests`. If that doesn't adequately limit bandwidth consumption to the desired rate, you can use the `max_bandwidth` setting to further limit bandwidth consumption. This is because `max_concurrent_requests` controls how many threads are currently running. If you instead first lower `max_bandwidth` but leave a high `max_concurrent_requests` setting, it can result in threads having to wait unnecessarily. This can lead to excess resource consumption and connection timeouts.

**`max_concurrent_requests`**

Specifies the maximum number of concurrent requests. The default value is 10.

The `aws s3` transfer commands are multithreaded. At any given time, multiple Amazon S3 requests can be running. For example, when you use the command `aws s3 cp localdir s3://bucket/ --recursive` to upload files to an S3 bucket, the AWS CLI can upload the files `localdir/file1`, `localdir/file2`, and `localdir/file3` in parallel. The setting `max_concurrent_requests` specifies the maximum number of transfer operations that can run at the same time.

You might need to change this value for a few reasons:

- Decreasing this value – On some environments, the default of 10 concurrent requests can overwhelm a system. This can cause connection timeouts or slow the responsiveness of the system. Lowering this value makes the S3 transfer commands less resource intensive.
  The tradeoff is that S3 transfers can take longer to complete. Lowering this value might be necessary if you use a tool to limit bandwidth.
- Increasing this value – In some scenarios, you might want the Amazon S3 transfers to complete as quickly as possible, using as much network bandwidth as necessary. In this scenario, the default number of concurrent requests might not be sufficient to use all of the available network bandwidth. Increasing this value can improve the time it takes to complete an Amazon S3 transfer.

**`max_queue_size`**

Specifies the maximum number of tasks in the task queue. The default value is 1000.

The AWS CLI internally uses a model where it queues up Amazon S3 tasks that are then executed by consumers whose numbers are limited by `max_concurrent_requests`. A task generally maps to a single Amazon S3 operation. For example, a task could be a `PutObjectTask`, or a `GetObjectTask`, or an `UploadPartTask`. The rate at which tasks are added to the queue can be much faster than the rate at which consumers finish the tasks. To avoid unbounded growth, the task queue size is capped to a specific size. This setting changes the value of that maximum number.

You generally don't need to change this setting. This setting also corresponds to the number of tasks that the AWS CLI is aware of that need to be run. This means that by default the AWS CLI can only see 1000 tasks ahead. Increasing this value means that the AWS CLI can more quickly know the total number of tasks needed, assuming that the queuing rate is quicker than the rate of task completion. The tradeoff is that a larger `max_queue_size` requires more memory.

**`multipart_chunksize`**

Specifies the chunk size that the AWS CLI uses for multipart transfers of individual files. The default value is 8 MB, with a minimum of 5 MB.

When a file transfer exceeds the `multipart_threshold`, the AWS CLI divides the file into chunks of this size.
This value can be specified using the same syntax as `multipart_threshold`, either as the number of bytes as an integer, or by using a size and a suffix.

**`multipart_threshold`**

Specifies the size threshold the AWS CLI uses for multipart transfers of individual files. The default value is 8 MB.

When uploading, downloading, or copying a file, the Amazon S3 commands switch to multipart operations if the file exceeds this size. You can specify this value in one of two ways:

- The file size in bytes. For example, `1048576`.
- The file size with a size suffix. You can use `KB`, `MB`, `GB`, or `TB`. For example: `10MB`, `1GB`.

###### Note

S3 can impose constraints on valid values that can be used for multipart operations. For more information, see the [S3 Multipart Upload documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html) in the *Amazon Simple Storage Service User Guide*.

---

# Amazon EC2 metadata

> When you run the AWS CLI from within an Amazon EC2 instance, the instance contains metadata that can be queried for temporary credentials.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-metadata.html

---

# Using Amazon EC2 instance metadata as credentials in the AWS CLI

When you run the AWS CLI from within an Amazon Elastic Compute Cloud (Amazon EC2) instance, you can simplify providing credentials to your commands. Each Amazon EC2 instance contains metadata that the AWS CLI can directly query for temporary credentials. When an IAM role is attached to the instance, the AWS CLI automatically and securely retrieves the credentials from the instance metadata.
To disable this service, use the [AWS_EC2_METADATA_DISABLED](./cli-configure-envvars.html#envvars-list-AWS_EC2_METADATA_DISABLED) environment variable.

###### Topics

- [Prerequisites](#cli-configure-metadata-prereqs)
- [Configuring a profile for Amazon EC2 metadata](#cli-configure-metadata-configure)

## Prerequisites

To use Amazon EC2 credentials with the AWS CLI, you need to complete the following:

- Install and configure the AWS CLI. For more information, see [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html) and [Authentication and access credentials for the AWS CLI](./cli-chap-authentication.html).
- You understand configuration files and named profiles. For more information, see [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html).
- You've created an AWS Identity and Access Management (IAM) role that has access to the resources needed, and attached that role to the Amazon EC2 instance when you launch it. For more information, see [IAM policies for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html) in the *Amazon EC2 User Guide* and [Granting Applications That Run on Amazon EC2 Instances Access to AWS Resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/role-usecase-ec2app.html) in the *IAM User Guide*.

## Configuring a profile for Amazon EC2 metadata

To specify that you want to use the credentials available in the hosting Amazon EC2 instance profile, use the following syntax in the named profile in your configuration file. See the following steps for more instructions.

```
[profile profilename]
role_arn = arn:aws:iam::123456789012:role/rolename
credential_source = Ec2InstanceMetadata
region = region
```

- Create a profile in your configuration file.

  `[profile profilename]`
- Add the ARN of your IAM role that has access to the resources needed.
  `role_arn = arn:aws:iam::123456789012:role/rolename`
- Specify `Ec2InstanceMetadata` as your credential source.

  `credential_source = Ec2InstanceMetadata`
- Set your Region.

  `region = region`

**Example**

The following example assumes the `marketingadminrole` role and uses the `us-west-2` Region in an Amazon EC2 instance profile named `marketingadmin`.

```
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata
region = us-west-2
```

---

# Command line options

> In the AWS CLI, command line options are global parameters you can use to override configuration settings for that command.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-options.html

---

# Command line options in the AWS CLI

In the AWS CLI, command line options are global parameters you can use to override the default configuration settings, any corresponding profile setting, or environment variable setting for that single command. You can't use command line options to directly specify credentials, although you can specify which profile to use.

###### Topics

- [How to use command line options](#cli-configure-options-how)
- [AWS CLI supported global command line options](#cli-configure-options-list)
- [Common uses of command line options](#cli-configure-options-common)

## How to use command line options

Most command line options are simple strings, such as the profile name `profile1` in the following example:

```
$ aws s3 ls --profile profile1
amzn-s3-demo-bucket1
amzn-s3-demo-bucket2
...
```

Each option that takes an argument requires a space or equals sign (=) separating the argument from the option name.
If the argument value is a string that contains a space, you must use quotation marks around the argument. For details on argument types and formatting for parameters, see [Specifying parameter values in the AWS CLI](./cli-usage-parameters.html).

## AWS CLI supported global command line options

In the AWS CLI you can use the following command line options to override the default configuration settings, any corresponding profile setting, or environment variable setting for that single command.

**--ca-bundle**

Specifies the certificate authority (CA) certificate bundle to use when verifying SSL certificates.

If defined, this option overrides the value for the profile setting [`ca_bundle`](./cli-configure-files.html#cli-config-ca_bundle) and the [`AWS_CA_BUNDLE`](./cli-configure-envvars.html#envvars-list-AWS_CA_BUNDLE) environment variable.

**--cli-auto-prompt**

Enables auto-prompt mode for a single command. As the following examples show, you can specify it at any point.

```
$ aws --cli-auto-prompt
$ aws dynamodb --cli-auto-prompt
$ aws dynamodb describe-table --cli-auto-prompt
```

This option overrides the [`aws_cli_auto_prompt`](./cli-configure-envvars.html#envvars-list-aws_cli_auto_prompt) environment variable and the [`cli_auto_prompt`](./cli-configure-files.html#cli-config-cli_auto_prompt) profile setting.

For information on the AWS CLI version 2 auto-prompt feature, see [Enabling and using command prompts in the AWS CLI](./cli-usage-parameters-prompting.html).

**--cli-binary-format**

Specifies how the AWS CLI version 2 interprets binary input parameters. It can be one of the following values:

- **base64** – This is the default value. An input parameter that is typed as a binary large object (BLOB) accepts a base64-encoded string. To pass true binary content, put the content in a file and provide the file's path and name with the `fileb://` prefix as the parameter's value.
  To pass base64-encoded text contained in a file, provide the file's path and name with the `file://` prefix as the parameter's value.
- **raw-in-base64-out** – Default for the AWS CLI version 1. If the setting's value is `raw-in-base64-out`, a file referenced using the `file://` prefix is read as text, and the AWS CLI then attempts to encode it to binary.

This overrides the [`cli_binary_format`](./cli-configure-files.html#cli-config-cli_binary_format) file configuration setting.

```
$ aws lambda invoke \
    --cli-binary-format raw-in-base64-out \
    --function-name my-function \
    --invocation-type Event \
    --payload '{ "name": "Bob" }' \
    response.json
```

If you reference a binary value in a file using the `fileb://` prefix notation, the AWS CLI *always* expects the file to contain raw binary content and does not attempt to convert the value.

If you reference a binary value in a file using the `file://` prefix notation, the AWS CLI handles the file according to the current `cli_binary_format` setting. If that setting's value is `base64` (the default when not explicitly set), the AWS CLI expects the file to contain base64-encoded text. If that setting's value is `raw-in-base64-out`, the AWS CLI expects the file to contain raw binary content.

**--cli-connect-timeout**

Specifies the maximum socket connect time in seconds. If the value is set to zero (0), the socket connect waits indefinitely (is blocking) and doesn't time out. The default value is 60 seconds.

**--cli-read-timeout**

Specifies the maximum socket read time in seconds. If the value is set to zero (0), the socket read waits indefinitely (is blocking) and doesn't time out. The default value is 60 seconds.

**--color**

Specifies support for color output. Valid values are `on`, `off`, and `auto`. The default value is `auto`.

**--debug**

A Boolean switch that enables debug logging.
By default, the AWS CLI provides cleaned-up information about the successes or failures of a command in the command output. The `--debug` option provides the full Python logs. This includes additional `stderr` diagnostic information about the operation of the command that can be useful when troubleshooting why a command provides unexpected results. To make the debug logs easier to search, we suggest sending them to a file. You can do this by using one of the following.

To send **only** the `stderr` diagnostic information, append `2> debug.txt` where `debug.txt` is the name you want to use for your debug file:

`$ aws servicename commandname options --debug 2> debug.txt`

To send **both** the output and `stderr` diagnostic information, append `&> debug.txt` where `debug.txt` is the name you want to use for your debug file:

`$ aws servicename commandname options --debug &> debug.txt`

**--endpoint-url**

Specifies the URL to send the request to. For most commands, the AWS CLI automatically determines the URL based on the selected service and the specified AWS Region. However, some commands require that you specify an account-specific URL. You can also configure some AWS services to [host an endpoint directly within your private VPC](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html#what-is-privatelink), which might then need to be specified.

The following command example uses a custom Amazon S3 endpoint URL.

`$ aws s3 ls --endpoint-url http://localhost:4567`

###### Endpoint precedence

Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence.
For the endpoint precedence list, see [Endpoint configuration and settings precedence](./cli-configure-endpoints.html#endpoints-precedence).

**--no-cli-auto-prompt**

Disables auto-prompt mode for a single command.

`$ aws dynamodb describe-table --table-name Table1 --no-cli-auto-prompt`

This option overrides the [`aws_cli_auto_prompt`](./cli-configure-envvars.html#envvars-list-aws_cli_auto_prompt) environment variable and the [`cli_auto_prompt`](./cli-configure-files.html#cli-config-cli_auto_prompt) profile setting.

For information on the AWS CLI version 2 auto-prompt feature, see [Enabling and using command prompts in the AWS CLI](./cli-usage-parameters-prompting.html).

**--no-cli-pager**

A Boolean switch that disables using a pager for the output of the command.

**--no-paginate**

A Boolean switch that disables the multiple calls the AWS CLI automatically makes to receive all command results, which creates pagination of the output. This means only the first page of your output is displayed.

**--no-sign-request**

A Boolean switch that disables signing the HTTP requests to the AWS service endpoint. This prevents credentials from being loaded.

**--no-verify-ssl**

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection and call, the AWS CLI verifies the SSL certificates. Using this option overrides the default behavior of verifying SSL certificates.

###### Warning

This option is **not** best practice. If you use `--no-verify-ssl`, your traffic between your client and AWS services is no longer secured. This means your traffic is a security risk and vulnerable to man-in-the-middle exploits. If you're having issues with certificates, it's best to resolve those issues instead. For certificate troubleshooting steps, see [SSL certificate errors](./cli-chap-troubleshooting.html#tshoot-certificate-verify-failed).

**--output**

Specifies the output format to use for this command.
You can specify any of the following values:

- **[json](./cli-usage-output-format.html#json-output)** – The output is formatted as a [JSON](https://json.org/) string.
- **[yaml](./cli-usage-output-format.html#yaml-output)** – The output is formatted as a [YAML](https://yaml.org/) string.
- **[yaml-stream](./cli-usage-output-format.html#yaml-stream-output)** – The output is streamed and formatted as a [YAML](https://yaml.org/) string. Streaming allows for faster handling of large data types.
- **[text](./cli-usage-output-format.html#text-output)** – The output is formatted as multiple lines of tab-separated string values. This can be useful to pass the output to a text processor, like `grep`, `sed`, or `awk`.
- **[table](./cli-usage-output-format.html#table-output)** – The output is formatted as a table using the characters `+|-` to form the cell borders. It typically presents the information in a "human-friendly" format that is much easier to read than the others, but not as programmatically useful.

**--profile**

Specifies the [named profile](./cli-configure-files.html#cli-configure-files-using-profiles) to use for this command. To set up additional named profiles, you can use the `aws configure` command with the `--profile` option.

`$ aws configure --profile`

**--query**

Specifies a [JMESPath query](https://jmespath.org/) to use in filtering the response data. For more information, see [Filtering output in the AWS CLI](./cli-usage-filter.html).

**--region**

Specifies which AWS Region to send this command's AWS request to. For a list of all of the Regions that you can specify, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*.

**--version**

A Boolean switch that displays the current version of the AWS CLI program that is running.
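
Options such as `--no-verify-ssl` tend to stay in scripts after a troubleshooting session. The following added example (not part of the AWS documentation) scans shell scripts for `--no-verify-ssl`, `--no-sign-request`, and plaintext `--endpoint-url http://` values, joining backslash-continued commands first. The function names, the finding names, and the exemption for `localhost` and `127.0.0.1` endpoints are assumptions made for this example.

```bash
#!/bin/sh
# Added example: flag AWS CLI global options that weaken transport security
# or skip credentials. Finding names are hypothetical labels, not AWS terms.

# check_aws_command FILE LINENO COMMAND: print one finding per matched rule.
check_aws_command() {
    local file lineno cmd flat rest host
    file=$1; lineno=$2; cmd=$3
    # Skip whole-line comments (leading whitespace allowed).
    case ${cmd#"${cmd%%[![:space:]]*}"} in
        \#*) return 0 ;;
    esac
    # Drop quotes so a quoted option value is treated like the bare form.
    flat=$(printf '%s' "$cmd" | tr -d "\"'")
    # Only inspect commands that invoke the aws binary.
    case " $flat " in
        *[!A-Za-z0-9_-]aws[[:space:]]*) ;;
        *) return 0 ;;
    esac
    case " $flat " in
        *[[:space:]]--no-verify-ssl[[:space:]]*)
            printf '%s:%s:NO_VERIFY_SSL\n' "$file" "$lineno" ;;
    esac
    # Legitimate for public resources, so treat this finding as "review".
    case " $flat " in
        *[[:space:]]--no-sign-request[[:space:]]*)
            printf '%s:%s:NO_SIGN_REQUEST\n' "$file" "$lineno" ;;
    esac
    # Plaintext endpoint: report unless the host is a loopback test endpoint
    # (assumption: only localhost and 127.0.0.1 are exempt).
    case $flat in
        *--endpoint-url[[:space:]=]http://*)
            rest=${flat#*--endpoint-url?http://}
            host=${rest%%[/:[:space:]]*}
            case $host in
                localhost|127.0.0.1) ;;
                *) printf '%s:%s:PLAINTEXT_ENDPOINT\n' "$file" "$lineno" ;;
            esac ;;
    esac
    return 0
}

# audit_aws_cli_options FILE...: report findings as FILE:LINE:FINDING, where
# LINE is the first line of a backslash-continued command.
audit_aws_cli_options() {
    local file line cmd lineno start
    for file in "$@"; do
        cmd=''; lineno=0; start=0
        while IFS= read -r line || [ -n "$line" ]; do
            lineno=$((lineno + 1))
            if [ -z "$cmd" ]; then start=$lineno; fi
            case $line in
                *\\) cmd="$cmd${line%?} "; continue ;;  # command continues
            esac
            check_aws_command "$file" "$start" "$cmd$line"
            cmd=''
        done < "$file"
        if [ -n "$cmd" ]; then check_aws_command "$file" "$start" "$cmd"; fi
    done
    return 0
}

# write_sample_script PATH: write a constructed script to scan (sample data).
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
# --no-verify-ssl inside a comment must not be reported
aws s3 ls --profile profile1
aws s3 cp report.csv s3://amzn-s3-demo-bucket1/ --no-verify-ssl
aws lambda invoke \
    --function-name my-function \
    --endpoint-url http://lambda.internal.example:8080 \
    response.json
aws s3 ls --endpoint-url http://localhost:4567
aws s3 ls s3://amzn-s3-demo-bucket2 --no-sign-request
EOF
}
```

Run `audit_aws_cli_options` over the scripts in a repository as a pre-merge check; each finding points at the first line of the offending command.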

## Common uses of command line options

Common uses for command line options include checking your resources in multiple AWS Regions, and changing the output format for legibility or ease of use when scripting. In the following examples, we run the **describe-instances** command against each Region until we find which Region our instance is in.

```
$ aws ec2 describe-instances --output table --region us-west-1
-------------------
|DescribeInstances|
+-----------------+
$ aws ec2 describe-instances --output table --region us-west-2
------------------------------------------------------------------------------
|                              DescribeInstances                             |
+----------------------------------------------------------------------------+
||                               Reservations                               ||
|+-------------------------------------+------------------------------------+|
||  OwnerId                            |  012345678901                      ||
||  ReservationId                      |  r-abcdefgh                        ||
|+-------------------------------------+------------------------------------+|
|||                                Instances                               |||
||+------------------------+-----------------------------------------------+||
|||  AmiLaunchIndex        |  0                                            |||
|||  Architecture          |  x86_64                                       |||
...
```

---

# HTTP proxies

> Learn how to configure the AWS CLI to use an HTTP proxy through environment variables using DNS domain names, IP addresses, and port numbers.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-proxy.html

---

# Using an HTTP proxy for the AWS CLI

To access AWS through proxy servers, you can configure the `HTTP_PROXY` and `HTTPS_PROXY` environment variables with either the DNS domain names or IP addresses and port numbers that your proxy servers use.

###### Topics

- [Using the examples](#cli-configure-proxy-using)
- [Authenticating to a proxy](#cli-configure-proxy-auth)
- [Using a proxy on Amazon EC2 instances](#cli-configure-proxy-ec2)
- [Troubleshooting](#cli-configure-proxy-tshoot)

## Using the examples

###### Note

The following examples show the environment variable name in all uppercase letters. However, if you specify a variable twice using different cases, the lowercase letters take precedence. We recommend that you define each variable only once to avoid system confusion and unexpected behavior.

The following examples show how you can use either the explicit IP address of your proxy or a DNS name that resolves to the IP address of your proxy. Either can be followed by a colon and the port number to which queries should be sent.

## Authenticating to a proxy

###### Note

The AWS CLI doesn't support NTLM proxies. If you use an NTLM or Kerberos protocol proxy, you might be able to connect through an authentication proxy like [Cntlm](http://cntlm.sourceforge.net).

The AWS CLI supports HTTP Basic authentication. Specify the username and password in the proxy URL, as follows.

## Using a proxy on Amazon EC2 instances

If you configure a proxy on an Amazon EC2 instance launched with an attached IAM role, ensure that you exempt the address used to access the [instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html). To do this, set the `NO_PROXY` environment variable to the IP address of the instance metadata service, 169.254.169.254. This address does not vary.

## Troubleshooting

If you come across issues with the AWS CLI, see [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html) for troubleshooting steps. For the most relevant troubleshooting steps, see [SSL certificate errors](./cli-chap-troubleshooting.html#tshoot-certificate-verify-failed).
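
The following is an added example, not part of the AWS documentation: a shell function that checks a set of `NAME=value` environment lines for three conditions this page describes, namely a variable defined in both cases with different values (the lowercase one wins), a username and password embedded in the proxy URL for HTTP Basic authentication, and a proxy configured without 169.254.169.254 in `NO_PROXY`. The function names, finding codes, and sample values (including `proxy.example.com`) are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit proxy-related environment variables used by the AWS CLI.
# Reads NAME=value lines on stdin (for example the output of `env`) and prints
# one finding per line. The finding codes are made up for this example.

audit_proxy_env() {
  awk '
    {
      eq = index($0, "=")
      if (eq == 0) next
      name = substr($0, 1, eq - 1)
      val[name] = substr($0, eq + 1)
    }
    END {
      n = split("HTTP_PROXY HTTPS_PROXY NO_PROXY", names, " ")
      proxy_set = 0
      for (i = 1; i <= n; i++) {
        up = names[i]
        lo = tolower(up)
        # Both cases defined with different values: the lowercase value is
        # the one that takes effect, so the uppercase one is silently ignored.
        if ((up in val) && (lo in val) && val[up] != val[lo])
          print "CASE_CONFLICT:" up
        if (lo in val) { eff[up] = val[lo] }
        else if (up in val) { eff[up] = val[up] }
        else { eff[up] = "" }
        if (up != "NO_PROXY" && eff[up] != "") {
          proxy_set = 1
          # scheme://user:password@host means the Basic-auth secret is stored
          # in the environment, readable wherever the environment is readable.
          if (eff[up] ~ "^[A-Za-z][A-Za-z0-9+.-]*://[^/@]*:[^/@]*@")
            print "CREDS_IN_URL:" up
        }
      }
      if (proxy_set) {
        # On EC2 with an IAM role, the metadata address must bypass the proxy.
        exempt = 0
        m = split(eff["NO_PROXY"], hosts, ",")
        for (j = 1; j <= m; j++) {
          h = hosts[j]
          gsub(/^[ \t]+|[ \t]+$/, "", h)
          if (h == "169.254.169.254") exempt = 1
        }
        if (!exempt) print "IMDS_NOT_EXEMPT"
      }
    }'
}

# Constructed sample input; addresses, host names and credentials are placeholders.
sample_env() {
  printf '%s\n' \
    'HTTP_PROXY=http://10.0.0.5:3128' \
    'http_proxy=http://proxy.example.com:8080' \
    'HTTPS_PROXY=http://svc-user:placeholder-password@proxy.example.com:8080' \
    'PATH=/usr/bin:/bin'
}

sample_env | audit_proxy_env
```

To check a live session instead of the sample, run `env | audit_proxy_env`. `IMDS_NOT_EXEMPT` only matters on an Amazon EC2 instance that uses an attached IAM role.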

---

# Retries

> Customize retries for failed AWS CLI API calls that can occur on the server side, or fail due to rate limiting from the AWS service you're calling.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-retries.html

---

# AWS CLI retries in the AWS CLI

This topic describes how the AWS CLI might see calls to AWS services fail due to unexpected issues. These issues can occur on the server side or might fail due to rate limiting from the AWS service you're attempting to call. These kinds of failures usually don’t require special handling and the call is automatically made again, often after a brief waiting period. The AWS CLI provides many features to assist in retrying client calls to AWS services when these kinds of errors or exceptions are experienced.

###### Topics

- [Available retry modes](#cli-usage-retries-modes)
- [Configuring a retry mode](#cli-usage-retries-configure)
- [Viewing logs of retry attempts](#cli-usage-retries-validate)

## Available retry modes

###### The AWS CLI has multiple modes to choose from depending on your version:

- [Standard retry mode (default)](#cli-usage-retries-modes-standard.title)
- [Legacy retry mode](#cli-usage-retries-legacy)
- [Adaptive retry mode](#cli-usage-retries-modes-adaptive)

### Standard retry mode (default)

`Standard` mode is a standard set of retry rules across the AWS SDKs with more functionality than legacy and is the default mode for the AWS CLI. Standard mode was created for the AWS CLI version 2 and is backported to AWS CLI version 1. Standard mode’s functionality includes:

- A default value of 2 for maximum retry attempts, making a total of 3 call attempts.
  This value can be overwritten through the `max_attempts` configuration parameter.
- Retry attempts for the following expanded list of errors/exceptions:
  - Transient errors/exceptions:
    - `RequestTimeout`
    - `RequestTimeoutException`
    - `PriorRequestNotComplete`
    - `ConnectionError`
    - `HTTPClientError`
  - Service-side throttling/limit errors and exceptions:
    - `Throttling`
    - `ThrottlingException`
    - `ThrottledException`
    - `RequestThrottledException`
    - `TooManyRequestsException`
    - `ProvisionedThroughputExceededException`
    - `TransactionInProgressException`
    - `RequestLimitExceeded`
    - `BandwidthLimitExceeded`
    - `LimitExceededException`
    - `RequestThrottled`
    - `SlowDown`
    - `EC2ThrottledException`
- Retry attempts on nondescriptive, transient error codes. Specifically, these HTTP status codes: 500, 502, 503, 504.
- Any retry attempt will include an exponential backoff by a base factor of 2 for a maximum backoff time of 20 seconds.

### Legacy retry mode

`Legacy` mode uses an older retry handler that has limited functionality which includes:

- A default value of 4 for maximum retry attempts, making a total of 5 call attempts. This value can be overwritten through the `max_attempts` configuration parameter.
- DynamoDB has a default value of 9 for maximum retry attempts, making a total of 10 call attempts. This value can be overwritten through the `max_attempts` configuration parameter.
- Retry attempts for the following limited number of errors/exceptions:
  - General socket/connection errors:
    - `ConnectionError`
    - `ConnectionClosedError`
    - `ReadTimeoutError`
    - `EndpointConnectionError`
  - Service-side throttling/limit errors and exceptions:
    - `Throttling`
    - `ThrottlingException`
    - `ThrottledException`
    - `RequestThrottledException`
    - `ProvisionedThroughputExceededException`
- Retry attempts on several HTTP status codes, including 429, 500, 502, 503, 504, and 509.
- Any retry attempt will include an exponential backoff by a base factor of 2.

### Adaptive retry mode

###### Warning

Adaptive mode is an experimental mode and is subject to change, both in features and behavior.

`Adaptive` retry mode is an experimental retry mode that includes all the features of standard mode. In addition to the standard mode features, adaptive mode also introduces client-side rate limiting through the use of a token bucket and rate-limit variables that are dynamically updated with each retry attempt. This mode offers flexibility in client-side retries that adapts to the error/exception state response from an AWS service.

With each new retry attempt, adaptive mode modifies the rate-limit variables based on the error, exception, or HTTP status code presented in the response from the AWS service. These rate-limit variables are then used to calculate a new call rate for the client. Each exception/error or non-success HTTP response (provided in the list above) from an AWS service updates the rate-limit variables as retries occur until success is reached, the token bucket is exhausted, or the configured maximum attempts value is reached.

## Configuring a retry mode

The AWS CLI includes a variety of both retry configurations as well as configuration methods to consider when creating your client object.

### Available configuration methods

In the AWS CLI, users can configure retries in the following ways:

- Environment variables
- AWS CLI configuration file

Users can customize the following retry options:

- Retry mode - Specifies which retry mode the AWS CLI uses. As described previously, there are three retry modes available: legacy, standard, and adaptive. The default value for the AWS CLI version 2 is standard.
- Max attempts - Specifies the value of maximum retry attempts the AWS CLI retry handler uses, where the initial call counts toward the value that you provide. The default value is based on your retry mode.

### Defining a retry configuration in your environment variables

To define your retry configuration for the AWS CLI, update your operating system's environment variables.

The retry environment variables are:

- `AWS_RETRY_MODE`
- `AWS_MAX_ATTEMPTS`

For more information on environment variables, see [Configuring environment variables for the AWS CLI](./cli-configure-envvars.html).

### Defining a retry configuration in your AWS configuration file

To change your retry configuration, update your global AWS configuration file. The default location for your AWS config file is ~/.aws/config.

The following is an example of an AWS config file:

```
[default]
retry_mode = standard
max_attempts = 6
```

For more information on configuration files, see [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html).

## Viewing logs of retry attempts

The AWS CLI uses Boto3's retry methodology and logging. You can use the `--debug` option on any command to receive debug logs. For more information on how to use the `--debug` option, see [Command line options in the AWS CLI](./cli-configure-options.html).

If you search for "retry" in your debug logs, you'll find the retry information you need. The client log entries for retry attempts depend on which retry mode you’ve enabled.

**Legacy mode:**

Retry messages are generated by botocore.retryhandler. You’ll see one of three messages:

- `No retry needed`
- `Retry needed, action of: `
- `Reached the maximum number of retry attempts: `

**Standard or adaptive mode:**

Retry messages are generated by botocore.retries.standard. You’ll see one of three messages:

- `No retrying request`
- `Retry needed, retrying request after delay of: `
- `Retry needed but retry quota reached, not retrying request`

For the full definition file of botocore retries, see [_retry.json](https://github.com/boto/botocore/blob/develop/botocore/data/_retry.json) on the *botocore GitHub Repository*.
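
The following is an added example, not part of the AWS documentation: a shell function that reads `--debug` output and summarizes the retry messages listed above, identifying the retry mode from the logger name and counting retried calls and calls that were abandoned. The function names, the summary format, and the sample log lines (whose timestamp and thread layout is an assumption) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarize retry behaviour from `aws ... --debug` output.
# Matching relies only on the logger names and message texts listed on this page.

summarize_retries() {
  awk '
    /botocore\.retryhandler/      { legacy = 1 }
    /botocore\.retries\.standard/ { standard = 1 }

    # Legacy mode: a retry was scheduled.
    /Retry needed, action of: / { retried++ }

    # Standard or adaptive mode: a retry was scheduled; add up the delays.
    /Retry needed, retrying request after delay of: / {
      retried++
      d = $0
      sub(/.*retrying request after delay of: /, "", d)
      total_delay += d + 0
    }

    # The call was abandoned: attempts exhausted (legacy) or quota reached.
    /Reached the maximum number of retry attempts: / { gave_up++ }
    /Retry needed but retry quota reached, not retrying request/ { gave_up++ }

    # The response did not call for a retry.
    /No retry needed/ || /No retrying request/ { clean++ }

    END {
      mode = "unknown"
      if (standard) mode = "standard-or-adaptive"
      if (legacy) mode = "legacy"
      if (legacy && standard) mode = "mixed"
      printf "mode=%s retried=%d gave_up=%d no_retry=%d total_delay=%.2f\n",
             mode, retried, gave_up, clean, total_delay
    }'
}

# Constructed sample log lines (layout assumed, values invented).
sample_debug_log() {
  cat <<'EOF'
2025-01-01 12:00:00,101 - MainThread - botocore.retries.standard - DEBUG - Retry needed, retrying request after delay of: 0.75
2025-01-01 12:00:00,902 - MainThread - botocore.retries.standard - DEBUG - Retry needed, retrying request after delay of: 1.5
2025-01-01 12:00:02,450 - MainThread - botocore.retries.standard - DEBUG - Retry needed but retry quota reached, not retrying request
2025-01-01 12:00:05,010 - MainThread - botocore.retries.standard - DEBUG - No retrying request
EOF
}

sample_debug_log | summarize_retries
```

The CLI writes debug logs to stderr, so pipe a real command as `aws <command> --debug 2>&1 | summarize_retries`. A non-zero `gave_up` count in scheduled automation indicates calls that failed after retrying and is worth alerting on.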

---

# IAM roles

> Configure the AWS CLI to use a role defined in AWS Identity and Access Management.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html

---

# Using an IAM role in the AWS CLI

An [AWS Identity and Access Management (IAM) role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an authorization tool that lets a user gain additional (or different) permissions, or get permissions to perform actions in a different AWS account.

###### Topics

- [Prerequisites](#cli-role-prereqs)
- [Overview of using IAM roles](#cli-role-overview)
- [Configuring and using a role](#cli-role-prepare)
- [Using multi-factor authentication](#cli-configure-role-mfa)
- [Cross-account roles and external ID](#cli-configure-role-xaccount)
- [Specifying a role session name for easier auditing](#cli-configure-role-session-name)
- [Assume role with web identity](#cli-configure-role-oidc)
- [Clearing cached credentials](#cli-configure-role-cache)

## Prerequisites

To run the `iam` commands, you need to install and configure the AWS CLI. This includes setting up a configured profile, as assuming a role is paired with another credential method. For more information, see [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html).

## Overview of using IAM roles

You can configure the AWS Command Line Interface (AWS CLI) to use an IAM role by defining a profile for the role in the `~/.aws/config` file.

The following example shows a role profile named `marketingadmin`.
If you run commands with `--profile marketingadmin` (or specify it with the [AWS_PROFILE environment variable](./cli-configure-envvars.html)), the AWS CLI uses the credentials defined in a separate profile `user1` to assume the role with the Amazon Resource Name (ARN) `arn:aws:iam::123456789012:role/marketingadminrole`. You can run any operations that are allowed by the permissions assigned to that role.

```
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1
```

You can then specify a `source_profile` that points to a separate named profile that contains user credentials with permission to use the role. In the previous example, the `marketingadmin` profile uses the credentials in the `user1` profile. When you specify that an AWS CLI command is to use the profile `marketingadmin`, the AWS CLI automatically looks up the credentials for the linked `user1` profile and uses them to request temporary credentials for the specified IAM role. The CLI uses the [sts:AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) operation in the background to accomplish this. Those temporary credentials are then used to run the requested AWS CLI command. The specified role must have attached IAM permission policies that allow the requested AWS CLI command to run.

To run an AWS CLI command from within an Amazon Elastic Compute Cloud (Amazon EC2) instance or an Amazon Elastic Container Service (Amazon ECS) container, you can use an IAM role attached to the instance profile or the container. If you specify no profile or set no environment variables, that role is used directly. This enables you to avoid storing long-lived access keys on your instances. You can also use those instance or container roles only to get credentials for another role. To do this, you use `credential_source` (instead of `source_profile`) to specify how to find the credentials.
The `credential_source` attribute supports the following values:

- `Environment` – Retrieves the source credentials from environment variables.
- `Ec2InstanceMetadata` – Uses the IAM role attached to the Amazon EC2 instance profile.
- `EcsContainer` – Uses the IAM role attached to the Amazon ECS container.

The following example shows the same `marketingadminrole` role used by referencing an Amazon EC2 instance profile.

```
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata
```

When you invoke a role, you have additional options that you can require, such as the use of multi-factor authentication and an External ID (used by third-party companies to access their clients' resources). You can also specify unique role session names that can be more easily audited in AWS CloudTrail logs.

## Configuring and using a role

When you run commands using a profile that specifies an IAM role, the AWS CLI uses the source profile's credentials to call AWS Security Token Service (AWS STS) and request temporary credentials for the specified role. The user in the source profile must have permission to call `sts:assume-role` for the role in the specified profile. The role must have a trust relationship that allows the user in the source profile to use the role. The process of retrieving and then using temporary credentials for a role is often referred to as *assuming the role*.

You can create a role in IAM with the permissions that you want users to assume by following the procedure under [Creating a Role to Delegate Permissions to an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *AWS Identity and Access Management User Guide*. If the role and the source profile's user are in the same account, you can enter your own account ID when configuring the role's trust relationship.

After creating the role, modify the trust relationship to allow the user to assume it.
The following example shows a trust policy that you could attach to a role. This policy allows the role to be assumed by any user in the account 123456789012, ***if*** the administrator of that account explicitly grants the `sts:AssumeRole` permission to the user.

The trust policy doesn't actually grant permissions. The administrator of the account must delegate the permission to assume the role to individual users by attaching a policy with the appropriate permissions. The following example shows a policy that you can attach to a user that allows the user to assume only the `marketingadminrole` role. For more information about granting a user access to assume a role, see [Granting a User Permission to Switch Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html) in the *IAM User Guide*.

The user doesn't need to have additional permissions to run the AWS CLI commands using the role profile. Instead, the permissions to run the command come from those attached to the *role*. You attach permission policies to the role to specify which actions can be performed against which AWS resources. For more information about attaching permissions to a role (which works identically to a user), see [Changing Permissions for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html) in the *IAM User Guide*.

Now that you have the role profile, role permissions, role trust relationship, and user permissions correctly configured, you can use the role at the command line by invoking the `--profile` option. For example, the following calls the Amazon S3 `ls` command using the permissions attached to the `marketingadmin` role as defined by the example at the beginning of this topic.

```
$ aws s3 ls --profile marketingadmin
```

To use the role for several calls, you can set the `AWS_PROFILE` environment variable for the current session from the command line.
While that environment variable is defined, you don't have to specify the `--profile` option on each command.

**Linux or macOS**

```
$ export AWS_PROFILE=marketingadmin
```

**Windows**

```
C:\> setx AWS_PROFILE marketingadmin
```

For more information about configuring users and roles, see [IAM Identities (users, user groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) and [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id-roles.html) in the *IAM User Guide*.

## Using multi-factor authentication

For additional security, you can require that users provide a one-time key generated from a multi-factor authentication (MFA) device, a U2F device, or mobile app when they attempt to make a call using the role profile.

First, you can choose to modify the trust relationship on the IAM role to require MFA. This prevents anyone from using the role without first authenticating by using MFA. For an example, see the `Condition` line in the following example. This policy allows the user named `anika` to assume the role the policy is attached to, but only if they authenticate by using MFA.

Next, add a line to the role profile that specifies the ARN of the user's MFA device. The following sample `config` file entries show two role profiles that both use the access keys for the user `anika` to request temporary credentials for the role `cli-role`. The user `anika` has permissions to assume the role, granted by the role's trust policy.

```
[profile role-without-mfa]
region = us-west-2
role_arn= arn:aws:iam::128716708097:role/cli-role
source_profile=cli-user

[profile role-with-mfa]
region = us-west-2
role_arn= arn:aws:iam::128716708097:role/cli-role
source_profile = cli-user
mfa_serial = arn:aws:iam::128716708097:mfa/cli-user

[profile cli-user]
region = us-west-2
output = json
```

The `mfa_serial` setting can take an ARN, as shown, or the serial number of a hardware MFA token.

The first profile, `role-without-mfa`, doesn't require MFA.
However, because the previous example trust policy attached to the role requires MFA, any attempt to run a command with this profile fails.

```
$ aws iam list-users --profile role-without-mfa

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
```

The second profile entry, `role-with-mfa`, identifies an MFA device to use. When the user attempts to run an AWS CLI command with this profile, the AWS CLI prompts the user to enter the one-time password (OTP) that the MFA device provides. If the MFA authentication succeeds, the command performs the requested operation. The OTP is not displayed on the screen.

```
$ aws iam list-users --profile role-with-mfa
Enter MFA code for arn:aws:iam::123456789012:mfa/cli-user:
{
    "Users": [
        {
            ...
```

## Cross-account roles and external ID

You can enable users to use roles that belong to different accounts by configuring the role as a cross-account role. During role creation, set the role type to **Another AWS account**, as described in [Creating a Role to Delegate Permissions to an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html). Optionally, select **Require MFA**. **Require MFA** configures the appropriate condition in the trust relationship, as described in [Using multi-factor authentication](#cli-configure-role-mfa).

If you use an [external ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) to provide additional control over who can use a role across accounts, you must also add the `external_id` parameter to the role profile. You typically use this only when the other account is controlled by someone outside your company or organization.

```
[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
external_id = 123456
```

## Specifying a role session name for easier auditing

When many individuals share a role, auditing becomes more of a challenge. You want to associate each operation invoked with the individual who invoked the action. However, when the individual uses a role, the assumption of the role by the individual is a separate action from the invoking of an operation, and you must manually correlate the two.

You can simplify this by specifying unique role session names when users assume a role. You do this by adding a `role_session_name` parameter to each named profile in the `config` file that specifies a role. The `role_session_name` value is passed to the `AssumeRole` operation and becomes part of the ARN for the role session. It is also included in the AWS CloudTrail logs for all logged operations.

For example, you could create a role-based profile as follows.

```
[profile namedsessionrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
role_session_name = Session_Maria_Garcia
```

This results in the role session having the following ARN.

```
arn:aws:iam::234567890123:assumed-role/SomeRole/Session_Maria_Garcia
```

Also, all AWS CloudTrail logs include the role session name in the information captured for each operation.

## Assume role with web identity

You can configure a profile to indicate that the AWS CLI should assume a role using [web identity federation and Open ID Connect (OIDC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html). When you specify this in a profile, the AWS CLI automatically makes the corresponding AWS STS `AssumeRoleWithWebIdentity` call for you.

###### Note

When you specify a profile that uses an IAM role, the AWS CLI makes the appropriate calls to retrieve temporary credentials.
These credentials are stored in `~/.aws/cli/cache`. Subsequent AWS CLI commands that specify the same profile use the cached temporary credentials until they expire. At that point, the AWS CLI automatically refreshes the credentials.

To retrieve and use temporary credentials using web identity federation, you can specify the following configuration values in a shared profile.

- [role_arn](./cli-configure-role.html) – Specifies the ARN of the role to assume.
- `web_identity_token_file` – Specifies the path to a file which contains an OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider. The AWS CLI loads this file and passes its content as the `WebIdentityToken` argument of the `AssumeRoleWithWebIdentity` operation.
- [role_session_name](#cli-configure-role-session-name) – Specifies an optional name applied to this assume-role session.

The following is an example of the minimal amount of configuration needed to configure an assume role with web identity profile.

```
# In ~/.aws/config
[profile web-identity]
role_arn=arn:aws:iam::123456789012:role/RoleNameToAssume
web_identity_token_file=/path/to/a/token
```

You can also provide this configuration by using [environment variables](./cli-configure-envvars.html).

- `AWS_ROLE_ARN` – The ARN of the role to assume.
- `AWS_WEB_IDENTITY_TOKEN_FILE` – The path to the web identity token file.
- `AWS_ROLE_SESSION_NAME` – The name applied to this assume-role session.

###### Note

These environment variables currently apply only to the assume role with web identity provider. They don't apply to the general assume role provider configuration.

## Clearing cached credentials

When you use a role, the AWS CLI caches the temporary credentials locally until they expire. The next time you try to use them, the AWS CLI attempts to renew them on your behalf.
If your role's temporary credentials are [revoked](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html), they are not renewed automatically, and attempts to use them fail. However, you can delete the cache to force the AWS CLI to retrieve new credentials.

**Linux or macOS**

```
$ rm -r ~/.aws/cli/cache
```

**Windows**

```
C:\> del /s /q %UserProfile%\.aws\cli\cache
```

---

# Console credentials

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sign-in.html

---

# Login for AWS local development using console credentials

You can use your existing AWS Management Console sign-in credentials for programmatic access to AWS services. After a browser-based authentication flow, AWS generates temporary credentials that work across local development tools like the AWS CLI, AWS Tools for PowerShell and AWS SDKs. This feature simplifies the process of configuring and managing AWS CLI credentials, especially if you prefer interactive authentication over managing long-term access keys.

With this process, you can authenticate using root credentials created during initial account set up, an IAM user, or a federated identity from your identity provider, and the AWS CLI automatically manages the temporary credentials for you. This approach enhances security by eliminating the need to store long-term credentials locally.

When you run the `aws login` command, you can select from your active console sessions, or sign in through the browser-based authentication flow and this will automatically generate temporary credentials. The CLI will automatically refresh these credentials for up to 12 hours.
Once configured, your session can be used in the AWS CLI and other AWS SDKs and Tools.

###### Topics

- [Prerequisites](#cli-configure-sign-in-prerequisites)
- [Log in to the AWS CLI with the aws login command.](#cli-configure-sign-in-login-command)
- [Run a command with your profile](#cli-configure-sign-in-with-profile)
- [Sign out of your session using the aws logout command](#cli-configure-sign-in-sign-out)
- [Troubleshooting](#cli-configure-sign-in-troubleshooting)
- [Related resources](#cli-configure-sign-in-resources)

## Prerequisites

- Install the AWS CLI. For more information, see [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html). A minimum version of 2.32.0 is required to use the `aws login` command.
- Access to sign into the AWS Management Console as a root user, IAM user, or through federation with IAM. If you use IAM Identity Center, go to [Configuring IAM Identity Center authentication with the AWS CLI](./cli-configure-sso.html) instead.
- Ensure the IAM identity has the appropriate permissions. Attach the [SignInLocalDevelopmentAccess](https://docs.aws.amazon.com/signin/latest/userguide/security-iam-awsmanpol.html) managed policy to your IAM user, role, or group. If you sign in as a root user, no additional permissions are required.

## Log in to the AWS CLI with the `aws login` command.

Run the `aws login` command to authenticate using your existing AWS Management Console credentials. If you have not previously configured a profile, you're prompted for additional information. To sign in or configure a profile, follow the steps below.

- In your preferred terminal, run the `aws login` command.

  `$ aws login`

  To sign in to a named profile or create a new one, use the `--profile` option.

  `$ aws login --profile my-dev-profile`

  If this is a new profile or no AWS Region has been specified, the AWS CLI prompts you to provide a region.

  `No AWS region has been configured.
The AWS region is the geographic location of your AWS resources. If you've used AWS before and already have resources in your account, tell us which region they were created in. If you haven't created resources in your account before, you can pick the region closest to you: https://docs.aws.amazon.com/global-infrastructure/latest/regions/aws-regions.html. You are able to change the region in the CLI at any time with the command `aws configure set region NEW_REGION`. AWS Region [us-east-1]:`

- If the device using the AWS CLI does not have a browser, you can use the `--remote` option to provide a URL for you to open on a browser-enabled device.

  `$ aws login --remote`

- The AWS CLI attempts to open your default browser for the sign in process of your AWS account.

  ```
  Attempting to open the login page for `us-east-1` in your default browser. If the browser does not open, use the following URL to complete your login:

  https://signin.us-east-1.amazonaws.com/authorize?

  If you cannot connect to this URL, make sure that you have specified a valid region.
  ```

  If you used the `--remote` option, instructions to manually start the sign in process are displayed based on the type of authorization you are using. The URL displayed is a unique URL starting with: https://us-east-1.signin.amazonaws.com/authorize. Once you complete the browser log in, you will need to copy and paste the resulting authorization code back in the CLI.

  ```
  Browser will not be automatically opened.
  Please visit the following URL:
  https://region.signin.amazonaws.com/authorize?

  Please enter the authorization code displayed in the browser:
  ```

- In the browser, select your credentials to use from the displayed list and then return to your terminal.

  If the profile you are configuring has a previously configured login session that does not match your new session, the AWS CLI prompts you to confirm that you are switching the session that corresponds to the existing profile.

  ```
  Profile signin is already configured to use session arn:aws:iam::0123456789012:user/ReadOnly. Do you want to overwrite it to use arn:aws:iam::0123456789012:user/Admin instead? (y/n):.
  ```

- A final message describes the completed profile configuration.

You can now use this profile to request credentials. Use the `aws login` command to request and retrieve the credentials needed to run commands. The authentication token is cached to disk under the `.aws/login/cache` directory with a filename based on the resolved profile.

### Generated configuration file

These steps result in creating the `default` profile in the `config` file that looks like the following:

```
[default]
login_session = arn:aws:iam::0123456789012:user/username
region = us-east-1
```

## Run a command with your profile

Once signed in, you can use your credentials to invoke AWS CLI commands with the associated profile. The following example calls the `get-caller-identity` command using the `default` profile:

```
$ aws sts get-caller-identity
```

To sign in to a specific session, use the `--profile` option.

```
$ aws sts get-caller-identity --profile my-dev-profile
```

The AWS CLI and SDKs will automatically refresh the cached credentials every 15 minutes as needed. The overall session will be valid for up to the set session duration of the IAM principal (maximum of 12 hours), after which you must run `aws login` again.

## Sign out of your session using the aws logout command

When you are done using your session, you can let your credentials expire, or run the `aws logout` command to delete your cached credentials. If no profile is specified on the command line or in the `AWS_PROFILE` environment variable, the command signs you out of your default profile. The following example signs you out of your default profile.

```
$ aws logout
```

To sign out of a specific session, use the `--profile` option.

```
$ aws logout --profile my-dev-profile
```

To sign out of all profiles that use login credentials, use the `--all` option.
`$ aws logout --all`

### Cached Credentials

The temporary cached credentials, as well as the metadata required to refresh them, are stored by default in `~/.aws/login/cache` on Linux and macOS, or `%USERPROFILE%\.aws\login\cache` on Windows.

To store the short-term credentials cache in an alternative location, set the `AWS_LOGIN_CACHE_DIRECTORY` environment variable.

#### Sharing Login credentials as process credentials

Older versions of the AWS SDKs or other development tools may not support console credentials yet. As a workaround, you can configure the AWS CLI to serve as a process credentials provider. The CLI will continue to refresh the credentials as needed, while sharing them with tools configured to use the `credential_process` profile.

In this example, use the AWS CLI to log in first for the profile `signin`:

`$ aws login --profile signin`

Then, manually configure a profile with the `credential_process` option, which points back at the `signin` profile. Now you can configure SDKs or tools to use the `process` profile, which will invoke the CLI to share the credentials from the `signin` profile.

```
[profile signin]
login_session = arn:aws:iam::0123456789012:user/username
region = us-east-1

[profile process]
credential_process = aws configure export-credentials --profile signin --format process
region = us-east-1
```

## Troubleshooting

This page contains recommendations for troubleshooting issues with logging in for AWS local development using console credentials for the AWS CLI.

###### Note

To troubleshoot other issues you may come across using the AWS CLI, see [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html).

### ExpiredToken or AccessDeniedException errors after using "aws login"

When running an AWS CLI command after running `aws login` for a given profile, you may encounter an expired or invalid credentials error.
```
$ aws s3 ls
An error occurred (ExpiredToken) when calling the ListBuckets operation: The provided token has expired.
```

**Possible cause:** You have a mix of existing credentials and the new login credentials in that profile.

Run `aws configure list` or `aws configure list --profile ` to print where the CLI is resolving credentials from for either the default or the given profile. If the TYPE column is something other than login, this means that there is still a different type of credentials set in the target profile.

In this example, credentials are being resolved from the shared credentials file in your home directory, which has precedence over the login credentials.

```
$ aws configure list
NAME       : VALUE                : TYPE                    : LOCATION
profile    :                      : None                    : None
access_key : ****************MPLE : shared-credentials-file :
secret_key : ****************EKEY : shared-credentials-file :
region     : us-east-1            : config-file             : ~/.aws/config
```

To address this, manually remove any existing credentials from your config and credentials file for the target profile. Once you do so, you should see login credentials when running `aws configure list` again.

```
$ aws configure list
NAME       : VALUE                : TYPE        : LOCATION
profile    :                      : None        : None
access_key : ****************MPLE : login       :
secret_key : ****************EKEY : login       :
region     : us-east-1            : config-file : ~/.aws/config
```

Alternatively, using the `--debug` option will show where the CLI is resolving credentials from.

### Firewall blocking network access when running "aws login"

When running `aws login` you may encounter a popup or message from your firewall software that prevents the AWS CLI from accessing your network.

**Possible cause:** Your firewall or security software is preventing the AWS CLI from opening the port used to handle the OAuth callback.

To avoid this issue, use the `--remote` option instead. This will prompt you to copy and paste the authorization code instead of using the OAuth callback.
`$ aws login --remote`

## Related resources

Additional resources are as follows.

- [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html)
- [`aws login` in the AWS CLI version 2 Reference](https://docs.aws.amazon.com/cli/latest/reference/)
- [`aws logout` in the AWS CLI version 2 Reference](https://docs.aws.amazon.com/cli/latest/reference/)

---

# External credentials

> Sourcing external credentials that aren't directly supported by the AWS CLI.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

---

# Sourcing credentials with an external process in the AWS CLI

###### Warning

This topic discusses sourcing credentials from an external process. This could be a security risk if the command to generate the credentials becomes accessible by non-approved processes or users. We recommend that you use the supported, secure alternatives provided by the AWS CLI and AWS to reduce the risk of compromising your credentials. Ensure that you secure the `config` file and any supporting files and tools to prevent disclosure.

Ensure that your custom credential tool does not write any secret information to `StdErr` because the SDKs and AWS CLI can capture and log such information, potentially exposing it to unauthorized users.

If you have a method to generate or look up credentials that isn't directly supported by the AWS CLI, you can configure the AWS CLI to use it by configuring the `credential_process` setting in the `config` file.

For example, you might include an entry similar to the following in the `config` file.
```
[profile developer]
credential_process = /opt/bin/awscreds-custom --username helen
```

###### Syntax

To create this string in a way that is compatible with any operating system, follow these rules:

- If the path or file name contains a space, surround the complete path and file name with double-quotation marks (" "). The path and file name can consist of only the characters: A-Z a-z 0-9 - _ . space
- If a parameter name or a parameter value contains a space, surround that element with double-quotation marks (" "). Surround only the name or value, not the pair.
- Do not include any environment variables in the strings. For example, you can't include `$HOME` or `%USERPROFILE%`.
- Do not specify the home folder as `~`. You must specify the full path.

**Example for Windows**

`credential_process = "C:\Path\To\credentials.cmd" parameterWithoutSpaces "parameter with spaces"`

**Example for Linux or macOS**

`credential_process = "/Users/Dave/path/to/credentials.sh" parameterWithoutSpaces "parameter with spaces"`

**Expected output from the Credentials program**

The AWS CLI runs the command as specified in the profile and then reads data from `STDOUT`. The command you specify must generate JSON output on `STDOUT` that matches the following syntax.

```
{
  "Version": 1,
  "AccessKeyId": "an AWS access key",
  "SecretAccessKey": "your AWS secret access key",
  "SessionToken": "the AWS session token for temporary credentials",
  "Expiration": "ISO8601 timestamp when the credentials expire"
}
```

###### Note

As of this writing, the `Version` key must be set to `1`. This might increment over time as the structure evolves.

The `Expiration` key is an [ISO8601](https://en.wikipedia.org/wiki/ISO_8601) formatted timestamp. If the `Expiration` key is not present in the tool's output, the CLI assumes that the credentials are long-term credentials that do not refresh.
Otherwise, the credentials are considered temporary credentials and are refreshed automatically by rerunning the `credential_process` command before they expire.

###### Note

The AWS CLI does ***not*** cache external process credentials the way it does assume-role credentials. If caching is required, you must implement it in the external process.

The external process can return a non-zero return code to indicate that an error occurred while retrieving the credentials.

---

# IAM Identity Center authentication

> This section directs you to instructions to configure the AWS CLI to authenticate users with IAM Identity Center to get credentials to run AWS CLI commands.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

---

# Configuring IAM Identity Center authentication with the AWS CLI

This topic provides instructions on how to configure the AWS CLI with AWS IAM Identity Center (IAM Identity Center) to retrieve credentials to run AWS CLI commands. There are primarily two ways to authenticate users with IAM Identity Center to get credentials to run AWS CLI commands through the `config` file:

- **(Recommended)** SSO token provider configuration.
- Legacy non-refreshable configuration.

For information on using bearer auth, which uses no account ID and role, see [Setting up to use the AWS CLI with CodeCatalyst](https://docs.aws.amazon.com/codecatalyst/latest/userguide/set-up-cli.html) in the *Amazon CodeCatalyst User Guide*.

###### Note

For a guided process of using IAM Identity Center with AWS CLI commands, see [Tutorial: Using IAM Identity Center to run Amazon S3 commands in the AWS CLI](./cli-configure-sso-tutorial.html).
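Returning to the `credential_process` contract in the external credentials topic above (version-1 JSON on `STDOUT`, no caching by the CLI, nothing secret on `StdErr`, non-zero exit on failure), the following Python helper is an added example and not AWS code. It validates the document, caches it in an owner-only file, and refetches shortly before `Expiration`; `constructed_fetch`, the five-minute margin, the cache-file argument and the POSIX permission check are assumptions of this example.

```python
import json
import os
import sys
import tempfile
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)  # assumption: refetch 5 minutes before expiry


def parse_expiration(text):
    """Parse the ISO8601 Expiration value; a naive timestamp is treated as UTC."""
    stamp = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def validate(doc):
    """Return problems with a credential_process document, naming keys, never values."""
    if not isinstance(doc, dict):
        return ["output is not a JSON object"]
    problems = []
    if doc.get("Version") != 1:
        problems.append("Version must be 1")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not isinstance(doc.get(key), str) or not doc[key]:
            problems.append(f"{key} missing or empty")
    if "Expiration" in doc:
        try:
            parse_expiration(doc["Expiration"])
        except (ValueError, AttributeError, TypeError):
            problems.append("Expiration is not an ISO8601 timestamp")
    return problems


def is_fresh(doc, now):
    """No Expiration means long-term credentials; otherwise require a safety margin."""
    if "Expiration" not in doc:
        return True
    return parse_expiration(doc["Expiration"]) - now > REFRESH_MARGIN


def load_cache(path):
    """Return the cached document, or None if absent, malformed or group/world accessible."""
    try:
        if os.stat(path).st_mode & 0o077:
            return None
        with open(path, encoding="utf-8") as handle:
            doc = json.load(handle)
    except (OSError, ValueError):
        return None
    return None if validate(doc) else doc


def store_cache(path, doc):
    """Write the cache atomically; mkstemp creates the file with owner-only (0600) mode."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        json.dump(doc, handle)
    os.replace(tmp, path)


def get_credentials(fetch, cache_path, now=None):
    """Serve cached credentials while fresh, else call fetch() and cache a valid result."""
    now = now or datetime.now(timezone.utc)
    cached = load_cache(cache_path)
    if cached is not None and is_fresh(cached, now):
        return cached
    doc = fetch()
    if problems := validate(doc):
        raise ValueError("; ".join(problems))
    store_cache(cache_path, doc)
    return doc


def constructed_fetch():
    """Stand-in for a real credential source; returns constructed sample values."""
    expires = datetime.now(timezone.utc) + timedelta(hours=1)
    return {
        "Version": 1,
        "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "constructed-session-token",
        "Expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def main(cache_path):
    try:
        doc = get_credentials(constructed_fetch, cache_path)
    except Exception as exc:
        # Report only the exception class: the CLI and SDKs can capture and log stderr.
        print(f"credential helper failed: {type(exc).__name__}", file=sys.stderr)
        return 1  # non-zero exit tells the CLI that retrieval failed
    json.dump(doc, sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

A profile would reference the script by full path in `credential_process`, with the cache file path as its single argument, following the quoting rules in the Syntax list.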
**Topics**

- [Prerequisites](#cli-configure-sso-prereqs)
- [Configure your profile with the aws configure sso wizard](#cli-configure-sso-configure)
- [Configure only your sso-session section with aws configure sso-session wizard](#cli-configure-sso-session)
- [Manual configuration using the config file](#cli-configure-sso-manual)
- [Sign in to an IAM Identity Center session](#cli-configure-sso-login)
- [Run a command with your IAM Identity Center profile](#cli-configure-sso-use)
- [Sign out of your IAM Identity Center sessions](#cli-configure-sso-logout)
- [Troubleshooting](#cli-configure-sso-tshoot)
- [Related resources](#cli-configure-sso-resources)

## Prerequisites

- Install the AWS CLI. For more information, see [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html).
- You must first have access to SSO authentication within IAM Identity Center. Choose one of the following methods to access your AWS credentials.

Follow the instructions in [Getting started](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html) in the *AWS IAM Identity Center User Guide*. This process activates IAM Identity Center, creates an administrative user, and adds an appropriate least-privilege permission set.

###### Note

Create a permission set that applies least-privilege permissions. We recommend using the predefined `PowerUserAccess` permission set, unless your employer has created a custom permission set for this purpose.

Exit the portal and sign in again to see your AWS accounts, programmatic access details, and options for `Administrator` or `PowerUserAccess`. Select `PowerUserAccess` when working with the SDK.

Sign in to AWS through your identity provider’s portal. If your Cloud Administrator has granted you `PowerUserAccess` (developer) permissions, you see the AWS accounts that you have access to and your permission set.
Next to the name of your permission set, you see options to access the accounts manually or programmatically using that permission set.

Custom implementations might result in different experiences, such as different permission set names. If you're not sure which permission set to use, contact your IT team for help.

Sign in to AWS through your AWS access portal. If your Cloud Administrator has granted you `PowerUserAccess` (developer) permissions, you see the AWS accounts that you have access to and your permission set. Next to the name of your permission set, you see options to access the accounts manually or programmatically using that permission set.

Contact your IT team for help.

After gaining access to IAM Identity Center, gather your IAM Identity Center information by performing the following:

- Gather your `SSO Start URL` and `SSO Region` values that you need to run `aws configure sso`:
  - In your AWS access portal, select the permission set you use for development, and select the **Access keys** link.
  - In the **Get credentials** dialog box, choose the tab that matches your operating system.
  - Choose the **IAM Identity Center credentials** method to get the `SSO Start URL` and `SSO Region` values.
- Alternatively, starting with version 2.22.0, you can use the Issuer URL instead of the Start URL. The Issuer URL is located in the AWS IAM Identity Center console in one of the following locations:
  - On the **Dashboard** page, the Issuer URL is in the settings summary.
  - On the **Settings** page, the Issuer URL is in the **Identity source** settings.
- For information on which scopes value to register, see [OAuth 2.0 Access scopes](https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-saml2-oauth2.html#oidc-concept) in the *IAM Identity Center User Guide*.
## Configure your profile with the `aws configure sso` wizard

###### To configure an IAM Identity Center profile for your AWS CLI:

- In your preferred terminal, run the `aws configure sso` command.
- The AWS CLI attempts to open your default browser for the sign in process of your IAM Identity Center account. This process may prompt you to allow the AWS CLI access to your data. Since the AWS CLI is built on top of the SDK for Python, permission messages may contain variations of the `botocore` name.

  **If the AWS CLI cannot open the browser**, instructions to manually start the sign in process are displayed based on the type of authorization you are using.
- Select the AWS account to use from the displayed list. If you are authorized to use only one account, the AWS CLI automatically selects that account and skips the prompt.

  ```
  There are 2 AWS accounts available to you.
  > DeveloperAccount, developer-account-admin@example.com (123456789011)
    ProductionAccount, production-account-admin@example.com (123456789022)
  ```
- Select the IAM role to use from the displayed list. If there is only one role available, the AWS CLI automatically selects that role and skips the prompt.

  ```
  Using the account ID 123456789011
  There are 2 roles available to you.
  > ReadOnly
    FullAccess
  ```
- Specify the [default output format](./cli-configure-files.html#cli-config-output), the [default AWS Region](./cli-configure-files.html#cli-config-region) to send commands to, and a [name for the profile](./cli-configure-files.html). If you specify `default` as the profile name, this profile becomes the default profile used. In the following example, the user enters a default Region, default output format, and the name of the profile.

  ```
  Default client Region [None]: us-west-2
  CLI default output format (json if not specified) [None]: json
  Profile name [123456789011_ReadOnly]: my-dev-profile
  ```
- A final message describes the completed profile configuration.
You can now use this profile to request credentials. Use the `aws sso login` command to request and retrieve the credentials needed to run commands. For instructions, see [Sign in to an IAM Identity Center session](#cli-configure-sso-login).

These steps result in creating the `sso-session` section and named profile in the `config` file that looks like the following:

## Configure only your `sso-session` section with `aws configure sso-session` wizard

###### Note

This configuration is not compatible with the legacy IAM Identity Center.

The `aws configure sso-session` command updates the `sso-session` sections in the `~/.aws/config` file. Run the `aws configure sso-session` command and provide your IAM Identity Center start URL or issuer URL and the AWS Region that hosts the IAM Identity Center directory.

```
$ aws configure sso-session
SSO session name: my-sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [None]: sso:account:access
```

## Manual configuration using the `config` file

IAM Identity Center configuration information is stored in the `config` file and can be edited using a text editor. To manually add IAM Identity Center support to a named profile, you must add keys and values to the `config` file.

The `sso-session` section of the `config` file is used to group configuration variables for acquiring SSO access tokens, which can then be used to acquire AWS credentials. The following settings are used:

- **(Required)** [`sso_start_url`](./cli-configure-files.html#cli-config-sso_start_url)
- **(Required)** [`sso_region`](./cli-configure-files.html#cli-config-sso_region)
- [`sso_account_id`](./cli-configure-files.html#cli-config-sso_account_id)
- [`sso_role_name`](./cli-configure-files.html#cli-config-sso_role_name)
- [`sso_registration_scopes`](./cli-configure-files.html#cli-config-sso_registration_scopes)

You define an `sso-session` section and associate it to a profile.
The `sso_region` and `sso_start_url` settings must be set within the `sso-session` section. Typically, `sso_account_id` and `sso_role_name` must be set in the `profile` section so that the SDK can request SSO credentials.

The following example configures the SDK to request SSO credentials and supports automated token refresh:

```
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
```

This also allows `sso-session` configurations to be reused across multiple profiles:

```
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[profile prod]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole2

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
```

However, `sso_account_id` and `sso_role_name` aren't required for all scenarios of SSO token configuration. If your application only uses AWS services that support bearer authentication, then traditional AWS credentials are not needed. Bearer authentication is an HTTP authentication scheme that uses security tokens called bearer tokens. In this scenario, `sso_account_id` and `sso_role_name` aren't required. See the individual guide for your AWS service to determine if it supports bearer token authorization.

Additionally, registration scopes can be configured as part of a `sso-session`. Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account. An application can request one or more scopes, and the access token issued to the application will be limited to the scopes granted. These scopes define the permissions requested to be authorized for the registered OIDC client and access tokens retrieved by the client.
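The profile-to-`sso-session` linkage described above can be checked mechanically before anyone runs `aws sso login`. The following Python linter is an added example, not AWS code: it flags `sso-session` sections missing `sso_region` or `sso_start_url`, profiles whose `sso_session` names no defined section, profiles without `sso_account_id`/`sso_role_name` (valid only for bearer-token services), and profiles that set `sso_start_url` or `sso_region` directly, which is the legacy non-refreshable form this section covers further on. The finding levels and messages are this example's own, and `SAMPLE_CONFIG` is constructed from the page's placeholder values.

```python
import configparser

SESSION_REQUIRED = ("sso_region", "sso_start_url")
PROFILE_ROLE_KEYS = ("sso_account_id", "sso_role_name")

# Constructed sample: one healthy profile and four deliberate problems.
SAMPLE_CONFIG = """
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[profile prod]
sso_session = my-sso-prod
sso_account_id = 111122223333
sso_role_name = SampleRole2

[profile bearer-only]
sso_session = my-sso

[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 111122223333
sso_role_name = SSOReadOnlyRole

[sso-session my-sso]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
"""


def lint_sso_config(text):
    """Return (section, level, message) findings for IAM Identity Center settings."""
    cfg = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cfg.read_string(text)
    findings = []
    sessions = set()

    # Pass 1: every sso-session section must carry its two required settings.
    for section in cfg.sections():
        if section.startswith("sso-session "):
            sessions.add(section.partition(" ")[2].strip())
            for key in SESSION_REQUIRED:
                if not cfg[section].get(key):
                    findings.append((section, "error", f"missing required {key}"))

    # Pass 2: every profile must resolve to a session or be a complete legacy profile.
    for section in cfg.sections():
        if section != "default" and not section.startswith("profile "):
            continue
        body = cfg[section]
        session = body.get("sso_session")
        if session:
            if session not in sessions:
                findings.append(
                    (section, "error", f"no [sso-session {session}] section"))
            missing = [key for key in PROFILE_ROLE_KEYS if not body.get(key)]
            if missing:
                findings.append(
                    (section, "warning",
                     "no " + ", ".join(missing) + ": bearer-token services only"))
        elif any(key in body for key in SESSION_REQUIRED):
            findings.append(
                (section, "warning", "legacy configuration: no automated token refresh"))
            for key in SESSION_REQUIRED + PROFILE_ROLE_KEYS:
                if not body.get(key):
                    findings.append((section, "error", f"legacy profile missing {key}"))
    return findings


if __name__ == "__main__":
    for section, level, message in lint_sso_config(SAMPLE_CONFIG):
        print(f"{level:7} [{section}] {message}")
```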
The following example sets `sso_registration_scopes` to provide access for listing accounts/roles:

```
[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
```

The authentication token is cached to disk under the `sso/cache` directory with a filename based on the session name.

###### Note

Automated token refresh isn't supported using the legacy non-refreshable configuration. We recommend using the SSO token configuration.

To manually add IAM Identity Center support to a named profile, you must add the following keys and values to the profile definition in the `config` file.

- [`sso_start_url`](./cli-configure-files.html#cli-config-sso_start_url)
- [`sso_region`](./cli-configure-files.html#cli-config-sso_region)
- [`sso_account_id`](./cli-configure-files.html#cli-config-sso_account_id)
- [`sso_role_name`](./cli-configure-files.html#cli-config-sso_role_name)

You can include any other keys and values that are valid in the `.aws/config` file. The following example is an IAM Identity Center profile:

```
[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 111122223333
sso_role_name = SSOReadOnlyRole
region = us-west-2
output = json
```

To run commands, you must first [Sign in to an IAM Identity Center session](#cli-configure-sso-login) to request and retrieve your temporary credentials.

For more information on the `config` and `credentials` files, see [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html).

## Sign in to an IAM Identity Center session

###### Note

The sign in process may prompt you to allow the AWS CLI access to your data. Since the AWS CLI is built on top of the SDK for Python, permission messages may contain variations of the `botocore` name.
To retrieve and cache a set of IAM Identity Center credentials, run the following command for the AWS CLI to open your default browser and verify your IAM Identity Center log in.

```
$ aws sso login --profile my-dev-profile
SSO authorization page has automatically been opened in your default browser.
Follow the instructions in the browser to complete this authorization request.
Successfully logged into Start URL: https://my-sso-portal.awsapps.com/start
```

Your IAM Identity Center session credentials are cached and the AWS CLI uses them to securely retrieve AWS credentials for the IAM role specified in the profile.

If the AWS CLI cannot automatically open your browser, instructions to manually start the sign in process are displayed based on the type of authorization you are using.

You can also specify which `sso-session` profile to use when logging in using the `--sso-session` parameter of the `aws sso login` command. The `sso-session` option is not available for legacy IAM Identity Center.

`$ aws sso login --sso-session my-dev-session`

Starting with version 2.22.0, PKCE authorization is the default. To use device authorization for signing in, add the `--use-device-code` option.

`$ aws sso login --profile my-dev-profile --use-device-code`

The authentication token is cached to disk under the `~/.aws/sso/cache` directory with a filename based on the `sso_start_url`.

## Run a command with your IAM Identity Center profile

Once logged in, you can use your credentials to invoke AWS CLI commands with the associated named profile. The following example shows a command using a profile:

`$ aws sts get-caller-identity --profile my-dev-profile`

As long as you are signed in to IAM Identity Center and those cached credentials are not expired, the AWS CLI automatically renews expired AWS credentials when needed. However, if your IAM Identity Center credentials expire, you must explicitly renew them by logging in to your IAM Identity Center account again.
## Sign out of your IAM Identity Center sessions

When you are done using your IAM Identity Center profile, you can let your credentials expire or run the following command to delete your cached credentials.

```
$ aws sso logout
Successfully signed out of all SSO profiles.
```

## Troubleshooting

If you come across issues using the AWS CLI, see [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html) for troubleshooting steps.

## Related resources

Additional resources are as follows.

- [AWS IAM Identity Center concepts for the AWS CLI](./cli-configure-sso-concepts.html)
- [Tutorial: Using IAM Identity Center to run Amazon S3 commands in the AWS CLI](./cli-configure-sso-tutorial.html)
- [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html)
- [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html)
- [`aws configure sso`](https://docs.aws.amazon.com/cli/latest/reference/configure/sso.html) in the *AWS CLI version 2 Reference*
- [`aws configure sso-session`](https://docs.aws.amazon.com/cli/latest/reference/configure/sso-session.html) in the *AWS CLI version 2 Reference*
- [`aws sso login`](https://docs.aws.amazon.com/cli/latest/reference/sso/login.html) in the *AWS CLI version 2 Reference*
- [`aws sso logout`](https://docs.aws.amazon.com/cli/latest/reference/sso/logout.html) in the *AWS CLI version 2 Reference*
- [Setting up to use the AWS CLI with CodeCatalyst](https://docs.aws.amazon.com/codecatalyst/latest/userguide/set-up-cli.html) in the *Amazon CodeCatalyst User Guide*
- [OAuth 2.0 Access scopes](https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-saml2-oauth2.html#oidc-concept) in the *IAM Identity Center User Guide*
- [Getting started tutorials](https://docs.aws.amazon.com/singlesignon/latest/userguide/tutorials.html) in the *IAM Identity Center User Guide*

---

# Enforcing a minimum TLS version

> Learn how to enforce a minimum version of TLS 1.2 for the AWS CLI.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-security-enforcing-tls.html

---

# Enforcing a minimum version of TLS for the AWS CLI

When using the AWS Command Line Interface (AWS CLI), the Transport Layer Security (TLS) protocol plays a crucial role in securing communication between the AWS CLI and AWS services. To add increased security when communicating with AWS services, you should use TLS 1.2 or later.

AWS CLI version 2 uses an internal Python script that's compiled to use a minimum of TLS 1.2 when the service it's talking to supports it. As long as you use version 2 of the AWS CLI, no further steps are needed to enforce this minimum. To ensure you're getting increased security, be sure to update to a recent version of the AWS CLI.

The AWS CLI and AWS service can exchange data securely, with the TLS protocol providing encryption, authentication, and data integrity. By leveraging the TLS protocol, the AWS CLI ensures that your interactions with AWS services are protected from unauthorized access and data breaches, enhancing the overall security of your AWS ecosystem.

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in AWS Command Line Interface. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS services. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use.
For more information about data protection, see [Data protection in the AWS CLI](./data-protection.html).

---

# Aliases

> Aliases are shortcuts you can create in the AWS Command Line Interface to shorten commands or scripts that you frequently use.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-alias.html

---

# Creating and using aliases in the AWS CLI

Aliases are shortcuts you can create in the AWS Command Line Interface (AWS CLI) to shorten commands or scripts that you frequently use. You create aliases in the `alias` file located in your configuration folder.

###### Topics

- [Prerequisites](#cli-usage-alias-prepreqs)
- [Step 1: Creating the alias file](#cli-usage-alias-create-file)
- [Step 2: Creating an alias](#cli-usage-alias-create-alias)
- [Step 3: Calling an alias](#cli-usage-alias-call-alias)
- [Alias repository examples](#cli-usage-alias-examples)
- [Resources](#cli-usage-alias-references)

## Prerequisites

To use alias commands, you need to complete the following:

- Install and configure the AWS CLI. For more information, see [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html) and [Authentication and access credentials for the AWS CLI](./cli-chap-authentication.html).
- Use a minimum AWS CLI version of 1.11.24 or 2.0.0.
- (Optional) To use AWS CLI alias bash scripts, you must use a bash-compatible terminal.

## Step 1: Creating the alias file

To create the `alias` file, you can use your file navigation and a text editor, or use your preferred terminal by using the step-by-step procedure. To quickly create your alias file, use the following command block.
###### To create the alias file

- Create a folder named `cli` in your AWS CLI configuration folder. By default the configuration folder is `~/.aws/` on Linux or macOS and `%USERPROFILE%\.aws\` on Windows. You can create this through your file navigation or by using the following command.

  The resulting `cli` folder default path is `~/.aws/cli/` on Linux or macOS and `%USERPROFILE%\.aws\cli` on Windows.
- In the `cli` folder, create a text file named `alias` with no extension and add `[toplevel]` to the first line. You can create this file through your preferred text editor or use the following command.

## Step 2: Creating an alias

You can create an alias using basic commands or bash scripting.

### Creating a basic command alias

You can create your alias by adding a command using the following syntax in the `alias` file you created in the previous step.

**Syntax**

`aliasname = command [--options]`

The `aliasname` is what you call your alias. The `command` is the command you want to call, which can include other aliases. You can include options or parameters in your alias, or add them when calling your alias.

The following example creates an alias named `aws whoami` using the [`aws sts get-caller-identity`](https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html) command. Since this alias calls an existing AWS CLI command, you can write the command without the `aws` prefix.

`whoami = sts get-caller-identity`

The following example takes the previous `whoami` example and adds the `Account` filter and text `output` options.

`whoami2 = sts get-caller-identity --query Account --output text`

### Creating a sub-command alias

###### Note

The sub-command alias feature requires a minimum AWS CLI version of 1.11.24 or 2.0.0.

You can create an alias for sub-commands by adding a command using the following syntax in the `alias` file you created in the previous step.
**Syntax**

```
[command commandGroup]
aliasname = command [--options]
```

The `commandGroup` is the command namespace. For example, the command `aws ec2 describe-regions` is under the `ec2` command group. The `aliasname` is what you call your alias. The `command` is the command you want to call, which can include other aliases. You can include options or parameters in your alias, or add them when calling your alias.

The following example creates an alias named `aws ec2 regions` using the [`aws ec2 describe-regions`](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-regions.html) command. Since this alias calls an existing AWS CLI command under the `ec2` command namespace, you can write the command without the `aws ec2` prefix.

```
[command ec2]
regions = describe-regions --query Regions[].RegionName
```

To create aliases from commands outside of the command namespace, prefix the full command with an exclamation mark. The following example creates an alias named `aws ec2 instance-profiles` using the [`aws iam list-instance-profiles`](https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profiles.html) command.

```
[command ec2]
instance-profiles = !aws iam list-instance-profiles
```

###### Note

Aliases only use existing command namespaces and you cannot create new ones. For example, you can't create an alias with the `[command johnsmith]` section as the `johnsmith` command namespace does not already exist.

### Creating a bash scripting alias

###### Warning

To use AWS CLI alias bash scripts, you must use a bash-compatible terminal.

You can create an alias using bash scripts for more advanced processes using the following syntax.

**Syntax**

```
aliasname =
  !f() {
    script content
  }; f
```

The `aliasname` is what you call your alias and `script content` is the script you want to run when you call the alias.

The following example uses `opendns` to output your current IP address.
Since you can use aliases in other aliases, the following `myip` alias is useful to allow or revoke access for your IP address from within other aliases.

```
myip =
  !f() {
    dig +short myip.opendns.com @resolver1.opendns.com
  }; f
```

The following script example calls the previous `aws myip` alias to authorize your IP address for an Amazon EC2 security group ingress.

```
authorize-my-ip =
  !f() {
    ip=$(aws myip)
    aws ec2 authorize-security-group-ingress --group-id ${1} --cidr $ip/32 --protocol tcp --port 22
  }; f
```

When you call aliases that use bash scripting, the variables are always passed in the order that you entered them. In bash scripting, the variable names are not taken into consideration, only the order they appear. In the following `textalert` alias example, the variable for the `--message` option is first and `--phone-number` option is second.

```
textalert =
  !f() {
    aws sns publish --message "${1}" --phone-number ${2}
  }; f
```

## Step 3: Calling an alias

To run the alias you created in your `alias` file, use the following syntax. You can add additional options when you call your alias.

**Syntax**

```
$ aws aliasname
```

The following example uses the `aws whoami` command alias.

```
$ aws whoami
{
    "UserId": "A12BCD34E5FGHI6JKLM",
    "Account": "1234567890987",
    "Arn": "arn:aws:iam::1234567890987:user/userName"
}
```

The following example uses the `aws whoami` alias with additional options to only return the `Account` number in `text` output.

```
$ aws whoami --query Account --output text
1234567890987
```

The following example uses the `aws ec2 regions` [sub-command alias](#cli-usage-alias-create-alias-sub-command).

```
$ aws ec2 regions
[
    "ap-south-1",
    "eu-north-1",
    "eu-west-3",
    "eu-west-2",
    ...
```

### Calling an alias using bash scripting variables

When you call aliases that use bash scripting, variables are passed in the order they are entered. In bash scripting, the names of the variables are not taken into consideration, only the order they appear.
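Because only position matters, a misplaced or malformed argument reaches the underlying command unchecked. The following added example (not from the AWS documentation) shows checks that an alias such as `authorize-my-ip` could run before it changes a security group. The function names are hypothetical, the sample values are constructed, and the security group ID format (`sg-` plus 8 or 17 hexadecimal characters) is an assumption.

```shell
#!/bin/sh
# Added example: argument checks for an alias such as authorize-my-ip.
# All function names are hypothetical; sample values are constructed.

# Succeeds only for one dotted-quad IPv4 address: four decimal octets in
# 0..255, no leading zeros (some parsers read "010" as octal), nothing else.
is_ipv4() {
  case $1 in
    '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  _rest=$1. _count=0
  while [ -n "$_rest" ]; do
    _octet=${_rest%%.*}      # text before the first dot
    _rest=${_rest#*.}        # text after the first dot
    case $_octet in
      0?* | ????*) return 1 ;;
    esac
    [ "$_octet" -le 255 ] || return 1
    _count=$((_count + 1))
  done
  [ "$_count" -eq 4 ]
}

# Assumed ID format: "sg-" followed by 8 or 17 lowercase hex characters.
is_security_group_id() {
  case $1 in
    sg-*) _hex=${1#sg-} ;;
    *) return 1 ;;
  esac
  case $_hex in
    '' | *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#_hex}" -eq 8 ] || [ "${#_hex}" -eq 17 ]
}

# Prints "<ip>/32" when both positional arguments look right.
# Returns 2 for a bad group ID (for example, swapped arguments) and
# 3 when the resolver output is empty, multi-line, or an error message.
checked_cidr() {
  if ! is_security_group_id "$1"; then
    echo "refusing: first argument '$1' is not a security group ID" >&2
    return 2
  fi
  if ! is_ipv4 "$2"; then
    echo "refusing: resolver output is not a single IPv4 address" >&2
    return 3
  fi
  printf '%s/32\n' "$2"
}

# The alias body with the checks in front of the API call.
# Not run here because it needs the AWS CLI and the myip alias.
authorize_my_ip() {
  _ip=$(aws myip) || return 1
  _cidr=$(checked_cidr "$1" "$_ip") || return
  aws ec2 authorize-security-group-ingress \
    --group-id "$1" --cidr "$_cidr" --protocol tcp --port 22
}

# Constructed resolver outputs: only the first one is accepted.
demo() {
  for _sample in "203.0.113.7" "" "203.0.113.256" "010.0.0.1" \
    ";; connection timed out; no servers could be reached"; do
    if ! checked_cidr sg-0123456789abcdef0 "$_sample" 2>/dev/null; then
      echo "rejected: [$_sample]"
    fi
  done
}
demo
```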
In the following `textalert` alias, the variable for the option `--message` is first and `--phone-number` is second.

```
textalert =
  !f() {
    aws sns publish --message "${1}" --phone-number ${2}
  }; f
```

When you call the `textalert` alias, you need to pass variables in the same order as they are run in the alias. In the following example we use the variables `$message` and `$phone`. The `$message` variable is passed as `${1}` for the `--message` option and the `$phone` variable is passed as `${2}` for the `--phone-number` option. This results in successfully calling the `textalert` alias to send a message.

```
$ aws textalert $message $phone
{
    "MessageId": "1ab2cd3e4-fg56-7h89-i01j-2klmn34567"
}
```

In the following example, the order is switched when calling the alias to `$phone` and `$message`. The `$phone` variable is passed as `${1}` for the `--message` option and the `$message` variable is passed as `${2}` for the `--phone-number` option. Since the variables are out of order, the alias passes the variables incorrectly. This causes an error because the contents of `$message` do not match the phone number formatting requirements for the `--phone-number` option.

```
$ aws textalert $phone $message
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help

Unknown options: text
```

## Alias repository examples

The [AWS CLI alias repository](https://github.com/awslabs/awscli-aliases) on *GitHub* contains AWS CLI alias examples created by the AWS CLI developer team and community. You can use the entire `alias` file example or take individual aliases for your own use.

###### Warning

Running the commands in this section deletes your existing `alias` file. To avoid overwriting your existing alias file, change your download location.

###### To use aliases from the repository

- Install Git.
  For installation instructions, see [Getting Started - Installing Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) in the *Git Documentation*.
- Install the `jp` command. The `jp` command is used in the `tostring` alias. For installation instructions, see the [JMESPath (jp) README.md](https://github.com/jmespath/jp) on *GitHub*.
- Install the `jq` command. The `jq` command is used in the `tostring-with-jq` alias. For installation instructions, see the [JSON processor (jq)](https://stedolan.github.io/jq/download/) on *GitHub*.
- Download the `alias` file by doing one of the following:
  - Run the following commands that download from the repository and copy the `alias` file to your configuration folder.
  - Download directly from the repository and save to the `cli` folder in your AWS CLI configuration folder. By default the configuration folder is `~/.aws/` on Linux or macOS and `%USERPROFILE%\.aws\` on Windows.
- To verify the aliases are working, run the following alias.

  ```
  $ aws whoami
  ```

  This displays the same response as the `aws sts get-caller-identity` command:

  ```
  {
      "Account": "012345678901",
      "UserId": "AIUAINBADX2VEG2TC6HD6",
      "Arn": "arn:aws:iam::012345678901:user/myuser"
  }
  ```

## Resources

- The [AWS CLI alias repository](https://github.com/awslabs/awscli-aliases) on *GitHub* contains AWS CLI alias examples created by the AWS CLI developer team and the contribution of the AWS CLI community.
- The alias feature announcement from [AWS re:Invent 2016: The Effective AWS CLI User](https://www.youtube.com/watch?t=1590&v=Xc1dHtWa9-Q) on *YouTube*.
- [`aws sts get-caller-identity`](https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html)
- [`aws ec2 describe-instances`](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html)
- [`aws sns publish`](https://docs.aws.amazon.com/cli/latest/reference/sns/publish.html)

---

# Command Structure

> Learn how to structure a multipart command and "wait" commands for the AWS Command Line Interface to communicate with AWS services.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-commandstructure.html

---

# Command structure in the AWS CLI

This topic covers how an AWS Command Line Interface (AWS CLI) command is structured, and how to use wait commands.

###### Topics

- [Command structure](#cli-usage-commandstructure-structure.title)
- [Wait commands](#cli-usage-commandstructure-wait)

## Command structure

The AWS CLI uses a multipart structure on the command line that must be specified in this order:

- The base call to the `aws` program.
- The top-level *command*, which typically corresponds to an AWS service supported by the AWS CLI.
- The *subcommand* that specifies which operation to perform.
- General AWS CLI options or parameters required by the operation. You can specify these in any order as long as they follow the first three parts. If an exclusive parameter is specified multiple times, only the *last value* applies.

```
$ aws <command> <subcommand> [options and parameters]
```

Parameters can take various types of input values, such as numbers, strings, lists, maps, and JSON structures. What is supported is dependent upon the command and subcommand you specify.

**Amazon S3**

The following example lists all of your Amazon S3 buckets.
```
$ aws s3 ls
2018-12-11 17:08:50 amzn-s3-demo-bucket1
2018-12-14 14:55:44 amzn-s3-demo-bucket2
```

For more information on the Amazon S3 commands, see [`aws s3`](https://docs.aws.amazon.com/cli/latest/reference/s3/index.html) in the *AWS CLI Command Reference*.

**AWS CloudFormation**

The following [`create-change-set`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-change-set.html) command example changes the cloudformation stack name to `my-change-set`.

```
$ aws cloudformation create-change-set --stack-name my-stack --change-set-name my-change-set
```

For more information on the AWS CloudFormation commands, see [`aws cloudformation`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/index.html) in the *AWS CLI Command Reference*.

## Wait commands

Some AWS services have `wait` commands available. Any command that uses `aws wait` usually waits until a command is complete before it moves on to the next step. This is especially useful for multipart commands or scripting, as you can use a wait command to prevent moving to subsequent steps if the wait command fails.

The AWS CLI uses a multipart structure on the command line for the `wait` command that must be specified in this order:

- The base call to the `aws` program.
- The top-level *command*, which typically corresponds to an AWS service supported by the AWS CLI.
- The `wait` command.
- The *subcommand* that specifies which operation to perform.
- General CLI options or parameters required by the operation. You can specify these in any order as long as they follow the first three parts. If an exclusive parameter is specified multiple times, only the *last value* applies.

```
$ aws <command> wait <subcommand> [options and parameters]
```

Parameters can take various types of input values, such as numbers, strings, lists, maps, and JSON structures. What is supported is dependent upon the command and subcommand you specify.

###### Note

Not every AWS service supports `wait` commands.
See the [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/index.html) to see if your service supports `wait` commands.

**AWS CloudFormation**

The following [`wait change-set-create-complete`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/wait/change-set-create-complete.html) command example pauses and resumes only after it can confirm that the `my-change-set` change set in the `my-stack` stack is ready to run.

```
$ aws cloudformation wait change-set-create-complete --stack-name my-stack --change-set-name my-change-set
```

For more information on the AWS CloudFormation `wait` commands, see [`wait`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/wait/index.html) in the *AWS CLI Command Reference*.

**AWS CodeDeploy**

The following [`wait deployment-successful`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/wait/change-set-create-complete.html) command example pauses until the `d-A1B2C3111` deployment completes successfully.

```
$ aws deploy wait deployment-successful --deployment-id d-A1B2C3111
```

For more information on the AWS CodeDeploy `wait` commands, see [`wait`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/wait/index.html) in the *AWS CLI Command Reference*.

---

# Get Help

> Learn how to access help content for the AWS CLI including the built-in help command, online reference documentation, and community resources.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-help.html

---

# Accessing help and resources for the AWS CLI

This topic describes how to access help content for the AWS Command Line Interface (AWS CLI).
###### Topics

- [The built-in AWS CLI help command](#cli-usage-help-command)
- [AWS CLI reference guide](#cli-reference)
- [API documentation](#api-reference)
- [Troubleshooting errors](#help-tshoot)
- [Additional help](#help-additional)

## The built-in AWS CLI help command

You can get help with any command when using the AWS Command Line Interface (AWS CLI). To do so, simply type `help` at the end of a command name.

For example, the following command displays help for the general AWS CLI options and the available top-level commands.

```
$ aws help
```

The following command displays the available Amazon Elastic Compute Cloud (Amazon EC2) specific commands.

```
$ aws ec2 help
```

The following example displays detailed help for the Amazon EC2 `DescribeInstances` operation. The help includes descriptions of its input parameters, available filters, and what is included as output. It also includes examples showing how to type common variations of the command.

```
$ aws ec2 describe-instances help
```

As of version `2.31.0`, the display for the `help` command is configured by the `cli_help_output` setting, which has the following values:

- **(default)** `terminal` ‐ Open the man page in the terminal.
- `browser` ‐ Open the man page as a local HTML file in your default browser. A notice is printed to your terminal when your default browser is being opened, and an error message if the AWS CLI cannot open your browser.
- `url` ‐ Print the URL to the online AWS CLI Reference Guide for the version of the AWS CLI you have installed. Settings for client-side paging, such as the `AWS_PAGER` environment variable, are respected.

The help content for each command is divided into six sections:

**Name**

The name of the command.

```
NAME
       describe-instances -
```

**Description**

A description of the API operation that the command invokes.

```
DESCRIPTION
       Describes one or more of your instances.

       If you specify one or more instance IDs, Amazon EC2 returns information
       for those instances. If you do not specify instance IDs, Amazon EC2
       returns information for all relevant instances. If you specify an
       instance ID that is not valid, an error is returned. If you specify an
       instance that you do not own, it is not included in the returned
       results.
...
```

**Synopsis**

The basic syntax for using the command and its options. If an option is shown in square brackets, it's optional, has a default value, or has an alternative option that you can use.

```
SYNOPSIS
            describe-instances
          [--dry-run | --no-dry-run]
          [--instance-ids <value>]
          [--filters <value>]
          [--cli-input-json <value>]
          [--starting-token <value>]
          [--page-size <value>]
          [--max-items <value>]
          [--generate-cli-skeleton]
```

For example, `describe-instances` has a default behavior that describes ***all*** instances in the current account and AWS Region. You can optionally specify a list of `instance-ids` to describe one or more instances; `dry-run` is an optional Boolean flag that doesn't take a value. To use a Boolean flag, specify either shown value, in this case `--dry-run` or `--no-dry-run`. Likewise, `--generate-cli-skeleton` doesn't take a value. If there are conditions on an option's use, they are described in the `OPTIONS` section, or shown in the examples.

**Options**

A description of each of the options shown in the synopsis.

```
OPTIONS
       --dry-run | --no-dry-run (boolean)
          Checks whether you have the required permissions for the action,
          without actually making the request, and provides an error response.
          If you have the required permissions, the error response is DryRun-
          Operation . Otherwise, it is UnauthorizedOperation .

       --instance-ids (list)
          One or more instance IDs.

          Default: Describes all your instances.
...
```

**Examples**

Examples showing the usage of the command and its options. If no example is available for a command or use case that you need, request one using the feedback link on this page, or in the AWS CLI command reference on the help page for the command.
```
EXAMPLES
    To describe an Amazon EC2 instance

    Command:

    aws ec2 describe-instances --instance-ids i-5203422c

    To describe all instances with the instance type m1.small

    Command:

    aws ec2 describe-instances --filters "Name=instance-type,Values=m1.small"

    To describe all instances with an Owner tag

    Command:

    aws ec2 describe-instances --filters "Name=tag-key,Values=Owner"
...
```

**Output**

Descriptions of each of the fields and data types included in the response from AWS.

For `describe-instances`, the output is a list of reservation objects, each of which contains several fields and objects that contain information about the instances associated with it. This information comes from the [API documentation for the reservation data type](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Reservation.html) used by Amazon EC2.

```
OUTPUT
       Reservations -> (list)
          One or more reservations.

          (structure)
              Describes a reservation.

              ReservationId -> (string)
                 The ID of the reservation.

              OwnerId -> (string)
                 The ID of the AWS account that owns the reservation.

              RequesterId -> (string)
                 The ID of the requester that launched the instances on your
                 behalf (for example, AWS Management Console or Auto Scaling).

              Groups -> (list)
                 One or more security groups.

                 (structure)
                     Describes a security group.

                     GroupName -> (string)
                        The name of the security group.

                     GroupId -> (string)
                        The ID of the security group.

              Instances -> (list)
                 One or more instances.

                 (structure)
                     Describes an instance.

                     InstanceId -> (string)
                        The ID of the instance.

                     ImageId -> (string)
                        The ID of the AMI used to launch the instance.

                     State -> (structure)
                        The current state of the instance.

                        Code -> (integer)
                            The low byte represents the state. The high byte
                            is an opaque internal value and should be ignored.
...
```

When the AWS CLI renders the output into JSON, it becomes an array of reservation objects, similar to the following example.
```
{
    "Reservations": [
        {
            "OwnerId": "012345678901",
            "ReservationId": "r-4c58f8a0",
            "Groups": [],
            "RequesterId": "012345678901",
            "Instances": [
                {
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "PublicDnsName": "ec2-52-74-16-12.us-west-2.compute.amazonaws.com",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
...
```

Each reservation object contains fields describing the reservation and an array of instance objects, each with its own fields (for example, `PublicDnsName`) and objects (for example, `State`) that describe it.

###### Windows users

You can *pipe* (|) the output of the help command to the `more` command to view the help file one page at a time. Press the space bar or **PgDn** to view more of the document, and `q` to quit.

```
C:\> aws ec2 describe-instances help | more
```

## AWS CLI reference guide

The help files contain links that cannot be viewed or navigated to from the command line. You can view and interact with these links by using the online [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/index.html). The reference also contains the help content for all AWS CLI commands. The descriptions are presented for easy navigation and viewing on mobile, tablet, or desktop screens.

## API documentation

All commands in the AWS CLI correspond to requests made to an AWS service's public API. Each service with a public API has an API reference that can be found on the service's home page on the [AWS Documentation website](https://docs.aws.amazon.com/). The content for an API reference varies based on how the API is constructed and which protocol is used. Typically, an API reference contains detailed information about the operations supported by the API, the data sent to and from the service, and any error conditions that the service can report.

###### API Documentation Sections

- **Actions** – Detailed information on each operation and its parameters (including constraints on length or content, and default values).
  It lists the errors that can occur for this operation. Each operation corresponds to a subcommand in the AWS CLI.
- **Data Types** – Detailed information about structures that a command might require as a parameter, or return in response to a request.
- **Common Parameters** – Detailed information about the parameters that are shared by all of the actions for the service.
- **Common Errors** – Detailed information about errors that can be returned by any of the service's operations.

The name and availability of each section can vary, depending on the service.

###### Service-specific CLIs

Some services have a separate CLI that dates from before a single AWS CLI was created to work with all services. These service-specific CLIs have separate documentation that is linked from the service's documentation page. Documentation for service-specific CLIs does not apply to the AWS CLI.

## Troubleshooting errors

For help diagnosing and fixing AWS CLI errors, see [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html).

## Additional help

For additional help with your AWS CLI issues, visit the [AWS CLI community](https://github.com/aws/aws-cli/issues) on *GitHub*.

---

# Control Command Output

> Control the format of the output from the AWS CLI.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output.html

---

# Controlling command output in the AWS CLI

This section describes the different ways to control the output from the AWS Command Line Interface (AWS CLI). Customizing the AWS CLI output in your terminal can improve readability, streamline scripting automation and provide easier navigation through larger data sets.
The AWS CLI supports multiple [output formats](./cli-usage-output-format.html), including [json](./cli-usage-output-format.html#json-output), [text](./cli-usage-output-format.html#text-output), [yaml](./cli-usage-output-format.html#yaml-output), and [table](./cli-usage-output-format.html#table-output).

Some services have server-side [pagination](./cli-usage-pagination.html) for their data and the AWS CLI provides its own client-side features for additional pagination options.

Lastly, the AWS CLI has both [server-side and client-side filtering](./cli-usage-filter.html) that you can use individually or together to filter your AWS CLI output.

###### Topics

- [Sensitive output](#cli-usage-output-sensitive)
- [Server-side vs client-side output options](#cli-usage-output-server-client)
- [Setting the output format in the AWS CLI](./cli-usage-output-format.html)
- [Using the pagination options in the AWS CLI](./cli-usage-pagination.html)
- [Filtering output in the AWS CLI](./cli-usage-filter.html)

## Sensitive output

Some operations of the AWS CLI might return information that could be considered sensitive, including information from environment variables. The exposure of this information might represent a security risk in certain scenarios; for example, the information could be included in continuous integration and continuous deployment (CI/CD) logs. It is therefore important that you review when you are including such output as part of your logs, and suppress the output when not needed.

For additional information about protecting sensitive data, see [Data protection in the AWS CLI](./data-protection.html).

Consider the following best practices:

- Consider programmatically retrieving your secrets from a secrets store, such as AWS Secrets Manager.
- Review the contents of your build logs to ensure they do not contain sensitive information.
  Consider approaches such as piping to `/dev/null` or capturing the output as a bash or PowerShell variable to suppress command outputs.

  The following is a bash example for redirecting output, but not errors, to `/dev/null`:

  ```
  $ aws s3 ls > /dev/null
  ```

  For specifics on suppressing output for your terminal, see the user documentation of the terminal you use.
- Consider the access of your logs and scope the access appropriately for your use case.

## Server-side vs client-side output options

The AWS CLI has both [server-side and client-side filtering](./cli-usage-filter.html) that you can use individually or together to filter your AWS CLI output. Server-side filtering is processed first and returns your output for client-side filtering. Server-side filtering is supported by the service API. Client-side filtering is supported by the AWS CLI client using the `--query` parameter.

**Server-side** output options are features directly supported by the AWS service API. Any data that is filtered or paged out is not sent to the client, which can speed up HTTP response times and improve bandwidth for larger data sets.

**Client-side** output options are features created by the AWS CLI. All data is sent to the client, then the AWS CLI filters or pages the content displayed. Client-side operations do not save on speed or bandwidth for larger datasets.

When server-side and client-side options are used together, server-side operations are completed first and then sent to the client for client-side operations. This uses the potential speed and bandwidth savings of server-side options, while using additional AWS CLI features to get your desired output.
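For the sensitive output practices described on this page, the following added example (not from the AWS documentation) captures a command's output in a variable so nothing reaches a CI/CD log on success, and redacts credential material before showing the output of a failed command. The function names are hypothetical, the sample command is a constructed stand-in that prints the AWS documentation sample credentials, and the access key ID pattern assumes the 20-character form that starts with `AKIA` or `ASIA`.

```shell
#!/bin/sh
# Added example: keeping credentials out of CI/CD logs.
# Function names are hypothetical.

# Filter for stdin. Masks access key IDs (assumed form: AKIA or ASIA plus
# 16 characters; the last four are kept so entries can be correlated) and
# replaces secret key and session token values in JSON output,
# credentials-file lines and environment variable dumps.
redact_aws_secrets() {
  sed -E \
    -e 's/(A[KS]IA)[A-Z0-9]{12}([A-Z0-9]{4})/\1************\2/g' \
    -e 's/("(SecretAccessKey|SessionToken)"[[:space:]]*:[[:space:]]*")[^"]*"/\1[REDACTED]"/g' \
    -e 's/((aws_secret_access_key|aws_session_token|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)[[:space:]]*=[[:space:]]*).*/\1[REDACTED]/'
}

# Runs a command with stdout and stderr captured in a variable, so nothing
# is written to the log when it succeeds. When it fails, the captured text
# goes to stderr after redaction and the return code is passed through.
run_quiet() {
  _status=0
  _out=$("$@" 2>&1) || _status=$?
  if [ "$_status" -ne 0 ]; then
    printf '%s\n' "$_out" | redact_aws_secrets >&2
  fi
  return "$_status"
}

# Constructed stand-in for a failing command that echoes credentials.
# The values are AWS documentation samples, not real credentials.
sample_leaky_failure() {
  echo 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE'
  echo 'aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
  echo '{"AccessKeyId": "ASIAIOSFODNN7EXAMPLE", "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "SessionToken": "IQoJb3JpZ2luX2VERYLONGSTRINGEXAMPLE"}'
  return 1
}

# In a build script, wrap AWS CLI calls the same way, for example:
#   run_quiet aws s3 ls || exit 1
run_quiet sample_leaky_failure || echo "command failed with return code $?"
```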
---

# Auto-prompt

> How to get the AWS CLI to dynamically prompt you for parameters.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters-prompting.html

---

# Enabling and using command prompts in the AWS CLI

You can have the AWS CLI version 2 prompt you for commands, parameters, and resources when you run an `aws` command.

###### Topics

- [How it works](#cli-usage-auto-prompt-about)
- [Auto-prompt features](#cli-usage-auto-prompt-features)
- [Auto-prompt modes](#cli-usage-auto-prompt-modes)
- [Configure auto-prompt](#cli-usage-auto-prompt-configure)

## How it works

If enabled, the auto-prompt enables you to use the **ENTER** key to complete a partially entered command. After pressing the **ENTER** key, commands, parameters, and resources are suggested based on what you continue to type. The suggestions list the name of the command, parameter, or resource on the left and a description of it on the right. To select and use a suggestion, use the arrow keys to highlight a row, and then press the **SPACE** key. When you've finished entering in your command, press **ENTER** to use the command. The following example demonstrates what a suggested list from auto-prompt looks like.

```
$ aws
> aws a
       accessanalyzer                Access Analyzer
       acm                           AWS Certificate Manager
       acm-pca                       AWS Certificate Manager Private Certificate Authority
       alexaforbusiness              Alexa For Business
       amplify                       AWS Amplify
```

## Auto-prompt features

The auto-prompt contains the following useful features:

**Documentation panel**

Provides the help documentation for the current command. To open the documentation, press the **F3** key.

**Command completion**

Suggests `aws` commands to use. To see a list, partially enter the command. The following example is searching for a service starting with the letter `a`.
```
$ aws
> aws a
       accessanalyzer                Access Analyzer
       acm                           AWS Certificate Manager
       acm-pca                       AWS Certificate Manager Private Certificate Authority
       alexaforbusiness              Alexa For Business
       amplify                       AWS Amplify
```

**Parameter completion**

After a command is typed, auto-prompt starts to suggest parameters. The descriptions for the parameters include the value type, and a description of what the parameter is. Required parameters are listed first, and are labeled as required. The following example shows the auto-prompt list of parameters for `aws dynamodb describe-table`.

```
$ aws dynamodb describe-table
> aws dynamodb describe-table
       --table-name (required)  [string] The name of the table to describe.
       --cli-input-json         [string] Reads arguments from the JSON string provided. The JSON string follows the format provide...
       --cli-input-yaml         [string] Reads arguments from the YAML string provided. The YAML string follows the format provide...
       --generate-cli-skeleton  [string] Prints a JSON skeleton to standard output without sending an API request. If provided wit...
```

**Resource completion**

The auto-prompt makes AWS API calls using available AWS resource properties to suggest resource values. This allows for auto-prompt to suggest possible resources you own when entering in parameters. In the following example auto-prompt lists your table names when filling in the `--table-name` parameter for the `aws dynamodb describe-table` command.

```
$ aws dynamodb describe-table
> aws dynamodb describe-table --table-name
       Table1
       Table2
       Table3
```

**Shorthand completion**

For parameters that use shorthand syntax, auto-prompt suggests values to use. In the following example, auto-prompt lists shorthand syntax values for the `--placement` parameter in the `aws ec2 run-instances` command.

```
$ aws ec2 run-instances
> aws ec2 run-instances --placement
       AvailabilityZone=  [string] The Availability Zone of the instance. If not specified, an Availability Zone wil...
       Affinity=          [string] The affinity setting for the instance on the Dedicated Host. This parameter is no...
       GroupName=         [string] The name of the placement group the instance is in.
       PartitionNumber=   [integer] The number of the partition the instance is in. Valid only if the placement grou...
```

**File completion**

When filling out parameters in `aws` commands, auto-complete suggests local filenames after using the prefix `file://` or `fileb://`. In the following example, auto-prompt suggests local files after entering in `--item file://` for the `aws ec2 run-instances` command.

```
$ aws ec2 run-instances
> aws ec2 run-instances --item file://
       item1.txt
       file1.json
       file2.json
```

**Region completion**

When using the global parameter `--region`, auto-prompt lists possible Regions to select from. In the following example, auto-prompt suggests Regions in alphabetical order after entering in `--region` for the `aws dynamodb list-tables` command.

```
$ aws dynamodb list-tables
> aws dynamodb list-tables --region
       af-south-1
       ap-east-1
       ap-northeast-1
       ap-northeast-2
```

**Profile completion**

When using the global parameter `--profile`, auto-prompt lists your profiles. In the following example, auto-prompt suggests your profiles after entering in `--profile` for the `aws dynamodb list-tables` command.

```
$ aws dynamodb list-tables
> aws dynamodb list-tables --profile
       profile1
       profile2
       profile3
```

**Fuzzy searching**

Complete commands and values that contain a specific set of characters. In the following example, auto-prompt suggests Regions that contain `eu` after entering in `--region eu` for the `aws dynamodb list-tables` command.

```
$ aws dynamodb list-tables
> aws dynamodb list-tables --region west
       eu-west-1
       eu-west-2
       eu-west-3
       us-west-1
```

**History**

To view and run previously used commands in auto-prompt mode, press **CTRL + R**. History lists previous commands that you can select by using the arrow keys.
In the following example, the auto-prompt mode history is displayed.

```
$ aws
> aws
       dynamodb list-tables
       s3 ls
```

## Auto-prompt modes

Auto-prompt for the AWS CLI version 2 has 2 modes that can be configured:

- **Full mode:** Uses auto-prompt each time you attempt to run an `aws` command, whether you manually call it using the `--cli-auto-prompt` parameter or permanently enabled it. This includes pressing **ENTER** after both a complete command or incomplete command.
- **Partial mode:** Uses auto-prompt if a command is incomplete or cannot be run due to client-side validation errors. This mode is particularly useful if you have pre-existing scripts, runbooks, or you only want to be auto-prompted for commands you are unfamiliar with rather than prompted on every command.

## Configure auto-prompt

To configure auto-prompt you can use the following methods in order of precedence:

- **Command line options** enable or disable auto-prompt for a single command. Use [`--cli-auto-prompt`](./cli-configure-options.html#cli-configure-options-cli-auto-prompt) to call auto-prompt and [`--no-cli-auto-prompt`](./cli-configure-options.html#cli-configure-options-no-cli-auto-prompt) to disable auto-prompt.
- **Environment variables** use the [`aws_cli_auto_prompt`](./cli-configure-envvars.html#envvars-list-aws_cli_auto_prompt) variable.
- **Shared config files** use the [`cli_auto_prompt`](./cli-configure-files.html#cli-config-cli_auto_prompt) setting.

---

# Specify Parameter Values

> Specify and pass parameters as values for the AWS CLI command options.
**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters.html

---

# Specifying parameter values in the AWS CLI

Many parameters used in the AWS Command Line Interface (AWS CLI) are simple string or numeric values, such as the key-pair name `my-key-pair` in the following `aws ec2 create-key-pair` command example.

`$ aws ec2 create-key-pair --key-name my-key-pair`

Formatting for commands can vary between terminals. For example, most terminals are case sensitive but PowerShell is case insensitive. This means the following two command examples yield different results in case-sensitive terminals, which treat `MyFile*.txt` and `myfile*.txt` as **different** parameters. PowerShell, however, processes these requests as the same because it sees `MyFile*.txt` and `myfile*.txt` as the **same** parameters.

The following command example demonstrates these parameters using the `aws s3 cp` command:

```
$ aws s3 cp . s3://amzn-s3-demo-bucket/path --include "MyFile*.txt"
$ aws s3 cp . s3://amzn-s3-demo-bucket/path --include "myfile*.txt"
```

For more information on PowerShell's case insensitivity, see [about_Case-Sensitivity](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_case-sensitivity) in the *PowerShell documentation*.

Sometimes you need to use quotation marks or literals around strings that include special or space characters. The rules around this formatting can also vary between terminals. For more information about using quotation marks around complex parameters, see [Using quotation marks and literals with strings in the AWS CLI](./cli-usage-parameters-quoting-strings.html).

These topics cover the most common terminal formatting rules. If your terminal has trouble recognizing your parameter values, review the topics in this section and check your terminal's documentation for its specific syntax rules.
###### Parameter topics

- [Common parameter types in the AWS CLI](./cli-usage-parameters-types.html)
- [Using quotation marks and literals with strings in the AWS CLI](./cli-usage-parameters-quoting-strings.html)
- [Loading a parameter from a file in the AWS CLI](./cli-usage-parameters-file.html)
- [AWS CLI skeletons and input files in the AWS CLI](./cli-usage-skeleton.html)
- [Using shorthand syntax in the AWS CLI](./cli-usage-shorthand.html)

---

# Return Codes

> Understand the return codes provided by the AWS CLI.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-returncodes.html

---

# Command line return codes in the AWS CLI

The return code is usually a hidden code sent after running an AWS Command Line Interface (AWS CLI) command which describes the status of the command. You can use the `echo` command to display the code sent from the last AWS CLI command and use these codes to determine if a command was successful or if it failed, and why a command might have an error.

In addition to the return codes, you can view more details about a failure by running your commands with the `--debug` switch. This switch produces a detailed report of the steps the AWS CLI uses to process the command, and what the result of each step was.

To determine the return code of an AWS CLI command, run one of the following commands immediately after running the CLI command.

The following are the return code values that can be returned at the end of running an AWS Command Line Interface (AWS CLI) command.
| Code | Meaning |
| --- | --- |
| 0 | The service responded with an HTTP response status code of 200 indicating that there were no errors generated by the AWS CLI and AWS service the request was sent to. |
| 1 | One or more Amazon S3 transfer operations failed. *Limited to S3 commands.* |
| 2 | The meaning of this return code depends on the command:<br>*Applicable to all AWS CLI commands* – the command entered couldn't be parsed. Parsing failures can be caused by, but aren't limited to, missing required subcommands or arguments, or using unknown commands or arguments.<br>*Limited to S3 commands* – One or more files marked for transfer were skipped during the transfer process. However, all other files marked for transfer were successfully transferred. Files that are skipped during the transfer process include: files that don't exist; files that are character special devices, block special devices, FIFO queues, or sockets; and files that the user doesn't have read permissions to. |
| 130 | The command was interrupted by a SIGINT. This is the signal sent by you to cancel a command with `Ctrl`+`C`. |
| 252 | Command syntax was invalid, an unknown parameter was provided, or a parameter value was incorrect and prevented the command from running. |
| 253 | The system environment or configuration was invalid. While the command provided might be syntactically valid, missing configuration or credentials prevented the command from running. |
| 254 | The command was successfully parsed and a request was made to the specified service, but the service returned an error. This will generally indicate incorrect API usage or other service-specific issues. |
| 255 | The command failed. There were errors generated by the AWS CLI or by the AWS service to which the request was sent. |

---

# Wizards

> Use the wizard subcommand to guide you through the input for a command in the AWS Command Line Interface.
**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-wizard.html

---

# Using custom wizards to run interactive commands in the AWS CLI

The AWS Command Line Interface (AWS CLI) provides the ability to use a wizard for some commands. To contribute or view the full list of available AWS CLI wizards, see the [AWS CLI wizards folder](https://github.com/aws/aws-cli/tree/v2/awscli/customizations/wizard/wizards) on GitHub.

## How it works

Similar to the AWS console, the AWS CLI has a UI wizard that guides you through managing your AWS resources. To use the wizard, you call the `wizard` subcommand and the wizard name after the service name in a command. The command structure is as follows:

**Syntax:**

`$ aws wizard <wizardName>`

The following example calls the wizard to create a new `dynamodb` table.

`$ aws dynamodb wizard new-table`

`aws configure` is the only wizard that does not have a wizard name. When running the wizard, run the `aws configure wizard` command as the following example demonstrates:

`$ aws configure wizard`

After calling a wizard, a form in the shell is displayed. For each parameter, you are either provided a list of options to select from or prompted to enter a string. To select from a list, use your up and down arrow keys and press **ENTER**. To view details on an option, press the right arrow key. When you've finished filling out a parameter, press **ENTER**.

```
$ aws configure wizard
What would you like to configure
> Static Credentials
  Assume Role
  Process Provider
  Additional CLI configuration
Enter the name of the profile:
Enter your Access Key Id:
Enter your Secret Access Key:
```

To edit previous prompts, use **SHIFT** + **TAB**. For some wizards, after filling in all prompts, you can preview an AWS CloudFormation template or the AWS CLI command filled with your information. This preview mode is useful for learning the AWS CLI and service APIs, and for creating templates for scripts.
Press **ENTER** after previewing or the last prompt to run the final command.

```
$ aws configure wizard
What would you like to configure
Enter the name of the profile: testWizard
Enter your Access Key Id: AB1C2D3EF4GH5I678J90K
Enter your Secret Access Key: ab1c2def34gh5i67j8k90l1mnop2qr3s45tu678v90
```

---

# Command examples

> Code examples that show how to use AWS Command Line Interface with AWS.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cli_code_examples.html

---

# AWS CLI command examples

The code examples in this topic show you how to use the AWS Command Line Interface with AWS.

*Basics* are code examples that show you how to perform the essential operations within a service.

*Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.

*Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services.

Some services contain additional example categories that show how to leverage libraries or functions specific to the service.
###### Services - [ACM](./cli_acm_code_examples.html) - [API Gateway](./cli_api-gateway_code_examples.html) - [API Gateway HTTP and WebSocket API](./cli_apigatewayv2_code_examples.html) - [API Gateway Management API](./cli_apigatewaymanagementapi_code_examples.html) - [App Mesh](./cli_app-mesh_code_examples.html) - [App Runner](./cli_apprunner_code_examples.html) - [AWS AppConfig](./cli_appconfig_code_examples.html) - [Application Auto Scaling](./cli_application-auto-scaling_code_examples.html) - [Application Discovery Service](./cli_application-discovery-service_code_examples.html) - [Application Signals](./cli_application-signals_code_examples.html) - [AppRegistry](./cli_service-catalog-appregistry_code_examples.html) - [Athena](./cli_athena_code_examples.html) - [Amazon EC2 Auto Scaling](./cli_auto-scaling_code_examples.html) - [Auto Scaling Plans](./cli_auto-scaling-plans_code_examples.html) - [AWS Backup](./cli_backup_code_examples.html) - [AWS Batch](./cli_batch_code_examples.html) - [AWS Budgets](./cli_budgets_code_examples.html) - [Amazon Chime](./cli_chime_code_examples.html) - [Cloud Control API](./cli_cloudcontrol_code_examples.html) - [AWS Cloud Map](./cli_servicediscovery_code_examples.html) - [AWS Cloud9](./cli_cloud9_code_examples.html) - [CloudFormation](./cli_cloudformation_code_examples.html) - [CloudFront](./cli_cloudfront_code_examples.html) - [Amazon CloudSearch](./cli_cloudsearch-domain_code_examples.html) - [CloudTrail](./cli_cloudtrail_code_examples.html) - [CloudWatch](./cli_cloudwatch_code_examples.html) - [CloudWatch Logs](./cli_cloudwatch-logs_code_examples.html) - [CloudWatch Network Monitoring](./cli_networkmonitor_code_examples.html) - [CloudWatch Observability Access Monitor](./cli_oam_code_examples.html) - [CloudWatch Observability Admin](./cli_observabilityadmin_code_examples.html) - [CloudWatch Synthetics](./cli_synthetics_code_examples.html) - [CodeArtifact](./cli_codeartifact_code_examples.html) - 
[CodeBuild](./cli_codebuild_code_examples.html) - [CodeCommit](./cli_codecommit_code_examples.html) - [CodeDeploy](./cli_codedeploy_code_examples.html) - [CodeGuru Reviewer](./cli_codeguru-reviewer_code_examples.html) - [CodePipeline](./cli_codepipeline_code_examples.html) - [AWS CodeStar Notifications](./cli_codestar-notifications_code_examples.html) - [CodeConnections](./cli_codestar-connections_code_examples.html) - [Amazon Cognito Identity](./cli_cognito-identity_code_examples.html) - [Amazon Cognito Identity Provider](./cli_cognito-identity-provider_code_examples.html) - [Amazon Comprehend](./cli_comprehend_code_examples.html) - [Amazon Comprehend Medical](./cli_comprehendmedical_code_examples.html) - [AWS Config](./cli_config-service_code_examples.html) - [Amazon Connect](./cli_connect_code_examples.html) - [AWS Cost and Usage Report](./cli_cost-and-usage-report-service_code_examples.html) - [Cost Explorer Service](./cli_cost-explorer_code_examples.html) - [Firehose](./cli_firehose_code_examples.html) - [Amazon Data Lifecycle Manager](./cli_dlm_code_examples.html) - [AWS Data Pipeline](./cli_data-pipeline_code_examples.html) - [DataSync](./cli_datasync_code_examples.html) - [DAX](./cli_dax_code_examples.html) - [Detective](./cli_detective_code_examples.html) - [Device Farm](./cli_device-farm_code_examples.html) - [Direct Connect](./cli_direct-connect_code_examples.html) - [Directory Service](./cli_directory-service_code_examples.html) - [Directory Service Data](./cli_directory-service-data_code_examples.html) - [AWS DMS](./cli_database-migration-service_code_examples.html) - [Amazon DocumentDB](./cli_docdb_code_examples.html) - [DynamoDB](./cli_dynamodb_code_examples.html) - [DynamoDB Streams](./cli_dynamodb-streams_code_examples.html) - [Amazon EC2](./cli_ec2_code_examples.html) - [Amazon EC2 Instance Connect](./cli_ec2-instance-connect_code_examples.html) - [Amazon ECR](./cli_ecr_code_examples.html) - [Amazon ECR Public](./cli_ecr-public_code_examples.html) 
- [Amazon ECS](./cli_ecs_code_examples.html) - [Amazon EFS](./cli_efs_code_examples.html) - [Amazon EKS](./cli_eks_code_examples.html) - [Elastic Beanstalk](./cli_elastic-beanstalk_code_examples.html) - [ELB - Version 1](./cli_elastic-load-balancing_code_examples.html) - [ELB - Version 2](./cli_elastic-load-balancing-v2_code_examples.html) - [Elastic Transcoder](./cli_elastic-transcoder_code_examples.html) - [ElastiCache](./cli_elasticache_code_examples.html) - [MediaStore](./cli_mediastore_code_examples.html) - [Amazon EMR](./cli_emr_code_examples.html) - [Amazon EMR on EKS](./cli_emr-containers_code_examples.html) - [EventBridge](./cli_eventbridge_code_examples.html) - [EventBridge Pipes](./cli_pipes_code_examples.html) - [Firewall Manager](./cli_fms_code_examples.html) - [AWS FIS](./cli_fis_code_examples.html) - [Amazon GameLift Servers](./cli_gamelift_code_examples.html) - [Amazon Glacier](./cli_glacier_code_examples.html) - [Global Accelerator](./cli_global-accelerator_code_examples.html) - [AWS Glue](./cli_glue_code_examples.html) - [GuardDuty](./cli_guardduty_code_examples.html) - [AWS Health](./cli_health_code_examples.html) - [HealthImaging](./cli_medical-imaging_code_examples.html) - [HealthLake](./cli_healthlake_code_examples.html) - [HealthOmics](./cli_omics_code_examples.html) - [IAM](./cli_iam_code_examples.html) - [IAM Access Analyzer](./cli_accessanalyzer_code_examples.html) - [Image Builder](./cli_imagebuilder_code_examples.html) - [Incident Manager](./cli_ssm-incidents_code_examples.html) - [Incident Manager Contacts](./cli_ssm-contacts_code_examples.html) - [Amazon Inspector](./cli_inspector2_code_examples.html) - [AWS IoT](./cli_iot_code_examples.html) - [AWS IoT Analytics](./cli_iotanalytics_code_examples.html) - [Device Advisor](./cli_iotdeviceadvisor_code_examples.html) - [AWS IoT data](./cli_iot-data-plane_code_examples.html) - [AWS IoT Events](./cli_iot-events_code_examples.html) - [AWS IoT 
Events-Data](./cli_iot-events-data_code_examples.html) - [AWS IoT Greengrass](./cli_greengrass_code_examples.html) - [AWS IoT Greengrass V2](./cli_greengrassv2_code_examples.html) - [AWS IoT Jobs SDK release](./cli_iot-jobs-data-plane_code_examples.html) - [AWS IoT SiteWise](./cli_iotsitewise_code_examples.html) - [AWS IoT Things Graph](./cli_iotthingsgraph_code_examples.html) - [AWS IoT Wireless](./cli_iot-wireless_code_examples.html) - [Amazon IVS](./cli_ivs_code_examples.html) - [Amazon IVS Chat](./cli_ivschat_code_examples.html) - [Amazon IVS Real-Time Streaming](./cli_ivs-realtime_code_examples.html) - [Amazon Kendra](./cli_kendra_code_examples.html) - [Kinesis](./cli_kinesis_code_examples.html) - [AWS KMS](./cli_kms_code_examples.html) - [Lake Formation](./cli_lakeformation_code_examples.html) - [Lambda](./cli_lambda_code_examples.html) - [License Manager](./cli_license-manager_code_examples.html) - [Lightsail](./cli_lightsail_code_examples.html) - [Macie](./cli_macie2_code_examples.html) - [Amazon Managed Grafana](./cli_grafana_code_examples.html) - [MediaConnect](./cli_mediaconnect_code_examples.html) - [MediaConvert](./cli_mediaconvert_code_examples.html) - [MediaLive](./cli_medialive_code_examples.html) - [MediaPackage](./cli_mediapackage_code_examples.html) - [MediaPackage VOD](./cli_mediapackage-vod_code_examples.html) - [MediaStore Data Plane](./cli_mediastore-data_code_examples.html) - [MediaTailor](./cli_mediatailor_code_examples.html) - [MemoryDB](./cli_memorydb_code_examples.html) - [Amazon MSK](./cli_kafka_code_examples.html) - [Network Flow Monitor](./cli_networkflowmonitor_code_examples.html) - [Network Manager](./cli_networkmanager_code_examples.html) - [OpenSearch Service](./cli_elasticsearch-service_code_examples.html) - [Organizations](./cli_organizations_code_examples.html) - [AWS Outposts](./cli_outposts_code_examples.html) - [AWS Payment Cryptography](./cli_payment-cryptography_code_examples.html) - [AWS Payment Cryptography Data 
Plane](./cli_payment-cryptography-data_code_examples.html) - [Amazon Pinpoint](./cli_pinpoint_code_examples.html) - [Amazon Polly](./cli_polly_code_examples.html) - [AWS Price List](./cli_pricing_code_examples.html) - [AWS Private CA](./cli_acm-pca_code_examples.html) - [AWS Proton](./cli_proton_code_examples.html) - [Amazon RDS](./cli_rds_code_examples.html) - [Amazon RDS Data Service](./cli_rds-data_code_examples.html) - [Amazon RDS Performance Insights](./cli_pi_code_examples.html) - [Amazon Redshift](./cli_redshift_code_examples.html) - [Amazon Rekognition](./cli_rekognition_code_examples.html) - [AWS RAM](./cli_ram_code_examples.html) - [Resource Explorer](./cli_resource-explorer-2_code_examples.html) - [Resource Groups](./cli_resource-groups_code_examples.html) - [Resource Groups Tagging API](./cli_resource-groups-tagging-api_code_examples.html) - [Route 53](./cli_route-53_code_examples.html) - [Route 53 domain registration](./cli_route-53-domains_code_examples.html) - [Route 53 Profiles](./cli_route53profiles_code_examples.html) - [Route 53 Resolver](./cli_route53resolver_code_examples.html) - [Amazon S3](./cli_s3_code_examples.html) - [Amazon S3 Control](./cli_s3-control_code_examples.html) - [Secrets Manager](./cli_secrets-manager_code_examples.html) - [Security Hub](./cli_securityhub_code_examples.html) - [Security Lake](./cli_securitylake_code_examples.html) - [AWS Serverless Application Repository](./cli_serverlessapplicationrepository_code_examples.html) - [Service Catalog](./cli_service-catalog_code_examples.html) - [Service Quotas](./cli_service-quotas_code_examples.html) - [Amazon SES](./cli_ses_code_examples.html) - [Shield](./cli_shield_code_examples.html) - [Signer](./cli_signer_code_examples.html) - [Snowball Edge](./cli_snowball_code_examples.html) - [Amazon SNS](./cli_sns_code_examples.html) - [Amazon SQS](./cli_sqs_code_examples.html) - [Storage Gateway](./cli_storage-gateway_code_examples.html) - [AWS STS](./cli_sts_code_examples.html) - 
[Support](./cli_support_code_examples.html) - [Amazon SWF](./cli_swf_code_examples.html) - [Systems Manager](./cli_ssm_code_examples.html) - [Amazon Textract](./cli_textract_code_examples.html) - [Amazon Transcribe](./cli_transcribe_code_examples.html) - [Amazon Translate](./cli_translate_code_examples.html) - [Trusted Advisor](./cli_trustedadvisor_code_examples.html) - [Verified Permissions](./cli_verifiedpermissions_code_examples.html) - [VPC Lattice](./cli_vpc-lattice_code_examples.html) - [AWS WAF Classic](./cli_waf_code_examples.html) - [AWS WAF Classic Regional](./cli_waf-regional_code_examples.html) - [AWS WAFV2](./cli_wafv2_code_examples.html) - [WorkDocs](./cli_workdocs_code_examples.html) - [Amazon WorkMail](./cli_workmail_code_examples.html) - [Amazon WorkMail Message Flow](./cli_workmailmessageflow_code_examples.html) - [WorkSpaces](./cli_workspaces_code_examples.html) - [X-Ray](./cli_xray_code_examples.html)

---

# New features and changes

> Learn about new features and changes in behavior between AWS CLI version 1 and AWS CLI version 2.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration-changes.html

---

# New features and changes in the AWS CLI version 2

This topic describes new features and changes in behavior between AWS CLI version 1 and AWS CLI version 2. These changes might require you to update your scripts or commands to get the same behavior in version 2 as you did in version 1.
###### Topics

- [AWS CLI version 2 new features](#cliv2-migration-changes-features)
- [Breaking changes between AWS CLI version 1 and AWS CLI version 2](#cliv2-migration-changes-breaking)

## AWS CLI version 2 new features

The AWS CLI version 2 is the most recent major version of the AWS CLI and supports all of the latest features. Some features introduced in version 2 are not backported to version 1 and you must upgrade to access those features. These features include the following:

**Python interpreter not needed**

The AWS CLI version 2 doesn't need a separate install of Python. It includes an embedded version.

**[Wizards](./cli-usage-wizard.html)**

You can use a wizard with the AWS CLI version 2. The wizard guides you through constructing certain commands.

**[IAM Identity Center authentication](./cli-configure-sso.html)**

If your organization uses AWS IAM Identity Center (IAM Identity Center), your users can sign in to Active Directory, a built-in IAM Identity Center directory, or [another IdP connected to IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html). Then, they are mapped to an AWS Identity and Access Management (IAM) role that allows you to run AWS CLI commands.

**[Auto-prompt](./cli-usage-parameters-prompting.html)**

When enabled, the AWS CLI version 2 can prompt you for commands, parameters, and resources when you run an `aws` command.

**[Running the official Amazon ECR Public or Docker images for the AWS CLI](./getting-started-docker.html)**

The official Docker image for the AWS CLI provides isolation, portability, and security that AWS directly supports and maintains. This way, you can use the AWS CLI version 2 in a container-based environment without having to manage the installation yourself.

**[Client-side pager](./cli-usage-pagination.html#cli-usage-pagination-clientside)**

The AWS CLI version 2 provides the use of a client-side pager program for output.
By default, this feature is turned on and returns all output through your operating system’s default pager program.

**[aws configure import](./cli-configure-files.html#cli-config-aws_configure_import)**

Import `.csv` credentials generated from the AWS Management Console. A `.csv` file is imported with the profile name matching the IAM user name.

**[`aws configure list-profiles`](https://docs.aws.amazon.com/cli/latest/reference/configure/list-profiles.html)**

Lists the names of all profiles you have configured.

**[YAML stream output format](./cli-usage-output-format.html#yaml-stream-output)**

The `yaml` and `yaml-stream` formats take advantage of the [YAML](https://yaml.org) format while providing more responsive viewing of large datasets by streaming the data to you. You can start viewing and using YAML data before the entire query downloads.

**[New high-level `ddb` commands for DynamoDB](https://docs.aws.amazon.com/cli/latest/reference/ddb/index.html)**

The AWS CLI version 2 has the high-level Amazon DynamoDB commands [`ddb put`](https://docs.aws.amazon.com/cli/latest/reference/api/latest/reference/ddb/put.html) and [`ddb select`](https://docs.aws.amazon.com/cli/latest/reference/api/latest/reference/ddb/select.html). These commands provide a simplified interface for putting items in DynamoDB tables and searching in a DynamoDB table or index.

**[`aws logs tail`](https://docs.aws.amazon.com/cli/latest/reference/logs/tail.html)**

The AWS CLI version 2 has a custom `aws logs tail` command that tails the logs for an Amazon CloudWatch Logs group. By default, the command returns logs from all associated CloudWatch Logs streams during the past ten minutes.

**[Added metadata support for high-level s3 commands](./cli-services-s3-commands.html#using-s3-commands-before-large)**

The AWS CLI version 2 adds the `--copy-props` parameter to the high-level `s3` commands.
With this parameter, you can configure additional metadata and tags for Amazon Simple Storage Service (Amazon S3).

**[AWS_REGION](./cli-configure-envvars.html#envvars-list-AWS_REGION)**

The AWS CLI version 2 has an AWS SDK-compatible environment variable called `AWS_REGION`. This variable specifies the AWS Region to send requests to. It overrides the `AWS_DEFAULT_REGION` environment variable, which is only applicable in the AWS CLI.

## Breaking changes between AWS CLI version 1 and AWS CLI version 2

This section describes all of the changes in behavior between AWS CLI version 1 and AWS CLI version 2. These changes might require you to update your scripts or commands to get the same behavior in version 2 as you did in version 1.

###### Topics

- [Environment variable added to set text file encoding](#cliv2-migration-encodingenvvar)
- [Binary parameters are passed as base64-encoded strings by default](#cliv2-migration-binaryparam)
- [Improved Amazon S3 handling of file properties and tags for multipart copies](#cliv2-migration-s3-copy-metadata)
- [No automatic retrieval of http:// or https:// URLs for parameters](#cliv2-migration-paramfile)
- [Pager used for all output by default](#cliv2-migration-output-pager)
- [Timestamp output values are standardized to ISO 8601 format](#cliv2-migration-timestamp)
- [Improved handling of CloudFormation deployments that result in no changes](#cliv2-migration-cfn)
- [Changed default behavior for Regional Amazon S3 endpoint for us-east-1 Region](#cliv2-migration-s3-regional-endpoint)
- [Changed default behavior for Regional AWS STS endpoints](#cliv2-migration-sts-regional-endpoint)
- [ecr get-login removed and replaced with ecr get-login-password](#cliv2-migration-ecr-get-login)
- [AWS CLI version 2 support for plugins is changing](#cliv2-migration-profile-plugins)
- [Hidden alias support removed](#cliv2-migration-aliases)
- [The api_versions configuration file setting is not supported](#cliv2-migration-api-versions)
- [AWS CLI
version 2 uses only Signature v4 to authenticate Amazon S3 requests](#cliv2-migration-sigv4)
- [AWS CLI version 2 is more consistent with paging parameters](#cliv2-migration-skeleton-paging)
- [AWS CLI version 2 provides more consistent return codes across all commands](#cliv2-migration-return-codes)

### Environment variable added to set text file encoding

By default, text files for [Blob](./cli-usage-parameters-types.html#parameter-type-blob) use the same encoding as the installed locale. Because the AWS CLI version 2 uses an embedded version of Python, the `PYTHONUTF8` and `PYTHONIOENCODING` environment variables are not supported. To set encoding for text files to be different from the locale, use the `AWS_CLI_FILE_ENCODING` environment variable. The following example sets the AWS CLI to open text files using `UTF-8` on Windows.

`AWS_CLI_FILE_ENCODING=UTF-8`

For more information, see [Configuring environment variables for the AWS CLI](./cli-configure-envvars.html).

### Binary parameters are passed as base64-encoded strings by default

In the AWS CLI, some commands required [base64](https://wikipedia.org/wiki/Base64)-encoded strings, while others required UTF-8-encoded byte strings. In the AWS CLI version 1, passing data between two encoded string types often required some intermediate processing. The AWS CLI version 2 makes handling binary parameters more consistent, which helps pass values from one command to another more reliably.

By default, the AWS CLI version 2 passes all binary input and binary output parameters as base64-encoded string `blobs` (binary large objects). For more information, see [Blob](./cli-usage-parameters-types.html#parameter-type-blob).

To revert to the AWS CLI version 1 behavior, use the [`cli_binary_format`](./cli-configure-files.html#cli-config-cli_binary_format) file configuration or the [`--cli-binary-format`](./cli-configure-options.html#cli-configure-options-cli-binary-format) parameter.
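The failure mode this change creates for scripts carried over from version 1, as an added example that is not from the AWS documentation: a raw value that happens to be well-formed base64 can be decoded into different bytes instead of being rejected. The function names and sample values are hypothetical, `base64` and `raw-in-base64-out` are the two `cli_binary_format` values, and the strict base64 check is an assumption standing in for the CLI's own decoder.

```shell
#!/bin/sh
# Added example, not AWS code. Models which bytes a blob argument becomes under
# the two cli_binary_format values. The strict base64 check is an assumption
# standing in for the CLI's own decoder; `base64 -d` is the coreutils spelling.

# Print stdin as lowercase hex with no separators.
hex_of() { od -An -tx1 | tr -d ' \n'; }

# Succeed only for non-empty, well-formed, padded base64 text.
is_base64() {
  [ -n "$1" ] && [ $(( ${#1} % 4 )) -eq 0 ] || return 1
  case $1 in
    *[!A-Za-z0-9+/=]*) return 1 ;;   # character outside the base64 alphabet
    *=*[!=]* | *===*)  return 1 ;;   # padding before the end, or too much of it
  esac
  return 0
}

# bytes_sent MODE VALUE: hex of the bytes the service would receive.
#   base64            (version 2 default) VALUE is base64 text and is decoded
#   raw-in-base64-out (version 1 behaviour) VALUE's own bytes are sent
# Returns 1 when VALUE is not valid base64 in base64 mode, 2 for an unknown mode.
bytes_sent() {
  case $1 in
    raw-in-base64-out) printf '%s' "$2" | hex_of ;;
    base64)
      is_base64 "$2" || return 1
      printf '%s' "$2" | base64 -d | hex_of ;;
    *) return 2 ;;
  esac
}

# encode_for_v2 VALUE: the text to pass for VALUE under the version 2 default.
encode_for_v2() { printf '%s' "$1" | base64 | tr -d '\n'; }

# classify_raw_value VALUE: outcome when a version 1 style script passes VALUE
# unencoded to a CLI that uses the version 2 default.
#   rejected          not base64, so the command fails loudly
#   silently-altered  valid base64, so different (shorter) bytes are sent
classify_raw_value() {
  if is_base64 "$1"; then echo silently-altered; else echo rejected; fi
}

# Constructed sample values; none is a real secret.
for v in password 'p@ssw0rd!' hunter2 letmein1; do
  printf '%-10s raw=%s v2-default=%s (%s) encode-as=%s\n' "$v" \
    "$(bytes_sent raw-in-base64-out "$v")" \
    "$(bytes_sent base64 "$v" || echo -)" \
    "$(classify_raw_value "$v")" \
    "$(encode_for_v2 "$v")"
done
```

The `silently-altered` rows are the ones to audit for in migrated scripts, because the command succeeds while the service stores or encrypts the wrong bytes. A script that must keep passing raw values can set `cli_binary_format` or `--cli-binary-format` to `raw-in-base64-out`.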
### Improved Amazon S3 handling of file properties and tags for multipart copies

When you use the AWS CLI version 1 commands in the `aws s3` namespace to copy a file from one S3 bucket location to another, and that operation uses [multipart copy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/CopyingObjctsMPUapi.html), no file properties from the source object are copied to the destination object.

By default, the corresponding commands in the AWS CLI version 2 transfer all tags and some of the properties from the source to the destination copy. Compared to the AWS CLI version 1, this can result in more AWS API calls being made to the Amazon S3 endpoint. To change the default behavior for `s3` commands in AWS CLI version 2, use the `--copy-props` parameter.

For more information, see [File properties and tags in multipart copies](./cli-services-s3-commands.html#using-s3-commands-before-tags).

### No automatic retrieval of `http://` or `https://` URLs for parameters

The AWS CLI version 2 does not perform a `GET` operation when a parameter value begins with `http://` or `https://`, and does not use the returned content as the parameter value. As a result, the associated command line option `cli_follow_urlparam` is removed from the AWS CLI version 2.

If you need to retrieve a URL and pass the URL contents into a parameter value, we recommend that you use `curl` or a similar tool to download the contents of the URL to a local file. Then, use the `file://` syntax to read the contents of that file and use it as the parameter value.

For example, the following command no longer tries to retrieve the contents of the page found at `http://www.example.com` and pass those contents as the parameter. Instead, it passes the literal text string `http://www.example.com` as the parameter.
```
$ aws ssm put-parameter \
    --value http://www.example.com \
    --name prod.microservice1.db.secret \
    --type String
```

If you need to retrieve and use the contents of a web URL as a parameter, you can do the following in version 2.

```
$ curl https://my.example.com/mypolicyfile.json -o mypolicyfile.json
$ aws iam put-role-policy \
    --policy-document file://./mypolicyfile.json \
    --role-name MyRole \
    --policy-name MyReadOnlyPolicy
```

In the preceding example, the `-o` parameter tells `curl` to save the file in the current folder as `mypolicyfile.json`, the same name as the source file. The second command retrieves the content of that downloaded file and passes the content as the value of `--policy-document`.

### Pager used for all output by default

By default, the AWS CLI version 2 returns all output through your operating system’s default pager program. This program is the [`less`](https://ss64.com/bash/less.html) program on Linux or macOS, and the [`more`](https://docs.microsoft.com/windows-server/administration/windows-commands/more) program on Windows. This can help you navigate a large amount of output from a service by displaying that output one page at a time.

You can configure the AWS CLI version 2 to use a different paging program or none at all. For more information, see [Client-side pager](./cli-usage-pagination.html#cli-usage-pagination-clientside).

### Timestamp output values are standardized to ISO 8601 format

By default, the AWS CLI version 2 returns all timestamp response values in the [ISO 8601 format](https://wikipedia.org/wiki/ISO_8601). In AWS CLI version 1, commands returned timestamp values in whatever format was returned by the HTTP API response, which could vary from service to service.

To see timestamps in the format returned by the HTTP API response, use the `wire` value in your `config` file. For more information, see [`cli_timestamp_format`](./cli-configure-files.html#cli-config-cli_timestamp_format).
### Improved handling of CloudFormation deployments that result in no changes

By default in the AWS CLI version 1, if you deploy a CloudFormation template that results in no changes, the AWS CLI returns a failed error code. This causes problems if you don't consider that to be an error and you want your script to continue. You can work around this in the AWS CLI version 1 by adding the flag `--no-fail-on-empty-changeset`, which returns `0`.

Since this is a common use case, the AWS CLI version 2 defaults to returning a successful exit code of `0` when there is no change caused by a deployment and the operation returns an empty changeset.

To revert to the original behavior, add the flag `--fail-on-empty-changeset`.

### Changed default behavior for Regional Amazon S3 endpoint for `us-east-1` Region

When you configure the AWS CLI version 1 to use the `us-east-1` Region, the AWS CLI uses the global `s3.amazonaws.com` endpoint that is physically hosted in the `us-east-1` Region. The AWS CLI version 2 uses the true Regional endpoint `s3.us-east-1.amazonaws.com` when that Region is specified. To force the AWS CLI version 2 to use the global endpoint, you can set the Region for a command to `aws-global`.

### Changed default behavior for Regional AWS STS endpoints

By default, the AWS CLI version 2 sends all AWS Security Token Service (AWS STS) API requests to the Regional endpoint for the currently configured AWS Region.

By default, any release before `1.42.0` for AWS CLI version 1 sends AWS STS requests to the global AWS STS endpoint. You can control this default behavior in version 1 by using the [`sts_regional_endpoints`](https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-files.html#cli-config-sts_regional_endpoints) setting. Any release on or after `1.42.0` uses the Regional endpoint as the default. If you are migrating to AWS CLI version 2 from these newer releases, this behavior remains unchanged.
### `ecr get-login` removed and replaced with `ecr get-login-password`

The AWS CLI version 2 replaces the command `aws ecr get-login` with the `aws ecr get-login-password` command that improves automated integration with container authentication.

The `aws ecr get-login-password` command reduces the risk of exposing your credentials in the process list, shell history, or other log files. It also improves compatibility with the `docker login` command for better automation.

The `aws ecr get-login-password` command is available in the AWS CLI version 1.17.10 and later, and the AWS CLI version 2. The earlier `aws ecr get-login` command is still available in the AWS CLI version 1 for backward compatibility.

With the `aws ecr get-login-password` command, you can replace the following code that retrieves a password.

```bash
$ (aws ecr get-login --no-include-email)
```

To reduce the risk of exposing the password to the shell history or logs, use the following example command instead. In this example, the password is piped directly to the `docker login` command, where it is assigned to the password parameter by the `--password-stdin` option.

```bash
$ aws ecr get-login-password | docker login --username AWS --password-stdin MY-REGISTRY-URL
```

For more information, see [`aws ecr get-login-password`](https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html) in the *AWS CLI version 2 Reference Guide*.

### AWS CLI version 2 support for plugins is changing

Plugin support in the AWS CLI version 2 is completely provisional and is intended to help users migrate from AWS CLI version 1 until a stable, updated plugin interface is released. There are no guarantees that a particular plugin or even the AWS CLI plugin interface will be supported in future versions of the AWS CLI version 2. If you rely on plugins, be sure to lock into a particular version of the AWS CLI and test the functionality of your plugin when you do upgrade.
To enable plugin support, create a `[plugins]` section in your `~/.aws/config`.

```
[plugins]
cli_legacy_plugin_path = /python3.7/site-packages
plugin-name = plugin-module
```

In the `[plugins]` section, define the `cli_legacy_plugin_path` variable and set its value to the Python site packages path where your plugin module is. Then, you can configure a plugin by providing a name for the plugin (`plugin-name`) and the file name of the Python module (`plugin-module`) that contains the source code for your plugin. The AWS CLI loads each plugin by importing its `plugin-module` and calling its `awscli_initialize` function.

### Hidden alias support removed

AWS CLI version 2 no longer supports the following hidden aliases that were supported in version 1.

In the following table, the first column displays the service, command, and parameter that work in all versions, including the AWS CLI version 2. The second column displays the alias that no longer works in the AWS CLI version 2.

| Working service, command, and parameter | Obsolete alias |
| --- | --- |
| cognito-identity create-identity-pool open-id-connect-provider-arns | open-id-connect-provider-ar-ns |
| storagegateway describe-tapes tape-arns | tape-ar-ns |
| storagegateway.describe-tape-archives.tape-arns | tape-ar-ns |
| storagegateway.describe-vtl-devices.vtl-device-arns | vtl-device-ar-ns |
| storagegateway.describe-cached-iscsi-volumes.volume-arns | volume-ar-ns |
| storagegateway.describe-stored-iscsi-volumes.volume-arns | volume-ar-ns |
| route53domains.view-billing.start-time | start |
| deploy.create-deployment-group.ec2-tag-set | ec-2-tag-set |
| deploy.list-application-revisions.s3-bucket | s-3-bucket |
| deploy.list-application-revisions.s3-key-prefix | s-3-key-prefix |
| deploy.update-deployment-group.ec2-tag-set | ec-2-tag-set |
| iam.enable-mfa-device.authentication-code1 | authentication-code-1 |
| iam.enable-mfa-device.authentication-code2 | authentication-code-2 |
| iam.resync-mfa-device.authentication-code1 | authentication-code-1 |
| iam.resync-mfa-device.authentication-code2 | authentication-code-2 |
| importexport.get-shipping-label.street1 | street-1 |
| importexport.get-shipping-label.street2 | street-2 |
| importexport.get-shipping-label.street3 | street-3 |
| lambda.publish-version.code-sha256 | code-sha-256 |
| lightsail.import-key-pair.public-key-base64 | public-key-base-64 |
| opsworks.register-volume.ec2-volume-id | ec-2-volume-id |

### The `api_versions` configuration file setting is not supported

The AWS CLI version 2 doesn't support calling earlier versions of AWS service APIs by using the `api_versions` configuration file setting. All AWS CLI commands now call the latest version of the service APIs that are currently supported by the endpoint.

### AWS CLI version 2 uses only Signature v4 to authenticate Amazon S3 requests

The AWS CLI version 2 doesn't support earlier signature algorithms to cryptographically authenticate service requests sent to Amazon S3 endpoints. This signing happens automatically with every Amazon S3 request and only the [Signature Version 4 Signing Process](https://docs.aws.amazon.com/AmazonS3/latest/userguide/reference_aws-signing.html) is supported. You can't configure the signature version. All Amazon S3 bucket presigned URLs now use only SigV4 and have a maximum expiration duration of one week.

### AWS CLI version 2 is more consistent with paging parameters

In the AWS CLI version 1, if you specify pagination parameters on the command line, then automatic pagination is turned off as expected. However, when you specify pagination parameters by using a file with the `--cli-input-json` parameter, automatic pagination was not turned off, which could result in unexpected output. The AWS CLI version 2 turns off automatic pagination regardless of how you provide the parameters.

### AWS CLI version 2 provides more consistent return codes across all commands

The AWS CLI version 2 is more consistent across all commands and properly returns an appropriate exit code compared to the AWS CLI version 1. We also added exit codes 252, 253, and 254.
For more information on exit codes, see [Command line return codes in the AWS CLI](./cli-usage-returncodes.html).

If you have a dependency on how the AWS CLI version 1 uses return code values, we recommend checking the exit codes to make sure that you're getting the values you expect.

---

# Migration instructions

> Learn how to migrate from AWS CLI version 1 to AWS CLI version 2.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration-instructions.html

---

# Installing AWS CLI version 2 from AWS CLI version 1

This topic provides instructions for migrating from AWS CLI version 1 to AWS CLI version 2.

AWS CLI versions 1 and 2 use the same `aws` command name. If you have both versions installed, your computer uses the first one found in your search path. If you previously installed AWS CLI version 1, we recommend that you do one of the following to use AWS CLI version 2:

- **Recommended** – [Uninstall AWS CLI version 1 and use only AWS CLI version 2](#cliv2-migration-instructions-migrate).
- [To have both versions installed](#cliv2-migration-instructions-side-by-side), use your operating system's ability to create a symbolic link (symlink) or alias with a different name for one of the two `aws` commands.

For information on breaking changes between version 1 and version 2, see [New features and changes in the AWS CLI version 2](./cliv2-migration-changes.html).

## Replacing version 1 with version 2

Perform the following steps to replace AWS CLI version 1 with AWS CLI version 2.
###### To replace AWS CLI version 1 with AWS CLI version 2

- Prepare any existing scripts you have for the migration by confirming any breaking changes between version 1 and version 2 in [New features and changes in the AWS CLI version 2](./cliv2-migration-changes.html).
- Uninstall the AWS CLI version 1 by following the uninstall instructions for your operating system in [Installing, updating, and uninstalling the AWS CLI version 1](https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-install.html).
- Confirm that the AWS CLI is completely uninstalled by using the following command.

  ```bash
  $ aws --version
  ```

  Complete one of the following based on the output:

  - **No version returned:** You've successfully uninstalled the AWS CLI version 1 and can proceed to the next step.
  - **A version is returned:** You still have an install of the AWS CLI version 1. For troubleshooting steps, see [The "aws --version" command returns a version after uninstalling the AWS CLI](./cli-chap-troubleshooting.html#tshoot-uninstall-1). Perform troubleshooting steps until no version output is received.
- Install the AWS CLI version 2 by following the appropriate install instructions for your operating system in [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html).

## Side-by-side install

To have both versions installed, use your operating system's ability to create a symbolic link (symlink) or alias with a different name for one of the two `aws` commands.

- Install the AWS CLI version 2 by following the appropriate install instructions for your operating system in [Installing or updating to the latest version of the AWS CLI](./getting-started-install.html).
- Use your operating system's ability to create a symlink or alias with a different name for one of the two `aws` commands, such as using `aws2` for AWS CLI version 2. The following are symlink examples for AWS CLI version 2. Replace the `PATH` with your install location.
---

# Migration guide

> Learn how to update the AWS CLI version 1 to AWS CLI version 2, and learn about the differences between the versions.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html

---

# Migration guide for the AWS CLI version 2

This section contains instructions for updating the AWS CLI version 1 to AWS CLI version 2. The AWS CLI version 2 builds on AWS CLI version 1 and includes features and enhancements based on community feedback.

The AWS CLI version 2 is the most recent major version of the AWS CLI and supports all of the latest features. Some features that were introduced in version 2 are not backported to version 1 and you must upgrade to access those features.

To prevent unexpected issues, before you migrate to version 2, [learn about the differences between the versions](./cliv2-migration-changes.html). The AWS CLI version 2 includes new features and changes that might require you to update your scripts or commands for backwards compatibility.

AWS CLI versions 1 and 2 use the same `aws` command name. If you have both versions installed, your computer uses the first one found in your search path. This could result in your `aws` command name calling your old AWS CLI version, even when you have the new one installed.

To update to the AWS CLI version 2, follow one of the below instructions:

- If you previously installed AWS CLI version 1, follow the instructions in [Installing AWS CLI version 2 from AWS CLI version 1](./cliv2-migration-instructions.html).
- If you have not previously installed AWS CLI version 1, follow the instructions in [Getting started with the AWS CLI](./cli-chap-getting-started.html).
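Because both major versions install a command named `aws`, the check below lists every `aws` executable in search-path order with its major version and reports when an earlier install shadows the version you expect. It is an added example, not part of the AWS documentation; the function names and the stand-in installs with constructed version banners are assumptions of the example.

```bash
# Added example, not AWS code: show which aws executable the search path
# resolves to and whether another install shadows the version you expect.

# list_aws_on_path [PATHVALUE]
# Prints "<path> <major>" for every aws executable, in search order.
list_aws_on_path() {
    rest="${1:-$PATH}:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -n "$dir" ] || dir=.              # an empty PATH entry means "."
        candidate=$dir/aws
        [ -f "$candidate" ] && [ -x "$candidate" ] || continue
        # Both major versions print a banner that starts with "aws-cli/X.Y.Z".
        banner=$("$candidate" --version 2>&1 || true)
        major=$(printf '%s\n' "$banner" |
            sed -n 's|^aws-cli/\([0-9][0-9]*\)\..*|\1|p' | head -n 1)
        printf '%s %s\n' "$candidate" "${major:-unknown}"
    done
}

# shadowing_report WANT [PATHVALUE]
# Returns 0 and prints "ok: <path>" when the first aws found has major
# version WANT; otherwise explains what was found and returns non-zero.
shadowing_report() {
    want=$1
    listing=$(list_aws_on_path "${2:-$PATH}")
    if [ -z "$listing" ]; then
        echo "missing: no aws executable on the search path"
        return 2
    fi
    first=$(printf '%s\n' "$listing" | head -n 1)
    first_path=${first% *}
    first_major=${first##* }
    if [ "$first_major" = "$want" ]; then
        echo "ok: $first_path"
        return 0
    fi
    # Look further down the search path for an install of the wanted version.
    match=$(printf '%s\n' "$listing" |
        awk -v w="$want" '$NF == w { sub(/ [^ ]*$/, ""); print; exit }')
    if [ -n "$match" ]; then
        echo "shadowed: $first_path (v$first_major) precedes $match"
    else
        echo "wrong version: $first_path is v$first_major and no v$want is on the search path"
    fi
    return 1
}

# make_constructed_installs DIR
# Builds two stand-in aws commands (constructed banners) in DIR/v1 and DIR/v2.
make_constructed_installs() {
    mkdir -p "$1/v1" "$1/v2"
    printf '#!/bin/sh\necho "aws-cli/1.32.0 Python/3.11.6 Linux/6.1.0 botocore/1.34.0"\n' > "$1/v1/aws"
    printf '#!/bin/sh\necho "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64"\n' > "$1/v2/aws"
    chmod +x "$1/v1/aws" "$1/v2/aws"
}

# When run as a script with arguments, for example "2", report on the real PATH.
[ "$#" -eq 0 ] || shadowing_report "$@"
```

A `shadowed` result means scripts that call plain `aws` still run the earlier install, so the version 2 behavior changes do not apply to them yet.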
###### Topics

- [New features and changes in the AWS CLI version 2](./cliv2-migration-changes.html)
- [Installing AWS CLI version 2 from AWS CLI version 1](./cliv2-migration-instructions.html)

---

# Compliance Validation

> Provides information about compliance validation for this AWS product or service.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/compliance-validation.html

---

# Compliance Validation for this AWS Product or Service

To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see [AWS Security Documentation](https://docs.aws.amazon.com/security/).

This AWS product or service follows the [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) through the specific Amazon Web Services (AWS) services it supports.
For AWS service security information, see the [AWS service security documentation page](https://docs.aws.amazon.com/security/?id=docs_gateway#aws-security) and [AWS services that are in scope of AWS compliance efforts by compliance program](https://aws.amazon.com/compliance/services-in-scope/).

---

# Data Protection

> Learn how the AWS shared responsibility model applies to data protection when using the AWS CLI.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/data-protection.html

---

# Data protection in the AWS CLI

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in AWS Command Line Interface. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties.
We also recommend that you secure your data in the following ways:

- Use multi-factor authentication (MFA) with each account.
- Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
- Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
- Use AWS encryption solutions, along with all default security controls within AWS services.
- Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
- If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with AWS CLI or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

## Data encryption

A key feature of any secure service is that information is encrypted when it is not being actively used.

### Encryption at rest

The AWS CLI does not itself store any customer data other than the credentials it needs to interact with the AWS services on the user's behalf.
If you use the AWS CLI to invoke an AWS service that transmits customer data to your local computer for storage, then refer to the Security & Compliance chapter in that service's User Guide for information on how that data is stored, protected, and encrypted.

### Encryption in transit

By default, all data transmitted from the client computer running the AWS CLI and AWS service endpoints is encrypted by sending everything through an HTTPS/TLS connection.

You don't need to do anything to enable the use of HTTPS/TLS. It is always enabled unless you explicitly disable it for an individual command by using the `--no-verify-ssl` command line option.

---

# Resilience

> Provides information about resilience for this AWS Product or Service.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/disaster-recovery-resiliency.html

---

# Resilience for this AWS Product or Service

The AWS global infrastructure is built around AWS Regions and Availability Zones.

AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking.

With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).
This AWS product or service follows the [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) through the specific Amazon Web Services (AWS) services it supports. For AWS service security information, see the [AWS service security documentation page](https://docs.aws.amazon.com/security/?id=docs_gateway#aws-security) and [AWS services that are in scope of AWS compliance efforts by compliance program](https://aws.amazon.com/compliance/services-in-scope/).

---

# Document History

> Find the revision dates, related releases, and important changes to the AWS Command Line Interface User Guide.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/document-history.html

---

# AWS CLI user guide document history

The following table describes important additions to the *AWS Command Line Interface User Guide*, beginning in January 2019. For notification about updates to this documentation, you can subscribe to the RSS feed.

| Change | Description | Date |
| --- | --- | --- |
| [Account-based endpoint support added to the AWS CLI version 2](https://docs.aws.amazon.com/en_us/cli/latest/userguide/cli-configure-endpoints.html#endpoints-accountid) | Account-based endpoints using your AWS account ID are now supported in the AWS CLI version 2. | March 20, 2025 |
| [Account-based endpoint support added to the AWS CLI version 1](https://docs.aws.amazon.com/en_us/cli/v1/userguide/cli-configure-endpoints.html#endpoints-accountid) | Account-based endpoints using your AWS account ID are now supported in the AWS CLI version 2. | February 24, 2025 |
| Updated credential and authentication information. | Updated credential and authentication method instructions and examples. This includes updating relevant Getting started pages and configuration pages. To accommodate this increase in documentation, relevant credential topics were moved to the new [Authentication and access credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-authentication.html) section. | March 31, 2023 |
| [Token provider configuration with automatic authentication refresh for AWS IAM Identity Center added](https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html) | The new process to configure the AWS CLI to authenticate users with AWS IAM Identity Center (IAM Identity Center) using the SSO token provider configuration, which can automatically retrieve refreshed authentication tokens. | December 7, 2022 |
| [Official Amazon ECR Public image for the AWS CLI version 2 released](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-docker.html) | The official supported Amazon ECR Public image for the AWS CLI version 2 is released for Linux, macOS, and Windows. | November 18, 2022 |
| [Updated the guide for migrating from AWS CLI V1 to V2](https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html) | Expanded the breaking changes guide to include migration instructions to going from AWS CLI version 1 to the AWS CLI version 2. Includes updates to the Troubleshooting page to help with installation issues. | May 13, 2022 |
| [New process to build a AWS CLI installer from source.](https://docs.aws.amazon.com/en_us/cli/latest/userguide/getting-started-source-install.html) | New process to install or update from source to the latest release of the AWS CLI on supported operating systems. | February 17, 2022 |
| Content for the AWS CLI V1 and V2 are now separated into their respective guides | For clarity and ease, the AWS CLI version 1 and AWS CLI version 2 content is now separated into their own guides. For AWS CLI version 1, see the [AWS CLI version 1 User Guide.](https://docs.aws.amazon.com/cli/v1/userguide/) | November 2, 2021 |
| [Added AWS CLI alias information](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-alias.html) | Added AWS CLI alias information. Aliases are shortcuts you can create in the AWS Command Line Interface (AWS CLI) to shorten commands or scripts that you frequently use. | March 11, 2021 |
| [Updated filter output information](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html) | Updated information for filters and moved to their own page. | February 1, 2021 |
| [Added information for Wizards](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-wizard.html) | Added AWS CLI version 2 wizard information. | November 20, 2020 |
| [Updated auto-prompt](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters-prompting.html) | Updated the AWS CLI version 2 auto-prompt information with current features. | November 10, 2020 |
| [Added Amazon S3 scripting example](https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-lifecycle-example.html) | Added an Amazon S3 lifecycle scripting example. | October 15, 2020 |
| [Added Amazon EC2 scripting example](https://docs.aws.amazon.com/cli/latest/userguide/cli-services-ec2-instance-type-script.html) | Added an Amazon EC2 instance type scripting example. | October 15, 2020 |
| [Added retries information](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-retries.html) | Added a retries page for features and behavior of retries in the AWS CLI. | September 17, 2020 |
| [Server-side and client-side pagination page](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-pagination.html) | Updated pagination information and centralized on a single page. | August 17, 2020 |
| [Updated s3 commands page](https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html) | Updated the high-level s3 commands page with new examples and resources. | July 30, 2020 |
| [Updated installation information](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) | The install, update, and uninstall information for Linux, macOS, and Windows are updated. | May 19, 2020 |
| [Added information for text file encoding on the AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html) | By default, AWS CLI version 2 uses the same text file encoding as the local. You can now use environment variables to set text file encoding. | May 14, 2020 |
| [Official Docker image for the AWS CLI version 2 released](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-docker.html) | The official support Docker image for the AWS CLI version 2 is released for all Linux, macOS, and Windows. | March 31, 2020 |
| [Added information regarding client-side pagers for AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-pagination.html) | By default, AWS CLI version 2 uses the pager program `less` for all client-side output. | February 19, 2020 |
| [AWS Command Line Interface (AWS CLI) Version 2 is officially released](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-mac.html) | The AWS CLI version 2 is generally available and is the recommended version for customers to install. | February 10, 2020 |
| [macOS installer for AWS CLI version 2 is now an Apple Package installer `.pkg` file.](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-mac.html) | The macOS installer for AWS CLI version 2 has been updated from a `.zip` file with a shell script to full macOS Installer package. This simplifies installation and makes it compatible with the newest macOS releases. | February 3, 2020 |
| [Added content for AWS CLI version 2's improved default handling of S3 and STS Regional endpoints](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-config-sts_regional_endpoints) | By default, AWS CLI version 2 now directs requests for the Amazon S3 and AWS STS services to the currently configured Regional endpoint instead of the global endpoint. | January 13, 2020 |
| [Developer preview release for AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) | Announcing preview release of AWS CLI version 2. Added instructions about installing version 2. Add Migration topic to discuss differences between versions 1 and 2. | November 7, 2019 |
| [Added support for AWS IAM Identity Center to AWS CLI named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) | AWS CLI version 2 adds support for creating a named profile that can directly login to IAM Identity Center and get AWS temporary credentials for use in subsequent AWS CLI commands. | November 7, 2019 |
| [New MFA section](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-mfa) | Added a new section describing how to access the CLI using multi-factor authentication and roles. | May 3, 2019 |
| [Update to "Using the CLI" section](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-using.html) | Major improvements and additions to the usage instructions and procedures. | March 7, 2019 |
| [Update to "Installing the CLI" section](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) | Major improvements and additions to the AWS CLI installation instructions and procedures. | March 7, 2019 |
| [Update to "Configuring the CLI" section](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) | Major improvements and additions to the AWS CLI configuration instructions and procedures. | March 7, 2019 |

---

# Amazon ECR Public/Docker

> This topic describes how to run, version control, and configure the AWS CLI version 2 on Docker using either the official Amazon ECR Public or Docker Hub image.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/getting-started-docker.html

---

# Running the official Amazon ECR Public or Docker images for the AWS CLI

This topic describes how to run, version control, and configure the AWS CLI version 2 on Docker using either the official Amazon Elastic Container Registry Public (Amazon ECR Public) or Docker Hub image. For more information on how to use Docker, see [Docker's documentation](https://docs.docker.com/).

Official images provide isolation, portability, and security that AWS directly supports and maintains. This enables you to use the AWS CLI version 2 in a container-based environment without having to manage the installation yourself.

###### Topics

- [Prerequisites](#cliv2-docker-prereq)
- [Deciding between Amazon ECR Public and Docker Hub](#cliv2-docker-versus)
- [Run the official AWS CLI version 2 images](#cliv2-docker-install)
- [Notes on interfaces and backwards compatibility of the official images](#cliv2-docker-install-notes)
- [Use specific versions and tags](#cliv2-docker-upgrade)
- [Update to the latest official image](#cliv2-docker-update)
- [Share host files, credentials, environment variables, and configuration](#cliv2-docker-share-files)
- [Shorten the docker run command](#cliv2-docker-aliases)

## Prerequisites

You must have Docker installed. For installation instructions, see the [Docker website](https://docs.docker.com/install/).

To verify your installation of Docker, run the following command and confirm there is an output.

```
$ docker --version
Docker version 19.03.1
```

## Deciding between Amazon ECR Public and Docker Hub

We recommend using Amazon ECR Public over Docker Hub for AWS CLI images.
Docker Hub has stricter rate limiting for public consumers, which can cause throttling issues. In addition, Amazon ECR Public replicates images in more than one region to provide strong availability and handle region outage issues.

For more information on Docker Hub rate limiting see [Understanding Docker Hub Rate Limiting](https://www.docker.com/increase-rate-limits/) on the *Docker* website.

## Run the official AWS CLI version 2 images

The first time you use the `docker run` command, the latest image is downloaded to your computer. Each subsequent use of the `docker run` command runs from your local copy.

To run the AWS CLI version 2 Docker images, use the `docker run` command.

This is how the command functions:

- `docker run --rm -it repository/name` – The equivalent of the `aws` executable. Each time you run this command, Docker spins up a container of your downloaded image, and executes your `aws` command. By default, the image uses the latest version of the AWS CLI version 2. For example, to call the `aws --version` command in Docker, you run the following.
- `--rm` – Specifies to clean up the container after the command exits.
- `-it` – Specifies to open a pseudo-TTY with `stdin`. This enables you to provide input to the AWS CLI version 2 while it's running in a container, for example, by using the `aws configure` and `aws help` commands. When choosing whether to omit `-it`, consider the following:
  - If you are running scripts, `-it` is not needed.
  - If you are experiencing errors with your scripts, omitting `-it` from your Docker call might fix the issue.
  - If you are trying to pipe output, `-it` might cause errors and omitting `-it` from your Docker call might resolve this issue. If you'd like to keep the `-it` flag, but still would like to pipe output, disabling the [client-side pager](./cli-usage-pagination.html#cli-usage-pagination-clientside) the AWS CLI uses by default should resolve the issue.

For more information about the `docker run` command, see the [Docker reference guide](https://docs.docker.com/engine/reference/run/).

## Notes on interfaces and backwards compatibility of the official images

- The only tool supported on the image is the AWS CLI. Only the `aws` executable should ever be directly run. For example, even though `less` and `groff` are explicitly installed on the image, they should not be executed directly outside of an AWS CLI command.
- The `/aws` working directory is user controlled. The image will not write to this directory, unless instructed by the user in running an AWS CLI command.
- There are no backwards compatibility guarantees in relying on the latest tag. To guarantee backwards compatibility, you must pin to a specific `` tag as those tags are immutable; they will only ever be pushed to once.

## Use specific versions and tags

The official AWS CLI version 2 image has multiple versions you can use, starting with version `2.0.6`. To run a specific version of the AWS CLI version 2, append the appropriate tag to your `docker run` command. The first time you use the `docker run` command with a tag, the latest image for that tag is downloaded to your computer. Each subsequent use of the `docker run` command with that tag runs from your local copy.

You can use two types of tags:

- `latest` – Defines the latest version of the AWS CLI version 2 for the image. We recommend you use the `latest` tag when you want the latest version of the AWS CLI version 2. However, there are no backward-compatibility guarantees when relying on this tag. The `latest` tag is used by default in the `docker run` command. To explicitly use the `latest` tag, append the tag to the container image name.
- `` – Defines a specific version of the AWS CLI version 2 for the image. If you plan to use an official image in production, we recommend you use a specific version of the AWS CLI version 2 to ensure backward compatibility.
For example, to run version `2.0.6`, append the version to the container image name.

## Update to the latest official image

Because the latest image is downloaded to your computer only the first time you use the `docker run` command, you need to manually pull an updated image. To manually update to the latest version, we recommend you pull the `latest` tagged image. Pulling the image downloads the latest version to your computer.

## Share host files, credentials, environment variables, and configuration

Because the AWS CLI version 2 is run in a container, by default the CLI can't access the host file system, which includes configuration and credentials. To share the host file system, credentials, and configuration to the container, mount the host system’s `~/.aws` directory to the container at `/root/.aws` with the `-v` flag to the `docker run` command. This allows the AWS CLI version 2 running in the container to locate host file information.

For more information about the `-v` flag and mounting, see the [Docker reference guide](https://docs.docker.com/storage/volumes/).

###### Note

For information on `config` and `credentials` files, see [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html).

### Example 1: Providing credentials and configuration

In this example, we're providing host credentials and configuration when running the `s3 ls` command to list your buckets in Amazon Simple Storage Service (Amazon S3). The examples below use the default location for AWS CLI credentials and configuration files. To use a different location, change the file path.

You can call specific system's environment variables using the `-e` flag. To use an environment variable, call it by name.

### Example 2: Downloading an Amazon S3 file to your host system

For some AWS CLI version 2 commands, you can read files from the host system in the container or write files from the container to the host system.
In this example, we download the `S3` object `s3://aws-cli-docker-demo/hello` to your local file system by mounting the current working directory to the container's `/aws` directory. By downloading the `hello` object to the container's `/aws` directory, the file is saved to the host system’s current working directory also.

To confirm the downloaded file exists in the local file system, run the following.

**Linux and macOS**

```
$ cat hello
Hello from Docker!
```

**Windows PowerShell**

```
$ type hello
Hello from Docker!
```

### Example 3: Using your AWS_PROFILE environment variable

You can call specific system's environment variables using the `-e` flag. Call each environment variable you'd like to use. In this example, we're providing host credentials, configuration, and the `AWS_PROFILE` environment variable when running the `s3 ls` command to list your buckets in Amazon Simple Storage Service (Amazon S3).

## Shorten the docker run command

To shorten the `docker run` command, we suggest you use your operating system's ability to create a [`symbolic link`](https://www.linux.com/topic/desktop/understanding-linux-links/) (symlink) or [`alias`](https://www.linux.com/topic/desktop/aliases-diy-shell-commands/) in Linux and macOS, or [`doskey`](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/doskey) in Windows. To set the `aws` alias, you can run one of the following commands.

- For basic access to `aws` commands, run the following.
- For access to the host file system and configuration settings when using `aws` commands, run the following.
- To assign a specific version to use in your `aws` alias, append your version tag.

After setting your alias, you can run the AWS CLI version 2 from within a container as if it's installed on your host system.

```
$ aws --version
aws-cli/2.27.41 Python/3.7.3 Linux/4.9.184-linuxkit botocore/2.4.5dev10
```

---

# Install/Update

> Instructions to install or update the AWS CLI on your system.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

---

# Installing or updating to the latest version of the AWS CLI

This topic describes how to install or update the latest release of the AWS Command Line Interface (AWS CLI) on supported operating systems. For information on the latest releases of AWS CLI, see the [AWS CLI version 2 Changelog](https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst) on GitHub.

To install a past release of the AWS CLI, see [Installing past releases of the AWS CLI version 2](./getting-started-version.html). For uninstall instructions, see [Uninstalling the AWS CLI version 2](./uninstall.html).

###### Important

AWS CLI versions 1 and 2 use the same `aws` command name. If you previously installed AWS CLI version 1, see [Migration guide for the AWS CLI version 2](./cliv2-migration.html).

###### Topics

- [AWS CLI install and update instructions](#getting-started-install-instructions)
- [Troubleshooting AWS CLI install and uninstall errors](#install-tshoot)
- [Next steps](#install-next-steps)

## AWS CLI install and update instructions

For installation instructions, expand the section for your operating system.

#### Install and update requirements

- You must be able to extract or "unzip" the downloaded package. If your operating system doesn't have the built-in `unzip` command, use an equivalent.
- The AWS CLI uses `glibc`, `groff`, and `less`. These are included by default in most major distributions of Linux.
- We support the AWS CLI on 64-bit versions of recent distributions of CentOS, Fedora, Ubuntu, Amazon Linux 1, Amazon Linux 2, Amazon Linux 2023, and Linux ARM.
- Because AWS doesn't maintain third-party repositories other than `snap`, we can’t guarantee that they contain the latest version of the AWS CLI.

#### Install or update the AWS CLI

###### Warning

If this is your first time updating on Amazon Linux, to install the latest version of the AWS CLI, you must uninstall the pre-installed `yum` version using the following command:

```
$ sudo yum remove awscli
```

After the `yum` installation of the AWS CLI is removed, follow the Linux install instructions below.

You can install the AWS CLI by using one of the following methods:

- **The command line installer** is a good option for version control, as you can specify the version to install. This option does not auto-update, and you must download a new installer each time you update to overwrite the previous version.
- **The officially supported `snap` package** is a good option to always have the latest version of the AWS CLI, as snap packages automatically refresh. There is no built-in support for selecting minor versions of the AWS CLI, so it is not an optimal install method if your team needs to pin versions.

#### Install and update requirements

- We support the AWS CLI on macOS versions 11 and later. For more information, see [macOS support policy updates for the AWS CLI v2](https://aws.amazon.com/blogs/developer/macos-support-policy-updates-for-the-aws-cli-v2/) on the *AWS Developer Tools Blog*.
- Because AWS doesn't maintain third-party repositories, we can’t guarantee that they contain the latest version of the AWS CLI.

**macOS version support matrix**

| AWS CLI version | Supported macOS version |
| --- | --- |
| 2.21.0 – current | 11+ |
| 2.17.0 – 2.20.0 | 10.15+ |
| 2.0.0 – 2.16.12 | 10.14 and below |

#### Install or update the AWS CLI

If you are updating to the latest version, use the same installation method that you used in your current version.
You can install the AWS CLI on macOS in the following ways.

#### Install and update requirements

- We support the AWS CLI on Microsoft-supported versions of 64-bit Windows.
- Admin rights to install software

#### Install or update the AWS CLI

To update your current installation of AWS CLI on Windows, download a new installer each time you update to overwrite previous versions. AWS CLI is updated regularly. To see when the latest version was released, see the [AWS CLI version 2 Changelog](https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst) on *GitHub*.

- Download and run the AWS CLI MSI installer for Windows (64-bit): [https://awscli.amazonaws.com/AWSCLIV2.msi](https://awscli.amazonaws.com/AWSCLIV2.msi)

  Alternatively, you can run the `msiexec` command to run the MSI installer.

  ```
  C:\> msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi
  ```

  For various parameters that can be used with `msiexec`, see [msiexec](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec) on the *Microsoft Docs* website. For example, you can use the `/qn` flag for a silent installation.

  ```
  C:\> msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi /qn
  ```

- To confirm the installation, open the **Start** menu, search for `cmd` to open a command prompt window, and at the command prompt use the `aws --version` command.

  ```
  C:\> aws --version
  aws-cli/2.27.41 Python/3.11.6 Windows/10 exe/AMD64 prompt/off
  ```

  If Windows is unable to find the program, you might need to close and reopen the command prompt window to refresh the path, or follow the troubleshooting in [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html).

## Troubleshooting AWS CLI install and uninstall errors

If you come across issues after installing or uninstalling the AWS CLI, see [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html) for troubleshooting steps.
For the most relevant troubleshooting steps, see [Command not found errors](./cli-chap-troubleshooting.html#tshoot-install-not-found), [The "aws --version" command returns a different version than you installed](./cli-chap-troubleshooting.html#tshoot-install-wrong-version), and [The "aws --version" command returns a version after uninstalling the AWS CLI](./cli-chap-troubleshooting.html#tshoot-uninstall-1).

## Next steps

After you successfully install the AWS CLI, you can safely delete your downloaded installer files. After completing the steps in [Prerequisites to use the AWS CLI version 2](./getting-started-prereqs.html) and installing the AWS CLI, you should continue with [Setting up the AWS CLI](./getting-started-quickstart.html).

---

# Prerequisites

> Before you install the AWS Command Line Interface version 2 on your system you need an AWS account and IAM credentials.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/getting-started-prereqs.html

---

# Prerequisites to use the AWS CLI version 2

To access AWS services with the AWS CLI, you need an AWS account with IAM or IAM Identity Center credentials. When running AWS CLI commands, the AWS CLI needs to have access to those AWS credentials. To increase the security of your AWS account, we recommend that you only use short-lived credentials when using root or IAM users. You should create a user with least privilege to provide access credentials to the tasks you'll be running in AWS. For information about best practices, see [Security best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the IAM User Guide.

###### Topics

- [Create an IAM or IAM Identity Center administrative account](#getting-started-prereqs-iam)
- [Next steps](#getting-started-prereqs-next)

## Create an IAM or IAM Identity Center administrative account

Before you can configure the AWS CLI, you need to create an IAM or IAM Identity Center account.

**Account creation options**

| Choose a way to manage your credentials | To | How to create an account | How to configure programmatic access to the account |
| --- | --- | --- | --- |
| AWS Management Console credentials | Use short-term credentials corresponding to the root user created during initial account set up, an IAM user, or a federated identity from your identity provider. | Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup) and follow the online instructions. | No additional steps are necessary. To sign in to the AWS CLI with your AWS account, see [Login for AWS local development using console credentials](./cli-configure-sign-in.html) |
| IAM Identity Center | Use short-term credentials to access AWS services. | Following the instructions in Getting started in the AWS IAM Identity Center User Guide. | Configure programmatic access by Configuring the to use in the AWS IAM Identity Center User Guide. |
| AWS Identity and Access Management (Not recommended) | Use long-term credentials to access AWS services. | Following the instructions in Create an for emergency access in the IAM User Guide. | Configure programmatic access by Manage access keys for users in the IAM User Guide. |

## Next steps

After creating an AWS account and IAM credentials, to use the AWS CLI you can do one of the following:

- [Install the latest release](./getting-started-install.html) of the AWS CLI version 2 on your computer.
- [Install a past release](./getting-started-version.html) of the AWS CLI version 2 on your computer.
- Access the AWS CLI version 2 from your computer [using a Docker image.](./getting-started-docker.html)
- Access the AWS CLI version 2 in the AWS console from your browser using AWS CloudShell. For more information see the [AWS CloudShell User Guide](https://docs.aws.amazon.com/cloudshell/latest/userguide/).

---

# Setup

> Learn how to quickly configure basic settings that the AWS Command Line Interface uses to interact with your resources on AWS services.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html

---

# Setting up the AWS CLI

This topic explains how to quickly configure basic settings that the AWS Command Line Interface (AWS CLI) uses to interact with AWS. These include your security credentials, the default output format, and the default AWS Region.

###### Topics

- [Gather your credential information for programmatic access](#getting-started-prereqs-keys)
- [Setting up new configuration and credentials](#getting-started-quickstart-new)
- [Using existing configuration and credentials files](#getting-started-quickstart-existing)

## Gather your credential information for programmatic access

You'll need programmatic access if you want to interact with AWS outside of the AWS Management Console. For authentication and credential instructions, choose one of the following options:

| Authentication type | Purpose | Instructions |
| --- | --- | --- |
| AWS Management Console credentials | **(Recommended)** Use short-term credentials by logging into the AWS CLI with your console credentials. Recommended if you use root, IAM users, or federation with IAM for AWS account access | [Login for AWS local development using console credentials](./cli-configure-sign-in.html) |
| IAM Identity Center workforce users short-term credentials | Use short-term credentials for an IAM Identity Center workforce user. Security best practice is to use AWS Organizations with IAM Identity Center. It combines short-term credentials with a user directory, such as the built-in IAM Identity Center directory or Active Directory. | [Configuring IAM Identity Center authentication with the AWS CLI](./cli-configure-sso.html) |
| IAM user short-term credentials | Use IAM user short-term credentials, which are more secure than long-term credentials. If your credentials are compromised, there is a limited time they can be used before they expire. | [Authenticating with short-term credentials for the AWS CLI](./cli-authentication-short-term.html) |
| IAM or IAM Identity Center users on an Amazon EC2 instance. | Use Amazon EC2 instance metadata to query for temporary credentials using the role assigned to the Amazon EC2 instance. | [Using Amazon EC2 instance metadata as credentials in the AWS CLI](./cli-configure-metadata.html) |
| Assume roles for permissions | Pair another credential method and assume a role for temporary access to AWS services your user might not have access to. | [Using an IAM role in the AWS CLI](./cli-configure-role.html) |
| IAM user long-term credentials | **(Not recommended)** Use long-term credentials, which have no expiration. | [Authenticating using IAM user credentials for the AWS CLI](./cli-authentication-user.html) |
| External storage of IAM or IAM Identity Center workforce users | **(Not recommended)** Pair another credential method but store credential values in a location outside of the AWS CLI. This method is only as secure as the external location the credentials are stored. | [Sourcing credentials with an external process in the AWS CLI](./cli-configure-sourcing-external.html) |

## Setting up new configuration and credentials

The AWS CLI stores your configuration and credential information in a *profile* (a collection of settings) in the `credentials` and `config` files.

###### There are primarily two methods to quickly get set up:

- [Configuring using AWS CLI commands](#getting-started-quickstart-new-command)
- [Manually editing the credentials and config files](#getting-started-quickstart-new-file)

The following examples use sample values for each of the authentication methods. Replace sample values with your own.

### Configuring using AWS CLI commands

For general use, the `aws configure` or `aws configure sso` commands in your preferred terminal are the fastest way to set up your AWS CLI installation. Based on the credential method you prefer, the AWS CLI prompts you for the relevant information. By default, the information in this profile is used when you run an AWS CLI command that doesn't explicitly specify a profile to use.

For more information on the `credentials` and `config` files, see [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html).

For more detailed information on authentication and credential methods see [Authentication and access credentials for the AWS CLI](./cli-chap-authentication.html).

### Manually editing the credentials and config files

When copying and pasting information, we suggest manually editing the `config` and `credentials` files. Based on the credential method you prefer, the files are set up in a different way.

The files are stored in your home directory under the `.aws` folder. Where you find your home directory location varies based on the operating system, but is referred to using the environment variables `%UserProfile%` in Windows and `$HOME` or `~` (tilde) in Unix-based systems.
For more information on where these settings are stored, see [Where are configuration settings stored?](./cli-configure-files.html#cli-configure-files-where).

The following examples show a `default` profile and a profile named `user1` and use sample values. Replace sample values with your own.

For more information on the `credentials` and `config` files, see [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html).

For more detailed information on authentication and credential methods see [Authentication and access credentials for the AWS CLI](./cli-chap-authentication.html).

## Using existing configuration and credentials files

If you have existing configuration and credentials files, these can be used for the AWS CLI.

To use the `config` and `credentials` files, move them to the folder named `.aws` in your home directory. Where you find your home directory location varies based on the operating system, but is referred to using the environment variables `%UserProfile%` in Windows and `$HOME` or `~` (tilde) in Unix-based systems.

You can specify a non-default location for the `config` and `credentials` files by setting the `AWS_CONFIG_FILE` and `AWS_SHARED_CREDENTIALS_FILE` environment variables to another local path. See [Configuring environment variables for the AWS CLI](./cli-configure-envvars.html) for details.

For more detailed information on configuration and credentials files, see [Configuration and credential file settings in the AWS CLI](./cli-configure-files.html).

---

# Build and install from source

> Install the AWS CLI from the GitHub source on your system.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/getting-started-source-install.html

---

# Building and installing the AWS CLI from source

This topic describes how to install or update from source to the latest release of the AWS Command Line Interface (AWS CLI) on supported operating systems.

For information on the latest releases of AWS CLI, see the [AWS CLI version 2 Changelog](https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst) on GitHub.

###### Important

AWS CLI versions 1 and 2 use the same `aws` command name. If you previously installed AWS CLI version 1, see [Migration guide for the AWS CLI version 2](./cliv2-migration.html).

###### Topics

- [Why build from source?](#source-getting-started-install-why)
- [Quicksteps](#source-getting-started-install-quicksteps)
- [Step 1: Setup all requirements](#source-getting-started-install-reqs)
- [Step 2: Configuring the AWS CLI source installation](#source-getting-started-install-config)
- [Step 3: Building the AWS CLI](#source-getting-started-install-build)
- [Step 4: Installing the AWS CLI](#source-getting-started-install-instructions)
- [Step 5: Verifying the AWS CLI installation](#source-getting-started-install-verify)
- [Workflow examples](#source-getting-started-install-workflows)
- [Troubleshooting AWS CLI install and uninstall errors](#source-install-tshoot)
- [Next steps](#source-install-next-steps)

## Why build from source?

The AWS CLI is [available as pre-built installers](./getting-started-install.html) for most platforms and environments as well as a Docker image.

Generally, these installers provide coverage for most use-cases. The instructions for installing from source are to help with the use-cases our installers do not cover. Some of these use-cases include the following:

- The pre-built installers do not support your environment. For example, ARM 32-bit is not supported by the pre-built installers.
- The pre-built installers have dependencies your environment lacks.
For example, Alpine Linux uses [`musl`](https://musl.libc.org/), but the current installers require `glibc`, so the pre-built installers do not immediately work.
- The pre-built installers require resources your environment restricts access to. For example, security hardened systems might not give permissions to shared memory. This is needed for the frozen `aws` installer.
- The pre-built installers are often blockers for maintainers in package managers, as full control over the building process for code and packages is preferred. Building from source enables distribution maintainers a more streamlined process to keep the AWS CLI updated. Enabling maintainers provides customers more up-to-date versions of the AWS CLI when installing from a 3rd party package manager such as `brew`, `yum`, and `apt`.
- Customers that patch AWS CLI functionality require building and installing the AWS CLI from source. This is especially important for community members that want to test changes they've made to the source prior to contributing the change to the AWS CLI GitHub repository.

## Quicksteps

###### Note

All code examples are assumed to run from the root of the source directory.

To build and install the AWS CLI from source, follow the steps in this section. The AWS CLI leverages [GNU Autotools](https://www.gnu.org/software/automake/faq/autotools-faq.html) to install from source. In the simplest case, the AWS CLI can be installed from source by running the default example commands from the root of the AWS CLI GitHub repository.

- [Setup all requirements for your environment.](#source-getting-started-install-reqs) This includes being able to run [GNU Autotools](https://www.gnu.org/software/automake/faq/autotools-faq.html) generated files and having Python 3.8 or later installed.
- In your terminal, navigate to the top level of the AWS CLI source folder and run the `./configure` command.
This command checks the system for all required dependencies and generates a `Makefile` for building and installing the AWS CLI based on detected and specified configurations. For details, available configuration options, and default setting information, see the [Step 2: Configuring the AWS CLI source installation](#source-getting-started-install-config) section.
- Run the `make` command. This command builds the AWS CLI according to your configuration settings. The following `make` command example builds with default options using your existing `./configure` settings. For details and available build options, see the [Step 3: Building the AWS CLI](#source-getting-started-install-build) section.
- Run the `make install` command. This command installs your built AWS CLI to the configured location on your system. The following `make install` command example installs your built AWS CLI and creates symlinks in your configured locations using default command settings. For details and available install options, see the [Step 4: Installing the AWS CLI](#source-getting-started-install-instructions) section.
- Confirm the AWS CLI successfully installed using the following command:

  ```
  $ aws --version
  aws-cli/2.27.41 Python/3.11.6 Windows/10 exe/AMD64 prompt/off
  ```

  For troubleshooting steps for install errors see the [Troubleshooting AWS CLI install and uninstall errors](#source-install-tshoot) section.

## Step 1: Setup all requirements

To build the AWS CLI from source you need the following completed beforehand:

###### Note

All code examples are assumed to run from the root of the source directory.

- Download the AWS CLI source by either forking the AWS CLI GitHub repository or downloading the source tarball. Use one of the following options:
  - Fork and clone the [AWS CLI repository](https://github.com/aws/aws-cli) from *GitHub*. For more information, see [Fork a repo](https://docs.github.com/en/get-started/quickstart/fork-a-repo) in the *GitHub Docs*.
  - Download the latest source tarball at [https://awscli.amazonaws.com/awscli.tar.gz](https://awscli.amazonaws.com/awscli.tar.gz) and extract the contents using the following commands:

    ```
    $ curl "https://awscli.amazonaws.com/awscli.tar.gz" -o "awscli.tar.gz"
    $ tar -xzf awscli.tar.gz
    ```

###### Note

To download a specific version, use the following link format, replacing `versionnumber` with the version you want: `https://awscli.amazonaws.com/awscli-versionnumber.tar.gz`

For example, for version 2.10.0 the link is the following: `https://awscli.amazonaws.com/awscli-2.10.0.tar.gz`

Source versions are available starting with version **2.10.0** of the AWS CLI.

**(Optional) Verifying the integrity of your downloaded zip file by completing the following steps:**

You can use the following steps to verify the signatures by using the `GnuPG` tool.

The AWS CLI installer package `.zip` files are cryptographically signed using PGP signatures. If there is any damage or alteration of the files, this verification fails and you should not proceed with installation.

- Download and install the `gpg` command using your package manager. For more information about `GnuPG`, see the [GnuPG website](https://www.gnupg.org/).
- To create the public key file, create a text file and paste in the following text.
For reference, the following are the details of the public key.
```
Key ID: A6310ACC4672
Type: RSA
Size: 4096/4096
Created: 2019-09-18
Expires: 2026-07-07
User ID: AWS CLI Team
Key fingerprint: FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C
```

- Import the AWS CLI public key with the following command, substituting `public-key-file-name` with the file name of the public key you created.

  ```
  $ gpg --import public-key-file-name
  gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
  gpg: key A6310ACC4672475C: public key "AWS CLI Team " imported
  gpg: Total number processed: 1
  gpg: imported: 1
  ```

- Download the AWS CLI signature file for the package you downloaded at [https://awscli.amazonaws.com/awscli.tar.gz.sig](https://awscli.amazonaws.com/awscli.tar.gz.sig). It has the same path and name as the tarball file it corresponds to, but has the extension `.sig`. Save it in the same path as the tarball file. Or use the following command block:

  ```
  $ curl https://awscli.amazonaws.com/awscli.tar.gz.sig -o awscli.tar.gz.sig
  ```

- Verify the signature, passing both the downloaded `.sig` and tarball file names as parameters to the `gpg` command.

  ```
  $ gpg --verify awscli.tar.gz.sig awscli.tar.gz
  ```

  The output should look similar to the following.

  ```
  gpg: Signature made Mon Nov 4 19:00:01 2019 PST
  gpg: using RSA key FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C
  gpg: Good signature from "AWS CLI Team " [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg: There is no indication that the signature belongs to the owner.
  Primary key fingerprint: FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C
  ```

###### Important

The warning in the output is expected and doesn't indicate a problem. It occurs because there isn't a chain of trust between your personal PGP key (if you have one) and the AWS CLI PGP key. For more information, see [Web of trust](https://wikipedia.org/wiki/Web_of_trust).
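Because the trust warning is expected, an automated build should decide from GnuPG's machine-readable status lines and the published fingerprint rather than from the human-readable text. The following is an added example, not part of the AWS documentation: the function names and the sample status lines are constructed for illustration, and the same check applies to the `.zip` installer signatures.

```bash
#!/bin/sh
# Added example: accept a release only when gpg reports a valid signature
# made by the pinned AWS CLI signing key.

# Fingerprint published on this page, with the spaces removed.
AWSCLI_FPR="FB5DB77FD5C118B80511ADA8A6310ACC4672475C"

# check_gpg_status EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin. Returns 0 only if a VALIDSIG line
# names EXPECTED_FPR as the primary key fingerprint and no line reports a
# bad, unverifiable, expired or revoked signature.
check_gpg_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # BADSIG: data or signature altered. ERRSIG and NO_PUBKEY: could not
        # be checked. EXPSIG and EXPKEYSIG: expired signature or key (the page
        # lists the key expiry as 2026-07-07). REVKEYSIG: key revoked.
        $2 ~ /^(BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint when gpg supplies it;
            # field 3 is the fingerprint of the key or subkey that signed.
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == toupper(want)) good = 1
            else bad = 1
        }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# verify_release SIG_FILE DATA_FILE [EXPECTED_FPR]
# Runs gpg and judges the result from its status lines, not from the
# "Good signature" text or the trust warning.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_gpg_status "${3:-$AWSCLI_FPR}"
}

# Constructed status output for illustration (not captured from a real run).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A6310ACC4672475C AWS CLI Team
[GNUPG:] VALIDSIG FB5DB77FD5C118B80511ADA8A6310ACC4672475C 2019-11-05 1572922801 0 4 0 1 8 00 FB5DB77FD5C118B80511ADA8A6310ACC4672475C
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: cryptographically valid, but made by a key other than the
# pinned one. gpg still prints "Good signature" for this case.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Example Key
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-11-05 1572922801 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: the file or the signature was altered.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG A6310ACC4672475C AWS CLI Team'

# Run as: sh verify-awscli.sh awscli.tar.gz.sig awscli.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: $2 is signed by $AWSCLI_FPR"
    else
        echo "FAILED: do not install $2" >&2
        exit 1
    fi
fi
```

In a build such as the Alpine Dockerfile on this page, the same check fits between downloading the tarball and extracting it, which requires saving the tarball to a file instead of piping it straight into `tar`.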
- You have an environment that can run [GNU Autotools](https://www.gnu.org/software/automake/faq/autotools-faq.html) generated files such as `configure` and `Makefile`. These files are widely portable across POSIX platforms.
- A Python 3.8 or later interpreter is installed. The minimum Python version required follows the same timelines as the official [Python support policy for AWS SDKs and Tools](https://aws.amazon.com/blogs/developer/python-support-policy-updates-for-aws-sdks-and-tools/). An interpreter is only supported 6 months after its end-of-support date.
- **(Optional)** Install all build and runtime Python library dependencies of the AWS CLI. The `./configure` command informs you if you are missing any dependencies and how to install them. You can automatically install and use these dependencies through configuration; see [Downloading dependencies](#source-getting-started-install-config-dependencies) for more information.

## Step 2: Configuring the AWS CLI source installation

Configuration for building and installing the AWS CLI is specified using the `configure` script. For the documentation of all configuration options, run the `configure` script with the `--help` option:

###### The most important options are the following:

- [Install location](#source-getting-started-install-config-location)
- [Python interpreter](#source-getting-started-install-config-interpreter)
- [Downloading dependencies](#source-getting-started-install-config-dependencies)
- [Install type](#source-getting-started-install-config-type)

### Install location

The source installation of the AWS CLI uses two configurable directories to install the AWS CLI:

- `libdir` - Parent directory where the AWS CLI will be installed. The path to the AWS CLI installation is the `libdir` value followed by `/aws-cli`.
  The default `libdir` value for Linux and macOS is `/usr/local/lib`, making the default installation directory `/usr/local/lib/aws-cli`.
- `bindir` - Directory where the AWS CLI executables are installed. The default location is `/usr/local/bin`.

The following `configure` options control the directories used:

- `--prefix` - Sets the directory prefix to use for the installation. The default value for Linux and macOS is `/usr/local`.
- `--libdir` - Sets the `libdir` to use for installing the AWS CLI. The default value is the `--prefix` value followed by `/lib`. If both `--libdir` and `--prefix` are not specified, the default for Linux and macOS is `/usr/local/lib/`.
- `--bindir` - Sets the `bindir` to use for installing the AWS CLI `aws` and `aws_completer` executables. The default value is the `--prefix` value followed by `/bin`. If both `--bindir` and `--prefix` are not specified, the default for Linux and macOS is `/usr/local/bin/`.

### Python interpreter

###### Note

It is highly recommended to specify the Python interpreter when installing for Windows.

The `./configure` script automatically selects an installed Python 3.8 or later interpreter to use in building and running the AWS CLI using the [`AM_PATH_PYTHON`](https://www.gnu.org/software/automake/manual/html_node/Python.html) Autoconf macro.

The Python interpreter to use can be explicitly set using the `PYTHON` environment variable when running the `configure` script:

### Downloading dependencies

By default, it is required that all build and runtime dependencies of the AWS CLI are already installed on the system. This includes any Python library dependencies. All dependencies are checked when the `configure` script is run, and if the system is missing any Python dependencies, the `configure` script errors out.

The following code example errors out when your system is missing dependencies:

To automatically install the required Python dependencies, use the `--with-download-deps` option.
When using this flag, the build process does the following:

- Skips the Python library dependencies check.
- Configures the settings to download all required Python dependencies and use **only** the downloaded dependencies to build the AWS CLI during the `make` build.

The following configure command example uses the `--with-download-deps` option to download and use the Python dependencies:

### Install type

The source install process supports the following installation types:

- `system-sandbox` - **(Default)** Creates an isolated Python virtual environment, installs the AWS CLI into the virtual environment, and symlinks to the `aws` and `aws_completer` executable in the virtual environment. This install of the AWS CLI depends directly on the selected Python interpreter for its runtime.

  This is a lightweight install mechanism to get the AWS CLI installed on a system and follows best Python practices by sandboxing the installation in a virtual environment. This installation is intended for customers that want to install the AWS CLI from source in the most frictionless way possible with the installation coupled to your installation of Python.
- `portable-exe` - Freezes the AWS CLI into a standalone executable that can be distributed to environments of similar architectures. This is the same process used to generate the official pre-built executables of the AWS CLI. The `portable-exe` freezes in a copy of the Python interpreter chosen in the `configure` step to use for the runtime of the AWS CLI. This allows it to be moved to other machines that may not have a Python interpreter.

  This type of build is useful because you can ensure your AWS CLI installation isn't coupled to the environment's installed Python version and you can distribute a build to other systems that may not already have Python installed. This enables you to control the dependencies and security on the AWS CLI executables you use.
To configure the installation type, use the `--with-install-type` option and specify a value of `portable-exe` or `system-sandbox`.

The following `./configure` command example specifies a value of `portable-exe`:

## Step 3: Building the AWS CLI

Use the `make` command to build the AWS CLI using your configuration settings:

###### Note

###### When using the `make` command, the following steps are completed behind the scenes:

- A virtual environment is created in the build directory using the Python [`venv`](https://docs.python.org/3/library/venv.html) module. The virtual environment is bootstrapped with a [version of pip that is vendored in the Python standard library](https://docs.python.org/3/library/ensurepip.html).
- Copies Python library dependencies. Depending on whether the `--with-download-deps` flag is specified in the `configure` command, this step does one of the following:
  - The `--with-download-deps` **is** specified. Python dependencies are pip installed. This includes `wheel`, `setuptools`, and all AWS CLI runtime dependencies. If you are building the `portable-exe`, `pyinstaller` is installed. These requirements are all specified in lock files generated from [`pip-compile`](https://github.com/jazzband/pip-tools).
  - The `--with-download-deps` **is not** specified. Python libraries from the Python interpreter's site package plus any scripts (e.g. `pyinstaller`) are copied into the virtual environment being used for the build.
- Runs `pip install` directly on the AWS CLI codebase to do an offline, in-tree build and install of the AWS CLI into the build virtual environment.
  This install uses the pip flags [`--no-build-isolation`](https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-no-build-isolation), [`--use-feature=in-tree-build`](https://pip.pypa.io/en/stable/cli/pip_install/#local-project-installs), [`--no-cache-dir`](https://pip.pypa.io/en/stable/cli/pip_install/#caching), and [`--no-index`](https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-no-index).
- **(Optional)** If the `--install-type` is set to `portable-exe` in the `configure` command, builds a standalone executable using [`pyinstaller`](https://www.pyinstaller.org/).

## Step 4: Installing the AWS CLI

The `make install` command installs your built AWS CLI to the configured location on the system.

The `make install` rule supports the [`DESTDIR`](https://www.gnu.org/software/make/manual/html_node/DESTDIR.html#DESTDIR) variable. When specified, this variable prefixes the specified path to the already configured installation path when installing the AWS CLI. By default, no value is set for this variable.

###### Note

###### When running `make install`, the following steps are completed behind the scenes

- Moves one of the following to the configured install directory:
  - If the install type is `system-sandbox`, moves your built virtual environment.
  - If the install type is a `portable-exe`, moves your built standalone executable.
- Creates symlinks for both the `aws` and `aws_completer` executables in your configured bin directory.

## Step 5: Verifying the AWS CLI installation

Confirm the AWS CLI successfully installed by using the following command:

```
$ aws --version
aws-cli/2.27.41 Python/3.11.6 Windows/10 exe/AMD64 prompt/off
```

If the `aws` command is not recognized, you may need to restart your terminal for new symlinks to update.
If you come across additional issues after installing or uninstalling the AWS CLI, see [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html) for common troubleshooting steps.

## Workflow examples

This section provides some basic workflow examples for installing from source.

### Basic Linux and macOS install

The following example is a basic installation workflow where the AWS CLI is installed in the default location of `/usr/local/lib/aws-cli`.

```
$ cd path/to/cli/repository/
$ ./configure
$ make
$ make install
```

### Automated Windows install

###### Note

You must run PowerShell as an Administrator to use this workflow.

MSYS2 can be used in an automated fashion in a CI setting; see [Using MSYS2 in CI](https://www.msys2.org/docs/ci/) in the *MSYS2 Documentation*.

### Alpine Linux container

Below is an example Dockerfile that can be used to get a working installation of the AWS CLI in an Alpine Linux container as an [alternative to pre-built binaries for Alpine](https://github.com/aws/aws-cli/issues/4685).
When using this example, replace `AWSCLI_VERSION` with your desired AWS CLI version number:

```
# Build stage: download the source tarball, then configure, build and install
FROM python:3.8-alpine AS builder

ENV AWSCLI_VERSION=2.10.1

RUN apk add --no-cache \
    curl \
    make \
    cmake \
    gcc \
    g++ \
    libc-dev \
    libffi-dev \
    openssl-dev \
    && curl https://awscli.amazonaws.com/awscli-${AWSCLI_VERSION}.tar.gz | tar -xz \
    && cd awscli-${AWSCLI_VERSION} \
    && ./configure --prefix=/opt/aws-cli/ --with-download-deps \
    && make \
    && make install

# Final stage: copy only the installed AWS CLI into a clean image
FROM python:3.8-alpine

RUN apk --no-cache add groff

COPY --from=builder /opt/aws-cli/ /opt/aws-cli/

ENTRYPOINT ["/opt/aws-cli/bin/aws"]
```

This image is built and the AWS CLI invoked from a container similar to the one that is built on Amazon Linux 2:

```
$ docker build --tag awscli-alpine .
$ docker run --rm -it awscli-alpine --version
aws-cli/2.2.1 Python/3.8.11 Linux/5.10.25-linuxkit source-sandbox/x86_64.alpine.3 prompt/off
```

The final size of this image is smaller than the size of the official AWS CLI Docker image. For information on the official Docker image, see [Running the official Amazon ECR Public or Docker images for the AWS CLI](./getting-started-docker.html).

## Troubleshooting AWS CLI install and uninstall errors

For troubleshooting steps for install errors, see [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html) for common troubleshooting steps. For the most relevant troubleshooting steps, see [Command not found errors](./cli-chap-troubleshooting.html#tshoot-install-not-found), [The "aws --version" command returns a different version than you installed](./cli-chap-troubleshooting.html#tshoot-install-wrong-version), and [The "aws --version" command returns a version after uninstalling the AWS CLI](./cli-chap-troubleshooting.html#tshoot-uninstall-1).

For any issues not covered in the troubleshooting guides, search the issues with the `source-distribution` label in the [AWS CLI Repository](https://github.com/aws/aws-cli/labels/source-distribution) on *GitHub*.
If no existing issues cover your errors, [create a new issue](https://github.com/aws/aws-cli/issues/new?assignees=&labels=source-distribution%2Cneeds-triage&template=source-distribution.yml&title=%28short+issue+description%29) to receive help from the AWS CLI maintainers.

## Next steps

After installing the AWS CLI, you should complete the steps in [Setting up the AWS CLI](./getting-started-quickstart.html).

---

# Past releases

> Install past releases of the AWS Command Line Interface version 2 on supported operating systems.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/getting-started-version.html

---

# Installing past releases of the AWS CLI version 2

This topic describes how to install the past releases of the AWS Command Line Interface version 2 (AWS CLI) on supported operating systems. For information on the AWS CLI version 2 releases, see the [AWS CLI version 2 Changelog](https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst) on GitHub.

AWS CLI version 2 installation instructions:

### Installation requirements

- You know which release of the AWS CLI version 2 you'd like to install. For a list of versions, see the [AWS CLI version 2 Changelog](https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst) on *GitHub*.
- You must be able to extract or "unzip" the downloaded package. If your operating system doesn't have the built-in `unzip` command, use an equivalent.
- The AWS CLI version 2 uses `glibc`, `groff`, and `less`. These are included by default in most major distributions of Linux.
- We support the AWS CLI version 2 on 64-bit versions of recent distributions of CentOS, Fedora, Ubuntu, Amazon Linux 1, Amazon Linux 2 and Linux ARM.
- Because AWS doesn't maintain third-party repositories, we can’t guarantee that they contain the latest version of the AWS CLI.

### Installation instructions

Follow these steps from the command line to install the AWS CLI on Linux.

We provide the steps in one easy to copy and paste group based on whether you use 64-bit Linux or Linux ARM. See the descriptions of each line in the steps that follow.

- Download the installation file in one of the following ways:
- **(Optional) Verifying the integrity of your downloaded zip file**

  If you chose to manually download the AWS CLI installer package `.zip` in the above steps, you can use the following steps to verify the signatures by using the `GnuPG` tool.

  The AWS CLI installer package `.zip` files are cryptographically signed using PGP signatures. If there is any damage or alteration of the files, this verification fails and you should not proceed with installation.

  - Download and install the `gpg` command using your package manager. For more information about `GnuPG`, see the [GnuPG website](https://www.gnupg.org/).
  - To create the public key file, create a text file and paste in the following text.
For reference, the following are the details of the public key.
```
Key ID: A6310ACC4672
Type: RSA
Size: 4096/4096
Created: 2019-09-18
Expires: 2026-07-07
User ID: AWS CLI Team
Key fingerprint: FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C
```

- Import the AWS CLI public key with the following command, substituting `public-key-file-name` with the file name of the public key you created.

  ```
  $ gpg --import public-key-file-name
  gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
  gpg: key A6310ACC4672475C: public key "AWS CLI Team " imported
  gpg: Total number processed: 1
  gpg: imported: 1
  ```

- Download the AWS CLI signature file for the package you downloaded. It has the same path and name as the `.zip` file it corresponds to, but has the extension `.sig`. In the following examples, we save it to the current directory as a file named `awscliv2.sig`.
- Verify the signature, passing both the downloaded `.sig` and `.zip` file names as parameters to the `gpg` command.

  ```
  $ gpg --verify awscliv2.sig awscliv2.zip
  ```

  The output should look similar to the following.

  ```
  gpg: Signature made Mon Nov 4 19:00:01 2019 PST
  gpg: using RSA key FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C
  gpg: Good signature from "AWS CLI Team " [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg: There is no indication that the signature belongs to the owner.
  Primary key fingerprint: FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C
  ```

###### Important

The warning in the output is expected and doesn't indicate a problem. It occurs because there isn't a chain of trust between your personal PGP key (if you have one) and the AWS CLI PGP key. For more information, see [Web of trust](https://en.wikipedia.org/wiki/Web_of_trust).

- Unzip the installer. If your Linux distribution doesn't have a built-in `unzip` command, use an equivalent to unzip it. The following example command unzips the package and creates a directory named `aws` under the current directory.

  ```
  $ unzip awscliv2.zip
  ```

- Run the install program.
  The installation command uses a file named `install` in the newly unzipped `aws` directory. By default, the files are all installed to `/usr/local/aws-cli`, and a symbolic link is created in `/usr/local/bin`. The command includes `sudo` to grant write permissions to those directories.

  ```
  $ sudo ./aws/install
  ```

  You can install without `sudo` if you specify directories that you already have write permissions to. Use the following instructions for the `install` command to specify the installation location:

  - Ensure that the paths you provide to the `-i` and `-b` parameters contain no volume name or directory names that contain any space characters or other white space characters. If there is a space, the installation fails.
  - `--install-dir` or `-i` – This option specifies the directory to copy all of the files to. The default value is `/usr/local/aws-cli`.
  - `--bin-dir` or `-b` – This option specifies that the main `aws` program in the install directory is symbolically linked to the file `aws` in the specified path. You must have write permissions to the specified directory. Creating a symlink to a directory that is already in your path eliminates the need to add the install directory to the user's `$PATH` variable. The default value is `/usr/local/bin`.

  ```
  $ ./aws/install -i /usr/local/aws-cli -b /usr/local/bin
  ```

###### Note

To update your current installation of the AWS CLI version 2 to a newer version, add your existing symlink and installer information to construct the `install` command with the `--update` parameter.

```
$ sudo ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update
```

To locate the existing symlink and installation directory, use the following steps:

- Use the `which` command to find your symlink. This gives you the path to use with the `--bin-dir` parameter.

  ```
  $ which aws
  /usr/local/bin/aws
  ```

- Use the `ls` command to find the directory that your symlink points to.
  This gives you the path to use with the `--install-dir` parameter.

  ```
  $ ls -l /usr/local/bin/aws
  lrwxrwxrwx 1 ec2-user ec2-user 49 Oct 22 09:49 /usr/local/bin/aws -> /usr/local/aws-cli/v2/current/bin/aws
  ```

- Confirm the installation with the following command.

  ```
  $ aws --version
  aws-cli/2.27.41 Python/3.11.6 Linux/5.10.205-195.807.amzn2.x86_64
  ```

  If the `aws` command cannot be found, you might need to restart your terminal or follow the troubleshooting in [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html).

### Installation requirements

- You know which release of the AWS CLI version 2 you'd like to install. For a list of versions, see the [AWS CLI version 2 Changelog](https://github.com/aws/aws-cli/blob/v2/CHANGELOG.rst?plain=1) on *GitHub*.
- We support the AWS CLI version 2 on Apple-supported versions of 64-bit macOS.
- Because AWS doesn't maintain third-party repositories, we can’t guarantee that they contain the latest version of the AWS CLI.

### Installation instructions

You can install the AWS CLI version 2 on macOS in the following ways.

### Installation requirements

- You know which release of the AWS CLI version 2 you'd like to install. For a list of versions, see the [AWS CLI version 2 Changelog](https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst) on *GitHub*.
- We support the AWS CLI on Microsoft-supported versions of 64-bit Windows.
- Admin rights to install software

### Installation instructions

To update your current installation of AWS CLI version 2 on Windows, download a new installer each time you update to overwrite previous versions. AWS CLI is updated regularly. To see when the latest version was released, see the [AWS CLI version 2 Changelog](https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst) on *GitHub*.
- Download and run the AWS CLI MSI installer for Windows (64-bit) in one of the following ways:
  - **Downloading and running the MSI installer:** To create your download link for a specific version of the AWS CLI, append a hyphen and the version number to the filename.

    ```
    https://awscli.amazonaws.com/AWSCLIV2-version.number.msi
    ```

    For this example the filename for version `2.0.30` would be `AWSCLIV2-2.0.30.msi` resulting in the following link: [https://awscli.amazonaws.com/AWSCLIV2-2.0.30.msi](https://awscli.amazonaws.com/AWSCLIV2-2.0.30.msi).
  - **Using the msiexec command:** Alternatively, you can use the MSI installer by adding the link to the `msiexec` command. For a specific version of the AWS CLI, append a hyphen and the version number to the filename.

    ```
    C:\> msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2-version.number.msi
    ```

    For this example the filename for version `2.0.30` would be `AWSCLIV2-2.0.30.msi` resulting in the following link: [https://awscli.amazonaws.com/AWSCLIV2-2.0.30.msi](https://awscli.amazonaws.com/AWSCLIV2-2.0.30.msi).

    ```
    C:\> msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2-2.0.30.msi
    ```

    For various parameters that can be used with `msiexec`, see [msiexec](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec) on the *Microsoft Docs* website. For a list of versions, see the [AWS CLI version 2 Changelog](https://raw.githubusercontent.com/aws/aws-cli/v2/CHANGELOG.rst) on *GitHub*.
- To confirm the installation, open the **Start** menu, search for `cmd` to open a command prompt window, and at the command prompt use the `aws --version` command.

  ```
  C:\> aws --version
  aws-cli/2.27.41 Python/3.11.6 Windows/10 exe/AMD64 prompt/off
  ```

  If Windows is unable to find the program, you might need to close and reopen the command prompt window to refresh the path, or follow the troubleshooting in [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html).
## Troubleshooting AWS CLI install and uninstall errors

If you come across issues after installing or uninstalling the AWS CLI, see [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html) for troubleshooting steps. For the most relevant troubleshooting steps, see [Command not found errors](./cli-chap-troubleshooting.html#tshoot-install-not-found), [The "aws --version" command returns a different version than you installed](./cli-chap-troubleshooting.html#tshoot-install-wrong-version), and [The "aws --version" command returns a version after uninstalling the AWS CLI](./cli-chap-troubleshooting.html#tshoot-uninstall-1).

## Next steps

After completing the steps in [Prerequisites to use the AWS CLI version 2](./getting-started-prereqs.html) and installing the AWS CLI, you should complete the steps in [Setting up the AWS CLI](./getting-started-quickstart.html).

---

# Infrastructure Security

> Provides information about infrastructure security for this AWS product or service.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/infrastructure-security.html

---

# Infrastructure Security for this AWS Product or Service

This AWS product or service uses managed services, and therefore is protected by the AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well‐Architected Framework*.
You use AWS published API calls to access this AWS Product or Service through the network. Clients must support the following:

- Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
- Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) (AWS STS) to generate temporary security credentials to sign requests.

This AWS product or service follows the [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) through the specific Amazon Web Services (AWS) services it supports. For AWS service security information, see the [AWS service security documentation page](https://docs.aws.amazon.com/security/?id=docs_gateway#aws-security) and [AWS services that are in scope of AWS compliance efforts by compliance program](https://aws.amazon.com/compliance/services-in-scope/).

---

# Identity and Access Management

> How to authenticate requests and manage access to your AWS resources.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/security-iam.html

---

# Identity and Access Management

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources.
IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS resources. IAM is an AWS service that you can use with no additional charge.

###### Topics

- [Audience](#security_iam_audience)
- [Authenticating with identities](#security_iam_authentication)
- [Managing access using policies](#security_iam_access-manage)
- [How AWS services work with IAM](#security_iam_service-with-iam)
- [Troubleshooting AWS identity and access](#security_iam_troubleshoot)

## Audience

How you use AWS Identity and Access Management (IAM) differs, depending on the work that you do in AWS.

**Service user** – If you use AWS services to do your job, then your administrator provides you with the credentials and permissions that you need. As you use more AWS features to do your work, you might need additional permissions. Understanding how access is managed can help you request the right permissions from your administrator. If you cannot access a feature in AWS, see [Troubleshooting AWS identity and access](#security_iam_troubleshoot) or the user guide of the AWS service you are using.

**Service administrator** – If you're in charge of AWS resources at your company, you probably have full access to AWS. It's your job to determine which AWS features and resources your service users should access. You must then submit requests to your IAM administrator to change the permissions of your service users. Review the information on this page to understand the basic concepts of IAM. To learn more about how your company can use IAM with AWS, see the user guide of the AWS service you are using.

**IAM administrator** – If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to AWS. To view example AWS identity-based policies that you can use in IAM, see the user guide of the AWS service you are using.
## Authenticating with identities

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user

When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*.

### Federated identity

As a best practice, require human users to use federation with an identity provider to access AWS services using temporary credentials.

A *federated identity* is a user from your enterprise directory, web identity provider, or Directory Service that accesses AWS services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.

For centralized access management, we recommend AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.
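To check a workstation against the temporary-credentials recommendation above, the following added example (not part of the AWS documentation) scans a shared `credentials` file and reports which profiles hold a secret access key with no `aws_session_token`, without printing any key material. The function names and the constructed sample file are assumptions of this example.

```bash
#!/bin/sh
# Added example: classify profiles in a shared credentials file without
# printing any secret values. Function names are illustrative.

# Print "<profile><TAB>temporary|long-term" for every profile that holds a
# secret access key. A profile with no aws_session_token is long-term.
audit_credentials() {
  awk '
    function report() {
      if (profile != "" && has_secret)
        printf "%s\t%s\n", profile, (has_token ? "temporary" : "long-term")
    }
    {
      line = $0
      sub(/\r$/, "", line)                        # tolerate CRLF files
      gsub(/^[ \t]+|[ \t]+$/, "", line)
      if (line == "" || line ~ /^[#;]/) next      # blank line or comment
      if (line ~ /^\[.*\]$/) {                    # [profile] header
        report()
        profile = substr(line, 2, length(line) - 2)
        has_secret = 0; has_token = 0
        next
      }
      eq = index(line, "=")
      if (eq == 0) next
      key = tolower(substr(line, 1, eq - 1)); gsub(/[ \t]/, "", key)
      val = substr(line, eq + 1);             gsub(/[ \t]/, "", val)
      if (val == "") next                         # empty value counts as unset
      if (key == "aws_secret_access_key") has_secret = 1
      if (key == "aws_session_token")     has_token = 1
    }
    END { report() }
  ' "$1"
}

# Succeeds (exit 0) only when no profile holds long-term keys, so it can
# serve as a gate in a workstation or CI check.
no_long_term_keys() {
  audit_credentials "$1" |
    awk -F '\t' '$2 == "long-term" { bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Constructed sample file; the key values are documentation placeholders.
write_sample_credentials() {
  cat > "$1" <<'EOF'
# constructed sample
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = EXAMPLESESSIONTOKEN

[ci-deploy]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[rotated-out]
aws_access_key_id =
aws_secret_access_key =
EOF
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_credentials "$sample"
audit_credentials "$sample"
no_long_term_keys "$sample" || echo "long-term keys present" >&2
rm -f "$sample"
```

To audit a real workstation, call `audit_credentials ~/.aws/credentials`; only profile names and classifications are printed.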
### IAM users and groups

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An [*IAM group*](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource.
AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

### Resource-based policies

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource.
You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### Access control lists (ACLs)

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*.

### Other policy types

AWS supports additional policy types that can set the maximum permissions granted by more common policy types:

- **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
- **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
- **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
- **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

## How AWS services work with IAM

To get a high-level view of how AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

To learn how to use a specific AWS service with IAM, see the security section of the relevant service's User Guide.

## Troubleshooting AWS identity and access

Use the following information to help you diagnose and fix common issues that you might encounter when working with AWS and IAM.

###### Topics

- [I am not authorized to perform an action in AWS](#security_iam_troubleshoot-no-permissions)
- [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
- [I want to allow people outside of my AWS account to access my AWS resources](#security_iam_troubleshoot-cross-account-access)

### I am not authorized to perform an action in AWS

If you receive an error that you're not authorized to perform an action, your policies must be updated to allow you to perform the action.

The following example error occurs when the `mateojackson` IAM user tries to use the console to view details about a fictional `my-example-widget` resource but doesn't have the fictional `awes:GetWidget` permissions.
```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: awes:GetWidget on resource: my-example-widget
```

In this case, the policy for the `mateojackson` user must be updated to allow access to the `my-example-widget` resource by using the `awes:GetWidget` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

### I am not authorized to perform iam:PassRole

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to AWS.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in AWS. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

### I want to allow people outside of my AWS account to access my AWS resources

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:

- To learn whether AWS supports these features, see [How AWS services work with IAM](#security_iam_service-with-iam).
- To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
- To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
- To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
- To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

---

# Security

> Configure the AWS CLI to meet your security and compliance objectives, and learn how to use the AWS CLI to securely access your AWS resources.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/security.html

---

# Security in the AWS CLI

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you.
The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:

- **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Command Line Interface, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
- **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using the AWS Command Line Interface (AWS CLI). The following topics show you how to configure the AWS CLI to meet your security and compliance objectives. You also learn how to use the AWS CLI to help you to monitor and secure your AWS resources.

###### Topics

- [Data protection in the AWS CLI](./data-protection.html)
- [Identity and Access Management](./security-iam.html)
- [Compliance Validation for this AWS Product or Service](./compliance-validation.html)
- [Resilience for this AWS Product or Service](./disaster-recovery-resiliency.html)
- [Infrastructure Security for this AWS Product or Service](./infrastructure-security.html)
- [Enforcing a minimum version of TLS for the AWS CLI](./cli-security-enforcing-tls.html)

---

# Uninstall

> Learn how to uninstall and remove the AWS Command Line Interface version 2 from your system.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/uninstall.html

---

# Uninstalling the AWS CLI version 2

This topic describes how to uninstall the AWS Command Line Interface version 2 (AWS CLI version 2).

AWS CLI version 2 uninstallation instructions:

**Linux**

To uninstall, follow the same method you used to install the AWS CLI.

To uninstall the AWS CLI version 2, run the following commands, substituting the paths you used to install. The example commands use the default installation paths.

- Find the folder that contains the symlinks to the main program and the completer.

  ```
  $ which aws
  /usr/local/bin/aws
  ```

- Using that information, run the following command to find the installation folder that the symlinks point to.

  ```
  $ ls -l /usr/local/bin/aws
  lrwxrwxrwx 1 ec2-user ec2-user 49 Oct 22 09:49 /usr/local/bin/aws -> /usr/local/aws-cli/aws
  ```

- Delete the two symlinks in the first folder. If your user already has write permission to these folders, you don't need to use `sudo`.

  ```
  $ sudo rm /usr/local/bin/aws
  $ sudo rm /usr/local/bin/aws_completer
  ```

- Delete the main installation folder. Use `sudo` to gain write access to the `/usr/local` folder.

  ```
  $ sudo rm -rf /usr/local/aws-cli
  ```

- **(Optional)** Remove the shared AWS SDK and AWS CLI settings information in the `.aws` folder.

  ###### Warning

  These configuration and credentials settings are shared across all AWS SDKs and the AWS CLI. If you remove this folder, they cannot be accessed by any AWS SDKs that are still on your system.

  The default location of the `.aws` folder differs between platforms; by default, the folder is located in `~/.aws/`. If your user has write permission to this directory, you don't need to use `sudo`.
  ```
  $ sudo rm -rf ~/.aws/
  ```

**Windows**

- Open **Programs and Features** by doing one of the following:
  - Open the **Control Panel**, and then choose **Programs and Features**.
  - Open a command prompt, and then enter the following command.

    ```
    C:\> appwiz.cpl
    ```

- Select the entry named **AWS Command Line Interface**, and then choose **Uninstall** to launch the uninstaller.
- Confirm that you want to uninstall the AWS CLI.
- **(Optional)** Remove the shared AWS SDK and AWS CLI settings information in the `.aws` folder.

  ###### Warning

  These configuration and credentials settings are shared across all AWS SDKs and the AWS CLI. If you remove this folder, they cannot be accessed by any AWS SDKs that are still on your system.

  The default location of the `.aws` folder differs between platforms; by default, the folder is located in `%UserProfile%\.aws`.

  ```
  C:\> rmdir %UserProfile%\.aws
  ```

## Troubleshooting AWS CLI install and uninstall errors

If you come across issues after installing or uninstalling the AWS CLI, see [Troubleshooting errors for the AWS CLI](./cli-chap-troubleshooting.html) for troubleshooting steps. For the most relevant troubleshooting steps, see [Command not found errors](./cli-chap-troubleshooting.html#tshoot-install-not-found), [The "aws --version" command returns a different version than you installed](./cli-chap-troubleshooting.html#tshoot-install-wrong-version), and [The "aws --version" command returns a version after uninstalling the AWS CLI](./cli-chap-troubleshooting.html#tshoot-uninstall-1).

---

# About the examples

> The AWS CLI examples in this guide are formatted in a specific way.
**Source:** https://docs.aws.amazon.com/cli/latest/userguide/welcome-examples.html

---

# About the examples in the AWS CLI User Guide

The AWS Command Line Interface (AWS CLI) examples in this guide are formatted using the following conventions:

- **Prompt** – The command prompt uses the Linux prompt and is displayed as (`$ `). For commands that are Windows specific, `C:\>` is used as the prompt. Do not include the prompt when you type commands.
- **Directory** – When commands must be executed from a specific directory, the directory name is shown before the prompt symbol.
- **User input** – Command text that you enter at the command line is formatted as `user input`.
- **Replaceable text** – Variable text, including names of resources that you choose, or IDs generated by AWS services that you must include in commands, is formatted as `replaceable text`. In multiple-line commands or commands where specific keyboard input is required, keyboard commands can also be shown as replaceable text.
- **Output** – Output returned by AWS services is shown under user input, and is formatted as `computer output`.

The following `aws configure` command example demonstrates user input, replaceable text, and output:

- Enter `aws configure` at the command line, and then press **Enter**.
- The AWS CLI outputs lines of text, prompting you to enter additional information.
- Enter each of your access keys in turn, and then press **Enter**.
- Then, enter an AWS Region name in the format shown, press **Enter**, and then press **Enter** a final time to skip the output format setting.
- The final **Enter** command is shown as replaceable text because there is no user input for that line.

```
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: ENTER
```

The following example shows a simple command with output.
To use this example, enter the full text of the command (the highlighted text after the prompt), and then press **Enter**. You can replace the security group name, `my-sg`, with your desired security group name. The JSON document, including the curly braces, is output. If you configure your CLI to output in text or table format, the output will be formatted differently. [JSON](https://json.org) is the default output format.

```
$ aws ec2 create-security-group --group-name my-sg --description "My security group"
{
    "GroupId": "sg-903004f8"
}
```

---

# Additional documentation and resources

> Additional documentation and resources for the AWS CLI.

**Source:** https://docs.aws.amazon.com/cli/latest/userguide/welcome-resources.html

---

# Additional documentation and resources for the AWS CLI

## AWS CLI documentation and resources

In addition to this user guide, the following are valuable online resources when you use the AWS CLI.

- [AWS CLI version 2 reference guide](https://docs.aws.amazon.com/cli/latest/reference/index.html)
- [AWS CLI Bash scripting code examples repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli). Open source bash scripting examples. Bash scripting examples are hosted in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples) on *GitHub*.
- [AWS CLI GitHub repository](https://github.com/aws/aws-cli). You can view and fork the source code for the AWS CLI on *GitHub*. Join the community of users on *GitHub* to provide feedback, request features, and submit your own contributions. This includes viewing and providing command examples for the AWS CLI documentation.
- [AWS CLI alias examples repository](https://github.com/awslabs/awscli-aliases). You can view and fork AWS CLI alias examples on *GitHub*.
- [AWS CLI version 2 Changelog](https://github.com/aws/aws-cli/blob/v2/CHANGELOG.rst?plain=1)

## Other AWS SDKs and tools

Depending on your use case, you might want to choose one of the AWS SDKs or tools to better fit your needs:

- [AWS SDKs and Tools Reference Guide](https://docs.aws.amazon.com/sdkref/latest/guide/)
- [AWS SDK for C++](https://docs.aws.amazon.com/sdk-for-cpp)
- [AWS SDK for Go](https://docs.aws.amazon.com/sdk-for-go/api/)
- [AWS SDK for Java](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/)
- [AWS SDK for JavaScript](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/)
- [AWS SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin)
- [AWS SDK for .NET](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/)
- [AWS SDK for Python (Boto)](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html)
- [AWS SDK for PHP](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/)
- [AWS Tools for PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/)
- [AWS SDK for Ruby](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/)
- [AWS SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust)
- [AWS SDK for SAP ABAP](https://docs.aws.amazon.com/sdk-for-sapabap)
- [AWS SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift)
- [AWS Amplify](https://docs.amplify.aws/swift/)
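Returning to the Linux uninstall steps in *Uninstalling the AWS CLI version 2* above: the following added example (not part of the AWS documentation) resolves the `aws` symlink, confirms that it leads into a directory named `aws-cli`, and prints the removal commands for review instead of running them. The function names, the `aws-cli` directory-name check, and the constructed sample tree are assumptions of this example.

```bash
#!/bin/sh
# Added example: plan the uninstall steps with guard rails before any
# `rm -rf` is typed. Function names are illustrative, not AWS CLI features.

# Resolve <bin_dir>/aws and print the enclosing directory named "aws-cli".
# Refuses a regular file or a symlink that resolves anywhere else, so a
# mistaken path never becomes the argument of `rm -rf`.
find_install_dir() {
  local bin_dir="$1" target dir
  if [ ! -L "$bin_dir/aws" ]; then
    echo "refusing: $bin_dir/aws is not a symlink" >&2
    return 1
  fi
  target=$(readlink -f "$bin_dir/aws") || return 1
  dir=$(dirname "$target")
  while [ "$dir" != "/" ]; do
    if [ "$(basename "$dir")" = "aws-cli" ]; then
      printf '%s\n' "$dir"
      return 0
    fi
    dir=$(dirname "$dir")
  done
  echo "refusing: $target is not inside an aws-cli directory" >&2
  return 1
}

# Print the removal commands in the order the procedure gives them.
# Nothing is deleted; a symlink pointing outside the install is skipped.
plan_uninstall() {
  local bin_dir="$1" install_dir name resolved
  install_dir=$(find_install_dir "$bin_dir") || return 1
  for name in aws aws_completer; do
    [ -L "$bin_dir/$name" ] || continue
    resolved=$(readlink -f "$bin_dir/$name")
    case "$resolved" in
      "$install_dir"/*) printf "rm -- '%s'\n" "$bin_dir/$name" ;;
      *) echo "skipping $bin_dir/$name: points outside $install_dir" >&2 ;;
    esac
  done
  printf "rm -rf -- '%s'\n" "$install_dir"
}

# Constructed sample tree in a temp directory. The nesting below aws-cli is
# an assumption of this sample, not a layout taken from the page.
make_sample_tree() {
  local root
  root=$(mktemp -d) || return 1
  root=$(readlink -f "$root")
  mkdir -p "$root/bin" "$root/aws-cli/nested/bin" "$root/elsewhere"
  : > "$root/aws-cli/nested/bin/aws"
  : > "$root/aws-cli/nested/bin/aws_completer"
  : > "$root/elsewhere/aws"
  ln -s "$root/aws-cli/nested/bin/aws" "$root/bin/aws"
  ln -s "$root/aws-cli/nested/bin/aws_completer" "$root/bin/aws_completer"
  printf '%s\n' "$root"
}

# Demo: only the temp directory created above is touched.
demo_root=$(make_sample_tree)
plan_uninstall "$demo_root/bin"
rm -rf "$demo_root"
```

Against a real installation, run `plan_uninstall "$(dirname "$(command -v aws)")"`, review the printed commands, and prefix them with `sudo` only if your user lacks write permission to those folders.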