Notes to Self

Alex Sokolsky's Notes on Computers and Programming

AWS CLI Client

Install

Following the AWS install instructions:

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

Enable auto-completion - I added these lines to my .zshrc:

autoload bashcompinit && bashcompinit
autoload -Uz compinit && compinit
complete -C '/usr/local/bin/aws_completer' aws

Use

Verify the version:

$ aws --version
aws-cli/2.4.29 Python/3.8.8 Linux/5.13.0-37-generic exe/x86_64.linuxmint.20 prompt/off

or on Windows:

PS C:\Users\asoko> aws --version
aws-cli/2.5.2 Python/3.9.11 Windows/10 exe/AMD64 prompt/off

Configure, e.g. for local use:

PS C:\Users\asoko> aws configure
AWS Access Key ID [None]: keyid
AWS Secret Access Key [None]: accesskey
Default region name [None]: us-west-1
Default output format [None]:

Pagination

It helps me to disable pagination; I put this in ~/.aws/credentials (AWS documents cli_pager as a ~/.aws/config setting, and it works there as well):

[default]
cli_pager=

Environment Variables

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

Controlling command output

(awscliv2) $ aws ec2 describe-volumes --profile dev --output table \
    --no-cli-pager \
    --query 'sort_by(Volumes, &VolumeId)[].{VolumeId: VolumeId, VolumeType: VolumeType, InstanceId: Attachments[0].InstanceId, State: Attachments[0].State}'
----------------------------------------------------------------------------
|                              DescribeVolumes                             |
+----------------------+-----------+-------------------------+-------------+
|      InstanceId      |   State   |        VolumeId         | VolumeType  |
+----------------------+-----------+-------------------------+-------------+
|  i-06253db1de27a1472 |  attached |  vol-0034927f6d89a987c  |  gp3        |
|  i-0c9e0188fe0105ed6 |  attached |  vol-0ad69e58bb689838e  |  gp2        |
|  i-081d9511ae174ebb2 |  attached |  vol-0cf1ecc29edae56d4  |  gp3        |
|  i-0c9e1235fe0666ed6 |  attached |  vol-0fbe38a5b1656f575  |  gp3        |
+----------------------+-----------+-------------------------+-------------+

More

Key-pair Create/Delete

Begin with:

export AWS_PROFILE=default

Create the key-pair:

aws ec2 create-key-pair --key-name _name_ --key-type ed25519 \
    --query "KeyMaterial" --output text > _name_.pem

then:

chmod 400 _name_.pem

To create a .pub public key from .pem:

ssh-keygen -y -f _name_.pem > _name_.pub
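The create / chmod / ssh-keygen sequence above, as an added shell example that is not from these notes. It assumes AWS_PROFILE is set as at the start of this section; the function names save_private_key and create_key_pair are mine. The point it adds is the ordering: redirecting the key material into _name_.pem and running chmod 400 afterwards leaves a moment in which the file has the shell's default mode (usually 0644, readable by other local users), whereas creating it under umask 077 makes it 0600 from the start.

```shell
#!/bin/sh
# Added example (not from the original notes): write an EC2 private key with
# restrictive permissions from the moment the file exists, refuse to overwrite
# an existing key, and derive the .pub the same way the notes do.

# save_private_key PATH   (key material on stdin)
# Creates PATH under umask 077 (mode 0600, never readable by others), then
# locks it to 0400. Returns 1 without touching anything if PATH exists.
save_private_key() {
    out="$1"
    if [ -e "$out" ]; then
        echo "save_private_key: $out exists, refusing to overwrite" >&2
        return 1
    fi
    ( umask 077 && cat > "$out" ) && chmod 400 "$out"
}

# create_key_pair NAME
# Wraps the notes' create-key-pair / chmod / ssh-keygen steps; uses
# AWS_PROFILE (and AWS_REGION if set) from the environment.
create_key_pair() {
    name="$1"
    # capture first so a failed API call cannot leave an empty .pem behind
    material=$(aws ec2 create-key-pair --key-name "$name" --key-type ed25519 \
                   --query KeyMaterial --output text) || return 1
    printf '%s\n' "$material" | save_private_key "$name.pem" || return 1
    ssh-keygen -y -f "$name.pem" > "$name.pub"
}

# usage (needs AWS credentials, so not run here):
#   create_key_pair my-key && ls -l my-key.pem my-key.pub
```

save_private_key is deliberately separate from the AWS call so the permission handling can be exercised locally with any input on stdin.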

Delete the key-pair:

aws ec2 delete-key-pair --key-name _name_

S3

aws s3 ls

EC2

Instances

describe-instances

aws ec2 describe-instances --instance-ids _id_

A more practical approach:

  1. Define a shell function:

#
# add this to your .zshprofile
#
function refresh_ec2_instances()
{
    # refresh credentials first
    okta-aws default sts get-caller-identity > /dev/null
    # keep the whole --query expression inside one pair of single quotes:
    # a backslash-newline inside single quotes reaches JMESPath literally
    aws ec2 describe-instances --region=us-east-1 \
        --query 'Reservations[*].Instances[*].{Id:InstanceId,Name:Tags[?Key==`Name`]|[0].Value,Image:ImageId,Type:InstanceType,VPC:VpcId,AZ:Placement.AvailabilityZone,Subnet:SubnetId,PriIP:PrivateIpAddress,PubIP:PublicIpAddress,IAM:IamInstanceProfile.Arn,Launched:LaunchTime,State:State.Name}' \
        --output table | sed -e 's/arn:.*\///' > "$HOME/.ec2instances.txt"   # drop the ARN prefix from the IAM column
    echo "$HOME/.ec2instances.txt updated"
}

  2. Call this function at the shell prompt to update ~/.ec2instances.txt.

  3. Search ~/.ec2instances.txt for IPs (the table columns are sorted by key, so column 8 is PriIP):

# find IPs of instances of interest:
grep _name_ ~/.ec2instances.txt | awk -F\| '{print $8}' | sed 'H;1h;$!d;x;y/\n/,/' | sed 's/ //g'

To execute a command on multiple instances (e.g. sudo docker ps -a) with pdsh:

pdsh -w $(grep _name_ ~/.ec2instances.txt | awk -F\| '{print $8}' | sed 'H;1h;$!d;x;y/\n/,/' | sed -e 's/ //g') 'sudo docker ps -a '
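The grep/awk/sed pipeline above, as an added shell example that is not from these notes: it picks the private IPs of instances whose Name matches a pattern out of the table that refresh_ec2_instances writes, but finds the Name and PriIP columns by their header text instead of hard-coding field 8, so adding a key to the --query (which shifts the alphabetically ordered columns) does not silently return the wrong column. The table embedded below is a constructed sample in the AWS CLI table layout; the function name ec2_private_ips is mine.

```shell
#!/bin/sh
# Added example (not from the original notes): header-driven extraction of
# private IPs from an `aws ec2 describe-instances --output table` dump.

# Constructed sample in the layout the AWS CLI writes (ids and addresses made up).
SAMPLE_TABLE='-----------------------------------------------------------------------------
|                             DescribeInstances                             |
+-------------+-------------------------+--------------+--------------+----------+
|     AZ      |           Id            |     Name     |    PriIP     |  State   |
+-------------+-------------------------+--------------+--------------+----------+
|  us-east-1a |  i-00000000000000aaa    |  web-prod-1  |  10.0.1.10   |  running |
|  us-east-1b |  i-00000000000000bbb    |  web-prod-2  |  10.0.2.11   |  running |
|  us-east-1a |  i-00000000000000ccc    |  db-prod-1   |  10.0.3.12   |  running |
+-------------+-------------------------+--------------+--------------+----------+'

# ec2_private_ips PATTERN FILE
# Prints the PriIP of every row whose Name matches PATTERN (an awk regex),
# comma-separated, ready for `pdsh -w`. Prints nothing when no row matches.
ec2_private_ips() {
    awk -F'|' -v pat="$1" '
        # the first |-delimited row carrying both headers is the header row
        !hdr && /^\|/ {
            for (i = 1; i <= NF; i++) {
                h = $i; gsub(/ /, "", h)
                if (h == "Name")  namecol = i
                if (h == "PriIP") ipcol = i
            }
            if (namecol && ipcol) hdr = 1
            next
        }
        # data rows: compare the trimmed Name, collect the trimmed PriIP
        hdr && /^\|/ {
            n = $namecol; gsub(/ /, "", n)
            if (n ~ pat) {
                ip = $ipcol; gsub(/ /, "", ip)
                out = out (out == "" ? "" : ",") ip
            }
        }
        END { if (out != "") print out }
    ' "$2"
}

# demo on the constructed table
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_TABLE" > "$tmp"
ec2_private_ips 'web-prod' "$tmp"    # prints 10.0.1.10,10.0.2.11
rm -f "$tmp"
# real use, against the file refresh_ec2_instances maintains:
#   pdsh -w "$(ec2_private_ips web-prod ~/.ec2instances.txt)" 'sudo docker ps -a'
```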

terminate-instances

TBD

Find the instance by an IP:

aws ec2 describe-instances --filter Name=private-ip-address,Values=$ip

Find the instance by name:

aws ec2 describe-instances --filter Name=tag:Name,Values=$name

Auto Scaling Group

Special case for instance termination when the instance belongs to an ASG: use terminate-instance-in-auto-scaling-group, and say whether the group's desired capacity should be decremented (--should-decrement-desired-capacity, or --no-should-decrement-desired-capacity to have the ASG replace the instance).

aws autoscaling terminate-instance-in-auto-scaling-group --instance-id _id_ --should-decrement-desired-capacity

Transit Gateways

describe-transit-gateways

aws ec2 describe-transit-gateways

and then delete-transit-gateway:

aws ec2 delete-transit-gateway --transit-gateway-id <value>

Route Tables vs Transit Gateway Route Tables

Note that describe-route-tables and describe-transit-gateway-route-tables operate on different types of objects!

aws ec2 describe-route-tables
aws ec2 describe-transit-gateway-route-tables --transit-gateway-route-table-ids _id_

Transit Gateway Attachment, VPC vs Peering

describe-transit-gateway-attachments

aws ec2 describe-transit-gateway-attachments

and then delete-transit-gateway-vpc-attachment:

aws ec2 delete-transit-gateway-vpc-attachment --transit-gateway-attachment-id _id_

To locate attachments to a TGW by id:

aws ec2 describe-transit-gateway-attachments --filters Name=transit-gateway-id,Values=_id_

VPCs

describe-vpcs

aws ec2 describe-vpcs

then delete-vpc, but only after you have deleted all the gateways and resources associated with the VPC:

aws ec2 delete-vpc --vpc-id _id_

To find the VPC's dependencies, see vpc-describe.sh:

#!/bin/bash
#
# vpc-describe.sh
#
vpc="_id_"
region="us-east-1"
profile="default"
#aws --profile $profile ec2 describe-vpc-peering-connections --region $region --filters 'Name=requester-vpc-info.vpc-id,Values='$vpc | grep VpcPeeringConnectionId
aws --profile $profile ec2 describe-vpc-peering-connections --region $region --filters 'Name=requester-vpc-info.vpc-id,Values='$vpc
#aws --profile $profile ec2 describe-nat-gateways --region $region --filter 'Name=vpc-id,Values='$vpc | grep NatGatewayId
aws --profile $profile ec2 describe-nat-gateways --region $region --filter 'Name=vpc-id,Values='$vpc
#aws --profile $profile ec2 describe-instances --region $region --filters 'Name=vpc-id,Values='$vpc | grep InstanceId
aws --profile $profile ec2 describe-instances --region $region --filters 'Name=vpc-id,Values='$vpc
#aws --profile $profile ec2 describe-vpn-gateways --region $region --filters 'Name=attachment.vpc-id,Values='$vpc | grep VpnGatewayId
aws --profile $profile ec2 describe-vpn-gateways --region $region --filters 'Name=attachment.vpc-id,Values='$vpc
#aws --profile $profile ec2 describe-network-interfaces --region $region --filters 'Name=vpc-id,Values='$vpc | grep NetworkInterfaceId
aws --profile $profile ec2 describe-network-interfaces --region $region --filters 'Name=vpc-id,Values='$vpc
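An added shell example, not from these notes, that turns vpc-describe.sh into a gate for delete-vpc: each describe call is reduced to a count with the JMESPath length() function, the counts are printed, and the function fails when anything is still attached, so a clean-up script stops before delete-vpc rather than failing half way through. It goes slightly beyond the script above by also checking the accepter side of peering connections. The filter names and response keys are the documented EC2 ones; the vpc id in the usage line is a placeholder and the function name count_vpc_resources is mine.

```shell
#!/bin/sh
# Added example (not from the original notes): count what is still attached
# to a VPC and refuse to proceed while the total is non-zero.

# count_vpc_resources VPC_ID REGION PROFILE
# Prints one "label count" line per resource type plus a "total" line.
# Returns 0 only when the total is zero, 1 when something remains,
# 2 when a describe call itself fails.
count_vpc_resources() {
    vpc="$1"; region="$2"; profile="$3"; total=0
    # label | subcommand | filter option | filter name | JMESPath path to count
    # (describe-nat-gateways really does spell its option --filter)
    while IFS='|' read -r label cmd opt filter path; do
        n=$(aws --profile "$profile" --region "$region" ec2 "$cmd" \
                "$opt" "Name=$filter,Values=$vpc" \
                --query "length($path)" --output text) || return 2
        printf '%-22s %s\n' "$label" "$n"
        total=$((total + n))
    done <<'EOF'
peering-requester|describe-vpc-peering-connections|--filters|requester-vpc-info.vpc-id|VpcPeeringConnections
peering-accepter|describe-vpc-peering-connections|--filters|accepter-vpc-info.vpc-id|VpcPeeringConnections
nat-gateways|describe-nat-gateways|--filter|vpc-id|NatGateways
instances|describe-instances|--filters|vpc-id|Reservations[].Instances[]
vpn-gateways|describe-vpn-gateways|--filters|attachment.vpc-id|VpnGateways
network-interfaces|describe-network-interfaces|--filters|vpc-id|NetworkInterfaces
EOF
    printf '%-22s %s\n' total "$total"
    [ "$total" -eq 0 ]
}

# usage (needs AWS credentials, so not run here; vpc-PLACEHOLDER stands for a real id):
#   count_vpc_resources vpc-PLACEHOLDER us-east-1 default \
#       && aws ec2 delete-vpc --vpc-id vpc-PLACEHOLDER
```

Network interfaces are the most useful line: almost every other dependency (NAT gateways, endpoints, load balancers, Lambda functions in the VPC) shows up there as well, so a non-zero ENI count usually explains a DependencyViolation even when the other counts are zero.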

Subnets

describe-subnets

aws ec2 describe-subnets

then delete-subnet

aws ec2 delete-subnet --subnet-id _id_

Resource Access Manager (RAM)

Commands

List resources:

aws ram list-resources --resource-owner SELF
aws ram list-resources --resource-owner OTHER-ACCOUNTS

Delete resource share:

aws ram delete-resource-share --resource-share-arn _arn_

Route53

Commands

list-hosted-zones

aws route53 list-hosted-zones

delete-hosted-zone

aws route53 delete-hosted-zone --id /hostedzone/_id_

Secrets Manager

cli-aws-secretsmanager

Start with create-secret:

aws secretsmanager create-secret \
    --name pass-secret \
    --description "Secrets for pass-secret repo" \
    --secret-string file:///home/alex/Projects/pass-secret/app/secrets.json

You can then issue describe-secret:

aws secretsmanager describe-secret --secret-id pass-secret

And then get-secret-value:

aws secretsmanager get-secret-value --secret-id pass-secret

or, better yet, extract just the secret string:

aws secretsmanager get-secret-value --secret-id pass-secret | jq ".SecretString"