Claude Code Plugins

Community-maintained marketplace


SKILL.md

name: mastering-aws-cli
description: AWS CLI v2 quick-reference for experienced developers. Covers compute (Lambda, ECS, EKS), storage (S3, DynamoDB, Aurora), networking (VPC, SSM tunneling), security (IAM, Secrets Manager), and GitHub Actions CI/CD. Use when asked to "write aws commands", "debug aws access", "set up cross-account roles", "configure aws cli", "assume role", "S3 bucket operations", or "deploy to ECS".
triggers: aws cli, aws command line, aws commands, ec2, s3, lambda, iam, eks, ecs, ecr, dynamodb, rds, aurora, glue, msk, kinesis, ssm, secrets manager, parameter store, vpc, cloudwatch, sts, assume role, aws configure, aws sso, github actions aws, oidc aws, bastion, ssm tunnel, kubectl eks
category: cloud-infrastructure
license: MIT
allowed-tools: Read, Bash, WebFetch

AWS CLI v2 Quick Reference

A unified tool to manage AWS services from the terminal. This guide focuses on CLI v2 features, practical examples, and advanced patterns for experienced developers.

Quick Start

# Verify installation and version
aws --version

# Interactive configuration
aws configure                    # Access keys + region + output format
aws configure sso               # IAM Identity Center (SSO) - recommended

# Verify identity
aws sts get-caller-identity     # Shows Account, UserId, ARN

# Enable auto-prompt for command discovery
aws dynamodb --cli-auto-prompt

Power User Tips

# See all waiter commands for a service
aws ec2 wait help

# Generate command skeleton (fill in the blanks)
aws lambda create-function --generate-cli-skeleton > create-fn.json

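# Create CLI alias for common commands (aliases live in ~/.aws/cli/alias,
# under [toplevel]; this overwrites an existing alias file)
mkdir -p ~/.aws/cli
printf '[toplevel]\nwhoami = sts get-caller-identity\n' > ~/.aws/cli/alias
aws whoami  # Now works!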

# Disable pager for scripting
export AWS_PAGER=""

See Advanced Patterns for JMESPath mastery and automation tricks.

Global Options

Flag               Description
--profile NAME     Use named profile from ~/.aws/credentials
--region REGION    Override default region (e.g., us-east-1)
--output FORMAT    Output: json (default), text, table, yaml, yaml-stream
--query EXPR       Filter output using JMESPath expressions
--no-paginate      Disable auto-pagination (first page only)
--dry-run          Check permissions without executing (service-specific: EC2, etc.)
--debug            Verbose HTTP/API debug logging
--cli-auto-prompt  Interactive parameter completion
--no-cli-pager     Disable output paging

Decision Trees

Compute & Containers

Need compute?
├── Serverless functions ────────────► Lambda (references/lambda.md)
├── Docker containers
│   ├── Managed orchestration ───────► ECS (references/ecs.md)
│   ├── Kubernetes ──────────────────► EKS (references/eks.md)
│   └── Container registry ──────────► ECR (references/ecr.md)
└── Virtual machines ────────────────► EC2 (use aws ec2 commands)

Data & Storage

Need data storage?
├── Object/blob storage ─────────────► S3 (references/s3.md)
├── NoSQL (key-value/document) ──────► DynamoDB (references/dynamodb.md)
├── Relational SQL ──────────────────► Aurora/RDS (references/aurora.md)
├── Data catalog & ETL ──────────────► Glue (references/glue.md)
└── Data warehouse ──────────────────► Redshift (aws redshift commands)

Streaming & Messaging

Need streaming/messaging?
├── Kafka-compatible ────────────────► MSK (references/msk.md)
├── Real-time streams ───────────────► Kinesis (references/kinesis.md)
├── Message queues ──────────────────► SQS (aws sqs commands)
└── Pub/Sub notifications ───────────► SNS (aws sns commands)

Security & Access

Need security/access management?
├── Users, roles, policies ──────────► IAM (references/iam-security.md)
├── Secrets & credentials ───────────► Secrets Manager/SSM (references/private-parameters.md)
├── Private network access ──────────► VPC (references/vpc-networking.md)
└── Secure tunneling ────────────────► SSM/Bastion (references/bastion-tunneling.md)

Reference File Navigation

Reference            Description                                   Key Triggers
Setup                Installation, configuration, profiles, SSO    install, configure, sso, profile
IAM & Security       Roles, policies, STS, MFA, cross-account      iam, role, policy, sts, assume-role
Lambda               Functions, layers, aliases, URLs, events      lambda, serverless, function
ECS                  Clusters, tasks, services, Fargate            ecs, fargate, task, container
EKS                  Clusters, node groups, kubeconfig, IRSA       eks, kubernetes, kubectl, k8s
ECR                  Repositories, auth, scanning, lifecycle       ecr, docker, registry, image
S3                   Buckets, objects, sync, presign, lifecycle    s3, bucket, upload, sync
DynamoDB             Tables, items, queries, streams, backups      dynamodb, ddb, nosql
Aurora/RDS           Clusters, serverless v2, cloning, blue-green  rds, aurora, mysql, postgresql
Glue                 Catalog, crawlers, ETL jobs, workflows        glue, etl, catalog, crawler
MSK                  Kafka clusters, serverless, configuration     msk, kafka, streaming
Kinesis              Data streams, Firehose, consumers             kinesis, stream, firehose
Secrets & Params     Parameter Store, Secrets Manager, rotation    ssm, secrets, parameter, rotation
VPC & Networking     VPCs, subnets, security groups, endpoints     vpc, subnet, security-group, endpoint
Bastion & Tunneling  SSM Session Manager, port forwarding          bastion, tunnel, ssm, ssh
GitHub CI/CD         OIDC, GitHub Actions, CodeBuild               github, actions, oidc, cicd
Advanced Patterns    JMESPath, waiters, skeletons, aliases         jmespath, query, waiter, alias

Environment Variables

Variable                     Purpose                                Example
AWS_ACCESS_KEY_ID            Access key for authentication          AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY        Secret key for authentication          wJalrXUtnFEMI/...
AWS_SESSION_TOKEN            Session token (temporary credentials)  For STS assume-role
AWS_PROFILE                  Named profile to use                   production
AWS_REGION                   AWS region for requests                us-west-2
AWS_DEFAULT_OUTPUT           Default output format                  json, text, table
AWS_PAGER                    Pager program (empty to disable)       ""
AWS_CONFIG_FILE              Custom config file path                ~/.aws/config
AWS_SHARED_CREDENTIALS_FILE  Custom credentials file path           ~/.aws/credentials
AWS_CA_BUNDLE                Custom CA certificate bundle           /path/to/cert.pem
AWS_RETRY_MODE               Retry mode                             standard, adaptive

Credential Precedence

The CLI resolves credentials in this order (first match wins):

  1. Command-line options (--profile, explicit credentials)
  2. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  3. Web identity token (EKS IRSA, OIDC)
  4. SSO credentials (IAM Identity Center)
  5. Credentials file (~/.aws/credentials)
  6. Config file (~/.aws/config with credential_process)
  7. Container credentials (ECS task role)
  8. Instance metadata (EC2 instance profile, IMDSv2)
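
An added example, not part of the original skill: a shell function that walks the list above against the current environment and profile files and prints the first source that matches, which makes stale exported keys shadowing AWS_PROFILE easy to spot. It is a simplified model rather than the CLI's own resolver; the names ini_has, aws_cred_source and demo are hypothetical, and the demo files and key values are constructed.

```shell
# Added example: simplified model of the list above, not the CLI's resolver.
# ini_has FILE SECTION KEY: succeed if KEY is assigned inside [SECTION] of FILE.
ini_has() {
    [ -f "$1" ] || return 1
    awk -v want="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == want) }
        in_sec && $0 ~ "^[ \t]*" key "[ \t]*=" { found = 1 }
        END { exit !found }' "$1"
}

# aws_cred_source [PROFILE]: print the first source that matches, in the order
# of the list above. PROFILE stands for an explicit --profile on the command line.
aws_cred_source() {
    cli_profile="${1:-}"
    profile="${cli_profile:-${AWS_PROFILE:-default}}"
    creds="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
    config="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
    if [ "$profile" = default ]; then sec=default; else sec="profile $profile"; fi
    # 1-2: exported keys win unless --profile was given; AWS_PROFILE does not count.
    if [ -z "$cli_profile" ] && [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo "environment"
    elif [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] && [ -n "${AWS_ROLE_ARN:-}" ]; then
        echo "web-identity"                      # 3
    elif ini_has "$config" "$sec" sso_start_url || ini_has "$config" "$sec" sso_session; then
        echo "sso:$profile"                      # 4
    elif ini_has "$creds" "$profile" aws_access_key_id; then
        echo "credentials-file:$profile"         # 5
    elif ini_has "$config" "$sec" credential_process; then
        echo "credential-process:$profile"       # 6
    elif [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]; then
        echo "container"                         # 7
    else
        echo "instance-metadata"                 # 8: nothing local matched
    fi
}

# Constructed demo (fake values): stale exported keys shadow AWS_PROFILE=prod.
demo() {
    d=$(mktemp -d)
    printf '[profile prod]\nsso_session = corp\n' > "$d/config"
    printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$d/credentials"
    (   unset AWS_WEB_IDENTITY_TOKEN_FILE AWS_ROLE_ARN
        export AWS_CONFIG_FILE="$d/config" AWS_SHARED_CREDENTIALS_FILE="$d/credentials"
        export AWS_PROFILE=prod AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
        echo "AWS_PROFILE only: $(aws_cred_source)"
        echo "--profile prod:   $(aws_cred_source prod)" )
    rm -rf "$d"
}
demo
```

On a real workstation, compare the result with the Type column printed by aws configure list.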

Common Patterns

Profile Switching

# Use specific profile for one command
aws s3 ls --profile production

# Set default profile for session
export AWS_PROFILE=production

# List configured profiles
aws configure list-profiles

Output Filtering with JMESPath

# Get specific fields
aws ec2 describe-instances \
    --query 'Reservations[*].Instances[*].[InstanceId,State.Name]' \
    --output table

# Filter running instances
aws ec2 describe-instances \
    --query 'Reservations[*].Instances[?State.Name==`running`].InstanceId' \
    --output text

Wait for Resource State

# Wait for instance to be running
aws ec2 wait instance-running --instance-ids i-1234567890abcdef0

# Wait for Lambda function update
aws lambda wait function-updated --function-name my-function

Best Practices

Category     Recommendation
Security     Use aws configure sso over long-lived access keys
Security     Use IAM roles for compute (EC2/Lambda/ECS) instead of embedded keys
Security     Enable MFA for sensitive operations
Scripting    Use --output json or --output text for parsing
Scripting    Use --query to filter data and reduce output
Safety       Use --dry-run before destructive operations
Performance  Use --page-size to control memory on large lists
Regions      Explicitly set region in scripts to avoid surprises
Cost         Use lifecycle policies (S3/ECR) for automatic cleanup
Debugging    Use --debug to see raw HTTP requests/responses

Common Errors Quick Reference

Error                  Cause                        Fix
ExpiredToken           Session credentials expired  Run aws sso login or aws sts get-session-token
AccessDenied           Missing IAM permissions      Check IAM policy; use --debug to see required action
InvalidClientTokenId   Invalid access key           Verify AWS_ACCESS_KEY_ID or run aws configure
UnauthorizedAccess     Wrong region or account      Check --region flag and aws sts get-caller-identity
ThrottlingException    API rate limit exceeded      Add retry logic with exponential backoff
NoCredentialProviders  No credentials found         Check credential chain; run aws configure list

For detailed troubleshooting, see Setup.

When Not to Use

  • AWS SDK code — For boto3, AWS SDK for JavaScript, etc., use programming documentation
  • CloudFormation/Terraform — This skill covers CLI commands, not IaC templates
  • Console UI steps — CLI-focused; use AWS documentation for console walkthroughs
  • Pricing/billing — Use AWS pricing calculator or Cost Explorer documentation

Quick Command Reference

# Identity & Access
aws sts get-caller-identity
# → {"Account": "123456789012", "UserId": "AIDAEXAMPLE", "Arn": "arn:aws:iam::123456789012:user/dev"}

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Admin --role-session-name mysession
# → {"Credentials": {"AccessKeyId": "ASIA...", "SecretAccessKey": "...", "SessionToken": "..."}}

# S3
aws s3 ls
# → 2024-01-15 bucket-name-1
# → 2024-02-20 bucket-name-2

aws s3 sync ./local s3://bucket/prefix --delete

# Lambda
aws lambda invoke --function-name fn response.json
# → {"StatusCode": 200, "ExecutedVersion": "$LATEST"}

aws lambda update-function-code --function-name fn --zip-file fileb://code.zip
# → {"FunctionName": "fn", "LastModified": "2024-12-28T...", "State": "Active"}

# ECS
aws ecs list-clusters
# → {"clusterArns": ["arn:aws:ecs:us-east-1:123456789012:cluster/prod"]}

aws ecs update-service --cluster prod --service api --force-new-deployment

# EKS
aws eks update-kubeconfig --name my-cluster
# → Added new context arn:aws:eks:us-east-1:123456789012:cluster/my-cluster

aws eks list-clusters
# → {"clusters": ["my-cluster", "dev-cluster"]}

# Secrets
aws secretsmanager get-secret-value --secret-id prod/api/key --query SecretString --output text
# → sk_live_xxxxxxxxxxxxx

aws ssm get-parameter --name /app/prod/db/host --with-decryption --query Parameter.Value --output text
# → db.example.com

# Debugging
aws ssm start-session --target i-0123456789abcdef0
# → Starting session with SessionId: user-0a1b2c3d4e5f67890