mastering-aws-cli
Install Command: npx skills add SpillwaveSolutions/mastering-aws-cli
Author: SpillwaveSolutions
Repository: SpillwaveSolutions/mastering-aws-cli
Discovered via: github topic
Weekly installs: 0
Quality score: 6/100
Last commit: 12/29/2025
SKILL.md
---
name: mastering-aws-cli
description: |
  AWS CLI v2 quick-reference for experienced developers. Covers compute (Lambda, ECS, EKS), storage (S3, DynamoDB, Aurora), networking (VPC, SSM tunneling), security (IAM, Secrets Manager), and GitHub Actions CI/CD. Use when asked to "write aws commands", "debug aws access", "set up cross-account roles", "configure aws cli", "assume role", "S3 bucket operations", or "deploy to ECS".
triggers:
- aws cli
- aws command line
- aws commands
- ec2
- s3
- lambda
- iam
- eks
- ecs
- ecr
- dynamodb
- rds
- aurora
- glue
- msk
- kinesis
- ssm
- secrets manager
- parameter store
- vpc
- cloudwatch
- sts
- assume role
- aws configure
- aws sso
- github actions aws
- oidc aws
- bastion
- ssm tunnel
- kubectl eks
category: cloud-infrastructure
license: MIT
allowed-tools:
- Read
- Bash
- WebFetch
metadata:
  version: 2.1.0
  author: Spillwave
---
# AWS CLI v2 Quick Reference
A unified tool to manage AWS services from the terminal. This guide focuses on CLI v2 features, practical examples, and advanced patterns for experienced developers.
## Quick Start
```bash
# Verify installation and version
aws --version
# Interactive configuration
aws configure # Access keys + region + output format
aws configure sso # IAM Identity Center (SSO) - recommended
# Verify identity
aws sts get-caller-identity # Shows Account, UserId, ARN
# Enable auto-prompt for command discovery
aws dynamodb --cli-auto-prompt
```
## Power User Tips
```bash
# See all waiter commands for a service
aws ec2 wait help
# Generate command skeleton (fill in the blanks)
aws lambda create-function --generate-cli-skeleton > create-fn.json
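# Create CLI alias for common commands (aliases are read from ~/.aws/cli/alias)
mkdir -p ~/.aws/cli
# New file only; if it already exists, add the alias line under its [toplevel] section
[ -e ~/.aws/cli/alias ] || printf '[toplevel]\nwhoami = sts get-caller-identity\n' > ~/.aws/cli/alias
aws whoami # Now works!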
# Disable pager for scripting
export AWS_PAGER=""
```
See [Advanced Patterns](references/advanced-patterns.md) for JMESPath mastery and automation tricks.
## Global Options
| Flag | Description |
|:-----|:------------|
| `--profile NAME` | Use named profile from `~/.aws/config` or `~/.aws/credentials` |
| `--region REGION` | Override default region (e.g., `us-east-1`) |
| `--output FORMAT` | Output: `json` (default), `text`, `table`, `yaml`, `yaml-stream` |
| `--query EXPR` | Filter output using JMESPath expressions |
| `--no-paginate` | Disable auto-pagination (first page only) |
| `--dry-run` | Check permissions without executing; not a global flag, only on commands that support it (EC2, etc.) |
| `--debug` | Verbose HTTP/API debug logging |
| `--cli-auto-prompt` | Interactive parameter completion |
| `--no-cli-pager` | Disable output paging |
## Decision Trees
### Compute & Containers
```
Need compute?
├── Serverless functions ───────────► Lambda (references/lambda.md)
├── Docker containers
│   ├── Managed orchestration ──────► ECS (references/ecs.md)
│   ├── Kubernetes ─────────────────► EKS (references/eks.md)
│   └── Container registry ─────────► ECR (references/ecr.md)
└── Virtual machines ───────────────► EC2 (use aws ec2 commands)
```
### Data & Storage
```
Need data storage?
├── Object/blob storage ────────────► S3 (references/s3.md)
├── NoSQL (key-value/document) ─────► DynamoDB (references/dynamodb.md)
├── Relational SQL ─────────────────► Aurora/RDS (references/aurora.md)
├── Data catalog & ETL ─────────────► Glue (references/glue.md)
└── Data warehouse ─────────────────► Redshift (aws redshift commands)
```
### Streaming & Messaging
```
Need streaming/messaging?
├── Kafka-compatible ───────────────► MSK (references/msk.md)
├── Real-time streams ──────────────► Kinesis (references/kinesis.md)
├── Message queues ─────────────────► SQS (aws sqs commands)
└── Pub/Sub notifications ──────────► SNS (aws sns commands)
```
### Security & Access
```
Need security/access management?
├── Users, roles, policies ─────────► IAM (references/iam-security.md)
├── Secrets & credentials ──────────► Secrets Manager/SSM (references/private-parameters.md)
├── Private network access ─────────► VPC (references/vpc-networking.md)
└── Secure tunneling ───────────────► SSM/Bastion (references/bastion-tunneling.md)
```
## Reference File Navigation
| Reference | Description | Key Triggers |
|:----------|:------------|:-------------|
| [Setup](references/setup.md) | Installation, configuration, profiles, SSO | `install`, `configure`, `sso`, `profile` |
| [IAM & Security](references/iam-security.md) | Roles, policies, STS, MFA, cross-account | `iam`, `role`, `policy`, `sts`, `assume-role` |
| [Lambda](references/lambda.md) | Functions, layers, aliases, URLs, events | `lambda`, `serverless`, `function` |
| [ECS](references/ecs.md) | Clusters, tasks, services, Fargate | `ecs`, `fargate`, `task`, `container` |
| [EKS](references/eks.md) | Clusters, node groups, kubeconfig, IRSA | `eks`, `kubernetes`, `kubectl`, `k8s` |
| [ECR](references/ecr.md) | Repositories, auth, scanning, lifecycle | `ecr`, `docker`, `registry`, `image` |
| [S3](references/s3.md) | Buckets, objects, sync, presign, lifecycle | `s3`, `bucket`, `upload`, `sync` |
| [DynamoDB](references/dynamodb.md) | Tables, items, queries, streams, backups | `dynamodb`, `ddb`, `nosql` |
| [Aurora/RDS](references/aurora.md) | Clusters, serverless v2, cloning, blue-green | `rds`, `aurora`, `mysql`, `postgresql` |
| [Glue](references/glue.md) | Catalog, crawlers, ETL jobs, workflows | `glue`, `etl`, `catalog`, `crawler` |
| [MSK](references/msk.md) | Kafka clusters, serverless, configuration | `msk`, `kafka`, `streaming` |
| [Kinesis](references/kinesis.md) | Data streams, Firehose, consumers | `kinesis`, `stream`, `firehose` |
| [Secrets & Params](references/private-parameters.md) | Parameter Store, Secrets Manager, rotation | `ssm`, `secrets`, `parameter`, `rotation` |
| [VPC & Networking](references/vpc-networking.md) | VPCs, subnets, security groups, endpoints | `vpc`, `subnet`, `security-group`, `endpoint` |
| [Bastion & Tunneling](references/bastion-tunneling.md) | SSM Session Manager, port forwarding | `bastion`, `tunnel`, `ssm`, `ssh` |
| [GitHub CI/CD](references/github-cicd.md) | OIDC, GitHub Actions, CodeBuild | `github`, `actions`, `oidc`, `cicd` |
| [Advanced Patterns](references/advanced-patterns.md) | JMESPath, waiters, skeletons, aliases | `jmespath`, `query`, `waiter`, `alias` |
## Environment Variables
| Variable | Purpose | Example |
|:---------|:--------|:--------|
| `AWS_ACCESS_KEY_ID` | Access key for authentication | `AKIAIOSFODNN7EXAMPLE` |
| `AWS_SECRET_ACCESS_KEY` | Secret key for authentication | `wJalrXUtnFEMI/...` |
| `AWS_SESSION_TOKEN` | Session token (temporary credentials) | For STS assume-role |
| `AWS_PROFILE` | Named profile to use | `production` |
| `AWS_REGION` | AWS region for requests | `us-west-2` |
| `AWS_DEFAULT_OUTPUT` | Default output format | `json`, `text`, `table` |
| `AWS_PAGER` | Pager program (empty to disable) | `""` |
| `AWS_CONFIG_FILE` | Custom config file path | `~/.aws/config` |
| `AWS_SHARED_CREDENTIALS_FILE` | Custom credentials file path | `~/.aws/credentials` |
| `AWS_CA_BUNDLE` | Custom CA certificate bundle | `/path/to/cert.pem` |
| `AWS_RETRY_MODE` | Retry mode | `standard`, `adaptive` |
## Credential Precedence
The CLI resolves credentials in this order (first match wins):
1. **Command-line options** (`--profile`, explicit credentials)
2. **Environment variables** (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
3. **Web identity token** (EKS IRSA, OIDC)
4. **SSO credentials** (IAM Identity Center)
5. **Credentials file** (`~/.aws/credentials`)
6. **Config file** (`~/.aws/config` with `credential_process`)
7. **Container credentials** (ECS task role)
8. **Instance metadata** (EC2 instance profile, IMDSv2)
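
As an added example (not part of the skill or of AWS's own tooling), the function below walks the precedence list above offline to predict which source would win for a profile, and flags a long-lived `AKIA` key in the environment that shadows an SSO profile. `aws_cred_source` and `ini_has` are hypothetical names; the model is simplified and assumes the `[profile NAME]` / `[NAME]` section conventions and the standard web-identity and container environment variables.

```bash
#!/usr/bin/env bash
# Added example: predict which credential source wins, using the order listed above.
# Simplified model; aws_cred_source and ini_has are hypothetical helper names.

# Succeeds if KEY is set inside [SECTION] of the INI file FILE.
ini_has() {  # ini_has FILE SECTION KEY
  [ -f "$1" ] || return 1
  awk -v s="[$2]" -v k="$3" '
    /^\[/ { in_s = ($0 == s) }
    in_s && ($0 ~ ("^[ \t]*" k "[ \t]*=")) { found = 1 }
    END { exit !found }' "$1"
}

# aws_cred_source [PROFILE]  (PROFILE stands in for an explicit --profile)
aws_cred_source() (
  explicit="${1:-}"
  profile="${explicit:-${AWS_PROFILE:-default}}"
  cfg="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
  creds="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
  # ~/.aws/config names sections "[profile X]"; the credentials file uses "[X]".
  if [ "$profile" = default ]; then section=default; else section="profile $profile"; fi

  if [ -z "$explicit" ] && [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    # Static keys in the environment shadow every profile, including SSO.
    case "$AWS_ACCESS_KEY_ID" in
      AKIA*) echo "environment:long-lived" ;;   # IAM user access key
      *)     echo "environment" ;;
    esac
  elif [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] && [ -n "${AWS_ROLE_ARN:-}" ]; then
    echo "web-identity"
  elif ini_has "$cfg" "$section" sso_session || ini_has "$cfg" "$section" sso_start_url; then
    echo "sso"
  elif ini_has "$creds" "$profile" aws_access_key_id; then
    echo "credentials-file"
  elif ini_has "$cfg" "$section" credential_process; then
    echo "credential-process"
  elif [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]; then
    echo "container"
  else
    echo "instance-metadata"   # nothing matched earlier; the CLI would try IMDS last
  fi
)
```

Compare its answer with `aws configure list`, which reports the source the CLI actually selected.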
## Common Patterns
### Profile Switching
```bash
# Use specific profile for one command
aws s3 ls --profile production
# Set default profile for session
export AWS_PROFILE=production
# List configured profiles
aws configure list-profiles
```
### Output Filtering with JMESPath
```bash
# Get specific fields
aws ec2 describe-instances \
--query 'Reservations[*].Instances[*].[InstanceId,State.Name]' \
--output table
# Filter running instances
aws ec2 describe-instances \
--query 'Reservations[*].Instances[?State.Name==`running`].InstanceId' \
--output text
```
### Wait for Resource State
```bash
# Wait for instance to be running
aws ec2 wait instance-running --instance-ids i-1234567890abcdef0
# Wait for Lambda function update
aws lambda wait function-updated --function-name my-function
```
## Best Practices
| Category | Recommendation |
|:---------|:---------------|
| **Security** | Use `aws configure sso` over long-lived access keys |
| **Security** | Use IAM roles for compute (EC2/Lambda/ECS) instead of embedded keys |
| **Security** | Enable MFA for sensitive operations |
| **Scripting** | Use `--output json` or `--output text` for parsing |
| **Scripting** | Use `--query` to filter data and reduce output |
| **Safety** | Use `--dry-run` before destructive operations on commands that support it |
| **Performance** | Use `--page-size` to control memory on large lists |
| **Regions** | Explicitly set region in scripts to avoid surprises |
| **Cost** | Use lifecycle policies (S3/ECR) for automatic cleanup |
| **Debugging** | Use `--debug` to see raw HTTP requests/responses |
## Common Errors Quick Reference
| Error | Cause | Fix |
|:------|:------|:----|
| `ExpiredToken` | Session credentials expired | Run `aws sso login` or `aws sts get-session-token` |
| `AccessDenied` | Missing IAM permissions | Check IAM policy; use `--debug` to see required action |
| `InvalidClientTokenId` | Invalid access key | Verify `AWS_ACCESS_KEY_ID` or run `aws configure` |
| `UnauthorizedAccess` | Wrong region or account | Check `--region` flag and `aws sts get-caller-identity` |
| `ThrottlingException` | API rate limit exceeded | Add retry logic with exponential backoff |
| `NoCredentialProviders` | No credentials found | Check credential chain; run `aws configure list` |
For detailed troubleshooting, see [Setup](references/setup.md#troubleshooting).
## When Not to Use
- **AWS SDK code**: For boto3, AWS SDK for JavaScript, etc., use programming documentation
- **CloudFormation/Terraform**: This skill covers CLI commands, not IaC templates
- **Console UI steps**: CLI-focused; use AWS documentation for console walkthroughs
- **Pricing/billing**: Use AWS pricing calculator or Cost Explorer documentation
## Quick Command Reference
```bash
# Identity & Access
aws sts get-caller-identity
# → {"Account": "123456789012", "UserId": "AIDAEXAMPLE", "Arn": "arn:aws:iam::123456789012:user/dev"}
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Admin --role-session-name mysession
# → {"Credentials": {"AccessKeyId": "ASIA...", "SecretAccessKey": "...", "SessionToken": "..."}}
# S3
aws s3 ls
# → 2024-01-15 bucket-name-1
# → 2024-02-20 bucket-name-2
aws s3 sync ./local s3://bucket/prefix --delete
# Lambda
aws lambda invoke --function-name fn response.json
# → {"StatusCode": 200, "ExecutedVersion": "$LATEST"}
aws lambda update-function-code --function-name fn --zip-file fileb://code.zip
# → {"FunctionName": "fn", "LastModified": "2024-12-28T...", "State": "Active"}
# ECS
aws ecs list-clusters
# → {"clusterArns": ["arn:aws:ecs:us-east-1:123456789012:cluster/prod"]}
aws ecs update-service --cluster prod --service api --force-new-deployment
# EKS
aws eks update-kubeconfig --name my-cluster
# → Added new context arn:aws:eks:us-east-1:123456789012:cluster/my-cluster
aws eks list-clusters
# → {"clusters": ["my-cluster", "dev-cluster"]}
# Secrets
aws secretsmanager get-secret-value --secret-id prod/api/key --query SecretString --output text
# → sk_live_xxxxxxxxxxxxx
aws ssm get-parameter --name /app/prod/db/host --with-decryption --query Parameter.Value --output text
# → db.example.com
# Debugging
aws ssm start-session --target i-0123456789abcdef0
# → Starting session with SessionId: user-0a1b2c3d4e5f67890
```