53

Can anybody tell me how to automate the aws configure in bash with a one liner?

Example:

$ aws configure --profile user2
AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: text

Application: I want to automate this inside a Docker Entrypoint!

blacklabelops
  • 4,708
  • 5
  • 25
  • 42
  • 6
    If this docker image is going outside of your control (ie. to customers, etc.), do not pre-configure AWS credentials in it. If the docker image is going to run on an EC2 instance or ECS, then use IAM Roles instead. – Matt Houser Jan 17 '16 at 15:08
  • This will be a multi-purpose image. The credentials are not part of the image but will be provided for the container instance. – blacklabelops Jan 17 '16 at 16:09
  • Will the container run on EC2? – Matt Houser Jan 17 '16 at 16:38
  • The container will run on hosts outside and inside EC2. – blacklabelops Jan 17 '16 at 16:43
  • I am still interested in how I can run cli commands inside EC2 without any credentials and only with IAM roles. Can you please provide a tutorial or how-to? – blacklabelops Jan 17 '16 at 16:57
  • 1
    Take a look here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html . Basically, you create your IAM EC2 Role, run your EC2 instance with that role assigned to it, then use the AWS CLI inside your instance without it having AWS credentials configured. The instance will pick up the credentials from the role. – Matt Houser Jan 17 '16 at 18:47
  • Thanks! I will prefer that when deploying inside EC2! – blacklabelops Jan 17 '16 at 20:06

8 Answers8

61

If you run aws configure set help you will see that you can supply settings individually on the command line and they will be written to the relevant credentials or config file. For example:

aws configure set aws_access_key_id AKIAI44QH8DHBEXAMPLE

You can also run this interactively to modify the default credentials:

aws configure

Or run it interactively to create/modify a named profile:

aws configure --profile qa

Note: with the first technique above, whatever command you type will appear in your history and this is not a good thing for passwords, secret keys etc. So in that case, use an alternative that does not cause the secret parameter to be logged to history, or prevent the entire command being logged to history.

jarmod
  • 71,565
  • 16
  • 115
  • 122
  • 12
    I highly recommend to NOT embed your access keys into your scripts, this is very bad practice. Take Thomas L. answer to configure your keys in a config file that you then share with your docker container instead – Tom Jan 19 '16 at 08:55
  • 2
    I was also mentioning this point as maybeg is willing to automate its docker container deployments, so he is likely to end up with scripts embedding his real access/secret keys. This is configuration and should be not mixed in code (e.g not committed on github etc.). cheers – Tom Jan 19 '16 at 17:52
  • Thanks for the tip, I was looking in `aws configure --help` – djheru Jan 11 '21 at 20:55
23

One liner

aws configure set aws_access_key_id "AKIAI44QH8DHBEXAMPLE" --profile user2 && aws configure set aws_secret_access_key "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY" --profile user2 && aws configure set region "us-east-1" --profile user2 && aws configure set output "text" --profile user2

Note: setting region is optional (also never set it with an empty string if you don't have any region, or it will be buggy); as well as the user profile, if you don't set it it will go under default settings.

Better practice with Secrets

Use secrets, then use associated environment variables:

aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile user2 && aws configure set aws_secret_access_key "$AWS_ACCESS_KEY_SECRET" --profile user2 && aws configure set region "$AWS_REGION" --profile user2 && aws configure set output "text" --profile user2

To know more

Erdal G.
  • 2,694
  • 2
  • 27
  • 37
  • there is a typo in your commands and edit queue is full as well. working command is aws configure set aws_access_key_id "AKIAI44QH8DHBEXAMPLE" --profile user2 && aws configure set aws_secret_access_key "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY" --profile user2 && aws configure set region "us-east-1" --profile user2 && aws configure set output "text" --profile user2 – Umair Jun 24 '22 at 06:27
  • I'll keep the generic values, but thanks for the mistake in the extra "set" command. Edited. – Erdal G. Jun 27 '22 at 10:51
11

For those inclined to use bash, the following works quite well and keeps secrets out of your scripts. In addition, it will also save your input to a named profile in one go.

printf "%s\n%s\nus-east-1\njson" "$KEY_ID" "$SECRET_KEY" | aws configure --profile my-profile
killthrush
  • 4,859
  • 3
  • 35
  • 38
11

I think this is the answer in one line

aws configure set aws_access_key_id $YOUR_ACCESS_KEY_ID; aws configure set aws_secret_access_key $YOUR_SECRET_ACCESS_KEY; aws configure set default.region $YOUR_AWS_DEFAULT_REGION
El David
  • 616
  • 8
  • 17
10

If you want to automate you should use files rather than CLI. Your CLI only write those files.

➜ cat ~/.aws/config
[profile_1]
output = json
region = eu-west-1
[profile_2]
output = json
region = eu-west-1

➜ cat ~/.aws/credentials
[profile_1]
aws_access_key_id =
aws_secret_access_key =
[profile_2]
aws_access_key_id =
aws_secret_access_key =
Thomas L.
  • 1,294
  • 9
  • 13
5

One liner

aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile profile_name_here && aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY" --profile profile_name_here && aws configure set region "$AWS_REGION" --profile profile_name_here && aws configure set output "json" --profile profile_name_here

Setting individual configuration

profile_name_here is the aws profile name to be saved to your aws config. Replace it with your own.

ACCESS KEY

aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile profile_name_here

SECRET ACCESS KEY

aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY" --profile profile_name_here

REGION

aws configure set region "$AWS_REGION" --profile profile_name_here

OUTPUT

aws configure set output "json" --profile profile_name_here

The value specified here is json but you can replace it from the list of supported output formats from aws docs.

  • json
  • yaml
  • yaml-stream
  • text
  • table

Note:

That $AWS_ACCESS_KEY_ID, $AWS_SECRET_ACCESS_KEY and $AWS_REGION are variables from your AWS credentials file or environment variables if you are using CI. You can also replace them using regular strings value but that is not safe.

Mac Ignacio
  • 655
  • 7
  • 5
1

Building upon the suggestion by Tom in jarmod's answer, to "configure your keys in a config file that you then share with your docker container instead".

I found that slightly confusing as I'm new to using Docker and awscli.
Also, I believe most who end up at this question are similarly trying to use Docker and awscli together.

So what you'd want to do, step by step is:

Create a credentials file containing
[default] aws_access_key_id = default_access_key aws_secret_access_key = default_secret_key
that you copy to ~/.aws/credentials, using a line in Dockerfile like
COPY credentials /root/.aws/credentials

and a config file containing
[default] region = us-west-2 output = table
that you copy to ~/.aws/config, using a line in Dockerfile like
COPY config /root/.aws/config

Reference:
aws configure set help

cryanbhu
  • 4,780
  • 6
  • 29
  • 47
0

Similar to killthrush's answer above but pure bash, no aws command needed. I used this when I don't have aws cli installed but will need it to use from python boto3.

mkdir -p ~/.aws && printf "[default]\nregion = %s\noutput = json\n" "$MY_AWS_DEFAULT_REGION"> ~/.aws/config && printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n" "$MY_AWS_ACCESS_KEY_ID" "$MY_AWS_SECRET_ACCESS_KEY" > ~/.aws/credentials

Kiran Pathuru
  • 31
  • 3