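Contents
01 Configuring access keys
Access keys via environment variables
Specifying a profile
aws configure
02 aws configure commands
list [--profile PROFILE]
list-profiles
import
03 Configuration file fields
Examples
credentials
config
04 AWS IAM Identity Center (SSO) configuration
configure setup
Logging in again
Logging out
Configuring IAM roles
Basic setup
Same account with MFA
Configuration with an External ID
Configuration with a Session Name
Clearing the credential cache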
01 Configuring access keys
Access keys via environment variables
Linux | Mac
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2
Windows CMD
setx AWS_ACCESS_KEY_ID AKIAIOSFODNN7EXAMPLE
setx AWS_SECRET_ACCESS_KEY wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
setx AWS_DEFAULT_REGION us-west-2
PowerShell
$Env:AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
$Env:AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
$Env:AWS_DEFAULT_REGION="us-west-2"
Specifying a profile
Via a CLI argument
aws ec2 describe-instances --profile user1
Via an environment variable
Linux | Mac
export AWS_PROFILE=user1
Windows
setx AWS_PROFILE user1
Configuring the default profile
# aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
02 aws configure commands
list [--profile PROFILE]
Show the configuration of a given profile
# aws configure list --profile xxx
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************ABCD shared-credentials-file
secret_key     ****************ABCD shared-credentials-file
    region                us-west-2              env    AWS_DEFAULT_REGION
list-profiles
List all configured profiles
# aws configure list-profiles
default
test
import
Import from a CSV file downloaded from the console
aws configure import --csv file://credentials.csv
get
# aws configure get region --profile integ
us-west-2
set
# aws configure set region us-west-2 --profile integ
03 Configuration file fields
Examples
~/.aws/credentials (Linux and Mac) or %USERPROFILE%\.aws\credentials (Windows)
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
~/.aws/config (Linux and Mac) or %USERPROFILE%\.aws\config (Windows)
[default]
region=us-west-2
output=json
[profile user1]
region=us-east-1
output=text
credentials
Key-related fields
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
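Added example, not part of the original page: a Python audit of a file in the credentials format above. It reports whether each profile holds a long-term key or temporary credentials (those that carry aws_session_token) and whether the file is readable by other users. The ci profile, its ASIA-prefixed key ID and the function names are constructed for the illustration.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample in the credentials format above; "ci" is a made-up profile.
SAMPLE = """\
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[ci]
aws_access_key_id=ASIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token=AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5T
"""

def classify(fields):
    """Classify one profile as 'long-term', 'temporary' or 'incomplete'."""
    key_id = fields.get("aws_access_key_id", "")
    if not key_id or not fields.get("aws_secret_access_key"):
        return "incomplete"
    # STS credentials carry a session token and an ASIA-prefixed key id.
    if fields.get("aws_session_token") or key_id.startswith("ASIA"):
        return "temporary"
    return "long-term"

def audit_credentials(path):
    """Return ({profile: kind}, [warnings]) for a shared credentials file."""
    warnings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # group/other bits set (meaningful on POSIX only)
        warnings.append(f"{path}: mode {mode:04o}, expected 0600")
    parser = configparser.RawConfigParser()  # raw: secrets are never interpolated
    parser.read(path)
    kinds = {name: classify(parser[name]) for name in parser.sections()}
    warnings += [f"[{name}] holds a long-term key in plaintext"
                 for name, kind in kinds.items() if kind == "long-term"]
    return kinds, warnings

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)  # loose permissions so both checks fire
        return audit_credentials(path)

if __name__ == "__main__":
    print(demo())
```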
config
cli_auto_prompt
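Enables auto-prompt for AWS CLI version 2. Two settings are available:
- on: full auto-prompt mode is used every time you try to run an aws command. This includes pressing ENTER after a complete or an incomplete command.
cli_auto_prompt = on
- on-partial: partial auto-prompt mode is used. Auto-prompt is used if a command is incomplete or cannot be run because of a client-side validation error. This mode is helpful if you have existing scripts or runbooks, or if you want to be prompted only for commands you are unfamiliar with rather than for every command.
cli_auto_prompt = on-partial
You can override this setting with the AWS_CLI_AUTO_PROMPT environment variable or the --cli-auto-prompt and --no-cli-auto-prompt command line parameters.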
cli_pager
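Specifies the pager program used for output. By default, AWS CLI version 2 returns all output through the operating system's default pager program.
Can be overridden by the AWS_PAGER environment variable.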
cli_pager=less
To disable the external pager entirely, set the variable to an empty string, as in the following example.
cli_pager=
cli_timestamp_format
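Specifies the format of timestamp values included in the output. You can specify either of the following values:
- iso8601 – The default for AWS CLI version 2. If specified, the AWS CLI reformats all timestamps according to ISO 8601.
ISO 8601 formatted timestamps look like the following examples. The first example shows the time in Coordinated Universal Time (UTC) by including a Z after the time. The date and the time are separated by a T.
2019-10-31T22:21:41Z
To specify a different time zone, instead of the Z, specify + or - and the number of hours the desired time zone is ahead of or behind UTC, as a two-digit value. The following example shows the same time as the previous one, adjusted to Pacific Standard Time (eight hours behind UTC):
2019-10-31T14:21:41-08
- wire – The default for AWS CLI version 1. If specified, the AWS CLI displays all timestamp values exactly as received in the HTTP query response.
This entry has no equivalent environment variable or command line option.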
cli_timestamp_format = iso8601
max_attempts
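Specifies the maximum number of attempts the AWS CLI retry handler uses, where the initial call counts toward the max_attempts value you provide.
You can override this value with the AWS_MAX_ATTEMPTS environment variable.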
max_attempts = 3
output
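Specifies the default output format for commands requested using this profile. You can specify any of the following values:
- json – The output is formatted as a JSON string.
- yaml – The output is formatted as a YAML string.
- yaml-stream – The output is streamed and formatted as a YAML string. Streaming allows faster handling of large data types.
- text – The output is formatted as multiple lines of tab-separated string values. This is useful for passing the output to a text processor such as grep, sed or awk.
- table – The output is formatted as a table, using the characters +|- to form the cell borders. It typically presents the information in a "human-friendly" format that is easier to read than the others, but not as useful programmatically.
Can be overridden by the AWS_DEFAULT_OUTPUT environment variable or the --output command line option.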
output = table
region
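Specifies the AWS Region to send requests to for commands requested using this profile.
- You can specify any of the Region codes available for the chosen service; for a list, see AWS Regions and Endpoints in the Amazon Web Services General Reference.
- aws_global lets you specify the global endpoint for services that support a global endpoint in addition to Regional endpoints, such as AWS Security Token Service (AWS STS) and Amazon Simple Storage Service (Amazon S3).
You can override this value with the AWS_REGION environment variable, the AWS_DEFAULT_REGION environment variable, or the --region command line option.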
region = us-west-2
S3-specific settings
[profile development]
s3 =
  max_concurrent_requests = 20
  max_queue_size = 10000
  multipart_threshold = 64MB
  multipart_chunksize = 16MB
  max_bandwidth = 50MB/s
  use_accelerate_endpoint = true
  addressing_style = path
04 AWS IAM Identity Center (SSO) configuration
Configuration
$ aws configure sso
SSO session name (Recommended): my-sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [None]: sso:account:access
Browser authorization
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-west-2.amazonaws.com/
Then enter the code:
QCFK-N451
Selecting the account and role
There are 2 AWS accounts available to you.
> DeveloperAccount, [email protected] (123456789011)
ProductionAccount, [email protected] (123456789022)
Using the account ID 123456789011
There are 2 roles available to you.
> ReadOnly
FullAccess
Setting the config values
CLI default client Region [None]: us-west-2
CLI default output format [None]: json
CLI profile name [123456789011_ReadOnly]: my-dev-profile
Successful verification
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile my-dev-profile
The following is written to ~/.aws/config automatically
[profile my-dev-profile]
sso_session = my-sso
sso_account_id = 123456789011
sso_role_name = ReadOnly
region = us-west-2
output = json
[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
Several profiles can also share one session, configured as follows:
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole
[profile prod]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole2
[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
Logging in again
Logging in with a profile
# aws sso login --profile my-dev-profile
Using a browser, open the following URL:
https://device.sso.us-west-2.amazonaws.com/
and enter the following code:
QCFK-N451
Logging in with a session
# aws sso login --sso-session my-dev-session
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-west-2.amazonaws.com/
and enter the following code:
QCFK-N451
Successfully logged into Start URL: https://cli-reinvent.awsapps.com/start
Logging out
# aws sso logout
Successfully signed out of all SSO profiles.
Configuring IAM roles
IAM roles must be defined in ~/.aws/config
Basic setup
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1
Same account with MFA
[profile role-without-mfa]
region = us-west-2
role_arn= arn:aws:iam::128716708097:role/cli-role
source_profile=cli-user
[profile role-with-mfa]
region = us-west-2
role_arn= arn:aws:iam::128716708097:role/cli-role
source_profile = cli-user
mfa_serial = arn:aws:iam::128716708097:mfa/cli-user
[profile anika]
region = us-west-2
output = json
Configuration with an External ID
[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
external_id = 123456
Configuration with a Session Name
[profile namedsessionrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
role_session_name = Session_Maria_Garcia
With a session name set, the STS caller identity is shown in the following format
arn:aws:iam::234567890123:assumed-role/SomeRole/Session_Maria_Garcia
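Added example, not part of the original page: the role profiles above reach their credentials through source_profile, and this Python code parses config text in that format, follows each chain to the profile that supplies credentials, and reports the target account, whether mfa_serial and role_session_name are set, and any broken or looping chain. The function names and the orphan profile are assumptions; only the config text is read, so a source_profile that exists solely in ~/.aws/credentials is reported as undefined.

```python
import configparser

# Constructed config text modelled on the role profiles above; "orphan" is made up.
SAMPLE_CONFIG = """\
[default]
[profile role-with-mfa]
role_arn = arn:aws:iam::128716708097:role/cli-role
source_profile = default
mfa_serial = arn:aws:iam::128716708097:mfa/cli-user
[profile namedsessionrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = role-with-mfa
role_session_name = Session_Maria_Garcia
[profile orphan]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = missing
"""

def load_profiles(text):
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    # "[profile NAME]" -> NAME, "[default]" stays; sso-session sections are skipped.
    return {s.split(None, 1)[-1]: dict(parser[s]) for s in parser.sections()
            if s == "default" or s.startswith("profile ")}

def resolve_chain(profiles, name):  # returns (chain, error or None)
    chain = []
    while name not in chain:
        if name not in profiles:
            return chain, f"profile {name!r} is not defined in this file"
        chain.append(name)
        src = profiles[name].get("source_profile")
        if "role_arn" not in profiles[name] or src is None:
            return chain, None  # reached the profile that supplies credentials
        name = src
    return chain, f"source_profile loop back to {name!r}"

def audit_roles(text):
    profiles = load_profiles(text)
    report = {}
    for name, p in profiles.items():
        if "role_arn" in p:
            chain, error = resolve_chain(profiles, name)
            report[name] = {"account": p["role_arn"].split(":")[4], "chain": chain,
                            "mfa": "mfa_serial" in p, "error": error,
                            "named_session": "role_session_name" in p}
    return report

if __name__ == "__main__":
    print(audit_roles(SAMPLE_CONFIG))
```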
Clearing the credential cache
Linux | Mac
rm -r ~/.aws/cli/cache
Windows
del /s /q %UserProfile%\.aws\cli\cache