Now that we've got Identity Center set up and we've got our multiple accounts set up, we know how to access the console through the Identity Center portal, but we also need our dev environment, our local machine to be able to connect to our AWS account in order to push application changes. So first things first, we need to install the AWS CLI. So you can see if you go to this page, we'll have this link in the notes below. There's a guide for installing the CLI, and I'm not gonna go through each of the different operating system setup guides. I'm on a Mac, so I actually just brew installed the CLI.
You can brew install AWS CLI and it works great on a Mac. I don't know why they don't list it on the AWS docs. They've got other instructions for installing. They've got a GUI installer. Go through your operating system of choice and get the CLI installed.
And once you've done that, we want to come in and just do an AWS dash dash version. And I'm running a recent version of the CLI that looks good. The next thing we're gonna do, now that you've got the CLI installed, we're gonna run aws sts get caller identity. This is a command in the CLI that I use constantly. And it's really just a way to say, in my current active terminal session, what credentials are currently configured?
What do I have access to in terms of AWS accounts? And you'll see that the response here, unable to locate credentials. You can configure credentials by running AWS Configure. So we haven't actually set up connectivity into our AWS account yet. We've just installed the CLI.
So at this point, we need to configure connectivity. We need to set up connectivity through IAM Identity Center, just like we did with the console through the portal. This is how we can hop into the console. Now we're going to do the same thing, but for our CLI. And there's a guide for this as well.
Again, we'll have this link in the notes below. And I'm going to skip all over here. I'm going to jump down. There's a section where they explain how you can manually configure the config file. They have a sort of wizard that walks you through each step and allow you to just drop values into the wizard to set up this file.
I personally think it's easier just to create the text file and drop the contents in, especially since they give you a template that's just perfect for what we've got set up. We have a dev account and a prod account. We'll add a management account to this, but we can just copy this block if you find it about halfway down the page, more than halfway down the page, toward the bottom. If you just copy that block, we're going to create the file. And the file, just open it in your editor of choice.
I'm going to create it here, Users, adam. It's found at .aws. So in your user root on a Mac, I don't know how this translates to Windows and Linux, but it'll tell you here in the guide. It's gonna be .aws slash config. So I've got a brand new file here under .aws/config in my user root directory.
And I'm just going to paste that block that we just saw. So what do we have here? We have SSO session and then a name mysso. We're going to change that name. I'm just going to call it SSO.
I just don't like when I see "my" on every example. So I'm just going to do this. Actually, SSO is a little too ambiguous. Let's say SSO session. I don't know if that's better. Naming things is hard, isn't it?
OK, so the SSO session, this is where it stores our start URL. I'm going to expand this out. So this is the start URL that we set up in the last lesson. And you might have a custom one, or maybe you just left the default. I'm going to go ahead and replace this with my custom subdomain, adam.dev.awsapps.com slash start.
The SSO region, you can set this up in any region you'd like. If there's a closer region to you, depending on where you're watching this from, there likely is. US East 1 is in Virginia, and I generally just default to it. And now we're going to set up each of these profiles. So we have a dev profile, which is going to use SSO session, SSO session, the named SSO session, SSO session.
That's hard to say. But then we have to put in the account ID. So let's go over here on our identity center portal. You can see the account numbers here for each of the accounts. And unfortunately, they make that really tough to copy.
You can't just like select it. So I'm gonna do just like that. And then the role name, it's just going to mirror what you see there. Yeah, administrator access. So you see it right here.
That's the role name. And we set that up earlier. So then we got to get the prod account ID, which is right here. And paste that in. And then we're going to add a block for the management account.
So we'll call the profile management. Could call it profile root or something else, but I think management makes sense. And similarly, we're just gonna copy this right here. Okay, so at this point, we've got our profile set up for dev, prod, and management. We've configured our start URL.
I'm gonna go and just close this file. I'm going to save it and close it. And if we try a get caller identity again, and we have to specify a profile, we're going to see that it can't load the SSO token. And that's because we haven't logged in yet. So we need to do AWS SSO login.
Oh, I forgot the profile. So AWS SSO login, profile, dev. And it's going to open a browser tab. As long as you're logged into the console here, you won't have to log in again. But if you hadn't logged in to the identity center portal, you'd be presented with a login, you'd put your credentials in and you get to this state.
So then I'm not gonna confirm and continue, I see that those codes match up, allow access. Okay, so now we've got an actual SSO session. So if I do AWS get caller, or STS get caller identity, with the profile dev, we should see access into that account. We can just double check. So the account ID 992, that is correct.
That's development. Okay, so at this point we could do any AWS CLI operation with the profile dev and actually interact with our dev account. So I'm going to just try one off the top. AWS S3, I don't know, list buckets. Is that a...
I think that's... I'm just guessing. There's a lot of consistency to the command names. Okay, that was not it. It's just LS.
So AWS S3 LS. Profile dev. And I don't have any buckets, so it's not going to return anything. But you can see that that command is working. We've got access into dev.
Let's do the same thing for prod and our management account. So we're going to do AWS SSO login profile prod. And generally that's a mouthful to type that out just to log in and get credentials. The credentials will auto refresh in the background, the CLI is configured to do that. But also generally I put it like in my package JSON.
So my web project, wherever I'm working with AWS and deploying something into AWS, I just put it in package JSON as a script so that I can just do, you know, pnpm sso. So, okay, we've got prod. Let's just make sure that looks good. AWS STS, get caller identity, profile prod. We should see the prod account number, which is 770.
Yep. These account numbers aren't sensitive, by the way. I know I've shared account numbers and screenshots and stuff before, and people freak out. They're not a sensitive thing. Last one, let's do AWS SSO login profile management.
And I'm going to give that access. So now, using those profiles, I have access. I have credentials, short-term credentials, ready to interact with all three of the accounts. And it's just a matter of specifying profile on any AWS CLI commands. So you can take a look at all the many, many AWS CLI commands.
There's code examples, use AWS CLI command structure. There's just a ton of information here. If you wanted to look at different types of like common commands that people are using for the CLI, check out the documentation. We're not going to go any further here because it's not really important for where we're headed. Ultimately, where we're headed is deploying applications in our AWS account.
And by having access to our Identity Center configured in our CLI, we're now prepped to do that.
The AWS CLI
Adam Elmore
Installing the AWS CLI
First, you'll need to install the AWS CLI on your local machine. You can find the installation guide on the AWS website, with instructions for different operating systems. If you're on a Mac, you can simply use Homebrew to install it:
brew install aws-cli
Once installed, you can verify the version by running:
aws --version
Configuring AWS CLI with Identity Center
After installing the CLI, you'll need to configure it to connect to your AWS accounts through Identity Center. Run the following command to check your current credentials:
aws sts get-caller-identity
This will likely return an error saying "unable to locate credentials" since you haven't set up connectivity yet.
To configure the CLI, you'll need to create an AWS config file. This file will contain the necessary information to connect to your accounts through Identity Center.
Creating the AWS Config File
Open your text editor and create a new file called config in the .aws directory within your user's home directory (e.g., ~/.aws/config on macOS/Linux or %UserProfile%\.aws\config on Windows).
Copy the provided template from the AWS documentation and paste it into the config file.
Customize the file with your specific details:
Change the sso_start_url to your custom subdomain URL (e.g., adam.dev.awsapps.com/start).
Set the sso_region to the AWS region closest to you (e.g., us-east-1).
Replace the account_id and role_name values for the dev, prod, and management profiles with your actual account IDs and role names.
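Here is what the finished file looks like, produced by a small shell script. This is an added example, not the lesson's own code or the template from the AWS docs. The start URL and the 12-digit account IDs are constructed placeholders; the session and profile names follow the lesson (sso-session, dev, prod, management), and the role name is the AdministratorAccess permission set from earlier. Note that the actual key names the CLI reads are sso_session, sso_account_id and sso_role_name. The config_value helper reads a value back out of a section so you can confirm what the CLI will use before logging in, and the directory is locked down to the owner because the SSO token cache that login later writes under ~/.aws/sso/cache holds bearer tokens.

```shell
#!/bin/sh
# Added example (not the lesson's code): generate ~/.aws/config for IAM Identity Center.
# Every value below is a constructed placeholder; replace with your own from the portal.
SSO_START_URL="https://example.awsapps.com/start"   # assumption: your custom subdomain
SSO_REGION="us-east-1"
DEV_ACCOUNT_ID="111111111111"                        # placeholder, not a real account
PROD_ACCOUNT_ID="222222222222"                       # placeholder, not a real account
MGMT_ACCOUNT_ID="333333333333"                       # placeholder, not a real account
ROLE_NAME="AdministratorAccess"                      # permission set name from the portal

# write_sso_config PATH: writes the config file. An existing file is backed up first,
# never silently overwritten, and both directory and file are owner-only.
write_sso_config() {
  path="$1"
  mkdir -p "$(dirname "$path")"
  chmod 700 "$(dirname "$path")"
  if [ -e "$path" ]; then
    cp "$path" "$path.bak.$(date +%s)"
  fi
  cat > "$path" <<EOF
[sso-session sso-session]
sso_start_url = $SSO_START_URL
sso_region = $SSO_REGION
sso_registration_scopes = sso:account:access

[profile dev]
sso_session = sso-session
sso_account_id = $DEV_ACCOUNT_ID
sso_role_name = $ROLE_NAME
region = $SSO_REGION
output = json

[profile prod]
sso_session = sso-session
sso_account_id = $PROD_ACCOUNT_ID
sso_role_name = $ROLE_NAME
region = $SSO_REGION
output = json

[profile management]
sso_session = sso-session
sso_account_id = $MGMT_ACCOUNT_ID
sso_role_name = $ROLE_NAME
region = $SSO_REGION
output = json
EOF
  chmod 600 "$path"
}

# config_value PATH SECTION KEY: prints KEY's value from the [SECTION] block,
# e.g. config_value ~/.aws/config "profile dev" sso_account_id
config_value() {
  awk -v section="[$2]" -v key="$3" '
    $0 == section { in_section = 1; next }   # entered the wanted section
    /^\[/         { in_section = 0 }         # any other header ends it
    in_section && $1 == key { print $3 }     # lines look like: key = value
  ' "$1"
}

# Only touch the real config when explicitly asked: sh this_script.sh --write
if [ "${1:-}" = "--write" ]; then
  write_sso_config "$HOME/.aws/config"
  echo "dev profile targets account $(config_value "$HOME/.aws/config" 'profile dev' sso_account_id)"
fi
```

Run it with --write to install the file, then read the dev account ID back with config_value and compare it against the portal before you log in; the backup copy means a mistake is a one-line restore.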
Logging in with AWS SSO
After saving the config file, you can log in to your accounts using the AWS SSO login command:
aws sso login --profile <profile_name>
Replace <profile_name> with dev, prod, or management depending on which account you want to access.
This command will open a browser window where you can authenticate with your Identity Center credentials. Once authenticated, you'll have short-term credentials to interact with the specified AWS account using the CLI.
Verifying Access
To verify that you have access to the account, run the get-caller-identity command with the appropriate profile:
aws sts get-caller-identity --profile <profile_name>
This should return the account ID and other details, confirming that you have successfully configured the CLI to access your AWS accounts through Identity Center.
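Reading the account ID off the screen works once, but it is worth automating: a mistyped sso_account_id in the config would make the dev profile act on another account without any error. As an added example (not from the lesson), the following shell script runs the check for every profile and compares the Account field of the get-caller-identity response with the account you expect for that profile. The expected IDs and the sample response are constructed placeholders; only verify_profile calls the real CLI, and it runs aws sso login first when the cached token is missing or expired.

```shell
#!/bin/sh
# Added example (not the lesson's code): confirm each profile resolves to the expected account.

# expected_account PROFILE: the account ID this profile must map to.
# Constructed placeholders; put your real IDs from the Identity Center portal here.
expected_account() {
  case "$1" in
    dev)        echo "111111111111" ;;
    prod)       echo "222222222222" ;;
    management) echo "333333333333" ;;
    *)          return 1 ;;
  esac
}

# Constructed sample of what `aws sts get-caller-identity` prints (not real output).
SAMPLE_IDENTITY='{
    "UserId": "AROAEXAMPLEID:adam",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_AdministratorAccess_0123456789abcdef/adam"
}'

# account_from_identity JSON: extract the 12-digit Account field with sed (no jq needed).
account_from_identity() {
  printf '%s\n' "$1" | sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p'
}

# check_identity PROFILE JSON: 0 if JSON names the account expected for PROFILE,
# 1 on a mismatch or an unparsable response, 2 for a profile not in the expected list.
check_identity() {
  profile="$1"
  json="$2"
  want="$(expected_account "$profile")" || { echo "$profile: not an expected profile" >&2; return 2; }
  got="$(account_from_identity "$json")"
  if [ -z "$got" ]; then
    echo "$profile: response carried no Account field" >&2
    return 1
  fi
  if [ "$got" != "$want" ]; then
    echo "$profile: expected account $want but credentials resolve to $got" >&2
    return 1
  fi
  echo "$profile: ok, account $got"
}

# verify_profile PROFILE: talks to the real CLI. If the cached SSO token is missing or
# expired the first call fails, so log in through the browser and try once more.
verify_profile() {
  profile="$1"
  if ! json="$(aws sts get-caller-identity --profile "$profile" 2>/dev/null)"; then
    aws sso login --profile "$profile" || return 1
    json="$(aws sts get-caller-identity --profile "$profile")" || return 1
  fi
  check_identity "$profile" "$json"
}

# Only contact AWS when explicitly asked: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
  for p in dev prod management; do
    verify_profile "$p" || exit 1
  done
fi
```

Running it with --run before a deployment gives you a one-line confirmation per profile, and a non-zero exit if any profile points somewhere unexpected, which is the check you want in a deploy script rather than in your memory.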
With the AWS CLI configured, you can now execute various AWS commands and interact with your accounts directly from your local machine. This setup allows you to deploy applications, manage resources, and perform other AWS operations seamlessly.
Conclusion
By following these steps, you have installed the AWS CLI, configured it with your Identity Center accounts, and learned how to log in and verify access. You are now ready to start working with AWS services from your local development environment using the CLI.