aws
14 commands
14 shown
Who am I / which account
Confirm active account, ARN and assumed role before running risky commands
aws sts get-caller-identity --query '{acct:Account,arn:Arn}' --output table
Assume role and export creds
Assume an IAM role and inject temp creds into the shell env in one shot
eval $(aws sts assume-role --role-arn <id> --role-session-name ops --query 'Credentials.[`AWS_ACCESS_KEY_ID=`+AccessKeyId,`AWS_SECRET_ACCESS_KEY=`+SecretAccessKey,`AWS_SESSION_TOKEN=`+SessionToken]' --output text | sed 's/^/export /')
EC2 instances by tag as table
List running prod instances with id, private IP and AZ via JMESPath projection
aws ec2 describe-instances --filters Name=tag:Env,Values=prod Name=instance-state-name,Values=running --query 'Reservations[].Instances[].{id:InstanceId,ip:PrivateIpAddress,az:Placement.AvailabilityZone}' --output table
S3 sync with delete + excludes
Mirror dir to bucket; --delete removes stale keys. note: --size-only skips mtime checks
aws s3 sync ./ s3://<name>/ --delete --exclude '*.tmp' --exclude '.git/*' --size-only
Presigned S3 download URL
Generate a time-limited download URL without making the object public
aws s3 presign s3://<name>/path/file.tgz --expires-in 3600
Update kubeconfig for EKS
Add/refresh an EKS context with a clean alias instead of the long ARN
aws eks update-kubeconfig --name <cluster> --region <id> --alias <cluster> --kubeconfig ~/.kube/config
ECR docker login
Auth Docker to ECR via stdin so the token never lands in shell history
aws ecr get-login-password --region <id> | docker login --username AWS --password-stdin <id>.dkr.ecr.<id>.amazonaws.com
SSM shell without SSH
Open an interactive shell on an instance with no open port 22 or bastion
aws ssm start-session --target i-<id> --region <id>
Tail Lambda/CloudWatch logs
Live-stream a log group like tail -f. modern: replaces clunky filter-log-events polling
aws logs tail /aws/lambda/<name> --follow --since 10m --format short
Simulate IAM policy decision
Test if a principal can do an action before granting; explains allow/deny
aws iam simulate-principal-policy --policy-source-arn <id> --action-names s3:GetObject --resource-arns <id> --query 'EvaluationResults[].{action:EvalActionName,decision:EvalDecision}' --output table
Read a secret value
Fetch a JSON secret and extract one field. note: value appears in process args
aws secretsmanager get-secret-value --secret-id <name> --query SecretString --output text | jq -r '.password'
Cheapest spot price by AZ
Sort current spot history to find the cheapest AZ for an instance type
aws ec2 describe-spot-price-history --instance-types m6i.large --product-descriptions 'Linux/UNIX' --start-time $(date -u +%Y-%m-%dT%H:%M:%S) --query 'sort_by(SpotPriceHistory,&SpotPrice)[0:5].[AvailabilityZone,SpotPrice]' --output table
Deploy CloudFormation stack
Idempotent deploy; CAPABILITY_NAMED_IAM required when template creates IAM roles
aws cloudformation deploy --template-file stack.yaml --stack-name <name> --capabilities CAPABILITY_NAMED_IAM --parameter-overrides Env=prod --no-fail-on-empty-changeset
Count results with JMESPath
Count unattached EBS volumes in one call using length(); --profile/--region scope it
aws ec2 describe-volumes --filters Name=status,Values=available --query 'length(Volumes[])' --output text --profile staging --region <id>
no commands match