aws

14 commands

14 shown

Who am I / which account Confirm active account, ARN and assumed role before running risky commands aws sts get-caller-identity --query '{acct:Account,arn:Arn}' --output table #aws#security#troubleshooting Assume role and export creds Assume an IAM role and inject temp creds into the shell env in one shot eval $(aws sts assume-role --role-arn <id> --role-session-name ops --query 'Credentials.[`AWS_ACCESS_KEY_ID=`+AccessKeyId,`AWS_SECRET_ACCESS_KEY=`+SecretAccessKey,`AWS_SESSION_TOKEN=`+SessionToken]' --output text | sed 's/^/export /') #aws#security#secrets EC2 instances by tag as table List running prod instances with id, private IP and AZ via JMESPath projection aws ec2 describe-instances --filters Name=tag:Env,Values=prod Name=instance-state-name,Values=running --query 'Reservations[].Instances[].{id:InstanceId,ip:PrivateIpAddress,az:Placement.AvailabilityZone}' --output table #aws#network#troubleshooting S3 sync with delete + excludes Mirror dir to bucket; --delete removes stale keys. note: --size-only skips mtime checks aws s3 sync ./ s3://<name>/ --delete --exclude '*.tmp' --exclude '.git/*' --size-only #aws#disk#cloud Presigned S3 download URL Generate a time-limited download URL without making the object public aws s3 presign s3://<name>/path/file.tgz --expires-in 3600 #aws#security#cloud Update kubeconfig for EKS Add/refresh an EKS context with a clean alias instead of the long ARN aws eks update-kubeconfig --name <cluster> --region <id> --alias <cluster> --kubeconfig ~/.kube/config #aws#k8s#gitops ECR docker login Auth Docker to ECR via stdin so the token never lands in shell history aws ecr get-login-password --region <id> | docker login --username AWS --password-stdin <id>.dkr.ecr.<id>.amazonaws.com #aws#security#ci SSM shell without SSH Open an interactive shell on an instance with no open port 22 or bastion aws ssm start-session --target i-<id> --region <id> #aws#security#network Tail Lambda/CloudWatch logs Live-stream a log group like tail -f. modern: replaces clunky filter-log-events polling aws logs tail /aws/lambda/<name> --follow --since 10m --format short #aws#observability#debug Simulate IAM policy decision Test if a principal can do an action before granting; explains allow/deny aws iam simulate-principal-policy --policy-source-arn <id> --action-names s3:GetObject --resource-arns <id> --query 'EvaluationResults[].{action:EvalActionName,decision:EvalDecision}' --output table #aws#security#troubleshooting Read a secret value Fetch a JSON secret and extract one field. note: value appears in process args aws secretsmanager get-secret-value --secret-id <name> --query SecretString --output text | jq -r '.password' #aws#secrets#security Cheapest spot price by AZ Sort current spot history to find the cheapest AZ for an instance type aws ec2 describe-spot-price-history --instance-types m6i.large --product-descriptions 'Linux/UNIX' --start-time $(date -u +%Y-%m-%dT%H:%M:%S) --query 'sort_by(SpotPriceHistory,&SpotPrice)[0:5].[AvailabilityZone,SpotPrice]' --output table #aws#performance#cloud Deploy CloudFormation stack Idempotent deploy; CAPABILITY_NAMED_IAM required when template creates IAM roles aws cloudformation deploy --template-file stack.yaml --stack-name <name> --capabilities CAPABILITY_NAMED_IAM --parameter-overrides Env=prod --no-fail-on-empty-changeset #aws#gitops#ci Count results with JMESPath Count unattached EBS volumes in one call using length(); --profile/--region scope it aws ec2 describe-volumes --filters Name=status,Values=available --query 'length(Volumes[])' --output text --profile staging --region <id> #aws#disk#cloud
no commands match