AWS CLI on your Desktop

NOT the AWS CLI…

Installing the AWS CLI on your local desktop is really simple.

1.) If it’s not already installed… Install PIP

2.) Install the “awscli” PIP Package.

3.) Run “aws configure” to store your Access Key ID / Secret Access Key and store your defaults.

There are instructions on the AWS documentation site, but they seem to be written from the perspective that you’re going to install the AWS CLI on an EC2 instance instead of your local desktop or laptop, because the examples reference the ec2-user account.

It would actually be more secure to use the AWS CLI on an EC2 instance that has been given access to the rest of the environment using IAM roles, but you can’t use IAM roles to grant access to your desktop or laptop. So you need to install the AWS CLI locally if you don’t want to log into an EC2 instance every time you need to modify your AWS environment.

Installing the AWS CLI version 1
(The link is for Version 1 because Version 2 is currently considered Preview Evaluation Software and is not recommended for use in a production environment.)

If you choose to follow the documentation above, I would recommend that you don’t use the “--user” switch. Doing so will place the awscli binary into your home directory and require that you add it to your search $PATH.

You’ll get a warning during installation, but I don’t think this will really cause problems as long as you drop out of root to configure the AWS CLI tool afterwards. (Otherwise, anyone with access to root can do things in AWS as you.)

If you leave the “--user” switch off, the AWS CLI software will install itself in /usr/local/bin, which should already be in your $PATH.

The AWS CLI will still store its configuration and credential files in the $HOME/.aws directory. So make sure you are NOT logged in as root when you run aws configure or anyone with root access on your system will have access to AWS as you.

Speaking of the configuration and credential files, don’t forget that your Access Key ID and Secret Access Key are the Keys to the Kingdom. Anyone with access to this keypair will have full access to your AWS environment as YOU. This is the source of the GitHub-based AWS breaches we keep hearing about in the news.

In the event that your desktop or laptop configured with the AWS CLI is stolen, you will want to have your Access Key ID and Secret Access Key revoked and new ones generated.
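A quick audit of the storage advice above, as an added example that is not part of the original post: it flags a root session and any file in the AWS CLI directory that group or other users can reach. The function names, the expectation of 700/600 style modes and the constructed sample directory are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit an AWS CLI configuration directory such as $HOME/.aws.

# Octal permission bits of a path: GNU stat first, BSD/macOS stat as fallback.
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_aws_dir DIR [UID]  (UID defaults to the current user; assumption: 700/600 modes)
# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
# The body is a subshell so its variables stay local.
audit_aws_dir() (
    dir=$1
    uid=${2:-$(id -u)}
    rc=0
    if [ "$uid" -eq 0 ]; then
        echo "FINDING: running as root; run aws configure as your own user"
        rc=1
    fi
    for p in "$dir" "$dir/credentials" "$dir/config"; do
        [ -e "$p" ] || continue
        mode=$(perm_bits "$p")
        case $mode in
            *00|0) ;;  # no group/other access
            *) echo "FINDING: $p is mode $mode; group/other can reach it"
               rc=1 ;;
        esac
    done
    if [ -f "$dir/credentials" ] &&
       grep -q '^[[:space:]]*aws_secret_access_key' "$dir/credentials"; then
        echo "NOTE: long-lived secret key stored in $dir/credentials"
    fi
    exit "$rc"
)

# Demo on a constructed directory; the key values are placeholders, not real keys.
demo() (
    tmp=$(mktemp -d) && mkdir "$tmp/.aws" || exit 2
    printf '[default]\naws_access_key_id = EXAMPLE_KEY_ID\naws_secret_access_key = EXAMPLE_SECRET\n' \
        > "$tmp/.aws/credentials"
    chmod 755 "$tmp/.aws"; chmod 644 "$tmp/.aws/credentials"
    audit_aws_dir "$tmp/.aws" 1000; rc=$?
    rm -rf "$tmp"
    exit "$rc"
)

demo || echo "(findings above are expected for the constructed directory)"
```

To check a real setup, call audit_aws_dir "$HOME/.aws" as the user who ran aws configure.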

Installing without the “--user” switch has the added benefit of easily making the software available to other users in the event that you have more than one user set up on your desktop.
