Create an access key ID and secret access key

• Next steps (p. 6)

Step 1: Sign up to AWS

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account

1. Open https://portal.aws.amazon.com/billing/signup.

2. Follow the online instructions.

Part of the sign-up procedure involves receiving a phone call and entering a veriﬁcation code on the phone keypad.

Step 2: Create an IAM user account

To create an administrator user for yourself and add the user to an administrators group (console)

1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

NoteWe strongly recommend that you adhere to the best practice of using the Administrator IAM user that follows and securely lock away the root user credentials. Sign in as the root user only to perform a few account and service management tasks.

2. In the navigation pane, choose Users and then choose Add user.

3. For User name, enter Administrator.

4. Select the check box next to AWS Management Console access. Then select Custom password, and then enter your new password in the text box.

5. (Optional) By default, AWS requires the new user to create a new password when ﬁrst signing in. You can clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.

6. Choose Next: Permissions.

7. Under Set permissions, choose Add user to group.

8. Choose Create group.

9. In the Create group dialog box, for Group name enter Administrators.

10. Choose Filter policies, and then select AWS managed - job function to ﬁlter the table contents.

11. In the policy list, select the check box for AdministratorAccess. Then choose Create group.

NoteYou must activate IAM user and role access to Billing before you can use the

AdministratorAccess permissions to access the AWS Billing and Cost Management console. To do this, follow the instructions in step 1 of the tutorial about delegating access to the billing console.

12. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.

13. Choose Next: Tags.

14. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM entities in the IAM User Guide.

15. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.

You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to speciﬁc AWS resources, see Access management and Example policies.

Step 3: Create an access key ID and secret access key

For CLI access, you need an access key ID and secret access key. Use IAM user access keys instead of AWS account root user access keys. IAM lets you securely control access to AWS services and resources in your AWS account. For more information about creating access keys, see Understanding and getting your security credentials in the AWS General Reference.

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. If you don't have access keys, you can create them from the AWS Management Console. As a best practice, do not use the AWS account root user access keys for any task where it's not required. Instead, create a new administrator IAM user with access keys for yourself.

The only time that you can view or download the secret access key is when you create the keys. You cannot recover them later. However, you can create new access keys at any time. You must also have permissions to perform the required IAM actions. For more information, see Permissions required to access IAM resources in the IAM User Guide.

To create access keys for an IAM user

1. Sign in to the AWS Management Console and open the IAM console at https://

console.aws.amazon.com/iam/.

2. In the navigation pane, choose Users.

3. Choose the name of the user whose access keys you want to create, and then choose the Security credentials tab.

4. In the Access keys section, choose Create access key.

5. To view the new access key pair, choose Show. You will not have access to the secret access key again after this dialog box closes. Your credentials will look something like this:

• Access key ID: AKIAIOSFODNN7EXAMPLE

• Secret access key: wJalrXUtnFEMI/K7MDENG/bPxRﬁCYEXAMPLEKEY

6. To download the key pair, choose Download .csv ﬁle. Store the keys in a secure location. You will not have access to the secret access key again after this dialog box closes.

Keep the keys conﬁdential in order to protect your AWS account and never email them. Do not share them outside your organization, even if an inquiry appears to come from AWS or Amazon.com. No one who legitimately represents Amazon will ever ask you for your secret key.

7. After you download the .csv ﬁle, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.

Related topics

• What is IAM? in the IAM User Guide

• AWS security credentials in AWS General Reference

Next steps

After creating an AWS account, IAM credentials, and an IAM access key pair, to use the AWS CLI you can do one of the following:

• Install the latest release (p. 6) of the AWS CLI version 2 on your computer.

• Install a past release (p. 15) of the AWS CLI version 2 on your computer.

• Access the AWS CLI version 2 from your computer using a Docker image. (p. 25)

• Access the AWS CLI version 2 in the AWS console from your browser using AWS CloudShell. For more information see the AWS CloudShell User Guide.

Installing or updating the latest version of the AWS CLI

This topic describes how to install or update the latest release of the AWS Command Line Interface (AWS CLI) on supported operating systems. For information on the latest releases of AWS CLI, see the AWS CLI change notes on GitHub.

To install a past release of the AWS CLI, see the section called “Past releases” (p. 15).

For uninstall instructions, see Uninstall (p. 208).

Important

AWS CLI versions 1 and 2 use the same aws command name. If you have both versions installed, your computer uses the ﬁrst one found in your search path. If you previously installed AWS CLI version 1, we recommend that you do one of the following to use AWS CLI version 2:

• Recommended – Uninstall AWS CLI version 1 and use only AWS CLI version 2. For uninstall instructions, determine the method you used to install AWS CLI version 1 and follow the appropriate uninstall instructions for your operating system in Installing, updating, and uninstalling the AWS CLI version 1.

• Use your operating system's ability to create a symbolic link (symlink) or alias with a diﬀerent name for one of the two aws commands. For example, you can use a symbolic link or alias on Linux and macOS, or DOSKEY on Windows.

For information on breaking changes between version 1 and version 2, see Breaking changes – Migrating from AWS CLI version 1 to version 2 (p. 201).

AWS CLI installation instructions:

Linux

Installation requirements

• You must be able to extract or "unzip" the downloaded package. If your operating system doesn't have the built-in unzip command, use an equivalent.

• The AWS CLI uses glibc, groff, and less. These are included by default in most major distributions of Linux.

• We support the AWS CLI on 64-bit versions of recent distributions of CentOS, Fedora, Ubuntu, Amazon Linux 1, Amazon Linux 2 and Linux ARM.

• Because AWS doesn't maintain third-party repositories, we can’t guarantee that they contain the latest version of the AWS CLI.

Installation instructions

Follow these steps from the command line to install the AWS CLI on Linux.

We provide the steps in one easy to copy and paste group based on whether you use 64-bit Linux or Linux ARM. See the descriptions of each line in the steps that follow.

Linux x86 (64-bit)

$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

unzip awscliv2.zip sudo ./aws/install

Linux ARM

$ curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"

unzip awscliv2.zip sudo ./aws/install

1. Download the installation ﬁle in one of the following ways:

Linux x86 (64-bit)

• Use the curl command – The -o option speciﬁes the ﬁle name that the downloaded package is written to. The options on the following example command write the downloaded ﬁle to the current directory with the local name awscliv2.zip.

$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

• Downloading from the URL – To download the installer with your browser, use the following URL: https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip

(Optional) To verify the integrity and authenticity of your downloaded installation ﬁle before you unpack the package, follow the instructions in the section called “(Optional) Verifying the integrity of your downloaded zip ﬁle” (p. 9).

Linux ARM

$ curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"

• Downloading from the URL – To download the installer with your browser, use the following URL: https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip

2. Unzip the installer. If your Linux distribution doesn't have a built-in unzip command, use an equivalent to unzip it. The following example command unzips the package and creates a directory named aws under the current directory.

$ unzip awscliv2.zip

3. Run the install program. The installation command uses a ﬁle named install in the newly unzipped aws directory. By default, the ﬁles are all installed to /usr/local/aws-cli, and a symbolic link is created in /usr/local/bin. The command includes sudo to grant write permissions to those directories.

$ sudo ./aws/install

You can install without sudo if you specify directories that you already have write permissions to.

Use the following instructions for the install command to specify the installation location:

• Ensure that the paths you provide to the -i and -b parameters contain no volume name or directory names that contain any space characters or other white space characters. If there is a space, the installation fails.

• --install-dir or -i – This option speciﬁes the directory to copy all of the ﬁles to.

The default value is /usr/local/aws-cli.

• --bin-dir or -b – This option speciﬁes that the main aws program in the install directory is symbolically linked to the ﬁle aws in the speciﬁed path. You must have write permissions to the

speciﬁed directory. Creating a symlink to a directory that is already in your path eliminates the need to add the install directory to the user's $PATH variable.

The default value is /usr/local/bin.

$ ./aws/install -i /usr/local/aws-cli -b /usr/local/bin

Note

To update your current installation of the AWS CLI, add your existing symlink and installer information to construct the install command with the --update parameter.

$ sudo ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update

To locate the existing symlink and installation directory, use the following steps:

1. Use the which command to ﬁnd your symlink. This gives you the path to use with the --bin-dir parameter.

$ which aws

/usr/local/bin/aws

2. Use the ls command to ﬁnd the directory that your symlink points to. This gives you the path to use with the --install-dir parameter.

$ ls -l /usr/local/bin/aws

lrwxrwxrwx 1 ec2-user ec2-user 49 Oct 22 09:49 /usr/local/bin/aws -> /usr/

local/aws-cli/v2/current/bin/aws

4. Conﬁrm the installation with the following command.

$ aws --version

aws-cli/2.4.5 Python/3.8.8 Linux/4.14.133-113.105.amzn2.x86_64 botocore/2.4.5

If the aws command cannot be found, you may need to restart your terminal or follow the instructions in the section called “Add to path” (p. 30).

(Optional) Verifying the integrity of your downloaded zip ﬁle

If you chose to manually download the AWS CLI installer package .zip in the above steps, you use can use the following steps to verify the signatures by using the GnuPG tool.

The AWS CLI installer package .zip ﬁles are cryptographically signed using PGP signatures. If there is any damage or alteration of the ﬁles, this veriﬁcation fails and you should not proceed with installation.

1. Download and install the gpg command using your package manager. For more information about GnuPG, see the GnuPG website.

2. To create the public key ﬁle, create a text ﬁle and paste in the following text.

---BEGIN PGP PUBLIC KEY

BLOCK---mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G

gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk

---END PGP PUBLIC KEY

BLOCK---For reference, the following are the details of the public key.

Key ID: A6310ACC4672

Key fingerprint: FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C

3. Import the AWS CLI public key with the following command, substituting public-key-file-name with the ﬁle name of the public key you created.

$ gpg --import public-key-file-name

gpg: /home/username/.gnupg/trustdb.gpg: trustdb created

gpg: key A6310ACC4672475C: public key "AWS CLI Team <[email protected]>" imported gpg: Total number processed: 1

gpg: imported: 1

4. Download the AWS CLI signature ﬁle for the package you downloaded. It has the same path and name as the .zip ﬁle it corresponds to, but has the extension .sig. In the following examples, we save it to the current directory as a ﬁle named awscliv2.sig.

Linux x86 (64-bit)

For the latest version of the AWS CLI, use the following command block:

$ curl -o awscliv2.sig https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig

For a speciﬁc version of the AWS CLI, append a hyphen and the version number to the ﬁlename. For this example the ﬁlename for version 2.0.30 would be awscli-exe-linux-x86_64-2.0.30.zip.sig resulting in the following command:

$ curl -o awscliv2.sig https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.0.30.zip.sig

For a list of versions, see the AWS CLI changelog on GitHub.

Linux ARM

For the latest version of the AWS CLI, use the following command block:

$ curl -o awscliv2.sig https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip.sig

For a speciﬁc version of the AWS CLI, append a hyphen and the version number to the ﬁlename. For this example the ﬁlename for version 2.0.30 would be awscli-exe-linux-aarch64-2.0.30.zip.sig resulting in the following command:

$ curl -o awscliv2.sig https://awscli.amazonaws.com/awscli-exe-linux-aarch64-2.0.30.zip.sig

For a list of versions, see the AWS CLI changelog on GitHub.

5. Verify the signature, passing both the downloaded .sig and .zip ﬁle names as parameters to the gpg command.

$ gpg --verify awscliv2.sig awscliv2.zip

The output should look similar to the following.

gpg: Signature made Mon Nov 4 19:00:01 2019 PST

gpg: using RSA key FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C gpg: Good signature from "AWS CLI Team <[email protected]>" [unknown]

gpg: WARNING: This key is not certified with a trusted signature!

gpg: There is no indication that the signature belongs to the owner.

Primary key fingerprint: FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C

Important

The warning in the output is expected and doesn't indicate a problem. It occurs because there isn't a chain of trust between your personal PGP key (if you have one) and the AWS CLI PGP key. For more information, see Web of trust.

macOS

Installation requirements

• We support the AWS CLI on Apple-supported versions of 64-bit macOS.

• Because AWS doesn't maintain third-party repositories, we can’t guarantee that they contain the latest version of the AWS CLI.

Installation instructions

If you are updating to the latest version, use the same installation method that you used in your current version. You can install the AWS CLI on macOS in the following ways.

GUI installer

The following steps show how to install the latest version of the AWS CLI by using the standard macOS user interface and your browser.

1. In your browser, download the macOS pkg ﬁle: https://awscli.amazonaws.com/AWSCLIV2.pkg 2. Run your downloaded ﬁle and follow the on-screen instructions. You can choose to install the

AWS CLI in the following ways:

• For all users on the computer (requires sudo)

• You can install to any folder, or choose the recommended default folder of /usr/local/

aws-cli.

• The installer automatically creates a symlink at /usr/local/bin/aws that links to the main program in the installation folder you chose.

• For only the current user (doesn't require sudo)

• You can install to any folder to which you have write permission.

• Due to standard user permissions, after the installer ﬁnishes, you must manually create a symlink ﬁle in your $PATH that points to the aws and aws_completer programs by using the following commands at the command prompt. If your $PATH includes a folder you can write to, you can run the following command without sudo if you specify that folder as the target's path. If you don't have a writable folder in your $PATH, you must use sudo in the commands to get permissions to write to the speciﬁed target folder. The default location for a symlink is /usr/local/bin/.

$ sudo ln -s /folder/installed/aws-cli/aws /usr/local/bin/aws

$ sudo ln -s /folder/installed/aws-cli/aws_completer /usr/local/bin/

aws_completer

NoteYou can view debug logs for the installation by pressing Cmd+L anywhere in the installer. This opens a log pane that enables you to ﬁlter and save the log. The log ﬁle is also automatically saved to /var/log/install.log.

3. To verify that the shell can ﬁnd and run the aws command in your $PATH, use the following commands.

$ which aws

/usr/local/bin/aws

$ aws --version

aws-cli/2.4.5 Python/3.8.8 Darwin/18.7.0 botocore/2.4.5

If the aws command cannot be found, you may need to restart your terminal or follow the instructions in the section called “Add to path” (p. 30).

Command line installer - All users

If you have sudo permissions, you can install the AWS CLI for all users on the computer. We provide the steps in one easy to copy and paste group. See the descriptions of each line in the following steps.

$ curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"

在文檔中 AWS Command Line Interface (頁 11-145)