AWS CLI Installation and Configuration on Linux

The AWS CLI (Command Line Interface) lets you manage Amazon Web Services resources directly from your Linux terminal, making it essential for VPS users who work with S3, EC2, IAM, and other AWS services. This guide covers installing AWS CLI v2 on Linux, configuring credentials and profiles, and running practical commands to manage your AWS infrastructure from the command line.

Prerequisites

  • A Linux server running Ubuntu/Debian or CentOS/Rocky
  • An AWS account with IAM user credentials (access key ID and secret access key)
  • curl and unzip installed
  • Sudo or root access

Installing AWS CLI v2

AWS CLI v2 is distributed as a standalone binary — no Python environment required.

# Download the installer
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

# Unzip and install
unzip awscliv2.zip
sudo ./aws/install

# Verify installation
aws --version
# Output: aws-cli/2.x.x Python/3.x.x Linux/...

For ARM64 servers (e.g., Graviton-based):

curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

To update an existing installation:

sudo ./aws/install --update

Configuring Credentials

Generate an IAM access key from the AWS Console under IAM > Users > Security credentials, then configure the CLI:

aws configure
# AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name [None]: us-east-1
# Default output format [None]: json

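This writes to two files: the access key pair goes to ~/.aws/credentials, and the region and output format go to ~/.aws/config: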

# ~/.aws/credentials
cat ~/.aws/credentials

# ~/.aws/config
cat ~/.aws/config

You can also set credentials via environment variables (useful in scripts and CI/CD):

export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1

Named Profiles

Named profiles let you manage multiple AWS accounts or IAM roles from one machine.

# Create a named profile
aws configure --profile production

# Use a named profile in a command
aws s3 ls --profile production

# Set a default profile for the session
export AWS_PROFILE=production

Manual profile configuration in ~/.aws/credentials:

[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[production]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

[staging]
aws_access_key_id = AKIAIOSFODNN7STAGING
aws_secret_access_key = stagingSecretKeyExample
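
A credentials file like the one above holds long-term secrets in plain text, so its file mode and the kind of key stored in each profile are worth checking. The following is an added example, not part of the original guide: a shell function that reports a mode readable by other local users and every profile holding a long-term key (IDs starting with AKIA; temporary STS keys start with ASIA). The function names and finding labels are assumptions of this example.

```shell
# Added example (not from the original guide): audit a shared credentials file.
# Usage: audit_aws_credentials [path]   (default: ~/.aws/credentials)
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if missing.

file_mode() {
  # Octal permission bits: GNU stat first, BSD stat as a fallback.
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

audit_aws_credentials() {
  local file="${1:-$HOME/.aws/credentials}" mode findings
  [ -f "$file" ] || { echo "MISSING $file"; return 2; }
  mode=$(file_mode "$file")
  findings=$(
    # Any group/other bit lets other local accounts read the secret keys.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
      echo "PERMS mode=$mode expected=600"
    fi
    # Track the current [profile] and flag long-term keys (AKIA prefix).
    # Temporary STS keys (ASIA prefix) expire on their own and are not flagged.
    awk '
      /^[ \t]*\[/ { p = $0; sub(/^[ \t]*\[/, "", p); sub(/\].*$/, "", p); next }
      /^[ \t]*aws_access_key_id[ \t]*=/ {
        k = $0; sub(/^[^=]*=[ \t]*/, "", k)
        if (k ~ /^AKIA/) print "STATIC_KEY profile=" p
      }
    ' "$file"
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}
```

The findings name only the profile, so the output can go into a log or ticket without exposing key material.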

Role assumption via profile (~/.aws/config):

[profile assume-role]
role_arn = arn:aws:iam::123456789012:role/MyRole
source_profile = default

Output Formats and Regions

# Available output formats: json, yaml, text, table
aws ec2 describe-instances --output table
aws ec2 describe-instances --output text
aws ec2 describe-instances --output yaml

# Override region per command
aws s3 ls --region eu-west-1

# Use JMESPath query to filter output
aws ec2 describe-instances \
  --query 'Reservations[*].Instances[*].[InstanceId,State.Name,PublicIpAddress]' \
  --output table

Practical S3 and EC2 Commands

S3 Operations

# List all buckets
aws s3 ls

# List objects in a bucket
aws s3 ls s3://my-bucket/

# Copy a file to S3
aws s3 cp /local/file.txt s3://my-bucket/backups/

# Sync a directory to S3
aws s3 sync /var/www/html s3://my-bucket/website/

# Download from S3
aws s3 cp s3://my-bucket/backups/file.txt /local/restore/

# Remove an object
aws s3 rm s3://my-bucket/old-file.txt

# Create a bucket
aws s3 mb s3://my-new-bucket --region us-east-1

EC2 Operations

# List running instances
aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=running" \
  --query 'Reservations[*].Instances[*].[InstanceId,InstanceType,PublicIpAddress]' \
  --output table

# Start and stop instances
aws ec2 start-instances --instance-ids i-1234567890abcdef0
aws ec2 stop-instances --instance-ids i-1234567890abcdef0

# Describe security groups
aws ec2 describe-security-groups --output table

IAM and Security Best Practices

# List IAM users
aws iam list-users --output table

# Check current caller identity
aws sts get-caller-identity

# Create a minimal IAM policy (S3 read-only example)
cat > s3-readonly-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    }
  ]
}
EOF

aws iam create-policy \
  --policy-name S3ReadOnly \
  --policy-document file://s3-readonly-policy.json

Rotate credentials regularly and avoid using root account access keys. For EC2 instances, use IAM instance roles instead of embedding credentials.
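
Rotation only happens if overdue keys are found. The following is an added example, not part of the original guide: a function that reads the tab-separated text output of `aws iam list-access-keys` and flags active keys older than a threshold. The function name, the 90-day default, and the output label are assumptions of this example, and it relies on `date -d` as found on Linux.

```shell
# Added example (not from the original guide): flag access keys due for rotation.
# Input on stdin: rows of UserName<TAB>AccessKeyId<TAB>Status<TAB>CreateDate,
# as produced by:
#   aws iam list-access-keys --user-name "$user" \
#     --query 'AccessKeyMetadata[].[UserName,AccessKeyId,Status,CreateDate]' \
#     --output text

stale_access_keys() {
  # $1 = maximum key age in days (assumed default: 90)
  # $2 = "now" as epoch seconds (defaults to the current time)
  local max_days="${1:-90}" now="${2:-$(date -u +%s)}"
  local user key status created created_epoch age rc=0
  while IFS="$(printf '\t')" read -r user key status created; do
    [ -n "$key" ] || continue
    # Inactive keys cannot sign requests; only active ones need rotating.
    [ "$status" = "Active" ] || continue
    # Compare whole days: keep only the date part of the ISO 8601 timestamp.
    created_epoch=$(date -u -d "${created%%T*}" +%s) || continue
    age=$(( (now - created_epoch) / 86400 ))
    if [ "$age" -gt "$max_days" ]; then
      printf 'ROTATE user=%s key=%s age_days=%s\n' "$user" "$key" "$age"
      rc=1
    fi
  done
  return "$rc"
}
```

The function returns 1 when at least one key is overdue, so it can gate a scheduled job or CI step.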

Troubleshooting

"Unable to locate credentials"

# Verify the credentials file exists (note: this prints the secret keys to the terminal)
cat ~/.aws/credentials

# Check environment variables
env | grep AWS

"Invalid region" errors

# List valid regions
aws ec2 describe-regions --output table

# Ensure region is set
aws configure get region

SSL certificate errors

# Disable SSL verification (not recommended for production)
aws s3 ls --no-verify-ssl

# Or specify a custom CA bundle
export AWS_CA_BUNDLE=/path/to/ca-bundle.crt

Permission denied errors

# Check your IAM permissions
aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::123456789012:user/myuser \
  --action-names s3:ListBucket \
  --resource-arns arn:aws:s3:::my-bucket

Conclusion

The AWS CLI provides full control over your AWS infrastructure from any Linux server. With named profiles, IAM role assumption, and JMESPath filtering, you can build powerful automation scripts that interact with S3, EC2, and hundreds of other AWS services securely and efficiently.