Tips and tricks for working with the AWS CLI

Assume a Role

  • With the correct permissions, we can assume an IAM role.

  • The session name doesn't matter

aws sts assume-role --role-arn <role-arn> --role-session-name <session-name>

Configure Role Credentials

  • After setting up the associated access keys with aws configure, we can run this command to store the session token associated with the role in the same profile.

aws configure set aws_session_token <sessionToken> --profile myIamRole
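
The two steps above combined into one shell function, added here as an example (not part of the original notes): it uses --query to pull the three credential fields out of the assume-role response and writes them to the role profile with aws configure set. The function name store_role_creds and the default session name cli-session are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage: store_role_creds <source-profile> <role-arn> <target-profile> [session-name]
# Assumes the role using <source-profile>, then writes the temporary access
# key, secret key and session token into <target-profile>.
store_role_creds() (
    src=$1
    role_arn=$2
    dst=$3
    session=${4:-cli-session}   # assumed default; the name is arbitrary

    # --query selects only the three credential fields and --output text
    # prints them on one line, tab-separated, so no JSON parsing is needed.
    creds=$(aws --profile "$src" sts assume-role \
        --role-arn "$role_arn" --role-session-name "$session" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || exit 1

    # Split into positional parameters; globbing off so values stay literal.
    set -f
    set -- $creds
    if [ $# -ne 3 ]; then
        echo "unexpected assume-role output" >&2
        exit 1
    fi

    # Temporary credentials need all three values in the same profile.
    aws configure set aws_access_key_id     "$1" --profile "$dst" &&
    aws configure set aws_secret_access_key "$2" --profile "$dst" &&
    aws configure set aws_session_token     "$3" --profile "$dst"
)
```

The function runs in a subshell, so the credential values never become variables in the calling shell; they expire with the role session and the function has to be run again to refresh them.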


  • The --query option provides a way to search a command's output for certain things.

  • jq is another tool that can be used for this.

Example output

aws ec2 describe-security-groups

    "SecurityGroups": [
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [
                            "GroupId": "sg-0494280510832e7b2",

Attribute Contains

  • Query the GroupName attribute that contains VPC

aws ec2 describe-security-groups --query "SecurityGroups[?contains(GroupName, 'VPC')]"

  • Query the nested IpProtocol attribute that contains -1

aws ec2 describe-security-groups --query "SecurityGroups[?IpPermissions[?contains(IpProtocol,'-1')]]"

Attribute is Exactly

  • Query the Description attribute that is exactly default VPC security group

aws ec2 describe-security-groups --query "SecurityGroups[?Description=='default VPC security group']"

  • Query the nested GroupId attribute that is exactly sg-0494280510832e7b2

aws ec2 describe-security-groups --query "SecurityGroups[?IpPermissions[?UserIdGroupPairs[?GroupId=='sg-0494280510832e7b2']]]"
