Claude-skill-registry-data mastering-aws-cli

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry-data
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry-data "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/mastering-aws-cli" ~/.claude/skills/majiayu000-claude-skill-registry-data-mastering-aws-cli && rm -rf "$T"
manifest: data/mastering-aws-cli/SKILL.md
source content

AWS CLI v2 Quick Reference

A unified tool to manage AWS services from the terminal. This guide focuses on CLI v2 features, practical examples, and advanced patterns for experienced developers.

Quick Start

# Verify installation and version
aws --version

# Interactive configuration
aws configure                    # Access keys + region + output format
aws configure sso               # IAM Identity Center (SSO) - recommended

# Verify identity
aws sts get-caller-identity     # Shows Account, UserId, ARN

# Enable auto-prompt for command discovery
aws dynamodb --cli-auto-prompt

Power User Tips

# See all waiter commands for a service
aws ec2 wait help

# Generate command skeleton (fill in the blanks)
aws lambda create-function --generate-cli-skeleton > create-fn.json

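# Create CLI alias for common commands
# (aliases are read from ~/.aws/cli/alias under [toplevel]; "aws configure set" does not create them)
mkdir -p ~/.aws/cli
printf '[toplevel]\nwhoami = sts get-caller-identity\n' > ~/.aws/cli/alias  # new file; if one exists, add the line under its [toplevel] section instead
aws whoami  # Now works!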

# Disable pager for scripting
export AWS_PAGER=""

See Advanced Patterns for JMESPath mastery and automation tricks.

Global Options

| Flag | Description |
|---|---|
| --profile NAME | Use named profile from ~/.aws/credentials |
| --region REGION | Override default region (e.g., us-east-1) |
| --output FORMAT | Output: json (default), text, table, yaml, yaml-stream |
| --query EXPR | Filter output using JMESPath expressions |
| --no-paginate | Disable auto-pagination (first page only) |
| --dry-run | Check permissions without executing (EC2, etc.) |
| --debug | Verbose HTTP/API debug logging |
| --cli-auto-prompt | Interactive parameter completion |
| --no-cli-pager | Disable output paging |

Decision Trees

Compute & Containers

Need compute?
├── Serverless functions ────────────► Lambda (references/lambda.md)
├── Docker containers
│   ├── Managed orchestration ───────► ECS (references/ecs.md)
│   ├── Kubernetes ──────────────────► EKS (references/eks.md)
│   └── Container registry ──────────► ECR (references/ecr.md)
└── Virtual machines ────────────────► EC2 (use aws ec2 commands)

Data & Storage

Need data storage?
├── Object/blob storage ─────────────► S3 (references/s3.md)
├── NoSQL (key-value/document) ──────► DynamoDB (references/dynamodb.md)
├── Relational SQL ──────────────────► Aurora/RDS (references/aurora.md)
├── Data catalog & ETL ──────────────► Glue (references/glue.md)
└── Data warehouse ──────────────────► Redshift (aws redshift commands)

Streaming & Messaging

Need streaming/messaging?
├── Kafka-compatible ────────────────► MSK (references/msk.md)
├── Real-time streams ───────────────► Kinesis (references/kinesis.md)
├── Message queues ──────────────────► SQS (aws sqs commands)
└── Pub/Sub notifications ───────────► SNS (aws sns commands)

Security & Access

Need security/access management?
├── Users, roles, policies ──────────► IAM (references/iam-security.md)
├── Secrets & credentials ───────────► Secrets Manager/SSM (references/private-parameters.md)
├── Private network access ──────────► VPC (references/vpc-networking.md)
└── Secure tunneling ────────────────► SSM/Bastion (references/bastion-tunneling.md)

Reference File Navigation

| Reference | Description | Key Triggers |
|---|---|---|
| Setup | Installation, configuration, profiles, SSO | install, configure, sso, profile |
| IAM & Security | Roles, policies, STS, MFA, cross-account | iam, role, policy, sts, assume-role |
| Lambda | Functions, layers, aliases, URLs, events | lambda, serverless, function |
| ECS | Clusters, tasks, services, Fargate | ecs, fargate, task, container |
| EKS | Clusters, node groups, kubeconfig, IRSA | eks, kubernetes, kubectl, k8s |
| ECR | Repositories, auth, scanning, lifecycle | ecr, docker, registry, image |
| S3 | Buckets, objects, sync, presign, lifecycle | s3, bucket, upload, sync |
| DynamoDB | Tables, items, queries, streams, backups | dynamodb, ddb, nosql |
| Aurora/RDS | Clusters, serverless v2, cloning, blue-green | rds, aurora, mysql, postgresql |
| Glue | Catalog, crawlers, ETL jobs, workflows | glue, etl, catalog, crawler |
| MSK | Kafka clusters, serverless, configuration | msk, kafka, streaming |
| Kinesis | Data streams, Firehose, consumers | kinesis, stream, firehose |
| Secrets & Params | Parameter Store, Secrets Manager, rotation | ssm, secrets, parameter, rotation |
| VPC & Networking | VPCs, subnets, security groups, endpoints | vpc, subnet, security-group, endpoint |
| Bastion & Tunneling | SSM Session Manager, port forwarding | bastion, tunnel, ssm, ssh |
| GitHub CI/CD | OIDC, GitHub Actions, CodeBuild | github, actions, oidc, cicd |
| Advanced Patterns | JMESPath, waiters, skeletons, aliases | jmespath, query, waiter, alias |

Environment Variables

| Variable | Purpose | Example |
|---|---|---|
| AWS_ACCESS_KEY_ID | Access key for authentication | AKIAIOSFODNN7EXAMPLE |
| AWS_SECRET_ACCESS_KEY | Secret key for authentication | wJalrXUtnFEMI/... |
| AWS_SESSION_TOKEN | Session token (temporary credentials) | For STS assume-role |
| AWS_PROFILE | Named profile to use | production |
| AWS_REGION | AWS region for requests | us-west-2 |
| AWS_DEFAULT_OUTPUT | Default output format | json, text, table |
| AWS_PAGER | Pager program (empty to disable) | "" |
| AWS_CONFIG_FILE | Custom config file path | ~/.aws/config |
| AWS_SHARED_CREDENTIALS_FILE | Custom credentials file path | ~/.aws/credentials |
| AWS_CA_BUNDLE | Custom CA certificate bundle | /path/to/cert.pem |
| AWS_RETRY_MODE | Retry mode | standard, adaptive |

Credential Precedence

The CLI resolves credentials in this order (first match wins):

  1. Command-line options (--profile, explicit credentials)
  2. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  3. Web identity token (EKS IRSA, OIDC)
  4. SSO credentials (IAM Identity Center)
  5. Credentials file (~/.aws/credentials)
  6. Config file (~/.aws/config with credential_process)
  7. Container credentials (ECS task role)
  8. Instance metadata (EC2 instance profile, IMDSv2)
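
The precedence list above as a local check, added here as an illustration (it is not part of the original skill and is not the CLI's own resolver). The helper names aws_cred_source, section_has and demo_shadowing are hypothetical, the profile and key values are constructed, and only the environment variables and INI keys named in the code are inspected.

```bash
# Added example: follows the precedence list above; not the CLI's own resolver.

# section_has FILE SECTION KEY_REGEX -> 0 if that INI section sets a matching key
section_has() {
  [ -r "$1" ] || return 1
  awk -v sec="[$2]" -v key="^[ \t]*($3)[ \t]*=" '
    /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); insec = ($0 == sec); next }
    insec && $0 ~ key { found = 1 }
    END { exit !found }' "$1"
}

# aws_cred_source [PROFILE] -> first source in the list that would supply credentials.
# PROFILE stands for an explicit --profile on the command line.
aws_cred_source() (
  cli_profile=${1:-}
  profile=${cli_profile:-${AWS_PROFILE:-default}}
  creds=${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}
  config=${AWS_CONFIG_FILE:-$HOME/.aws/config}
  # ~/.aws/config names sections "[profile NAME]", except "[default]"
  case $profile in default) sec=default ;; *) sec="profile $profile" ;; esac

  if [ -z "$cli_profile" ] && [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo environment            # item 2; an explicit --profile (item 1) outranks exported keys
  elif [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] && [ -n "${AWS_ROLE_ARN:-}" ]; then
    echo web-identity
  elif section_has "$config" "$sec" 'sso_session|sso_start_url'; then
    echo sso
  elif section_has "$creds" "$profile" 'aws_access_key_id'; then
    echo credentials-file
  elif section_has "$config" "$sec" 'credential_process'; then
    echo credential-process
  elif [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]; then
    echo container
  else
    echo instance-metadata-or-none
  fi
)

# Constructed demo: a key pair left exported in the shell shadows the SSO profile.
demo_shadowing() (
  d=$(mktemp -d) || exit 1
  HOME=$d; mkdir -p "$HOME/.aws"
  printf '[profile production]\nsso_session = corp\n' > "$HOME/.aws/config"
  unset AWS_WEB_IDENTITY_TOKEN_FILE AWS_ROLE_ARN AWS_CONFIG_FILE AWS_SHARED_CREDENTIALS_FILE
  export AWS_PROFILE=production AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE AWS_SECRET_ACCESS_KEY=constructed
  echo "AWS_PROFILE only: $(aws_cred_source) | --profile: $(aws_cred_source production)"
  rm -rf "$d"
)
demo_shadowing
```

Run it before a sensitive command to catch a forgotten exported key pair; confirm the result against the live identity with aws sts get-caller-identity.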

Common Patterns

Profile Switching

# Use specific profile for one command
aws s3 ls --profile production

# Set default profile for session
export AWS_PROFILE=production

# List configured profiles
aws configure list-profiles

Output Filtering with JMESPath

# Get specific fields
aws ec2 describe-instances \
    --query 'Reservations[*].Instances[*].[InstanceId,State.Name]' \
    --output table

# Filter running instances
aws ec2 describe-instances \
    --query 'Reservations[*].Instances[?State.Name==`running`].InstanceId' \
    --output text

Wait for Resource State

# Wait for instance to be running
aws ec2 wait instance-running --instance-ids i-1234567890abcdef0

# Wait for Lambda function update
aws lambda wait function-updated --function-name my-function

Best Practices

| Category | Recommendation |
|---|---|
| Security | Use aws configure sso over long-lived access keys |
| Security | Use IAM roles for compute (EC2/Lambda/ECS) instead of embedded keys |
| Security | Enable MFA for sensitive operations |
| Scripting | Use --output json or --output text for parsing |
| Scripting | Use --query to filter data and reduce output |
| Safety | Use --dry-run before destructive operations |
| Performance | Use --page-size to control memory on large lists |
| Regions | Explicitly set region in scripts to avoid surprises |
| Cost | Use lifecycle policies (S3/ECR) for automatic cleanup |
| Debugging | Use --debug to see raw HTTP requests/responses |

Common Errors Quick Reference

| Error | Cause | Fix |
|---|---|---|
| ExpiredToken | Session credentials expired | Run aws sso login or aws sts get-session-token |
| AccessDenied | Missing IAM permissions | Check IAM policy; use --debug to see required action |
| InvalidClientTokenId | Invalid access key | Verify AWS_ACCESS_KEY_ID or run aws configure |
| UnauthorizedAccess | Wrong region or account | Check --region flag and aws sts get-caller-identity |
| ThrottlingException | API rate limit exceeded | Add retry logic with exponential backoff |
| NoCredentialProviders | No credentials found | Check credential chain; run aws configure list |

For detailed troubleshooting, see Setup.

When Not to Use

  • AWS SDK code — For boto3, AWS SDK for JavaScript, etc., use programming documentation
  • CloudFormation/Terraform — This skill covers CLI commands, not IaC templates
  • Console UI steps — CLI-focused; use AWS documentation for console walkthroughs
  • Pricing/billing — Use AWS pricing calculator or Cost Explorer documentation

Quick Command Reference

# Identity & Access
aws sts get-caller-identity
# → {"Account": "123456789012", "UserId": "AIDAEXAMPLE", "Arn": "arn:aws:iam::123456789012:user/dev"}

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Admin --role-session-name mysession
# → {"Credentials": {"AccessKeyId": "ASIA...", "SecretAccessKey": "...", "SessionToken": "..."}}

# S3
aws s3 ls
# → 2024-01-15 bucket-name-1
# → 2024-02-20 bucket-name-2

aws s3 sync ./local s3://bucket/prefix --delete

# Lambda
aws lambda invoke --function-name fn response.json
# → {"StatusCode": 200, "ExecutedVersion": "$LATEST"}

aws lambda update-function-code --function-name fn --zip-file fileb://code.zip
# → {"FunctionName": "fn", "LastModified": "2024-12-28T...", "State": "Active"}

# ECS
aws ecs list-clusters
# → {"clusterArns": ["arn:aws:ecs:us-east-1:123456789012:cluster/prod"]}

aws ecs update-service --cluster prod --service api --force-new-deployment

# EKS
aws eks update-kubeconfig --name my-cluster
# → Added new context arn:aws:eks:us-east-1:123456789012:cluster/my-cluster

aws eks list-clusters
# → {"clusters": ["my-cluster", "dev-cluster"]}

# Secrets
aws secretsmanager get-secret-value --secret-id prod/api/key --query SecretString --output text
# → sk_live_xxxxxxxxxxxxx

aws ssm get-parameter --name /app/prod/db/host --with-decryption --query Parameter.Value --output text
# → db.example.com

# Debugging
aws ssm start-session --target i-0123456789abcdef0
# → Starting session with SessionId: user-0a1b2c3d4e5f67890