$ aws --version
aws-cli/2.0.47 Python/3.7.4 Linux/4.14.133-113.105.amzn2.x86_64 botocore/2.0.0
AWS CLI version 2
The AWS CLI version 2 is the most recent major version of the AWS CLI and supports all of the latest features. The AWS SAM CLI requires that the project directory, or any parent directory, is listed in a shared drive. To share drives on macOS, see File sharing.
It is easier to manage AWS S3 buckets and objects from the CLI. This tutorial explains the basics of how to manage S3 buckets and their objects using the aws s3 CLI, with the following examples:
For quick reference, here are the commands. For details on how these commands work, read the rest of the tutorial.
1. Create New S3 Bucket
Use mb option for this. mb stands for Make Bucket.
The following will create a new S3 bucket
In the above example, the bucket is created in the us-east-1 region, as that is what is specified in the user’s config file as shown below.
To set up your config file properly, use the aws configure command as explained here: 15 AWS Configure Command Examples to Manage Multiple Profiles for CLI
If the bucket already exists, and you own the bucket, you’ll get the following error message.
If the bucket already exists, but is owned by some other user, you’ll get the following error message.
In some situations, you might also get the following error message.
2. Create New S3 Bucket – Different Region
To create a bucket in a specific region (different from the one in your config file), use the --region option as shown below.
3. Delete S3 Bucket (That is empty)
Use rb option for this. rb stands for remove bucket.
The following deletes the given bucket.
If the bucket you are trying to delete doesn’t exist, you’ll get the following error message.
4. Delete S3 Bucket (And all its objects)
If the bucket contains objects, you’ll get the following error message:
To delete a bucket along with all its objects, use the --force option as shown below.
5. List All S3 Buckets
To view all the buckets owned by the user, execute the following ls command.
In the above output, the timestamp is the date the bucket was created. The time is adjusted to your laptop’s timezone.
The following command is the same as the above:
6. List All Objects in a Bucket
The following command displays all objects and prefixes under the tgsbucket.
In the above output:
- Inside the tgsbucket, there are two folders config and data (indicated by PRE)
- PRE stands for Prefix of an S3 object.
- Inside the tgsbucket, we have 4 files at the / level
- The timestamp is when the file was created
- The 2nd column displays the size of the S3 object
Note: The above output doesn’t display the content of sub-folders config and data
7. List all Objects in a Bucket Recursively
To display all the objects recursively including the content of the sub-folders, execute the following command.
Note: When you are listing all the files, notice how there is no PRE indicator in the 2nd column for the folders.
8. Total Size of All Objects in a S3 Bucket
You can identify the total size of all the files in your S3 bucket by using a combination of the following three options: recursive, human-readable, summarize
Note: The following displays both total file size in the S3 bucket, and the total number of files in the s3 bucket
In the above output:
- The recursive option makes sure that all the files in the S3 bucket are displayed, including those in sub-folders
- human-readable displays the size of the file in a readable format. Possible values you’ll see in the 2nd column for the size are: Bytes/MiB/KiB/GiB/TiB/PiB/EiB
- The summarize option makes sure that the last two lines in the above output are displayed. These indicate the total number of objects in the S3 bucket and the total size of all those objects
9. Request Payer Listing
If a specific bucket is configured as a requester pays bucket, then when you access objects in that bucket, you acknowledge that you are responsible for paying for that request. In this case, the bucket owner doesn’t have to pay for the access.
To indicate this in your ls command, you’ll have to specify the --request-payer option as shown below.
For signed URL, make sure to include x-amz-request-payer=requester in the request
10. Copy Local File to S3 Bucket
In the following example, we are copying getdata.php file from local laptop to S3 bucket.
If you want to copy the getdata.php to a S3 bucket with a different name, do the following
For the local file, you can also specify the full path as shown below.
11. Copy Local Folder with all Files to S3 Bucket
In this example, we are copying all the files from the “data” folder that is under /home/projects directory to S3 bucket
In the above example, note that only the files from the local data/ folder are uploaded, not the folder “data” itself.
If you would like to upload the data folder from local to the S3 bucket as a data folder, then specify the folder name after the bucket name as shown below.
12. Download a File from S3 Bucket
To download a specific file from an S3 bucket do the following. The following copies getdata.php from the given s3 bucket to the current directory.
You can download the file to the local machine with a different name as shown below.
Download the file from S3 bucket to a specific folder in local machine as shown below. The following will download getdata.php file to /home/project folder on local machine.
13. Download All Files Recursively from a S3 Bucket (Using Copy)
The following will download all the files from the given bucket to the current directory on your laptop.
If you want to download all the files from a S3 bucket to a specific folder locally, please specify the full path of the local directory as shown below.
In the above command, if the tgsbucket folder doesn’t exist under /home/projects, it will be created automatically.
14. Copy a File from One Bucket to Another Bucket
The following command will copy the config/init.xml from tgsbucket to backup bucket as shown below.
In the above example, even though the init.xml file was under the config folder in the source bucket, on the destination bucket it was copied to the top-level / in the backup-bucket.
If you want to copy the file along with its folder from source to destination, specify the folder name in the destination bucket as shown below.
If the destination bucket doesn’t exist, you’ll get the following error message.
15. Copy All Files Recursively from One Bucket to Another
The following will copy all the files from the source bucket including files under sub-folders to the destination bucket.
16. Move a File from Local to S3 Bucket
When you move a file from the local machine to an S3 bucket, as you would expect, the file will be physically moved from the local machine to the S3 bucket.
As you see, the file doesn’t exist on the local machine after the move. It’s only on the S3 bucket now.
17. Move a File from S3 Bucket to Local
The following is the reverse of the previous example. Here, the file will be moved from the S3 bucket to the local machine.
As you see below, the file now exists on the s3 bucket.
Move the file from S3 bucket to /home/project directory on local machine.
After the move, the file doesn’t exist on the S3 bucket anymore.
18. Move a File from One S3 Bucket to Another S3 Bucket
Before the move, the file source.json is in tgsbucket.
This file is not in backup-bucket.
Move the file from tgsbucket to backup-bucket.
Now, the file is only on the backup-bucket.
19. Move All Files from a Local Folder to S3 Bucket
In this example, the following files are under data folder.
The following moves all the files in the data directory on local machine to tgsbucket
20. Move All Files from S3 Bucket to Local Folder
In this example, the localdata folder is currently empty.
The following will move all the files in the S3 bucket under the data folder to the localdata folder on your local machine.
Here is the output after the above move.
21. Move All Files from One S3 Bucket to Another S3 Bucket
Use the recursive option to move all files from one bucket to another as shown below.
22. Delete a File from S3 Bucket
To delete a specific file from a S3 bucket, use the rm option as shown below. The following will delete the queries.txt file from the given S3 bucket.
23. Delete All Objects from S3 buckets
When you specify rm option just with a bucket name, it doesn’t do anything. This will not delete any file from the bucket.
To delete all the files from a S3 bucket, use the --recursive option as shown below.
24. Sync files from Laptop to S3 Bucket
When you use the sync command, it recursively copies only the new or updated files from the source directory to the destination.
The following will sync the files from backup directory in local machine to the tgsbucket.
If you want to sync it to a subfolder called backup on the S3 bucket, then include the folder name in the s3 bucket as shown below.
Once you have done the sync, if you run the command again immediately, it will not do anything, as there are no new or updated files in the local backup directory.
Let us create a new file on the local machine for testing.
Now when you execute the sync, it will sync only this new file to the S3 bucket.
25. Sync File from S3 bucket to Local
This is the reverse of the previous example. Here, we are syncing the files from the S3 bucket to the local machine.
26. Sync Files from one S3 Bucket to Another S3 Bucket
The following example syncs the files from tgsbucket to backup-bucket
27. Set S3 bucket as a website
You can also make an S3 bucket host a static website as shown below. For this, you need to specify both the index and error document.
This bucket is in us-east-1 region. So, once you’ve done the above, you can access the tgsbucket as a website using the following URL: http://tgsbucket.s3-website-us-east-1.amazonaws.com/
For this to work properly, make sure public access is set on this S3 bucket, as this acts as a website now.
28. Presign URL of S3 Object for Temporary Access
When you presign a URL for an S3 file, anyone who is given this URL can retrieve the S3 file with an HTTP GET request.
For example, if you want to give access to the dnsrecords.txt file to someone temporarily, presign this specific S3 object as shown below.
The output of the above command will be an HTTPS URL, which you can hand out to someone who should be able to download the dnsrecords.txt file from your S3 bucket.
The above URL will be valid by default for 3600 seconds (1 hour).
If you want to specify a short expiry time, use the following --expires-in option. The following will create a presigned URL that is valid only for 1 minute.
--expires-in (integer) Number of seconds until the pre-signed URL expires. Default is 3600 seconds.
If someone tries to access the URL after the expiry time, they’ll see the following AccessDenied message.
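Added example, not part of the original tutorial: a presigned URL carries its own signing time and lifetime in the query string, so anyone handling one can check who signed it and when it stops working. The sketch below parses the standard SigV4 query parameters; the function name, the max_lifetime threshold and the sample URL are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL: documentation-style access key ID and a dummy signature.
SAMPLE_URL = (
    "https://tgsbucket.s3.amazonaws.com/dnsrecords.txt"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20200901%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20200901T120000Z"
    "&X-Amz-Expires=60"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=" + "0" * 64
)


def inspect_presigned_url(url, now, max_lifetime=3600):
    """Report signer, scope and expiry of a SigV4 presigned URL.

    max_lifetime is a hypothetical local limit in seconds (3600 is the
    CLI default lifetime mentioned above).
    """
    query = parse_qs(urlsplit(url).query)  # also decodes %2F in the credential
    try:
        key_id, _day, region, service, _term = query["X-Amz-Credential"][0].split("/")
        signed_at = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        lifetime = int(query["X-Amz-Expires"][0])
    except (KeyError, ValueError) as exc:
        raise ValueError(f"not a SigV4 presigned URL: {exc}") from exc
    expires_at = signed_at.replace(tzinfo=timezone.utc) + timedelta(seconds=lifetime)
    return {
        "access_key_id": key_id,      # identifies whose credentials signed the URL
        "region": region,
        "service": service,
        "expires_at": expires_at,     # until then, any holder of the URL can GET the object
        "expired": now >= expires_at,
        "seconds_left": max(0, int((expires_at - now).total_seconds())),
        "over_policy": lifetime > max_lifetime,
    }


if __name__ == "__main__":
    clock = datetime(2020, 9, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed "now"
    for field, value in inspect_presigned_url(SAMPLE_URL, clock).items():
        print(f"{field}: {value}")
```
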
How do I use an MFA token to authenticate access to my AWS resources with the AWS Command Line Interface (AWS CLI)?
Resolution
It's a best practice to protect your account and its resources by using a multi-factor authentication (MFA) device. If you plan to interact with your resources using the AWS CLI when using an MFA device, then you must create a temporary session. If you're using an MFA hardware device, the ARN value is similar to GAHT12345678. If you're using a virtual MFA, the value is similar to arn:aws:iam::123456789012:mfa/user. For more information, see Checking MFA status.
Important:
- Support for Universal 2nd Factor (U2F) security keys is available only with the AWS Management Console. For more information, see Enabling a U2F security key (console). As a workaround, you can use a virtual MFA device. For more information, see Enabling and managing virtual MFA devices (AWS CLI or AWS API).
- Before you begin, be sure that you have installed and configured the AWS CLI.
Run the sts get-session-token AWS CLI command, replacing the variables with information from your account, resources, and MFA device:
You receive an output with temporary credentials and an expiration time (by default, 12 hours) similar to the following:
Note: You can specify an expiration duration (in seconds) using the --duration-seconds option in the sts get-session-token command, where the value can range from 900 seconds (15 minutes) to 129600 seconds (36 hours). If you are using root user credentials, the range is from 900 seconds (15 minutes) to 3600 seconds (1 hour).
Using temporary credentials with environment variables
You can use temporary credentials by exporting their values to environment variables using these commands.
Linux:
Windows:
If you set the environment variables, be sure to unset them before making the get-session-token call again using these commands.
Using temporary credentials with named profiles
You can also use named profiles to specify the commands that require MFA authentication. To do so, edit the credentials file in the .aws folder in the home directory of the user to add a new profile configuration for issuing MFA-authenticated commands. Here's an example profile configuration:
After the credentials expire, execute the get-session-token command again, and then export the returned values to the environment variables or to the profile configuration.
Tip: Consider running a script or a cron job in the background that checks for 'expiration' from the output of get-session-token command, and then prompts for re-authentication.
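One way to implement the check from the tip above, as an added example that is not AWS's own code: parse the JSON printed by get-session-token, decide whether re-authentication is due, and store the temporary credentials in a single named profile without touching the others. The function names, the 15-minute margin and the sample output are assumptions constructed for illustration.

```python
import configparser
import json
import os
from datetime import datetime, timedelta, timezone

# Constructed sample of `aws sts get-session-token` output; every value is a placeholder.
SAMPLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "example-secret-access-key",
    "SessionToken": "example-session-token",
    "Expiration": "2020-09-01T12:00:00+00:00"
  }
}"""


def parse_session(output):
    """Return (credentials dict, timezone-aware expiration) from the CLI's JSON output."""
    creds = json.loads(output)["Credentials"]
    # Accept both a "+00:00" offset and a trailing "Z" in the timestamp.
    expiration = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return creds, expiration


def needs_reauth(expiration, now, margin=timedelta(minutes=15)):
    """True once the session has expired or will expire within `margin`."""
    return now >= expiration - margin


def store_profile(path, profile, creds):
    """Write the temporary credentials to one profile, keeping other profiles as they are."""
    config = configparser.ConfigParser(interpolation=None)  # values are stored literally
    config.read(path)
    config[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    # If the file is created here, it is created readable by its owner only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        config.write(handle)


if __name__ == "__main__":
    creds, expiration = parse_session(SAMPLE_OUTPUT)
    clock = datetime(2020, 9, 1, 11, 50, tzinfo=timezone.utc)  # constructed "now"
    print("expires:", expiration.isoformat())
    print("re-authenticate:", needs_reauth(expiration, clock))
```

A cron job would call needs_reauth with the stored expiration and prompt for a new MFA code when it returns True, then pass the fresh output to store_profile.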
If the AWS CLI is configured using the configure command, there's a default configuration with permanent AWS Identity and Access Management (IAM) user credentials. This IAM user can use commands that don't require MFA authentication.
Example configuration:
.aws/credentials
Note: You can't use the mfa_serial parameter with permanent IAM credentials.
If you use profiles to authenticate commands using the AWS CLI, specify the --profile option followed by the profile name to verify that the calls authenticate using MFA.
For example, this command uses the default profile credentials and isn't authenticated with MFA.
Important: Be sure that you understand the credential precedence so that you can verify that correct credentials are used when making API calls.
You can also require that a user authenticate using an MFA to perform particular API actions with the aws:MultiFactorAuthPresent or aws:MultiFactorAuthAge conditions in an IAM policy.