Setting Up Basic Access
This page walks through what to do in the AWS portal and what to do on a Mac so the AWS CLI can access your AWS resources. After this, you can run aws s3 ls, aws ec2 describe-instances, and other CLI commands against your account.
In the AWS portal (console)
All steps below use the AWS Management Console.
1. Account
- New account: Sign up at aws.amazon.com. You get a root user (the account owner). Do not use the root user for day-to-day work.
- Existing account: Sign in with your root or IAM user.
2. Secure the root user
If you have not already:
- Enable MFA on the root user: IAM → Dashboard (or Account → Security credentials) → assign an MFA device. This protects the account if the root password is compromised.
- Billing alarm (optional): Set a CloudWatch billing alarm so you get notified if spend exceeds a threshold. See Cost Management for budgets and alerts.
3. Create an IAM user for the CLI
Create a dedicated IAM user for programmatic (CLI) access instead of using the root user:
- Go to IAM → Users → Create user.
- Choose a name (e.g. cli-admin or dev).
- For CLI-only use: leave “Provide user access to the AWS Management Console” unchecked. Optionally enable console access if you want this user to log in to the console too.
- Click Next. You’ll see Set permissions with three options:
| Option | When to use it |
|---|---|
| Add user to group | Best practice for teams: create or pick a group (e.g. cli-users), attach a policy to the group, add the user. New users get the same permissions by joining the group. |
| Copy permissions | Use when this user should have the same permissions as an existing user. |
| Attach policies directly | Simplest for a single user (e.g. just you): skip groups and attach a managed policy to the user. For learning, choose AdministratorAccess; for production, choose a minimal policy or use a group instead. |
For one CLI user to get started quickly, choose Attach policies directly and attach AdministratorAccess (or a narrower policy). For best practice with multiple users, choose Add user to group and attach the policy to the group.
- Complete user creation.
For users, groups, and least privilege, see IAM.
4. Create an access key
The CLI uses access keys (Access Key ID + Secret Access Key), not a password:
- Open the new user → Security credentials tab.
- Create access key.
- Choose Command Line Interface (CLI) and acknowledge the warning.
- Save the Access Key ID and Secret Access Key. The secret is shown only once; store it somewhere safe (e.g. a password manager). You will paste it into aws configure on your Mac.
5. Permissions
The user needs at least one permission to do anything useful:
- Learning / sandbox: Attach the managed policy AdministratorAccess to the user (or add the user to a group that has it). Easiest for getting started.
- Production: Prefer least privilege: create a custom policy or use a group with only the permissions the user needs. See IAM for policies and groups.
Attach: User → Permissions → Add permissions → Attach policies directly (or add to group).
On the Mac
1. Install the AWS CLI
Using Homebrew (recommended on Mac):
    brew install awscli
If you need a specific major version: brew install awscli@2. Confirm with:
    aws --version
2. Configure credentials
Run:
    aws configure
You will be prompted for:
| Prompt | What to enter |
|---|---|
| AWS Access Key ID | The access key ID from the console (e.g. AKIA...). |
| AWS Secret Access Key | The secret key you saved (shown only once in the console). |
| Default region name | e.g. us-east-1. Use a region close to you or your resources. |
| Default output format | e.g. json (or yaml, table). |
This writes credentials to ~/.aws/credentials and options to ~/.aws/config. Do not commit these files to version control.
3. Verify access
Check that the CLI is using the right identity:
    aws sts get-caller-identity
Example output:
    {
      "UserId": "AIDAXXXXXXXXXX",
      "Account": "123456789012",
      "Arn": "arn:aws:iam::123456789012:user/cli-admin"
    }
Then try a harmless call, e.g. list S3 buckets (empty list is fine):
    aws s3 ls
If you see “Unable to locate credentials” or “Access Denied”, double-check the access key and secret, and that the IAM user has the needed permissions.
Multiple profiles
You can have several named profiles (e.g. personal, work, different accounts):
    aws configure --profile myprofile
Use a profile by setting the environment variable or passing it to each command:
    export AWS_PROFILE=myprofile
    aws s3 ls
    # or
    aws s3 ls --profile myprofile
Security
- Do not commit ~/.aws/credentials or ~/.aws/config to Git. Add ~/.aws/ to .gitignore if you ever script around it.
- Rotate keys if they might have been exposed: create a new access key in the console, update aws configure, then deactivate or delete the old key.
- Delete unused keys in IAM → Users → Security credentials to reduce risk.
For more on users, MFA, and least privilege, see IAM.
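A local check for the file that aws configure writes, as an added example that is not part of the original page: it reports whether the credentials file is readable only by its owner and lists each profile's key type from the key ID prefix, which shows which profiles hold long-term keys that need rotation. The function name, the output format and the fake key ID in the demo are assumptions of this example.

```shell
#!/bin/sh
# Audit the shared credentials file that `aws configure` writes.
# Prints one line per stored key plus any permission finding;
# returns 0 when the file is private to its owner, 1 otherwise.
audit_aws_credentials() {
    cred_file="${1:-$HOME/.aws/credentials}"
    if [ ! -f "$cred_file" ]; then
        echo "MISSING $cred_file"
        return 1
    fi
    audit_status=0

    # Permission bits: GNU stat takes -c, BSD/macOS stat takes -f.
    mode=$(stat -c %a "$cred_file" 2>/dev/null || stat -f %Lp "$cred_file")
    case "$mode" in
        600|400) ;;
        *) echo "PERMS mode=$mode expected=600"; audit_status=1 ;;
    esac

    # Walk the INI file, tracking the current [profile] section.
    profile=""
    while read -r line || [ -n "$line" ]; do
        case "$line" in
            \[*\])
                profile=${line#\[}
                profile=${profile%\]}
                ;;
            aws_access_key_id*=*)
                id=$(printf '%s' "${line#*=}" | tr -d ' \t\r')
                # AKIA = long-term IAM user key, ASIA = temporary STS key.
                case "$id" in
                    AKIA*) kind=long-term ;;
                    ASIA*) kind=temporary ;;
                    *)     kind=unknown ;;
                esac
                # Report only the last four characters, never the whole ID.
                suffix=${id#"${id%????}"}
                echo "KEY profile=$profile type=$kind id_suffix=$suffix"
                ;;
        esac
    done < "$cred_file"
    return "$audit_status"
}

# Demo on a constructed file with a fake key ID, so the block runs offline.
demo_file=$(mktemp)
printf '[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE01\n' > "$demo_file"
chmod 644 "$demo_file"
audit_aws_credentials "$demo_file" || true
rm -f "$demo_file"
```

Call audit_aws_credentials with no argument to check ~/.aws/credentials; a PERMS finding is fixed with chmod 600 on that file.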