AWS CLI Command Cheat Sheet: Efficiently Working With Amazon S3 and AWS Lambda
Hemanta Sundaray
Published December 3, 2023
AWS CLI commands for efficiently working with AWS IAM, Amazon S3 and AWS Lambda.
AWS Account ID
Run the command below to find out your AWS account ID:
aws sts get-caller-identity --query Account --output text
AWS Permission Policy
Create a permission policy that allows a Lambda function to get objects from an Amazon S3 bucket and write to Amazon CloudWatch logs.
aws iam create-policy \
--policy-name <POLICY_NAME> \
--policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream" ], "Resource": "arn:aws:logs:*:*:*" }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::*/*" } ] }'
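The policy above works, but its s3:GetObject statement matches every object in every bucket (arn:aws:s3:::*/*) and its logs statement matches every log group in every account. The helper below is an added example, not part of the original post: it prints the same two grants scoped to one bucket and to the function's own log group, then creates the policy from a file so the JSON needs no shell escaping. Bucket, function, region and account values are placeholders you supply.

```bash
# Added example (not from the original post). Prints a least-privilege variant of
# the policy above: read one bucket, write only to this function's log group.
# Usage: lambda_s3_logs_policy BUCKET FUNCTION_NAME REGION ACCOUNT_ID
lambda_s3_logs_policy() {
  local bucket=$1 fn=$2 region=$3 account=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup"],
      "Resource": "arn:aws:logs:${region}:${account}:*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${fn}:*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Write the document to a temp file and create the policy from it; file:// avoids
# the quoting problems of inlining JSON on the command line. Prints the policy ARN,
# which is what attach-role-policy needs.
# Usage: create_lambda_policy POLICY_NAME BUCKET FUNCTION_NAME REGION ACCOUNT_ID
create_lambda_policy() {
  local name=$1; shift
  local doc
  doc=$(mktemp)
  lambda_s3_logs_policy "$@" > "$doc"
  aws iam create-policy --policy-name "$name" --policy-document "file://$doc" \
    --query Policy.Arn --output text
  rm -f "$doc"
}
```

The account ID argument is the value returned by the get-caller-identity command at the top of this page. The log-group ARN follows the /aws/lambda/FUNCTION_NAME naming that Lambda uses for its default log group.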
AWS IAM
List all IAM roles
aws iam list-roles
This command outputs a JSON object containing detailed information about each IAM role.
If you are interested in retrieving just the role names, run the following command:
aws iam list-roles --query 'Roles[].RoleName' --output text | tr '\t' '\n'
In this command, --output text prints the role names in text format, separated by tabs. | tr '\t' '\n' then pipes that output through the tr command, which replaces each tab character '\t' with a newline character '\n', placing each role name on its own line.
Attach a permission policy to an IAM role
aws iam attach-role-policy \
--role-name <ROLE_NAME> \
--policy-arn <PERMISSION_POLICY_ARN>
List all policies attached to an IAM role
aws iam list-attached-role-policies --role-name <ROLE_NAME>
Detach a policy attached to an IAM role
aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn <POLICY_ARN>
Delete an IAM role
aws iam delete-role --role-name <ROLE_NAME>
Amazon S3
Create a bucket
aws s3 mb s3://<BUCKET_NAME>
Delete a bucket
aws s3 rb s3://<BUCKET_NAME>
Note that the bucket must be empty before you can delete it.
If your bucket is not empty, and you want to delete the bucket along with all its contents, you can use the --force option:
aws s3 rb s3://<BUCKET_NAME> --force
Allow public access for a bucket
aws s3api put-public-access-block \
--bucket <BUCKET_NAME> \
--public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false"
Remember that just turning off these settings doesn't make the bucket's content public. You still need a bucket policy that explicitly grants public read or write access.
Set the bucket to public access via bucket policy
Run the following command to apply a bucket policy that grants public read access:
aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::<BUCKET_NAME>/*\"}]}"
This policy allows anyone to read the objects in your bucket. Make sure to adjust the policy according to your specific requirements.
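The helpers below are an added example and not part of the original post. They wrap the same public-read grant, but first reject bucket names that would break out of the JSON string, then ask S3 (via the s3api get-bucket-policy-status subcommand) whether it now considers the bucket public, and finally give you a one-call way to reverse the change once you are done. Bucket names are placeholders you supply.

```bash
# Added example (not from the original post).

# S3 bucket naming rules: 3-63 characters, lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit. Rejecting anything else
# also keeps quotes and braces out of the JSON built below.
valid_bucket_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'
}

# Same grant as the page's command (anyone may GET any object), scoped to one bucket.
public_read_policy() {
  valid_bucket_name "$1" || { echo "invalid bucket name: $1" >&2; return 1; }
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"PublicRead","Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::%s/*"}]}\n' "$1"
}

# Apply the policy, then print "True" or "False" according to whether S3 now
# evaluates the bucket as public.
make_bucket_public_read() {
  aws s3api put-bucket-policy --bucket "$1" --policy "$(public_read_policy "$1")"
  aws s3api get-bucket-policy-status --bucket "$1" \
    --query PolicyStatus.IsPublic --output text
}

# Reverse it: drop the bucket policy and re-enable all four public access blocks.
lock_bucket_down() {
  aws s3api delete-bucket-policy --bucket "$1"
  aws s3api put-public-access-block --bucket "$1" \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
}
```

Running lock_bucket_down after a test is the cheapest way to make sure a bucket opened for an experiment does not stay open by accident.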
List buckets
To list all buckets in Amazon S3, run the following command:
aws s3 ls
This command lists all the S3 buckets available in your AWS account under the currently configured AWS CLI profile. It provides a simple list of bucket names along with the creation date of each bucket.
List objects in a bucket
aws s3 ls s3://<BUCKET_NAME>
Delete objects in a bucket
aws s3 rm s3://<BUCKET_NAME> --recursive
Check the CORS configuration of an S3 bucket
aws s3api get-bucket-cors --bucket <BUCKET_NAME>
Set the CORS configuration of an S3 bucket
aws s3api put-bucket-cors --bucket <BUCKET_NAME> --cors-configuration '{"CORSRules":[{"AllowedHeaders":["*"],"AllowedMethods":["GET","POST","PUT","DELETE"],"AllowedOrigins":["*"]}]}'
Check an S3 bucket's notification configuration
aws s3api get-bucket-notification-configuration --bucket <BUCKET_NAME>
This command returns the bucket's notification configuration, which includes configurations for events that trigger Lambda functions, SQS queues, and SNS topics.
Delete an S3 bucket notification configuration
aws s3api put-bucket-notification-configuration --bucket <BUCKET_NAME> --notification-configuration "{}"
This command sets the notification configuration of a bucket to an empty configuration, effectively removing any existing configurations.
AWS Lambda
List Lambda functions
aws lambda list-functions
This command shows a JSON object with detailed information about each Lambda function.
To list just the Lambda function names, each on their own line, run the command below:
aws lambda list-functions --query 'Functions[].FunctionName' --output text | tr '\t' '\n'
In this command, the --query parameter selects only the FunctionName of each function, --output text prints those names separated by tabs, and the tr command then replaces each tab with a newline character, so each function name appears on its own line.
Retrieve configuration information of a Lambda function
aws lambda get-function-configuration --function-name <FUNCTION_NAME>
ARN of a Lambda function
aws lambda get-function --function-name <FUNCTION_NAME> --query 'Configuration.FunctionArn'
Function URL of a Lambda function
aws lambda get-function-url-config --function-name <FUNCTION_NAME>
Create an execution role for a Lambda function
aws iam create-role \
--role-name <ROLE_NAME> \
--assume-role-policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'
Add environment variables to an existing Lambda function
aws lambda update-function-configuration \
--function-name explainChart \
--environment "Variables={KEY=VALUE}"
Create a function URL for an existing Lambda function
aws lambda create-function-url-config \
--function-name <FUNCTION_NAME> \
--auth-type NONE \
--cors '{"AllowOrigins":["*"],"AllowHeaders":["content-type"],"AllowMethods":["*"]}'
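Both CORS commands on this page (the S3 one under "Set the CORS configuration of an S3 bucket" and the function URL one above) allow every origin with "*", and --auth-type NONE makes the function URL callable by anyone who learns it. The block below is an added example, not part of the original post: a small json_array helper turns a list of origins into a JSON array, two builders emit S3 and function URL CORS documents restricted to the origins you name (note the two services use different key names), and create_private_function_url pairs a restricted CORS document with --auth-type AWS_IAM, so callers must sign requests as an IAM principal that holds lambda:InvokeFunctionUrl. Origin, bucket and function values are placeholders you supply.

```bash
# Added example (not from the original post).

# Usage: json_array ITEM...   -> ["ITEM",...]   (no args -> [])
json_array() {
  local out="" item
  for item in "$@"; do
    out="${out:+$out,}\"$item\""
  done
  printf '[%s]' "$out"
}

# S3 CORS rule (keys: AllowedOrigins / AllowedMethods / AllowedHeaders).
# METHODS is one space-separated word list, followed by one or more origins.
# Usage: s3_cors_config "GET PUT" https://app.example.com
s3_cors_config() {
  local methods=$1; shift
  # $methods is deliberately unquoted so it word-splits into separate array items.
  printf '{"CORSRules":[{"AllowedHeaders":["Authorization","Content-Type"],"AllowedMethods":%s,"AllowedOrigins":%s,"MaxAgeSeconds":3000}]}\n' \
    "$(json_array $methods)" "$(json_array "$@")"
}

# Lambda function URL CORS (keys: AllowOrigins / AllowMethods / AllowHeaders).
# Usage: lambda_url_cors_config "GET" https://app.example.com
lambda_url_cors_config() {
  local methods=$1; shift
  printf '{"AllowOrigins":%s,"AllowHeaders":["content-type"],"AllowMethods":%s}\n' \
    "$(json_array "$@")" "$(json_array $methods)"
}

# Usage: apply_s3_cors BUCKET "METHODS" ORIGIN...
apply_s3_cors() {
  local bucket=$1; shift
  aws s3api put-bucket-cors --bucket "$bucket" --cors-configuration "$(s3_cors_config "$@")"
}

# Function URL that requires SigV4-signed requests from an IAM principal holding
# lambda:InvokeFunctionUrl, instead of --auth-type NONE. Prints the URL.
# Usage: create_private_function_url FUNCTION_NAME "METHODS" ORIGIN...
create_private_function_url() {
  local fn=$1; shift
  aws lambda create-function-url-config --function-name "$fn" --auth-type AWS_IAM \
    --cors "$(lambda_url_cors_config "$@")" --query FunctionUrl --output text
}
```

If a browser front end really does need to call the function without signing requests, keep NONE but still list the front end's exact origin rather than "*"; CORS limits which web pages may read the response, it does not authenticate the caller.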
Delete a Lambda function
aws lambda delete-function --function-name <FUNCTION_NAME>
Amazon ECR (Elastic Container Registry)
List all repositories
aws ecr describe-repositories
This command will return a list of all the ECR repositories in your current AWS account and region. The output includes information such as the repository name, URI, and details about the repository configuration.
List images in an Amazon ECR repository
aws ecr list-images --repository-name <REPOSITORY_NAME>
Delete images in an Amazon ECR repository
aws ecr batch-delete-image \
--repository-name explain-formula \
--image-ids imageDigest=<IMAGE_DIGEST_VALUE> \
imageDigest=<IMAGE_DIGEST_VALUE> \
imageDigest=<IMAGE_DIGEST_VALUE> \
imageDigest=<IMAGE_DIGEST_VALUE>
Replace <IMAGE_DIGEST_VALUE> with the actual image digest values of the images you want to delete. You can find these digest values by running the command: aws ecr list-images --repository-name <REPOSITORY_NAME>. This command will list all images in the specified repository, along with their image digests.
Note
Mention as many imageDigest entries as the number of images you want to delete.
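Typing one imageDigest= entry per image does not scale past a handful of images. The block below is an added example, not part of the original post: digest_args converts the newline-separated digests that list-images prints into the imageDigest=... words batch-delete-image expects, and delete_untagged_images chains the two commands to purge the untagged images that accumulate when a tag is moved to a newer push. Repository names are placeholders you supply; the sample digests in the usage are constructed.

```bash
# Added example (not from the original post).

# Read digests one per line on stdin, print one "imageDigest=<digest>" per line,
# skipping blank lines (list-images prints nothing for an empty repository).
digest_args() {
  local d
  while IFS= read -r d; do
    [ -n "$d" ] || continue
    printf 'imageDigest=%s\n' "$d"
  done
}

# Delete every untagged image in REPO. batch-delete-image accepts at most 100
# image ids per call, so xargs -n 100 splits longer lists into several calls;
# -r skips the call entirely when there is nothing to delete.
# Usage: delete_untagged_images REPOSITORY_NAME
delete_untagged_images() {
  local repo=$1
  aws ecr list-images --repository-name "$repo" --filter tagStatus=UNTAGGED \
      --query 'imageIds[].imageDigest' --output text | tr '\t' '\n' \
    | digest_args \
    | xargs -r -n 100 aws ecr batch-delete-image --repository-name "$repo" --image-ids
}

# Constructed digests, to show the transformation without calling AWS:
#   printf 'sha256:aaa\nsha256:bbb\n' | digest_args
```

Dropping the --filter tagStatus=UNTAGGED option turns the same pipeline into "delete every image in the repository", which is the same effect as the --force flag on delete-repository below, so keep the filter unless that is what you want.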
Delete an Amazon ECR repository
aws ecr delete-repository --repository-name <REPOSITORY_NAME> --force
Note
The --force flag is optional and used to delete the repository regardless of whether it contains images or not. If you don't use the --force flag and the repository contains images, the command will fail.