Simplify AWS CLI Troubleshooting with My Custom Debug Script
Dec 11th, 2023Working with AWS CLI can sometimes feel like navigating a maze, especially when it comes to managing credentials and configurations. Misconfigurations or missing credentials can halt your work, leading to frustration and lost productivity. To address this common issue, I’ve crafted a handy Bash script to streamline the debugging process for AWS CLI credentials.
What Does the Script Do?
This script serves as a diagnostic tool, systematically checking various aspects of your AWS configuration. It outputs crucial information regarding your AWS environment, making it easier to identify and fix issues. Here’s a rundown of its features:
Here is an usage example:
$ ./debug-aws-credentials.sh
================== Environment variables =======================================
AWS_PROFILE not set
AWS_ACCESS_KEY_ID not set
AWS_SECRET_ACCESS_KEY not set
AWS_SESSION_TOKEN not set
================== aws configure list ==========================================
Name Value Type Location
---- ----- ---- --------
profile <not set> None None
access_key <not set> None None
secret_key <not set> None None
region <not set> None None
================== aws sts get-caller-identity =================================
Unable to locate credentials. You can configure credentials by running "aws configure".
================== aws configure list-profiles =================================
terraform
management-admin
security-admin
================== ~/.aws/config ===============================================
[profile terraform]
sso_start_url = https://aws-short-edition.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 866109354512
sso_role_name = AdministratorRole
region = eu-west-1
output = yaml
[profile management-admin]
sso_start_url = https://aws-short-edition.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 866109354512
sso_role_name = AdministratorRole
region = eu-west-1
output = yaml
[profile security-admin]
sso_start_url = https://aws-short-edition.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 274407225643
sso_role_name = AdministratorRole
region = eu-west-1
output = yaml
================== versions ====================================================
aws-cli/2.3.1 Python/3.8.8 Darwin/21.6.0 exe/x86_64 prompt/off
EB CLI 3.20.9 (Python 3.11.5 (main, Aug 24 2023, 15:23:30) [Clang 14.0.0 (clang-1400.0.29.202)])
Python 3.11.5
Terraform v1.5.0
on darwin_amd64
Your version of Terraform is out of date! The latest version
is 1.6.6. You can update by downloading from https://www.terraform.io/downloads.html
Environment Variables Verification
Firstly, the script checks for the presence of essential AWS environment variables: AWS_PROFILE
, AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
, and AWS_SESSION_TOKEN
. It reports whether these variables are set and, if so, whether they are populated or empty.
AWS Configuration Listings
Next, the script executes aws configure list
, displaying the current configuration status.
Identity Confirmation
By running aws sts get-caller-identity
, the script confirms the identity that the AWS CLI is operating under and wether or not it is recognized by the AWS API.
Profile Listings
The script also lists all the configured profiles through aws configure list-profiles
. This is particularly useful in environments where multiple profiles are used.
Config File Display
It prints the contents of the ~/.aws/config
file. This file typically contains your AWS CLI configurations and is a common source of issues.
Version Checks
Finally, the script checks the versions of various AWS-related tools such as AWS CLI, Elastic Beanstalk CLI, Python, and Terraform. Version mismatches can often lead to unexpected errors.
Customizable for Specific Profiles
An additional feature of the script is its ability to take a profile name as an argument. If provided, it will run the aws configure list
and aws sts get-caller-identity
commands for that specific profile, further aiding in debugging issues related to specific AWS CLI profiles.