A Bash script to debug AWS CLI credentials

Debugging AWS CLI credential issues usually involves checking the same handful of things: env vars, profiles, the config file, and which identity the CLI thinks it’s using. I wrote a small Bash script that dumps all of it at once.

Example output:

$ ./debug-aws-credentials.sh

================== Environment variables =======================================
AWS_PROFILE not set
AWS_ACCESS_KEY_ID not set
AWS_SECRET_ACCESS_KEY not set
AWS_SESSION_TOKEN not set

================== aws configure list ==========================================
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key                <not set>             None    None
secret_key                <not set>             None    None
    region                <not set>             None    None

================== aws sts get-caller-identity =================================

Unable to locate credentials. You can configure credentials by running "aws configure".

================== aws configure list-profiles =================================
terraform
management-admin
security-admin

================== ~/.aws/config ===============================================
[profile terraform]
sso_start_url = https://aws-short-edition.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 866109354512
sso_role_name = AdministratorRole
region = eu-west-1
output = yaml

[profile management-admin]
sso_start_url = https://aws-short-edition.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 866109354512
sso_role_name = AdministratorRole
region = eu-west-1
output = yaml

[profile security-admin]
sso_start_url = https://aws-short-edition.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 274407225643
sso_role_name = AdministratorRole
region = eu-west-1
output = yaml


================== versions ====================================================
aws-cli/2.3.1 Python/3.8.8 Darwin/21.6.0 exe/x86_64 prompt/off
EB CLI 3.20.9 (Python 3.11.5 (main, Aug 24 2023, 15:23:30) [Clang 14.0.0 (clang-1400.0.29.202)])
Python 3.11.5
Terraform v1.5.0
on darwin_amd64

Your version of Terraform is out of date! The latest version
is 1.6.6. You can update by downloading from https://www.terraform.io/downloads.html

What it checks

  • Environment variables: AWS_PROFILE, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN — whether they’re set and populated.
  • aws configure list: the active CLI configuration.
  • aws sts get-caller-identity: which identity AWS actually sees you as.
  • aws configure list-profiles: every profile the CLI knows about.
  • ~/.aws/config: dumped raw, since this is where most issues come from.
  • Tool versions: AWS CLI, EB CLI, Python, Terraform — version mismatches show up here.

You can also pass a profile name as an argument; it will run aws configure list and aws sts get-caller-identity scoped to that profile.
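The checks listed above, sketched as an added example; this is not the author's script. It reports each credential variable by length instead of value and masks aws_secret_access_key and aws_session_token when dumping the config, so the output can be pasted into a ticket. The function names and the AWS_CONFIG_FILE fallback are choices made for this example.

```bash
#!/usr/bin/env bash
# Added example (not the author's script). Prints the state of each credential
# source without ever echoing a secret value.

section() { printf '\n================== %s ==================\n' "$1"; }

# Report a variable as "not set", "set but empty" or "set (N chars)".
describe_var() {
  local name="$1" is_set value
  case $name in ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid name" >&2; return 2 ;; esac
  eval "is_set=\${$name+x}; value=\${$name-}"   # name was validated above
  if [ -z "$is_set" ]; then echo "$name not set"
  elif [ -z "$value" ]; then echo "$name set but empty"
  else echo "$name set (${#value} chars)"
  fi
}

# Mask secrets that may sit in a config file; reads stdin, writes stdout.
redact_config() {
  sed -E 's/^([[:space:]]*(aws_secret_access_key|aws_session_token)[[:space:]]*=[[:space:]]*).*/\1<redacted>/'
}

# Run an AWS CLI subcommand, optionally scoped to a profile ($1, may be empty).
run_aws() {
  local p="$1"; shift
  if ! command -v aws >/dev/null 2>&1; then echo "aws CLI not found"; return 0; fi
  if [ -n "$p" ]; then aws "$@" --profile "$p" 2>&1
  else aws "$@" 2>&1
  fi || echo "(aws exited with status $?)"
}

main() {
  local profile="${1:-}" cfg v
  section "Environment variables"
  for v in AWS_PROFILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    describe_var "$v"
  done
  section "aws configure list";          run_aws "$profile" configure list
  section "aws sts get-caller-identity"; run_aws "$profile" sts get-caller-identity
  section "aws configure list-profiles"; run_aws "" configure list-profiles
  section "~/.aws/config"
  cfg="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
  if [ -r "$cfg" ]; then redact_config < "$cfg"; else echo "$cfg not readable"; fi
}

main "$@"
```
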

Script
