AWS CLI 配置与 Terraform AWS Provider 实战指南 | 身份验证与基础设施即代码

The Agent Skills Directory

安装命令

npx skills add https://smithery.ai/skills/motoki317/aws-ecosystem

云服务开发运维命令行工具

🇨🇳中文介绍

AWS 生态系统

AWS CLI 配置、身份验证以及 Terraform AWS Provider 基础设施即代码的模式。

CLI 配置

配置文件

# ~/.aws/config
[default]
region = ap-northeast-1
output = json

[profile dev]
region = ap-northeast-1

# ~/.aws/credentials (prefer SSO over storing credentials)
[default]
aws_access_key_id = AKIA...
aws_secret_access_key = ...

环境变量

AWS_PROFILE - 活动配置文件
AWS_REGION / AWS_DEFAULT_REGION - 区域
AWS_SESSION_TOKEN - 临时凭证

配置文件切换

export AWS_PROFILE=dev
# 或内联使用
aws s3 ls --profile prod

身份验证

SSO（推荐用于人工操作）

[profile sso-dev]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = ap-northeast-1

[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-northeast-1



aws sso login --sso-session my-sso

代入角色

[profile cross-account]
role_arn = arn:aws:iam::987654321098:role/CrossAccountRole
source_profile = default

OIDC 联合身份验证（CI/CD 最佳实践）

# .github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
      aws-region: ap-northeast-1

验证身份

aws sts get-caller-identity

常用命令

S3

aws s3 ls s3://bucket/prefix/
aws s3 cp file.txt s3://bucket/
aws s3 sync ./local s3://bucket/prefix/
aws s3 presign s3://bucket/key --expires-in 3600

EC2

aws ec2 describe-instances
aws ec2 start-instances --instance-ids i-123...
aws ec2 stop-instances --instance-ids i-123...

查询过滤

# 单个值
aws ec2 describe-instances --query 'Reservations[0].Instances[0].InstanceId' --output text

# 过滤列表
aws ec2 describe-instances --query 'Reservations[].Instances[?State.Name==`running`].InstanceId'

Terraform Provider

基础配置

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "ap-northeast-1"

  default_tags {
    tags = {
      Environment = "dev"
      ManagedBy   = "terraform"
    }
  }
}

带锁定的 S3 后端

terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "env/dev/terraform.tfstate"
    region         = "ap-northeast-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
}

常用资源

IAM 角色：

resource "aws_iam_role" "lambda" {
  name = "lambda-execution-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

S3 存储桶：

resource "aws_s3_bucket" "main" {
  bucket = "my-bucket"
}

resource "aws_s3_bucket_public_access_block" "main" {
  bucket                  = aws_s3_bucket.main.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

用于 GitHub Actions 的 OIDC：

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["ffffffffffffffffffffffffffffffffffffffff"]
}

Terraform 命令

terraform init
terraform plan -out=tfplan
terraform apply tfplan
terraform fmt -recursive
terraform validate

最佳实践

关键：

消除长期访问密钥；使用 SSO 或 IAM 角色
为 CI/CD 使用 OIDC 联合身份验证
为 EC2 使用实例配置文件，为 Lambda 使用执行角色

高优先级：

为所有人工用户启用 MFA
遵循最小权限原则；避免通配符权限
启用 CloudTrail 以监控 CLI 活动

Terraform：

使用 S3 + DynamoDB 锁定的远程状态
启用状态加密
固定 Provider 版本
使用 default_tags 实现一致的标记

反面模式

避免	替代方案
硬编码的凭证	IAM 角色、SSO、credential_process
长期访问密钥	通过 SSO/AssumeRole 获取临时凭证
使用根账户进行 CLI 操作	IAM 用户或 SSO
通配符权限	针对特定资源的最小权限
无锁定的状态	为 S3 后端使用 DynamoDB 表

约束

必须：

使用 Terraform 进行基础设施管理
遵循最小权限 IAM 原则
启用静态和传输中加密

避免：

硬编码凭证
过于宽松的安全组规则
未标记的资源

Context7 参考

库 ID：/hashicorp/terraform-provider-aws

每周安装次数

–

来源

smithery.ai/ski…cosystem

首次出现

–

🇺🇸English

AWS Ecosystem

Patterns for AWS CLI configuration, authentication, and Terraform AWS Provider infrastructure as code.

CLI Configuration

Config Files

# ~/.aws/config
[default]
region = ap-northeast-1
output = json

[profile dev]
region = ap-northeast-1

# ~/.aws/credentials (prefer SSO over storing credentials)
[default]
aws_access_key_id = AKIA...
aws_secret_access_key = ...

Environment Variables

AWS_PROFILE - active profile
AWS_REGION / AWS_DEFAULT_REGION - region
AWS_SESSION_TOKEN - temporary credentials

Profile Switching

export AWS_PROFILE=dev
# or inline
aws s3 ls --profile prod

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

Avoid	Instead
Hardcoded credentials	IAM roles, SSO, credential_process
Long-term access keys	Temporary credentials via SSO/AssumeRole
Root account for CLI	IAM users or SSO
Wildcard permissions	Least privilege with specific resources
State without locking	DynamoDB table for S3 backend

AWS CLI 配置与 Terraform AWS Provider 实战指南 | 身份验证与基础设施即代码

🇨🇳中文介绍

AWS 生态系统

CLI 配置

配置文件

环境变量

配置文件切换

身份验证

SSO（推荐用于人工操作）

代入角色

OIDC 联合身份验证（CI/CD 最佳实践）

验证身份

常用命令

S3

EC2

查询过滤

Terraform Provider

基础配置

带锁定的 S3 后端

常用资源

Terraform 命令

最佳实践

反面模式

约束

Context7 参考

🇺🇸English

AWS Ecosystem

CLI Configuration

Config Files

Environment Variables

Profile Switching

相关 Skills

Authentication

SSO (Recommended for Humans)

Assume Role

OIDC Federation (CI/CD Best Practice)

Verify Identity

Common Commands

S3

EC2

Query Filtering

Terraform Provider

Basic Configuration

S3 Backend with Locking

Common Resources

Terraform Commands

Best Practices

Anti-Patterns

Constraints

Context7 Reference

最新 Skills