AWS CLI v2.27.50 Setup Guide

This guide establishes the guardrails required to interact with the Threat Classifier SageMaker environment using the AWS CLI. It focuses on secure-by-default configuration, FinOps visibility, and day-2 operations readiness.

1. Install or Upgrade the AWS CLI

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.27.50.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install --update
aws --version  # verify 2.27.50

Why this version? Pinning 2.27.50 keeps the CLI at parity with current SageMaker features and prevents version drift across local, CI, and CDK pipelines.

2. Create Least-Privilege Named Profiles

  1. Generate IAM access keys for a least-privilege role (ideally assume-role via SSO). Start with a profile name like sagemaker-dev.
  2. Store credentials using the CLI:
    aws configure --profile sagemaker-dev
  3. Set the default region (e.g., us-west-2) and JSON output format.
  4. Enable MFA or SSO in ~/.aws/config:
    [profile sagemaker-dev]
    region = us-west-2
    output = json
    mfa_serial = arn:aws:iam::123456789012:mfa/your-user
    role_arn = arn:aws:iam::123456789012:role/ThreatClassifierDeployment
    source_profile = default

GovCloud note: When targeting GovCloud, set region = us-gov-west-1 (or the appropriate GovCloud region) and ensure the profile references a GovCloud account with mirrored IAM roles.

3. Tagging & Cost Visibility

Set default tags at the CLI level to enforce FinOps hygiene across CDK and manual commands:

[default]
cli_timestamp_format = iso8601

[profile sagemaker-dev]
region = us-west-2
output = json
tags = App=ThreatClassifier,Env=dev,CostCenter=SecOps,Owner=ThreatClassifierTeam

These tags propagate automatically when resources are created through the CLI or CDK stack, enabling accurate cost allocation dashboards.

4. Environment Variables for Tooling

The project expects the following variables (see .env.example):

  • AWS_PROFILE - matches the named profile, e.g., sagemaker-dev.
  • AWS_REGION - deployment region (us-west-2 by default).
  • DATA_CAPTURE_S3_PREFIX - S3 URI used for Model Monitor data capture.
  • MODEL_MONITOR_ENABLED - toggle (true/false) controlling capture & monitoring jobs.
  • COST_CENTER_TAG - matches FinOps tags for auditing.

Load them before running CDK or training:

export $(grep -v '^#' .env | xargs)
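The one-liner above passes every non-comment line through word splitting and pathname expansion, so a value containing spaces or * is mangled, and any variable name found in the file is exported. A stricter loader, as an added example that is not the project's own code: the helper name load_env_strict and the reject-unknown-keys policy are assumptions, and the key list is taken from the variables listed above.

```shell
# Added example: strict loader for the .env variables listed in this guide.
# Assumes plain KEY=VALUE lines, one per line, optionally wrapped in quotes.

# Names from the variable list above; any other key is treated as an error.
ALLOWED_KEYS="AWS_PROFILE AWS_REGION DATA_CAPTURE_S3_PREFIX MODEL_MONITOR_ENABLED COST_CENTER_TAG"

# load_env_strict is a hypothetical helper name, not part of the project.
load_env_strict() {
  local file line key value lineno cr
  file="$1"; lineno=0; cr="$(printf '\r')"
  [ -r "$file" ] || { echo "load_env_strict: cannot read $file" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    line="${line%"$cr"}"                        # tolerate CRLF line endings
    line="${line#"${line%%[![:space:]]*}"}"     # drop leading whitespace
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    case "$line" in
      *=*) key="${line%%=*}"; value="${line#*=}" ;;
      *) echo "$file:$lineno: expected KEY=VALUE" >&2; return 1 ;;
    esac
    # The key must be a plain upper-case identifier ...
    case "$key" in
      ''|*[!A-Z0-9_]*) echo "$file:$lineno: invalid key" >&2; return 1 ;;
    esac
    # ... and on the allow-list, so the file cannot set PATH or similar.
    case " $ALLOWED_KEYS " in
      *" $key "*) ;;
      *) echo "$file:$lineno: unexpected key '$key'" >&2; return 1 ;;
    esac
    # Strip one pair of matching surrounding quotes, if present.
    case "$value" in
      \"*\") value="${value#\"}"; value="${value%\"}" ;;
      \'*\') value="${value#\'}"; value="${value%\'}" ;;
    esac
    # Assigned as data: no eval, no word splitting, no pathname expansion.
    export "$key=$value"
  done < "$file"
}

# Usage: load_env_strict .env
```

The function stops at the first malformed or unexpected line and returns non-zero, so a CI step can fail before CDK or training runs with a partial environment.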

5. Validation Checklist

  • aws --version returns 2.27.50.
  • aws sts get-caller-identity --profile sagemaker-dev succeeds with the expected account ID.
  • aws configure list-profiles includes the dedicated SageMaker profiles.
  • Cost allocation tags are visible under Billing > Cost Allocation Tags in the console.
  • MFA challenge triggers when calling privileged APIs.

6. Troubleshooting

| Symptom | Resolution |
| --- | --- |
| CLI reports Unknown options: --profile | Upgrade to v2.27.50; older v1 commands differ. |
| AccessDenied from SageMaker APIs | Verify IAM policy grants CreateModel, CreateEndpoint, PassRole to the SageMaker execution role. |
| MFA required but not prompted | Confirm mfa_serial is set for the profile and that your terminal cache supports prompting. |
| Cost tags missing | Re-run aws configure set profile.sagemaker-dev.tags "App=...,Env=...,CostCenter=...,Owner=...". |

With the CLI standardized, you can proceed to CDK deployments and automated pipelines with consistent governance.