Aws-cli: Ability to create entry in ~/.aws/credentials from CSV

You should be able to do that via aws configure set:

$ cat /tmp/fakecreds.sh
fake_access_key,fake_secret_key,fake_session_token


/tmp $ AKID=$(cut -d',' -f 1 < fakecreds.sh)
/tmp $ SK=$(cut -d',' -f 2 < fakecreds.sh)
/tmp $ TOKEN=$(cut -d',' -f 3 < fakecreds.sh)

/tmp $ aws configure set profile.newprofile.aws_access_key_id $AKID
/tmp $ aws configure set profile.newprofile.aws_secret_access_key $SK
/tmp $ aws configure set profile.newprofile.aws_session_token $TOKEN

I understand that I can do that (although I was doing it with AWK) -- the problem is that it takes 3 commands. If set could take more than one variable that would be great.

From a UX perspective devs are always DLing credentials in this CSV format. If you're a contractor you may go through hundreds of these in a year. The ability to just direct the CSV into the command would be a simple and useful feature. I don't consider this closed unless you have a justification for why the feature shouldn't be implemented.

I'm ok with supporting common formats that give credentials. For example:

• Creating a profile from the output of aws iam create-access-key, which gives creds in a JSON format (by default)
• Creating a profile from the output of the various sts calls, which give creds in a JSON format
• Supporting the CSV format you get from the AWS IAM console (which is actually username,akid,skid but no token since they aren't temporary credentials).

What I want to avoid is this feature degrading into a less featureful version of cut/awk as people have more special cases for the various CSV formats (i.e different column orders, column headers, supporting role_arn/source_profile/etc). This is exactly why we have things like aws configure set, so that users can use the standard text manipulation tools they're familiar with and integrate with the CLI exactly as they need.

Marking as a feature request. Also if you have any other common CSV formats you're aware of that contractors commonly receive, please let me know.

Absolutely understand that and agree that it shouldn't replace specialized formats.

The CSV is the most common format as that is what the IAM console will prompt you to download after creating a user (or batch of users). I think the idea of being able to create a profile from the output of aws iam create-access-key or sts is a great idea as well.

I really like @ranman's original suggestion. I think to see it's value you have to look at it from the perspective of a first time aws (and/or) cli user. Once you download and install the cli you then need create an IAM user in the web UI. That process always generates you a file called credentials.csv.

It would be awesome if the cli could just be told where to grab that file and generate a profile with a single step :)

It would be awesome if this was true...

aws configure --profile test --credentials credentials.csv

Speaking as a customer it would really simplify a lot of DevOps processes when teams are involved. Just to elaborate... I may have a small team working on a static site and want everyone to sync to a bucket used as staging. If I can make a very specific policy to that bucket and store the credentials.csv in that repo then everyone can just install the aws cli and run one commend to set things up and start syncing.

Importing the credentials.csv file directly is a great idea. Either that, or the web console should be updated to output a .aws/config file. It's very annoying to have to explain to a Windows user how to retrieve a file off of S3. Any little bit helps.

Good Morning!

We're closing this issue here on GitHub, as part of our migration to UserVoice for feature requests involving the AWS CLI.

This will let us get the most important features to you, by making it easier to search for and show support for the features you care the most about, without diluting the conversation with bug reports.

As a quick UserVoice primer (if not already familiar): after an idea is posted, people can vote on the ideas, and the product team will be responding directly to the most popular suggestions.

We’ve imported existing feature requests from GitHub - Search for this issue there!

And don't worry, this issue will still exist on GitHub for posterity's sake. As it’s a text-only import of the original post into UserVoice, we’ll still be keeping in mind the comments and discussion that already exist here on the GitHub issue.

GitHub will remain the channel for reporting bugs.

Once again, this issue can now be found by searching for the title on: https://aws.uservoice.com/forums/598381-aws-command-line-interface

-The AWS SDKs & Tools Team

Based on community feedback, we have decided to return feature requests to GitHub issues.

It seems obvious to me that a vendor provides two tools (the console, and the aws-cli)... what one tool outputs, the other tool should be able to input, without manipulation. If CSV is the most appropriate output, then the cli should support CSV for input.

Any traction here? ranman's suggestion is awesome

I just stumbled upon this need while configuring a random PC to be able to access various AWS resources.

The AWS console allows me to download a CSV file with credentials after the last step, yet - I have to open it and copy paste the credentials manually in the terminal that I have opened on my other monitor.

Introducing an optional param aws configure --from /path/to/aws-credentials.csv wouldn't introduce that many technical challenges.

This is amazing feature and I'd very much like to have it!

Agree this should be (have been) the default behavior...definitely those two teams don't talk...lol. Until this gets added (if ever), here is what I do:

Put this into a file and make it executable e.g. aws-import-credentials-cvs

#!/bin/awk -f

BEGIN {
    FS=","
    # profile name i.e. ini header
    header="[" ARGV[1] "]"
    ARGV[1]=""
    print header
}
# only process line 2 of CSV
FNR==2 {
    print "aws_access_key_id=" $3
    print "aws_secret_access_key=" $4
}

_Don't forget the chmod +x aws-import-credentials-cvs step_

Then...

./aws-import-credentials-cvs foo_profile < ~/Downloads/credentials.csv >> ~/.aws/credentials

...will add this...

[foo_profile]
aws_access_key_id=AKIAX4U...
aws_secret_access_key=m8/31WPAz3...

...to the end of your ~/.aws/credentials file

Hope that helps!

This is now possible in CLI v2 !

https://aws.amazon.com/blogs/developer/aws-cli-v2-is-now-generally-available/

One caveat is that v2 does not support the access key format.
If you enable access keys later or rotate keys, you need to configure them manually.

@ranman still flawed

$ /usr/local/aws-cli/aws --version
aws-cli/2.0.1 Python/3.7.4 Darwin/19.5.0 botocore/2.0.0dev5

$ /usr/local/bin/aws configure import --csv file://$PWD/accessKeys.csv

Expected header "User Name" not found

$ head -n1 accessKeys.csv
Access key ID,Secret access key

I understand not being able to support every format people may come up with. But, the aws cli should at a minimum support 2 formats:

1. The format of the csv created by the AWS web console
2. The format output by aws iam create-access-key

I would also argue that to be the priority order. People like me (group A) need the least help because I can write my own tools. People who are generating single access keys via a web page (group B) are likely to need the most help. The problem is not that it's hard for people like me to do. The problem is that it's nearly impossible for Group A to explain to Group B how to do this without the back & forth of individualized support.