Hey there! Let's break down your AWS CLI questions step by step—both are super common when getting started with AWS tools, so I’ve got you covered.

Setting up an AWS CLI user has two core steps: creating the user in AWS IAM, then configuring your local CLI with their credentials. Here’s how to do it:

• Step 1: Create an IAM User in the AWS Console

  • Log into the AWS Management Console, navigate to the IAM service.
  • From the left sidebar, select Users and click Add user.
  • Enter a username (e.g., mycliuser), then check the box for Access key - Programmatic access—this is mandatory for CLI access.
  • Click Next: Permissions and attach the right policy to the user. For example, if you need to work with DynamoDB, you could use AmazonDynamoDBFullAccess (for full control) or a more restricted policy based on your actual needs.
  • Finish creating the user, and make sure to save the Access Key ID and Secret Access Key—these only show once, so don’t lose them!

• Step 2: Configure AWS CLI Locally

  • Open your terminal and run:

    aws configure
    

  • You’ll be prompted to enter these details:
    1. AWS Access Key ID: Paste the key ID you saved earlier.
    2. AWS Secret Access Key: Paste the secret key you saved.
    3. Default region name: Enter your preferred region (like ap-northeast-1 for Tokyo).
    4. Default output format: Choose json, text, or table—json is a safe default.
  • Once done, your credentials will be stored in ~/.aws/credentials and ~/.aws/config (Linux/macOS) or C:\Users\<YourUsername>\.aws\ (Windows).

First, let’s unpack why you’re seeing this error and confirm which user the CLI is using.

确认当前CLI使用的身份 #

To check exactly which user your AWS CLI is authenticated as, run this command in your terminal:

aws sts get-caller-identity

You’ll get output like this, which confirms the active user:

{
    "UserId": "AIDAXYZ1234567890ABC",
    "Account": "213352837455",
    "Arn": "arn:aws:iam::213352837455:user/someuser"
}

为什么会自动使用someuser？ #

There are a few common reasons this might happen:

• You previously ran aws configure and set someuser as your default credentials.
• Environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY on your system are set to someuser’s credentials.
• You created a named profile for someuser (with aws configure --profile someuser) and either the AWS_PROFILE environment variable is set to someuser, or you’re not specifying a --profile flag when running commands.

修复AccessDenied报错 #

You have two straightforward options here:

Option 1: Grant the required permissions to someuser

If you want to keep using someuser, you need to give it permission to run dynamodb:DescribeTable:

1. Go back to the IAM Console, find the someuser account.
2. Navigate to the Permissions tab, click Add permissions > Attach existing policies directly.
3. Search for and select a policy like AmazonDynamoDBReadOnlyAccess (this includes DescribeTable access) or create a custom policy that only allows dynamodb:DescribeTable on your MyTable resource for tighter security.
4. Save the changes, wait a few minutes for permissions to propagate, then try your command again.

Option 2: Switch to a different user with the right permissions

If you have another user that already has DynamoDB access:

• Run aws configure again to overwrite the default credentials with the new user’s details.
• Or create a new named profile:

  aws configure --profile myauthorizeduser
  

  Then run your command with the profile flag:

  aws dynamodb describe-table --table-name MyTable --profile myauthorizeduser
  

内容的提问来源于stack exchange，提问作者Michel