Useful aws cli commands (and errors)

aws-cli-commands.sh

# List all AWS Org accounts' Id, Name, and Email in a csv format
aws organizations list-accounts --query 'Accounts[].[Id,Name,Email,Status]' | jq -r '["id","name","email","status"], (.[]) | @csv' 

# Find all EKS clusters in AWS Org 
aws configservice list-aggregate-discovered-resources --resource-type "AWS::EKS::Cluster" --configuration-aggregator-name "aws-config-aggregator-name" --no-paginate --output text

# Find all EKS cluster AWS Org with name like name_pattern
#  and only display the source account id, the cluster name, and the cluster region

aws configservice list-aggregate-discovered-resources --resource-type "AWS::EKS::Cluster" --configuration-aggregator-name "aws-config-aggregator-name" --no-paginate --query 'ResourceIdentifiers[?contains(ResourceName,`name_pattern`)].[SourceAccountId,ResourceName,SourceRegion]' --output text

# Find all AWS SSO groups
aws identitystore list-groups --identity-store-id d-12345abcde --output text

# Find all permission set ids in AWS SSO
aws sso-admin list-permission-sets --instance-arn arn:aws:sso:::instance/ssoins-12345abcdef --output text

# Find all permission set names in AWS SSO
#  permission set name is only available via the describe-permission-set command

aws sso-admin list-permission-sets --instance-arn arn:aws:sso:::instance/ssoins-12345abcdef --output text > aws-sso-permission-sets.txt

while read ps; do aws sso-admin describe-permission-set --permission-set-arn $ps --instance-arn arn:aws:sso:::instance/ssoins-12345abcdef | jq -r .PermissionSet.Name ; done < aws-sso-permission-sets.txt

# Find all AWS Cloudformtion stacks which have `ControlTower` in their name - Option 1
aws cloudformation describe-stacks  --query 'Stacks[?contains(StackName,`ControlTower`)]' | jq -r '.[].StackName'

# Find all AWS Cloudformtion stacks which have `ControlTower` in their name - Option 2
aws cloudformation list-stacks --query 'StackSummaries[?contains(StackName,`ControlTower`)]' | jq -r '.[].StackName'

# Create a stackset
#  tags.json => [{Key=environment,Value=test},{Key=team,Value=operations}]
aws cloudformation create-stack-set --stack-set-name stackset-test --template-body file://template.yaml --capabilities CAPABILITY_NAMED_IAM --permission-model SERVICE_MANAGED --auto-deployment Enabled=false --tags file://tags.json

# Create a stackset (with service_managed permissions, from the delegated admin account)
#  tags.json => [{Key=environment,Value=test},{Key=team,Value=operations}]
aws cloudformation create-stack-set --stack-set-name stackset-test --template-body file://template.yaml --capabilities CAPABILITY_NAMED_IAM --permission-model SERVICE_MANAGED --call-as DELEGATED_ADMIN --auto-deployment Enabled=false --tags file://tags.json

# Deploy stackset instance to a single account in AWS Org OU with multiple accounts
aws cloudformation create-stack-instances --stack-set-name stackset-test --deployment-targets Accounts=112233445566,OrganizationalUnitIds=ou-12345abcdef,AccountFilterType=INTERSECTION --regions eu-west-1 us-east-1

# Deploy stackset instance (with service_managed permissions, from the delegated admin account) to an OU with multiple accounts
aws cloudformation create-stack-instances --stack-set-name stackset-test --deployment-targets OrganizationalUnitIds=ou-12345abcdef --call-as DELEGATED_ADMIN --regions eu-west-1 us-east-1

aws-cli-errors.md

Errors

• Error: You must be the master or delegated admin account of an organization before operating a SERVICE_MANAGED stack set
  • Verify the pre-requisites are met
  • cli option --call-as DELEGATED_ADMIN is specified, if running from a delegated admin account

---

• Parameter validation failed: Unknown parameter in DeploymentTargets: "AccountFilterType", must be one of: Accounts, AccountsUrl, OrganizationalUnitIds
  • Upgrade AWS cli
  • Failed with aws-cli/2.2.26 Python/3.8.8, worked with aws-cli/2.9.0 Python/3.9.11