| name | aws-cli |
| description | AWS CLI safety guardrails and account/role management for AI agents. Read before running any AWS CLI command. Covers environment setup, credential checking, account switching, pagination, and account-guard patterns. Triggers on any aws CLI invocation, account switching, SSO login, or when setting up a shell pane for AWS work. |
AWS CLI — Agent Safety Guardrails
Pre-flight: set before any AWS command
unset AWS_CLI_AUTO_PROMPT && export AWS_PAGER='' AWS_DEFAULT_OUTPUT=json
AWS_CLI_AUTO_PROMPT — interactive autocomplete; blocks non-TTY execution, always unset
AWS_PAGER='' — prevents less capturing output; empty string disables entirely
AWS_DEFAULT_OUTPUT=json — machine-readable; override per-command with --output text for scalar extraction only
Identity and credential check
Use aws-whoami (not bare aws sts get-caller-identity) — it prints all AWS_* env vars,
shows active account roles with expiry, and calls sts get-caller-identity:
aws-whoami
Key env vars to note after aws-whoami:
AWS_SSO_PROFILE — the active profile (account-alias:RoleName)
AWS_SSO_SESSION_EXPIRATION — credential expiry (ISO8601); check this before long operations
AWS_SSO_ACCOUNT_ID — current account ID; use to guard against wrong-account operations
If credentials are expired: do not retry in a loop. Re-authenticate:
aws-login [account-alias]
aws-login
List accounts and roles
aws-sso list
aws-sso list -P AccountAlias=tec-dce-inn-dev
aws-sso list -P AccountId=990136964265
aws-sso list -s AccountAlias
Available fields for -P filtering / -s sorting:
AccountAlias, AccountId, AccountIdPad, AccountName, Arn, DefaultRegion,
EmailAddress, Expires, ExpiresEpoch, Profile, RoleName, SSO, Via
The Profile column value is what goes into aws-login and AWS_SSO_PROFILE.
Switch account or role
aws-login tec-dce-inn-dev
aws-login tec-dce-inn-dev:_TECAdmin-Dev
aws-login tec-dce-inn-dev -c
aws-login calls aws-sso eval -p <profile>, writes credentials to $AWS_SSO_CACHE,
then sources them into the shell. After login, aws-whoami confirms the active identity.
aws-sso-profile resolves the correct profile for an account alias (used internally by
aws-login; also useful to check what profile would be selected):
aws-sso-profile tec-dce-inn-dev
Account guard: verify before destructive operations
Always assert the active account matches expectation before mutations:
EXPECTED_ACCOUNT=990136964265
ACTUAL_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
[[ "$ACTUAL_ACCOUNT" == "$EXPECTED_ACCOUNT" ]] || { echo "Wrong account: $ACTUAL_ACCOUNT"; exit 1; }
AWS_SSO_ACCOUNT_ID is also available in the environment after aws-login / aws-whoami
for a no-API-call check.
Pagination
Many list-* / describe-* calls return only the first page by default. Always handle this:
aws ec2 describe-instances --no-paginate
aws ec2 describe-instances --output json
Silent truncation is a common agent bug — if a result set seems incomplete, add --no-paginate
or check for NextToken in the response.
Retry and throttle behaviour
export AWS_RETRY_MODE=standard
export AWS_MAX_ATTEMPTS=5
Set these alongside the pre-flight block for long-running or high-volume sessions.
Per-command output patterns
aws sts get-caller-identity --query Account --output text
aws ec2 describe-instances \
--query 'Reservations[*].Instances[*].{ID:InstanceId,State:State.Name}' \
--output json
aws autoscaling describe-auto-scaling-instances \
--query 'AutoScalingInstances[?AutoScalingGroupName==`MY-ASG`].{Id:InstanceId,State:LifecycleState,Health:HealthStatus}' \
--output table
MFA / STS session (legacy accounts)
For accounts using MFA rather than SSO:
aws-sts-mfa-session login
aws-sts-mfa-session test
aws-sts-mfa-session refresh
Creds are cached at $STS_SESSION_CACHE (default ~/.aws/sts-mfa-session.json).
To load from file into current shell:
aws-load-sts-session-from-file ~/.aws/sts-mfa-session.json