AWS CLI

Last update: June 04 2026

AWS CLI (AWS Command Line Interface) is a command-line interface for working with AWS services that allows you to use Amazon CloudWatch API methods. Learn more in the DescribeLogGroups, DescribeLogStreams, GetLogEvents, and FilterLogEvents articles in the AWS documentation.

You can use AWS CLI to work with logs: get events, event streams, and log groups.

Before you begin, configure AWS CLI.

Configure AWS CLI

1. Add a service user.
2. Issue an S3 key to the user.
3. Install the client.
4. Configure the AWS CLI settings.

1. Add a service user

Add a service user with permission in the Projects access scope and the role:

• member or logs.admin for read and write access to logs;
• logs.write for write access to logs;
• reader or logs.viewer for read-only access to logs.

Account Owner or users with the iam.admin role can add users.

2. Issue an S3 key to the user

Users with access to the control panel can issue S3 keys for themselves, but we recommend creating service users and issuing S3 keys to them.

Only the Account Owner or a user with the iam.admin role can issue S3 keys to other users. A service user cannot get an S3 key independently because they do not have access to the control panel — the Account Owner or iam.admin.

You must create a separate key for each project. You can issue multiple keys for one project.

1. In the control panel, click IAM.

2. Go to the section for the required user type:

   • Users — for users with access to the control panel;
   • Service users — for service users.

3. Open the user page → in the Access tab.

4. In the S3 keys block, click Add key.

5. Enter a key name.

6. Select a project for which the key will work.

7. Click Generate. Two values will be generated:

   • Access key — Access Key ID, a key identifier;
   • Secret key — Secret Access Key, a secret key.

8. Click Copy and save the key — you will not be able to view it after closing the window.

3. Install the client⁠​

Follow the Install or update to the latest version of the AWS CLI guide in the Amazon documentation.

4. Configure AWS CLI settings⁠​

1. Open the CLI.

2. Open configuration mode:

   aws configure

3. Enter AWS Access Key ID — the value of the Access key field from the S3 key you issued to the user, and press Enter.

4. Enter AWS Secret Access Key — the value of the Secret key field from the S3 key you issued to the user, and press Enter.

5. Enter Default region name — the pool where your logs are located (e.g., ru-9), and press Enter.

6. Optional: enter Default output format or leave it blank and press Enter. If you do not specify a value, the default output format will be json.

7. Settings will be saved in the configuration files:

   • credentials in .aws/credentials;
   • pool in ~/.aws/config.

8. In the ~/.aws/config file, add the endpoint_url parameter after the region:

   [default]
   endpoint_url = <log_endpoint>

   Specify <log_endpoint> — the URL to access the Logs service API in the required pool. The list of URLs can be found in the URL Lists guide