Introduction

You can call the AWS CLI from Python, but that should usually be the second choice, not the first. If your script is interacting with AWS APIs directly, boto3 is normally the better tool. Use the AWS CLI through Python only when you specifically need CLI behavior, existing shell commands, or an AWS feature workflow you already have encoded as CLI commands.

The Clean Way to Call the AWS CLI

If you do need the CLI, use subprocess.run with an argument list. Do not build a shell command string unless you truly need shell features.

1import json
2import subprocess
3
4result = subprocess.run(
5    [
6        "aws",
7        "sts",
8        "get-caller-identity",
9        "--output",
10        "json",
11    ],
12    check=True,
13    capture_output=True,
14    text=True,
15)
16
17data = json.loads(result.stdout)
18print(data["Arn"])

This is safer than os.system because:

• arguments are passed directly without shell quoting problems
• you can capture stdout and stderr cleanly
• 'check=True raises an exception on failure'

When boto3 Is Better

If the goal is "use AWS from Python," the AWS SDK is usually the right abstraction.

1import boto3
2
3sts = boto3.client("sts")
4identity = sts.get_caller_identity()
5print(identity["Arn"])

This avoids parsing CLI output and removes the dependency on the external aws executable being installed in the runtime environment.

A useful rule is:

• use boto3 for API access
• use aws through subprocess only when you intentionally want CLI behavior

It also keeps your Python code closer to structured request and response objects instead of text-based command output. That usually makes error handling, retries, pagination, and testing easier.

Why People Still Call the CLI

There are legitimate reasons to wrap aws in Python:

• you already have known-good CLI commands from scripts
• the team shares CLI-based operational workflows
• you want the exact same output format as a shell-based process
• you are orchestrating tools rather than writing a long-lived AWS client

That is fine, but you should be explicit about the tradeoff. A CLI wrapper inside Python is an integration choice, not the default best practice.

Credentials and Environment

Whether you use aws or boto3, credentials still come from the runtime environment, profile configuration, or attached IAM role.

That means your Python script should also think about:

• which AWS profile is active
• whether the environment has AWS_REGION or explicit region configuration
• whether the aws executable is actually installed and on PATH

If you want to force a profile for a CLI command, pass it explicitly:

1subprocess.run(
2    ["aws", "s3", "ls", "--profile", "dev"],
3    check=True,
4)

Handling Errors Properly

Always capture and inspect failures.

1import subprocess
2
3try:
4    subprocess.run(
5        ["aws", "s3", "ls"],
6        check=True,
7        capture_output=True,
8        text=True,
9    )
10except subprocess.CalledProcessError as exc:
11    print("Command failed")
12    print(exc.stderr)

That gives you meaningful diagnostics instead of silent failure or a raw shell exit code.

Common Pitfalls

The most common mistake is using os.system or shell=True unnecessarily, which makes quoting and error handling worse.

Another mistake is calling the AWS CLI when boto3 would be simpler and more reliable.

A third pitfall is assuming the CLI is installed in every execution environment, especially containers, CI jobs, or Lambda-like runtimes.

Summary

• You can call the AWS CLI from Python with subprocess.run.
• Pass arguments as a list, capture output, and use check=True.
• Prefer boto3 when your real goal is AWS API access from Python.
• Use the CLI intentionally when you need CLI behavior or existing operational workflows.
• Handle credentials, region, and executable availability explicitly.