Manage multiple AWS profiles on CLI
There are two kinds of profiles you can have over AWS accounts:
A profile which grants you direct access to an AWS account (e.g., your profile over the Nextbit AWS account)
A role you assume from one account to have access to another account (e.g., all our roles in our customer AWS accounts)
To assume a role, of course, you need to first log in with a “real” profile. Expanding the customer example, you first log in with your profile over customer_develop_account, and then you assume your role on another account, such as customer_prod_account.
At some point you probably want to work with these profiles on your command line. To configure your AWS accounts for the command line, there are two important files:
~/.aws/credentials
~/.aws/config
Credentials
In ~/.aws/credentials you need to insert the security credentials of the profiles with direct access to an account. The roles you assume do not have any credentials. To generate your credentials, you log in to the AWS console, click on your name at the top right, and then click on “My security credentials”. You then click on “Create access key” and download the .csv that AWS generates for you. You need to save these credentials in ~/.aws/credentials. The structure of the file is this:
[default]
aws_access_key_id = AKIAAAAAAAAAAAA
aws_secret_access_key = superSecret
[another-account]
aws_access_key_id = AKIAVVVVVVVVVVVV
aws_secret_access_key = anotherSuperSecret
The default section contains the credentials that the CLI uses by default, when you do not specify anything else. Then you can add any other account under any other section. You choose the name inside the square brackets, and it’s for your convenience: you don’t need to match that name to any other name.
Config
Now that you have configured your credentials, you can configure other options, and also the roles you want to assume. In the ~/.aws/config file you can specify a default AWS region, if you don’t want to insert it every time, and any role you want to assume. The schema of the file is like this:
[default]
region = eu-central-1
[profile customer]
role_arn = arn:aws:iam::your-aws-account-number:role/YourAmazingRole
source_profile = default
In the default section you can specify some default config, like the region. Under profile you insert the name of the profile (you can name it as you want), then you specify the role you want to assume in the role_arn field, and then you specify which credentials should be used to assume the role (i.e., the profile you start from when you assume that role). The value of source_profile must match one of the sections of ~/.aws/credentials.
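The following is an added example, not part of the original page: it resolves a profile name the way the two files above are described, checking that a role profile’s source_profile points at a real section of the credentials file. Both file contents are constructed inline (the keys are the page’s placeholders, the account number is a dummy), and the names `resolve_profile`, `broken` and `no-such-section` are this example’s own.

```python
"""Resolve an AWS CLI profile from ~/.aws/config and ~/.aws/credentials contents."""
import configparser

# Constructed sample files mirroring the page's layout (placeholder keys, dummy account id).
CREDENTIALS = """
[default]
aws_access_key_id = AKIAAAAAAAAAAAA
aws_secret_access_key = superSecret
[another-account]
aws_access_key_id = AKIAVVVVVVVVVVVV
aws_secret_access_key = anotherSuperSecret
"""
CONFIG = """
[default]
region = eu-central-1
[profile customer]
role_arn = arn:aws:iam::123456789012:role/YourAmazingRole
source_profile = default
[profile broken]
role_arn = arn:aws:iam::123456789012:role/Orphan
source_profile = no-such-section
"""


def _parse(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def resolve_profile(name, config_text=CONFIG, credentials_text=CREDENTIALS):
    """Describe how AWS_PROFILE=<name> obtains credentials.

    A role profile lives in the config file as '[profile <name>]' with a role_arn
    and must name a source_profile that is a section of the credentials file;
    a direct profile is simply a section of the credentials file.
    """
    creds, conf = _parse(credentials_text), _parse(config_text)
    # In ~/.aws/config every section except [default] carries the 'profile ' prefix.
    section = "default" if name == "default" else f"profile {name}"
    region = conf.get(section, "region", fallback=None)  # only what this section sets
    if conf.has_option(section, "role_arn"):
        source = conf.get(section, "source_profile", fallback=None)
        if source is None or not creds.has_section(source):
            raise ValueError(f"profile {name!r}: source_profile {source!r} not in credentials")
        return {"kind": "role", "role_arn": conf.get(section, "role_arn"), "region": region,
                "source_profile": source, "access_key_id": creds.get(source, "aws_access_key_id")}
    if creds.has_section(name):
        return {"kind": "direct", "region": region,
                "access_key_id": creds.get(name, "aws_access_key_id")}
    raise ValueError(f"profile {name!r} found in neither config nor credentials")
```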
Usage
When you launch anything from the command line, you should set the AWS_PROFILE environment variable: every AWS tool (such as boto3 for Python, or aws in the CLI) will read it. Therefore, you add AWS_PROFILE=my_profile before any command you want to run:
AWS_PROFILE=example python3 main.py
AWS_PROFILE=another aws s3 ls
Example: the same command, run with two different profiles:
15:55:26 in ~
➜ AWS_PROFILE=your-wonderful-profile aws s3 ls
2019-07-17 19:24:49 my-bucket-1-newer
2019-07-17 19:16:59 my-bucket-1-new
2019-09-02 16:32:25 my-bucket-1-newest
2019-07-17 17:47:22 my-bucket-1
15:55:44 in ~ took 2s
➜ AWS_PROFILE=your-fantastic-profile aws s3 ls
2019-10-09 11:56:02 customer-bucket-44
2019-08-13 10:42:20 customer-bucket-43
2019-06-25 14:52:17 customer-bucket-42