How to take advantage of multiple profiles feature? (with examples and tips)
Why and How?
According to the AWS Well-Architected Framework best practices, a cloud environment should be split across multiple accounts. Depending on the security requirements, each account has its own groups, roles, and users.
In such a configuration, you may have multiple profiles to use on a daily basis, either between different accounts or even within the same account, with each profile having different permissions or roles.
Setting Multiple profiles
Here is how you can add multiple profiles to the AWS CLI.
To create multiple AWS CLI profiles, you can use the aws configure command. This command will prompt you for information such as your AWS Access Key ID and Secret Access Key, as well as the default region and output format for your profile.
To create a new profile, you can use the --profile option, followed by the name of your profile. For example, if you wanted to create a profile named "dev", you could use the following command:
aws configure --profile dev
You can create as many profiles as you need, each with its own set of credentials and configuration options.
To use a specific profile, you can use the --profile option followed by the name of the profile you want to use. For example, if you wanted to use the "dev" profile you created earlier, you could use the following command:
aws s3 ls --profile dev
Now let's walk through the steps:
1. Open the command line or terminal.
2. Type in the following command:
aws configure
3. When prompted, enter the access key ID and secret access key for the first profile.
4. When prompted for the default region name and output format, enter the desired values for the first profile.
5. Repeat steps 2-4 for each additional profile, using a different name and access key ID/secret access key for each one.
6. To switch between profiles, use the --profile flag followed by the profile name in subsequent AWS CLI commands. For example, to use the "dev" profile, you would use the command: aws --profile dev [command] [options]
- Here is an example:
PS C:\> aws configure
AWS Access Key ID [None]: ANY0TH3R4CC3SSK3YL6V
AWS Secret Access Key [None]: 0C+tH1Sc0uLdb3aNYS3CR3tk3YG3n3RAt3d92
Default region name [None]: us-east-1
Default output format [None]: json
- Add another profile:
PS C:\> aws configure --profile userdev2
AWS Access Key ID [None]: ANY0TH3R4CC3SSK3YOOZ
AWS Secret Access Key [None]: cP-0C+tH1Sc0uLdb3aNYS3CR3tk3YG3n3RAt3d6z
Default region name [None]: us-east-1
Default output format [None]: json
- To list the available profiles, run this command:
PS C:\> aws configure list-profiles
default
userdev2
- To view the default profile, run the command below:
PS C:\> aws configure list
Name        Value                 Type         Location
----        -----                 ----         --------
profile     userdev               env          ['AWS_PROFILE', 'AWS_DEFAULT_PROFILE']
access_key  ****************YL6V  env
secret_key  ****************3d92  env
region      us-east-1             config-file  ~/.aws/config
- To view another profile, add "--profile" and the name of the profile to the above command:
PS C:\> aws configure list --profile userdev2
Name        Value                 Type                     Location
----        -----                 ----                     --------
profile     userdev2              manual                   --profile
access_key  ****************AGGH  shared-credentials-file
secret_key  ****************Fpne  shared-credentials-file
region      us-east-1             config-file              ~/.aws/config
So what is the default profile?
The default profile is the one the AWS CLI uses when no profile is specified; it is determined by the settings in the ~/.aws/credentials file on your local machine. To use it, you do not need to add "--profile" to your AWS CLI command; you can just type: aws [command] [options]
You can change the default profile manually by editing the ~/.aws/credentials file, or you can run one of these commands:
- Windows - PowerShell:
PS C:\> $Env:AWS_PROFILE = 'userdev2'
- Windows - CMD:
The command below changes the variable in the current CMD session only:
set AWS_PROFILE=userdev2
The command below changes the variable in all NEW CMD sessions:
setx AWS_PROFILE userdev2
Note: make sure that the variables below are not set; otherwise, setting AWS_PROFILE to the new profile will not change the credentials in use, because these variables take precedence over the profile:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- Linux:
$ export AWS_PROFILE=userdata
Now run this command to verify that the default profile has been changed:
aws configure list
You can run the following command to check the AWS account and IAM user of the current profile:
$ aws sts get-caller-identity
{
"UserId": "AUs3r1DF0rtH1sUs3rZL",
"Account": "432109876543",
"Arn": "arn:aws:iam::432109876543:user/userdev"
}
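The precedence pitfall from the note above (the key environment variables overriding AWS_PROFILE), shown as an added example that is not from the original post: a simplified model of the AWS CLI lookup order, run over constructed sample files with placeholder keys. The function names and the "not-found" label are hypothetical, and the rule that --profile on the command line beats the key variables is an assumption taken from the documented precedence, not from this post.

```python
import configparser

# Constructed sample files with placeholder values (not real keys).
CREDENTIALS = """\
[default]
aws_access_key_id = EXAMPLEKEYIDDEFAULT
aws_secret_access_key = example-secret-default

[userdev2]
aws_access_key_id = EXAMPLEKEYIDUSERDEV2
aws_secret_access_key = example-secret-userdev2
"""
CONFIG = """\
[default]
region = us-east-1

[profile userdev2]
region = us-east-1
"""

def _parse(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser

def list_profiles(credentials_text, config_text):
    """Profile names from both files; ~/.aws/config prefixes non-default names with 'profile '."""
    names = list(_parse(credentials_text).sections())
    for section in _parse(config_text).sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        if name not in names:
            names.append(name)
    return names

def effective_credentials(env, cli_profile, credentials_text):
    """Return (profile name, credential source) under the simplified lookup order."""
    if cli_profile:
        profile = cli_profile  # assumption: an explicit --profile beats the key variables
    elif env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        # The key variables beat AWS_PROFILE: the profile name changes, the keys do not.
        return env.get("AWS_PROFILE", "default"), "env"
    else:
        profile = env.get("AWS_PROFILE", "default")
    creds = _parse(credentials_text)
    if creds.has_option(profile, "aws_access_key_id"):
        return profile, "shared-credentials-file"
    return profile, "not-found"
```

A result of "env" alongside a non-default profile name corresponds to the `aws configure list` output shown earlier, where the profile comes from AWS_PROFILE but access_key and secret_key are typed env.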
For more details, you may refer to the AWS CLI - Configuration basics.
You may be interested in:
How to use (AWS CLI -- Auto-prompt) to help you build your command faster!
Please feel free to share your feedback.