Switch & Leapp-cli - AWS session management 100% command line

According to the Well-Architected Framework, you should not store keys as clear text. So why do you store your AWS credentials in a credentials file as clear, unencrypted text? The answer is: because it is convenient! I show you a way to handle your static or SSO AWS credentials simply and securely.

You need three little tools:

Leapp, the new leapp-cli and switchaws.
You will get a zero-byte credentials file, temporary credentials and command-line handling with tools that are fast and easy to install.

Quick Start for the impatient

Assume you have an AWS SSO login and a profile called letsbuild. After installing the tools, you can start the session with these two commands:


leapp session start letsbuild


switch letsbuild


ls -l ~/.aws/credentials
-rw-------@ 1 jdoe  staff  0  3 Mär 12:45 /Users/jdoe/.aws/credentials


ls -l ~/.aws/credentials
-rw-------@ 1 jdoe  staff  831  3 Mär 12:45 /Users/jdoe/.aws/credentials

and also filled environment variables like:


So you can start using the profile:

aws sts get-caller-identity
    "Account": "777555666888",
    "Arn": "arn:aws:iam::777555666888:user/jdoe"


Alternative approaches

Using profiles only with leapp

1) Start the session
leapp session start letsbuild

2) Use the profile with each call:

aws sts get-caller-identity --profile letsbuild

Configure leapp for the default profile

Default profile

The downside:
The AWS CLI first looks for credentials in the environment variables. If it finds AWS_ACCESS_KEY_ID & co., the profile in the credentials file will not be used.

What do you get out of this approach?

Secure storage of credential keys

  • Not stored as clear text in a file, but in the macOS Keychain

Secure usage of temporary credentials

With AWS SSO you always get temporary credentials. With a static IAM user access key, you would use static credentials. Leapp uses these static keys to generate temporary credentials.
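
The two points above (long-term keys left as clear text in the credentials file, and environment variables taking precedence over a profile) can be checked from the shell. This is an added example, not part of the original post or of Leapp or switchaws; the function names are hypothetical, and it relies on AWS's access key ID prefixes (AKIA for long-term IAM user keys, ASIA for temporary STS keys).

```sh
# Added example (not from the original post); function names are hypothetical.
# Prints "<profile> <kind>" for each profile in an AWS credentials file:
#   static    = long-term key (AKIA...) without a session token
#   temporary = STS key (ASIA...) with aws_session_token
# Key material itself is never printed.
classify_profiles() {
  awk '
    function emit() {
      if (profile == "") return
      kind = "unknown"
      if (key ~ /^AKIA/ && !token) kind = "static"
      else if (key ~ /^ASIA/ && token) kind = "temporary"
      print profile, kind
    }
    /^[ \t]*\[.*\][ \t]*$/ {
      emit()
      profile = $0
      gsub(/^[ \t]*\[|\][ \t]*$/, "", profile)
      key = ""; token = 0
      next
    }
    /^[ \t]*aws_access_key_id[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); key = $0 }
    /^[ \t]*aws_session_token[ \t]*=/ { token = 1 }
    END { emit() }
  ' "$1"
}

# Succeeds (status 0) if any profile still holds a long-term key in clear text.
has_static_keys() {
  classify_profiles "$1" | grep -q ' static$'
}

# Succeeds if environment credentials are set; the AWS CLI then uses them
# and ignores the profile in the credentials file.
env_shadows_profile() {
  [ -n "${AWS_ACCESS_KEY_ID:-}" ]
}

# Usage: classify_profiles ~/.aws/credentials
```

A zero-byte credentials file produces no output and `has_static_keys` fails, which is the state the post aims for when no session is running.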

Easy installation and long term stability

I used awsume for a long time. Then I got a new MacBook and lost 1/2 hour installing different Python versions. So I programmed switchaws in Go to get a single executable. And yes: I plead guilty to the "not invented here" syndrome :).

Installation is straightforward:

1) Copy the matching binary link into a directory which is in your $PATH

2) Copy the wrapper file into that directory as well

3) Set an alias

and you are done!


Leapp works great with either a static ACCESS_KEY or SSO.


