Alex Yaroslavsky

Multiple AWS accounts and CLI

After following this guide you will be able to switch easily and seamlessly between multiple AWS accounts and roles (with or without Okta) using the CLI.


Check out the first article in the series for requirements and initial configuration.

How To:

The following instructions are meant to be used in Linux or WSL, tested with Ubuntu.

Configure non-Okta accounts

aws configure --profile profile
aws configure --profile multi-role-profile

Configure Okta accounts

Create a file ~/.okta-aws with the following contents:

[okta-profile]
username = <username>
factor = OKTA
app-link = https://<your-company><app-link>
base-url = <your-company>
duration = 3600

[okta-multi-role-profile]
username = <username>
factor = OKTA
app-link = https://<your-company><app-link>
base-url = <your-company>
duration = 3600

Initialize the profiles:

okta-awscli --okta-profile okta-profile --profile okta-profile
okta-awscli --okta-profile okta-multi-role-profile --profile okta-multi-role-profile

Configure accounts with multiple roles

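Some accounts use role switching. For each role, add a section like the ones below to ~/.aws/credentials. The section name becomes the profile name (multi-role-profile-role1 is an assumed name here, chosen to match the okta-multi-role-profile-role1 profile used later), and source_profile points to a previously defined profile:

[multi-role-profile-role1]
role_arn = <role-arn>
source_profile = multi-role-profile

[okta-multi-role-profile-role1]
role_arn = <role-arn>
source_profile = okta-multi-role-profile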
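A check for the role sections described above, as an added example that is not part of the original post: it reports any source_profile that does not name a section in the same file, and warns when the credentials file is accessible to other users. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes every profile lives in
# the one credentials file passed in, as in the setup described above.

# Print "section -> source_profile" for each reference to a missing section.
dangling_source_profiles() {
    awk '
        /^[ \t]*\[.*\][ \t]*$/ {
            sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, "")
            section = $0; defined[section] = 1; next
        }
        /^[ \t]*source_profile[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            wants[section] = $0
        }
        END {
            for (s in wants)
                if (!(wants[s] in defined)) print s " -> " wants[s]
        }
    ' "$1" | sort
}

# Succeed only if group and others have no permission bits on the file.
is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Run both checks; the exit status is non-zero if either one fails.
lint_credentials() {
    file=$1; rc=0
    is_private "$file" || { echo "WARN: $file is accessible to group/others"; rc=1; }
    bad=$(dangling_source_profiles "$file")
    [ -z "$bad" ] || { echo "ERROR: undefined source_profile: $bad"; rc=1; }
    return $rc
}

# Constructed sample: the role2 section has a typo in source_profile.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[okta-multi-role-profile]
aws_access_key_id = <access-key-id>
[okta-multi-role-profile-role1]
role_arn = <role-arn>
source_profile = okta-multi-role-profile
[okta-multi-role-profile-role2]
role_arn = <role-arn>
source_profile = okta-multi-role-profil
EOF
lint_credentials "$sample" || echo "lint failed"
```

To check the real file, run lint_credentials ~/.aws/credentials after editing it.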

Associate EKS clusters with profiles

Run the following for each EKS cluster that you want kubectl access to. <profile-name> is the name of an AWS profile defined above that has permissions for this EKS cluster:

aws --profile <profile-name> eks update-kubeconfig --name <eks-cluster-name>

Create scripts for fast account switching

The scripts switch to the relevant AWS account, point kubectl to the relevant cluster, and set a default kubectl namespace.
Create one script file per profile, and place it in your home directory.

File okta-multi-role-profile-role1:

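export AWS_DEFAULT_PROFILE=okta-multi-role-profile-role1
kubectl config use-context <eks-cluster-arn>
kubectl config set-context --current --namespace=<namespace>
# Confirm which account and role the shell is now using
aws sts get-caller-identity
# Show the active profile in the prompt, adding it only once
# (the prompt format below is an assumption)
if [[ $PS1 != *"AWS_DEFAULT_PROFILE"* ]]; then
  PS1="(\$AWS_DEFAULT_PROFILE) $PS1"
fi
echo "Switched to okta-multi-role-profile-role1"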

Switch between accounts

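To quickly switch between accounts, source the relevant file. It must be sourced rather than executed so that the exported variable takes effect in the current shell:
source <profile-file>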

For example:
source okta-multi-role-profile-role1
