DEV Community

Cover image for Everything you need to know about AWS CLI Profiles
Andreas Bergström
Andreas Bergström

Posted on • Edited on

Everything you need to know about AWS CLI Profiles

Hey there, fellow AWS explorer! Ready to multi-task? We're about to dive into the world of AWS CLI and discover how to manage multiple profiles in your AWS CLI configuration files. This is going to be your secret sauce if you're juggling more than one AWS account or separating various projects or environments like a true ninja.

After reading this article you will have learned to:

  • Configure multiple profiles for the AWS CLI, and easily switching between them using aliases. No more logging in and out or setting environment variables, yey!
  • Store the secrets in your OS'es keychain instead of plaintext. You already knew plaintext in disk files was about idea so why would you do it for something as critical as AWS credentials?
  • Ditching these keys altogether and start using SSO instead. Just when you thought you were done we will redo it with SSO instead.

So, here's the lowdown. AWS CLI uses two nifty little files tucked away in your home directory under the .aws folder to store your credentials and configuration:

  • ~/.aws/credentials: Think of this as your secret vault. It's where your AWS access keys are kept under lock and key.
  • ~/.aws/config: This one's your guidebook. It's got your default region and output format for your AWS CLI commands.

Laying the Groundwork for Multiple Profiles

Setting up multiple profiles is as easy as pie. All you have to do is add new entries to your ~/.aws/credentials and ~/.aws/config files.

Let's say you've got two AWS accounts - one for your personal experiments (launching that personal blog, maybe?) and another for your top-secret work (ahem, world domination plans, perhaps?). Here's how you can set it up:

~/.aws/credentials



[default]
aws_access_key_id = YOUR_DEFAULT_ACCESS_KEY
aws_secret_access_key = YOUR_DEFAULT_SECRET_KEY

[personal]
aws_access_key_id = YOUR_PERSONAL_ACCESS_KEY
aws_secret_access_key = YOUR_PERSONAL_SECRET_KEY

[work]
aws_access_key_id = YOUR_WORK_ACCESS_KEY
aws_secret_access_key = YOUR_WORK_SECRET_KEY


Enter fullscreen mode Exit fullscreen mode

Each section in this file is a profile. The [default] profile is like your trusty old sidekick - always there when no other profile is specified.

~/.aws/config



[default]
region = us-west-2
output = json

[profile personal]
region = us-west-1
output = text

[profile work]
region = eu-west-1
output = json


Enter fullscreen mode Exit fullscreen mode

Just like its mate, the [default] profile here is your go-to when no profile is explicitly called out. Just remember, it likes to go by profile here - a little different from the credentials file.

Flipping Through Profiles

Want to switch hats between profiles when using the AWS CLI? It's as simple as using the --profile flag. For instance, if you want to take a peek at all the S3 buckets in your personal account, here's the magic spell:



aws s3 ls --profile personal


Enter fullscreen mode Exit fullscreen mode

And if you decide to go commando and don't specify a profile, AWS CLI will always have your back with the [default] profile.

Choosing Your Default Profile

If you're feeling too lazy to specify the --profile flag every single time, there's a shortcut. You can set the AWS_PROFILE environment variable in your terminal, and voila, you've got your default profile! Here's how:



export AWS_PROFILE=personal


Enter fullscreen mode Exit fullscreen mode

And just like that, every AWS CLI command you run will use the 'personal' profile until you decide to change the AWS_PROFILE variable or until the session calls it a day.

Setting Up Aliases for Different Profiles

Alright, ready to become even more of a command line whizz? We're about to show you a really fun trick using aliases. If you're constantly toggling between profiles and feeling like the --profile option or export command slows you down, there's a quicker and, dare I say, more stylish way.

Alias in Linux (or any Unix-based system) is like your custom keyboard shortcut. It's a way to run a command or a series of commands using a user-defined string. You can create an alias in your shell's profile file - like .bashrc, .bash_profile, or .zshrc if you're using Zsh.

So, if you're a bit impatient (like most of us these days!) and don't want to type AWS_PROFILE=personal aws every single time, you can create an alias like this:



alias awspersonal="AWS_PROFILE=personal aws"


Enter fullscreen mode Exit fullscreen mode

Now, isn't that neat? This command will set the AWS_PROFILE environment variable to personal only for the duration of that aws command.

With this alias set up, you can just type awspersonal in the terminal, followed by your AWS CLI command, to use your personal profile. For instance:



awspersonal s3 ls


Enter fullscreen mode Exit fullscreen mode

Making Aliases Permanent

"But wait," I hear you say, "I tried this, and my aliases disappeared when I closed my terminal!"

Not to worry, I've got you covered. If you want your alias to stick around for future sessions, you'll need to add it to your shell's profile script (~/.bashrc, ~/.bash_profile, or ~/.zshrc etc.). Simply open the file in your preferred text editor, append your alias command at the bottom, and save it.



echo 'alias awspersonal="AWS_PROFILE=personal aws"' >> ~/.bashrc


Enter fullscreen mode Exit fullscreen mode

(Note: Replace ~/.bashrc with your shell's profile script path if you're not using Bash.))

Now, every time a new shell session starts, your aliases are loaded and ready for action!

And there you have it! That's your masterclass in juggling multiple AWS profiles, switching them up, and making things zippy with aliases. Managing multiple AWS profiles doesn't have to be a juggle - it can be more like a well-choreographed dance. Always remember: your secret AWS access keys are your treasure, guard them well. Keep exploring, keep innovating, and above all, have fun while doing it!

Safeguarding AWS Credentials with OS Keychain

meme for storing plaintext secrets on disk

We've all heard it before, but it bears repeating - security is paramount! It's a huge no-no to leave our AWS access keys and secret keys laying around in plaintext files. It's like leaving your house keys under the doormat; sure, it's convenient, but any passers-by could find them and unlock your house. Instead, let's tuck those keys away safely in your operating system's keychain. This way, they're encrypted and locked away, but still readily available for you to use. Here's how to do it.

macOS Keychain

If you're rocking a macOS, you can use the security command-line tool to add credentials to your keychain.

For instance, to add an AWS access key, you can use:



security add-generic-password -a AWS -s AWS_ACCESS_KEY_ID -w <Your_Access_Key_ID>


Enter fullscreen mode Exit fullscreen mode

And for the secret key:



security add-generic-password -a AWS -s AWS_SECRET_ACCESS_KEY -w <Your_Secret_Access_Key>


Enter fullscreen mode Exit fullscreen mode

The -a option specifies the account name, -s is for the service name, and -w is for the password (your AWS key).

You can then fetch these keys from your keychain when you need them:



AWS_ACCESS_KEY_ID=$(security find-generic-password -a AWS -s AWS_ACCESS_KEY_ID -w)
AWS_SECRET_ACCESS_KEY=$(security find-generic-password -a AWS -s AWS_SECRET_ACCESS_KEY -w)


Enter fullscreen mode Exit fullscreen mode

Windows Credential Manager

On Windows, you can use the Credential Manager to store your AWS keys. To add credentials, you can use the cmdkey utility:



cmdkey /add:AWS_ACCESS_KEY_ID /user:AWS /pass:<Your_Access_Key_ID>
cmdkey /add:AWS_SECRET_ACCESS_KEY /user:AWS /pass:<Your_Secret_Access_Key>


Enter fullscreen mode Exit fullscreen mode

You can then list and use the credentials in your scripts with the cmdkey /list command.

Linux Secret Service

On Linux, you can use the Secret Service API via the secret-tool command if it's available on your distro. Here's how you can store the AWS keys:



secret-tool store --label='AWS' AWS_ACCESS_KEY_ID <Your_Access_Key_ID>
secret-tool store --label='AWS' AWS_SECRET_ACCESS_KEY <Your_Secret_Access_Key>


Enter fullscreen mode Exit fullscreen mode

And retrieve them:



AWS_ACCESS_KEY_ID=$(secret-tool lookup AWS_ACCESS_KEY_ID <Your_Access_Key_ID>)
AWS_SECRET_ACCESS_KEY=$(secret-tool lookup AWS_SECRET_ACCESS_KEY <Your_Secret_Access_Key>)


Enter fullscreen mode Exit fullscreen mode

Storing your AWS keys in your operating system's keychain or credential manager is a fantastic way to balance convenience and security. You can readily access your keys, but they're encrypted and stored securely, not left in plaintext. As a best practice, continue to rotate these keys periodically and, of course, never share them.

Using SSO for AWS CLI Configuration

girl looking at SSO instead of secret keys

Handling Access Keys and Secret Access Keys can be tricky and risky if not managed properly. But worry not, as AWS has got us covered with AWS Single Sign-On (SSO). AWS SSO makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. Here's how you can switch gears from access keys to SSO in AWS CLI.

Configuring AWS SSO

Before we start, make sure that you have the latest version of AWS CLI (version 2.x) installed, as SSO is not supported in version 1.x.

First, you'll need to configure SSO with the aws configure sso command. This will start a wizard that guides you through the process. It will prompt you for the SSO start URL, the region your SSO directory is in, and the AWS account and role that you want to use. If you don't know the SSO start URL or the region, you can get it from your AWS SSO portal.

Here is a sample configuration process:



$ aws configure sso
SSO start URL [None]: https://your-aws-sso-portal.awsapps.com/start
SSO Region [None]: eu-north-1
Attempting to open SSO authorization page in default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.eu-north-1.amazonaws.com/

Then enter the code:

ABCD-EFGH
Successfully logged into Start URL: https://your-aws-sso-portal.awsapps.com/start
Found 1 AWS account(s) available to user: your-user-name
Using the account ID 123456789999
Found 1 role(s) available to user: your-user-name
Using the role name "AdministratorAccess"
CLI default client Region [None]: eu-north-1
CLI default output format [None]: json
CLI profile name [AdministratorAccess-123456789999]: your-profile-name


Enter fullscreen mode Exit fullscreen mode

This command also signs you into AWS SSO in the browser, so make sure you have access to the sign-in credentials.

The above process will create an AWS profile that uses AWS SSO for authentication. The profile will look something like this in your ~/.aws/config file:



[profile your-profile-name]
sso_start_url = https://your-aws-sso-portal.awsapps.com/start
sso_region = eu-north-1
sso_account_id = 123456789999
sso_role_name = AdministratorAccess
region = eu-north-1
output = json


Enter fullscreen mode Exit fullscreen mode

Now, you can use AWS CLI with your SSO profile:



aws s3 ls --profile your-profile-name


Enter fullscreen mode Exit fullscreen mode

Once your SSO session expires, the AWS CLI automatically initiates the sign-in process again.

Using AWS SSO with AWS CLI streamlines access to AWS resources across multiple accounts. It adds a layer of security by eliminating the need to manage long-term credentials. So why not give it a try? Have fun and keep secure while you're managing your AWS resources!

Top comments (0)