When using Access Keys I got used to setting the default profile in my credentials file and it worked just fine. When I began having to manage more accounts and switched to SSO, updating the default profile becomes more of a pain. I will show you a couple of ways to authenticate the SDK using named profiles.
I will be showing how to authenticate the AWS SDK against a specific AWS Account using the following methods:
- Setting environment variables
- Getting credentials in the code
Setting environment variables
The easiest way you can run the AWS SDK from your local machine is by setting the AWS_PROFILE environment variable (if not set it will default to the default profile).
In your terminal you can set the AWS_PROFILE environment variable so the SDK can find the profile from the ~/.aws/config file and use those values. When using AWS SSO you will need to log in by running aws sso login --profile my-profile.
Look at this Ben Kehoe's post for an explanation on how this command works.
How do you set environment variables?
Linux/macOS
$ export AWS_PROFILE=my-profile
$ export AWS_REGION=us-east-1
Powershell
PS C:\> $Env:AWS_PROFILE="my-profile"
PS C:\> $Env:AWS_REGION="us-east-1"
Windows Command Prompt
C:\> setx AWS_PROFILE my-profile
C:\> setx AWS_REGION us-east-1
You can now use any client by initializing it as shown below.
const { SecretsManagerClient } = require('@aws-sdk/client-secrets-manager');
const secretsManagerClient = new SecretsManagerClient();
There are more environment variables that you can set in you terminal to accomplish different things, here is a list of supported environment variables.
Getting credentials in code
Another way to provide the credentials to the SDK is by using the credentials-provider class. This requires your code to be aware of any parameters you need to set.
To make this work the same way as the environment variable route you will need to provide the profile as an input in your code.
Once you are signed in to your SSO with aws sso login --profile my-profile, you can get the credentials using the credential-providers package as shown below (If using the default profile you can start the client the same way than with environment variables)
const { SecretsManagerClient } = require('@aws-sdk/client-secrets-manager');
const { fromSSO } = require('@aws-sdk/credential-providers');
const credentials = await fromSSO({
profile: inputtedProfile
})();
With the AwsCredentialIdentityProvider object you can initialize any client by providing the credentials and the region as shown below:
const secretsManagerClient = new SecretsManagerClient({
credentials: credentials,
region: inputtedRegion
});
Conclusion
Running the SDK from your local machine is very important and valuable to be able to provide tooling and improve your developer experience.
We went through some of the ways you can authenticate code that is being executed locally when you have several profiles .
There are other ways you can authenticate, so if these options do not work for you dueto organization security policies or any other reason, I recommend looking into the documentation or reach out to the community to find which one fits you best.
Twitter AWS Community
AWS Developers Slack Workspace
Top comments (2)
One note here: you say "Once you signed in to a specific profile by doing
aws sso login --profile my-profile", but you don't actually sign in to a profile. You only need to sign in once for all your profiles (that share the same SSO/Identity Center start URL). I wrote an explainer on this subject: medium.com/@ben11kehoe/you-only-ne...Wow that is a great explanation, I will update the post to reflect this.
Thanks Ben!