Tejas for Distinction Dev

Using an Assumed Role with AWS CLI

Configuring Default Profile

AWS provides a CLI for working with your AWS resources and the different AWS APIs, and a great deal can be done with its commands. Before you can use them, you need to set up profiles. So let’s do this!

To configure a default AWS profile for your CLI, AWS provides a very handy command.

You can set a default profile by running this command:

    aws configure

The terminal prompts for the AWS Access Key, Secret Key, Region, and Output Format. Configuring a default profile is useful if you are going to use that profile frequently.

After running this and providing appropriate values, your ~/.aws/config file will look like this:

    [default]
    region=ap-south-1
    output=json

The ~/.aws/credentials file will look like this:

    [default]
    aws_access_key_id=YOUR_ACCESS_KEY
    aws_secret_access_key=YOUR_SECRET_ACCESS_KEY

Note: On Windows, the .aws directory is located in C:/Users/<userid>/.aws

Configuring Named Profiles

The AWS CLI can hold multiple profiles, so you can switch between them when working on different projects. You name the profile you want to add with the --profile option.

For example, if you want to have a profile named dev_account, you can do that by running:

    aws configure --profile dev_account

The process is the same as for configuring the default profile.

Great! You have configured a named profile for yourself🙌.

Now, your config file will look like this with multiple profiles configured:

    [default]
    region=ap-south-1
    output=json
    [profile dev_account]
    region=us-east-1
    output=json

and your credentials file will look like this:

    [default]
    aws_access_key_id=YOUR_ACCESS_KEY
    aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
    [dev_account]
    aws_access_key_id=YOUR_ACCESS_KEY
    aws_secret_access_key=YOUR_SECRET_ACCESS_KEY

Get the list of profiles by running the following in the terminal:

    aws configure list-profiles

The output will include the profile with the name you just added. Cheers🚀.

Configuring an IAM Role using CLI

You may also have different roles with different permissions. It is useful to configure them in the CLI so that you can access the roles from your commands.

For example, if you want a profile for a role named dev_account_readonly, you can do that by running:

    aws configure --profile dev_account_readonly

The terminal prompts for the same configuration values, but you can skip entering the Access Key and Secret Access Key when creating a role profile, because these credentials are taken from the source profile set in the next step.
To set the required properties for the role profile, use the commands below and provide appropriate values:

    aws configure set source_profile dev_account --profile dev_account_readonly
    aws configure set role_arn ROLE_ARN --profile dev_account_readonly
    aws configure set mfa_serial MFA_SERIAL_ARN --profile dev_account_readonly

Here, source_profile is set to the profile that has permission to assume the role, and role_arn to the ARN of the IAM role. If the account uses Multi-Factor Authentication, you also need to set mfa_serial to the ARN of the MFA device.

After configuring the role, your config file will look like this:

    [default]
    region=ap-south-1
    output=json
    [profile dev_account]
    region=us-east-1
    output=json
    [profile dev_account_readonly]
    region=us-east-1
    output=json
    source_profile=dev_account
    role_arn=ROLE_ARN
    mfa_serial=MFA_SERIAL_ARN

To verify that the role has been configured, run the command below:

    aws iam get-role --role-name dev_account_readonly --profile dev_account_readonly

Replace the role and profile name with the names you set. All the information regarding the IAM Role will be returned in the JSON format.
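
The role profile layout above can also be checked offline. The following Python code is an added example, not part of the original post: it parses config and credentials text in the format shown here and reports, for each profile that sets role_arn, a missing or unresolvable source_profile, a missing mfa_serial, and static keys stored under the role profile's own name. The `orphan_role` profile and the function names are hypothetical, and the check assumes source profiles keep their keys in the credentials file, as they do on this page.

```python
import configparser
# Constructed samples in the layout shown above; "orphan_role" is a hypothetical broken profile.
SAMPLE_CONFIG = """
[profile dev_account]
region=us-east-1
[profile dev_account_readonly]
source_profile=dev_account
role_arn=ROLE_ARN
mfa_serial=MFA_SERIAL_ARN
[profile orphan_role]
source_profile=missing_account
role_arn=ROLE_ARN
"""
SAMPLE_CREDENTIALS = """
[dev_account]
aws_access_key_id=YOUR_ACCESS_KEY
aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
"""

def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def audit_role_profiles(config_text, credentials_text):
    """Return {profile_name: [findings]} for each profile that sets role_arn."""
    config, creds = _parse(config_text), _parse(credentials_text)
    report = {}
    for section in config.sections():
        opts = config[section]
        if "role_arn" not in opts:
            continue  # plain key-based profile, not a role profile
        # config sections are "profile NAME"; credentials sections are bare NAME
        name = section[len("profile "):] if section.startswith("profile ") else section
        findings = []
        source = opts.get("source_profile")
        if source is None:
            findings.append("no source_profile")
        elif not creds.has_option(source, "aws_access_key_id"):
            findings.append(f"source_profile {source!r} has no access key")
        if "mfa_serial" not in opts:
            findings.append("no mfa_serial set")
        if creds.has_section(name):
            findings.append("role profile also has static keys")
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit_role_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS))
```

To confirm which identity a profile actually resolves to, `aws sts get-caller-identity --profile dev_account_readonly` returns the assumed-role ARN and does not depend on the role having IAM read permissions.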

That’s all you need to set up profiles in your CLI and use the Assumed Role🎉!