Manage multiple AWS credentials in the CLI

document the cli commands for aws configure

Overview

The goal of the note is to summarize:

  • how to use aws cli v2 to configure your user credential

  • how to manage multiple user profiles with aws cli

  • internal workings about aws configure command

aws configure

Sometimes you need to use different access keys to access different AWS services. The trick is to use different profiles in the AWS CLI.

Note: the AWS CLI's help is invoked without --help or -h. To open the manual, run aws help or aws <subcommand> help, without the dash.

aws configure is the subcommand that handles these tasks for you.

Create an AWS profile

If you are only working with one AWS credential (access key, secret access key) in one region, the plain command is enough:

# add a new profile; the default profile name is "default"
aws configure

You will then be prompted to enter:

  • access_key

  • secret_key

  • region

  • output format (optional)

After you follow the prompt, you will have a profile called default that contains all the credentials.

If you wish to manage multiple profiles, it's better to give them meaningful names with the command

aws configure --profile <profile-name>

You should then have a profile called <profile-name>.

aws configure list and list-profiles

It's the equivalent of the ls command for profiles.

# list current profile, currently we are at default profile
aws configure list

# output:
# information in <default> profile
     Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     *******************A shared-credentials-file    
secret_key     *******************H shared-credentials-file    
    region             ca-central-1      config-file    ~/.aws/config

You can see the region, access_key and secret_key. The Type and Location columns show where each value is stored; here the region comes from ~/.aws/config.

You can also list all profiles like this:

# list out all profiles
aws configure list-profiles

# output
default
<profile-name>

Where credentials are stored

By default on Mac and Linux, AWS credentials are stored in ~/.aws. The directory contains two files:

  • config: stores the region and the output format of each profile

  • credentials: stores the aws_access_key_id and aws_secret_access_key of each profile

# navigate 
cd ~/.aws
ls

# output
.
├── config
└── credentials

1 directory, 2 files

# print stuff to the terminal
cat ~/.aws/config

It will output something like:

[default]
region = ca-central-1
[profile <profile-name>]
region = ca-central-1

Switching between profiles

You can use environment variables to switch between different profiles. Environment variables are a set of dynamic values that can affect the behaviour of a running process or program on a computer.

# list all environment variables
printenv

You can use the AWS_PROFILE variable to select your profile.

# check the value; defaults to null (unset)
echo $AWS_PROFILE

You can change the environment variable for this shell session and its child sessions (it lasts until you close the terminal session).

# switch profile to default
export AWS_PROFILE=default

# switch to another profile
export AWS_PROFILE=<profile-name>

To check that the profile changed, print the current profile's settings in the console:

aws configure list
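
The file layout and AWS_PROFILE switching described above, as an added example that is not part of the original note: shell functions that list profiles from the two files, look up a profile's region, check that AWS_PROFILE names an existing profile, and check that the credentials file (which holds secret keys in plain text) is accessible only by its owner. The temp directory, the staging profile and the CONSTRUCTED key values are made up for the demo.

```shell
#!/bin/sh
# Added example: constructed files in a temp dir stand in for ~/.aws.

list_profiles() {  # $1 = config file, $2 = credentials file
    {
        # config uses "[default]" and "[profile NAME]" section headers
        sed -n -e 's/^\[default\]$/default/p' \
               -e 's/^\[profile  *\(.*\)\]$/\1/p' "$1"
        # credentials uses bare "[NAME]" section headers
        sed -n 's/^\[\(.*\)\]$/\1/p' "$2"
    } | sort -u
}

profile_region() {  # $1 = config file, $2 = profile name
    awk -v p="$2" '
        BEGIN { h = (p == "default") ? "[default]" : "[profile " p "]" }
        /^\[/ { in_sec = ($0 == h); next }
        in_sec {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[1] == "region") { print kv[2]; exit }
        }' "$1"
}

# Profile the CLI would use: AWS_PROFILE if set, otherwise "default".
active_profile() { echo "${AWS_PROFILE:-default}"; }

# True when the active profile is present in the files (catches typos).
active_profile_exists() {
    list_profiles "$1" "$2" | grep -qx -- "$(active_profile)"
}

# True when group and others have no permission bits on file $1.
owner_only() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# --- constructed sample data, removed on exit ---
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '[default]\nregion = ca-central-1\n[profile staging]\nregion=us-east-1\n' \
    > "$demo/config"
printf '[default]\naws_access_key_id = CONSTRUCTED\naws_secret_access_key = CONSTRUCTED\n[staging]\naws_access_key_id = CONSTRUCTED\naws_secret_access_key = CONSTRUCTED\n' \
    > "$demo/credentials"
chmod 600 "$demo/credentials"

list_profiles "$demo/config" "$demo/credentials"
echo "staging region: $(profile_region "$demo/config" staging)"
owner_only "$demo/credentials" && echo "credentials file is owner-only"
```

To run the same checks against real files, pass ~/.aws/config and ~/.aws/credentials to the functions in place of the demo paths.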