Manage Multiple Accounts with the AWS CLI

Borislav Hadzhiev

Sun Sep 26 2021, 4 min read


In order to manage multiple accounts with the AWS CLI, we have to:

  1. Use the aws configure --profile myProfile command to configure 2 different profiles
  2. Enter the access key and secret access key values that correspond to each account when prompted
  3. Use the --profile parameter to denote the account when running a command, e.g. aws s3 ls --profile admin

The first step to configuring a profile for the AWS CLI is to decide whether it will be a default or a named profile.

A default profile allows you to run commands without specifying the --profile parameter.

To configure a default profile for one of your accounts, run the aws configure command:

shell
# Default profile
aws configure

You will be prompted for an Access Key Id, Secret Access Key, region and output type.

You have to generate an Access Key Id and Secret Access Key for both of your accounts. You can do that by clicking on your user in the IAM console. In the Security credentials tab, click on Create access key and save both files.

To configure a named profile, run the aws configure command, passing the --profile parameter. Give your profile a name that makes sense, e.g. corresponding to the role.

When you get prompted, enter the Access key and Secret access key values for the second account.

shell
# Named profile
aws configure --profile anotherAccount

The aws configure command creates 2 files on your machine:

  • credentials - contains the Access key Ids and Secret Access Keys for all profiles
  • config - contains the region and output settings for all profiles

The path of the files depends on your operating system:

shell
# on Linux and macOS
~/.aws/credentials
~/.aws/config
# on Windows
C:\Users\USERNAME\.aws\credentials
C:\Users\USERNAME\.aws\config

To print a profile's configuration options, run the configure list command:

shell
aws configure list --profile tester

To run a command with your named profiles, make sure to include the --profile parameter, e.g.:

shell
# profile named admin
aws s3 ls --profile admin
# default profile
aws s3 ls

When an AWS CLI command is invoked, it looks for your credentials and configuration settings in the following places, in order of precedence:

  1. Command line options - have the highest precedence and override any environment variables or configuration stored in config and credentials files.

    The command line options are: --region, --profile and --output.

  2. Environment variables on the machine - have higher precedence than the config and credentials files but get overridden by command line options.

    The environment variables are: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_OUTPUT, AWS_DEFAULT_REGION, AWS_PROFILE.

  3. The config and credentials files on your machine - have the lowest precedence - lower than environment variables and command line options.

This means that you can use the environment variables on the machine to override the contents of your config and credentials files.

The most commonly used environment variable is AWS_PROFILE. It allows you to specify which named profile should become your default profile. This allows you to call commands without setting the --profile parameter.

For example, if you have 2 named profiles - admin and tester, you would always have to specify --profile admin or --profile tester in your AWS CLI commands.

To make one of the named profiles default, set the AWS_PROFILE environment variable.

How you set the AWS_PROFILE environment variable depends on your operating system:

shell
# Linux and macOS
export AWS_PROFILE=admin
# Windows Command Prompt (setx applies to new command prompt sessions, not the current one)
setx AWS_PROFILE admin
# PowerShell
$Env:AWS_PROFILE="admin"

To make the environment variable persist on Linux and macOS, add the export AWS_PROFILE=your_profile line to your shell's startup script, e.g. ~/.bashrc.

I've set my default profile to be the named profile admin. This means that if I run an AWS CLI command without passing the --profile parameter, the AWS CLI will look for the credentials of the admin named profile.

You can always override the default profile by setting the --profile parameter in a command. Command line options have the highest precedence.

Setting environment variables can sometimes lead to confusion, because they override the contents of your config and credentials files.

If you're unsure whether an environment variable is set on your machine, try to print it using the command that corresponds to your operating system:

shell
# Linux and macOS
echo $AWS_PROFILE
# on Windows with CMD
echo %AWS_PROFILE%
# on Windows with PowerShell
echo $Env:AWS_PROFILE
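
To see which source wins before running a command against the wrong account, the precedence order described above can be modelled as a small shell function. This is an added example, not code from the article or the AWS CLI. The helper names resolve_source and has_profile, the output labels, and the sample credentials file are constructed for illustration, and only the --profile NAME form shown in the article is recognised.

```shell
#!/bin/sh
# Added example: simplified model of the precedence order described above.
# It reports where credentials would come from and never prints secret values.

# has_profile FILE NAME: succeeds if [NAME] is a section header in FILE.
has_profile() { grep -Fxq "[$2]" "$1" 2>/dev/null; }

# resolve_source FILE [aws cli arguments...] (hypothetical helper)
resolve_source() {
    file=$1; shift
    cli_profile=""
    while [ $# -gt 0 ]; do
        # Only the "--profile NAME" form used in the article is recognised.
        if [ "$1" = "--profile" ] && [ $# -gt 1 ]; then cli_profile=$2; shift; fi
        shift
    done
    if [ -n "$cli_profile" ]; then
        src=cli; name=$cli_profile        # 1. command line option wins
    elif [ -n "${AWS_ACCESS_KEY_ID-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY-}" ]; then
        echo "env-keys"; return 0         # 2. keys in the environment beat the files
    elif [ -n "${AWS_PROFILE-}" ]; then
        src=env; name=$AWS_PROFILE        # 2. profile selected by AWS_PROFILE
    else
        src=file; name=default            # 3. files only: the default profile
    fi
    if has_profile "$file" "$name"; then echo "$src:$name"
    else echo "$src:$name:missing"; fi
}

# Constructed sample credentials file (placeholder values, not real keys).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[default]
aws_access_key_id = EXAMPLE_DEFAULT_KEY_ID
aws_secret_access_key = EXAMPLE_DEFAULT_SECRET
[admin]
aws_access_key_id = EXAMPLE_ADMIN_KEY_ID
aws_secret_access_key = EXAMPLE_ADMIN_SECRET
EOF

(   # subshell so the demo does not change the caller's environment
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
    AWS_PROFILE=admin
    resolve_source "$sample" s3 ls                    # env:admin
    resolve_source "$sample" s3 ls --profile tester   # cli:tester:missing
    AWS_ACCESS_KEY_ID=EXAMPLE_ID AWS_SECRET_ACCESS_KEY=EXAMPLE_SECRET
    resolve_source "$sample" s3 ls                    # env-keys
)
rm -f "$sample"
```

Point the first argument at your real credentials file (~/.aws/credentials on Linux and macOS) and follow it with the arguments of the command you are about to run.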
