Last updated: Feb 26, 2024
To manage multiple accounts with the AWS CLI, we have to:

1. Run the aws configure --profile myProfile command to configure 2 different profiles.
2. Pass the --profile parameter to denote the account when running a command, e.g. aws s3 ls --profile admin.

The first step to configuring a profile for the AWS CLI is to decide whether it will be a default or a named profile.
A default profile allows you to run commands without specifying the --profile parameter.
To configure a default profile for one of your accounts, run the aws configure command.

    # Default profile
    aws configure

You will be prompted for an Access Key ID, Secret Access Key, region and output type.
In the Security credentials tab, click on Create access key and save both files.
To configure a named profile, run the aws configure command, passing the --profile parameter. Give your profile a name that makes sense, e.g. corresponding to the role.
When you get prompted, enter the Access key and Secret access key values for the second account.
    # Named profile called anotherAccount
    aws configure --profile anotherAccount
The aws configure command creates 2 files on your machine:

- credentials - contains the Access key IDs and Secret Access Keys for all profiles.
- config - contains the region and output settings for all profiles.

The path of the files depends on your operating system:

    # on Linux and macOS
    ~/.aws/credentials
    ~/.aws/config

    # on Windows
    C:\Users\USERNAME\.aws\credentials
    C:\Users\USERNAME\.aws\config

To print a profile's configuration options, run the configure list command:

    aws configure list --profile tester

To run a command with your named profiles, make sure to include the --profile parameter, e.g.:

    # profile named admin
    aws s3 ls --profile admin

    # default profile
    aws s3 ls

When an AWS CLI command is invoked, it looks for your credentials in:

1. Command line options - have the highest precedence and override any environment variables or configuration stored in config and credentials files. The command line options are: --region, --profile and --output.
2. Environment variables on the machine - have higher precedence than the config and credentials files but get overridden by command line options. The environment variables are: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_OUTPUT, AWS_DEFAULT_REGION, AWS_PROFILE.
3. The config and credentials files on your machine - have the lowest precedence - lower than environment variables and command line options.

config and credentials files.

The most commonly used environment variable is AWS_PROFILE. It allows you to specify which named profile should become your default profile. This allows you to call commands without setting the --profile parameter.
For example, if you have 2 named profiles - admin and tester, you would always have to specify --profile admin or --profile tester in your AWS CLI commands.
To make one of the named profiles default, set the AWS_PROFILE environment variable.
How you set the AWS_PROFILE environment variable depends on your operating system:

    # Linux and macOS
    export AWS_PROFILE=admin

    # Windows Command Prompt
    setx AWS_PROFILE admin

    # PowerShell
    $Env:AWS_PROFILE="admin"

To make the environment variable persist on Linux and macOS, add the export AWS_PROFILE=your_profile line to your shell's startup script, e.g. ~/.bashrc.
In the screenshot below I've set my default profile to be the named profile admin. This means that if I run an AWS CLI command without passing the --profile parameter, the AWS CLI will look for the credentials of the admin named profile.
You can still override this by passing the --profile parameter in a command. Command line options have the highest precedence.
Setting environment variables can sometimes lead to confusion because they override the contents of your config and credentials files.
If you're unsure whether an environment variable is set on your machine, try to print it using the command that corresponds to your operating system:
    # Linux and macOS
    echo $AWS_PROFILE

    # on Windows with CMD
    echo %AWS_PROFILE%

    # on Windows with PowerShell
    echo $Env:AWS_PROFILE
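
Going one step beyond printing AWS_PROFILE, the following added example (not from the original article and not AWS CLI code) applies the precedence described above to report which credentials a command would use, so you can confirm the account before running anything against it. The function names list_profiles, credential_source and demo are hypothetical, the credentials file is constructed with placeholder values, and AWS_SHARED_CREDENTIALS_FILE is the AWS CLI variable that points at an alternate credentials file.

```bash
# Added example, not AWS CLI code: report which credentials a command would use.

# Print the profile names ([name] section headers) found in the credentials file.
list_profiles() {
  local file="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
  [ -r "$file" ] || return 0
  sed -n 's/^\[\([^]]*\)].*$/\1/p' "$file"
}

# credential_source [cli_profile]
# Prints "file:<profile>", "env-keys" or "missing:<profile>" (exit status 1).
credential_source() {
  local profile
  if [ -n "${1:-}" ]; then
    profile="$1"                        # --profile: command line option wins
  elif [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    echo "env-keys"                     # keys in the environment override the files
    return 0
  else
    profile="${AWS_PROFILE:-default}"   # AWS_PROFILE, else the default profile
  fi
  if list_profiles | grep -qxF -- "$profile"; then
    echo "file:$profile"
  else
    echo "missing:$profile"             # profile name not in the credentials file
    return 1
  fi
}

# Demo on a constructed credentials file (placeholder values, not real keys).
# The body is a subshell, so the caller's environment is left untouched.
demo() (
  tmp="$(mktemp)"; trap 'rm -f "$tmp"' EXIT
  printf '%s\n' '[default]' 'aws_access_key_id = PLACEHOLDER_ID_1' \
    'aws_secret_access_key = PLACEHOLDER_SECRET_1' '' \
    '[admin]' 'aws_access_key_id = PLACEHOLDER_ID_2' \
    'aws_secret_access_key = PLACEHOLDER_SECRET_2' > "$tmp"
  export AWS_SHARED_CREDENTIALS_FILE="$tmp"
  unset AWS_PROFILE AWS_ACCESS_KEY_ID
  credential_source                                   # no option, no variables
  (AWS_PROFILE=admin; credential_source)              # AWS_PROFILE picks the profile
  (AWS_PROFILE=admin; AWS_ACCESS_KEY_ID=PLACEHOLDER; credential_source)
  (AWS_ACCESS_KEY_ID=PLACEHOLDER; credential_source admin)   # --profile beats env keys
  credential_source tester || true                    # profile that was never configured
)
demo
```

A result of env-keys when you expected a named profile means exported access keys are taking precedence over your credentials file.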