[How2Tips] AWS - Using multiple profiles

Published on

Jan 18, 2017


Reading time : 1 min

If you deal with multiple AWS accounts on a daily basis, it might feel painful to update your environment variables or your credentials using aws configure again and again. Even more, doing such a thing repeatedly could lead to starting a CloudFormation stack with the wrong set of credentials, implying the wrong customer billed for tens or hundreds of dollars. So here’s a little tip:

AWS Profiles

If you ever looked at ~/.aws/credentials file, you might have seen your credentials defined under the [default] section. Luckily you can define multiple profiles in the same credentials file either by using aws configure --profile , or by editing it manually (so you can check there’s no “default” section).

For example :

; ~/.aws/credentials

aws_secret_key_id = ...
aws_secret_access_key = ...

aws_secret_key_id = ...
aws_secret_access_key = ...

[profile client_1]
region = eu-west-1
output = text

[profile client_2]
region = eu-central-1
output = text

You can now use one of this profiles that way: aws --profile client_1 ec2 describe-instances.

If you try to run any aws command without specifying the profile (i.e. aws ec2 describe-instances), you'll face an error message. This is because there’s a "default" profile.

As you can see, it's not really practical to specify a CLI option each time we use AWS. And it's totally useless when it comes to run some automation tools (like Ansible). Fortunately, we can define the profile using an env variable.

export AWS_DEFAULT_PROFILE=client_1 # used by aws cli
export AWS_PROFILE=client_1 # used by boto (lib used in ansible)
aws ec2 describe-instances

Automatically define the default profile

So far, so good... But still, we have to manually care about environment variables which is error-prone. If you don't want to define them manually over and over, you can use virtualenvwrapper.

For a virtualenv named client_1:

# ~/.virtualenvs/client_1/bin/postactivate
export AWS_DEFAULT_PROFILE=client_1
export AWS_PROFILE=client_1

# ~/.virtualenvs/client_1/bin/predeactivate

Now each time you run workon client_1, AWS_DEFAULT_PROFILE and AWS_PROFILE will be defined. And each time you run deactivate, it will unset those environment variables :)

Any questions ? Ping us at @KNPLabs

Thanks to Albin for the article !

Written by

Albin Kerouanton
Albin Kerouanton