[How2Tips] AWS - Using multiple profiles
Jan 18, 2017
Reading time : 1 min
If you deal with multiple AWS accounts on a daily basis, it might feel painful to update your environment variables or your credentials using aws configure again and again. Even more, doing such a thing repeatedly could lead to starting a CloudFormation stack with the wrong set of credentials, implying the wrong customer billed for tens or hundreds of dollars. So here’s a little tip:
If you ever looked at ~/.aws/credentials file, you might have seen your credentials defined under the [default] section. Luckily you can define multiple profiles in the same credentials file either by using aws configure --profile
For example :
; ~/.aws/credentials [client_1] aws_secret_key_id = ... aws_secret_access_key = ... [client_2] aws_secret_key_id = ... aws_secret_access_key = ... [profile client_1] region = eu-west-1 output = text [profile client_2] region = eu-central-1 output = text
You can now use one of this profiles that way: aws --profile client_1 ec2 describe-instances.
If you try to run any aws command without specifying the profile (i.e. aws ec2 describe-instances), you'll face an error message. This is because there’s a "default" profile.
As you can see, it's not really practical to specify a CLI option each time we use AWS. And it's totally useless when it comes to run some automation tools (like Ansible). Fortunately, we can define the profile using an env variable.
export AWS_DEFAULT_PROFILE=client_1 # used by aws cli export AWS_PROFILE=client_1 # used by boto (lib used in ansible) aws ec2 describe-instances
Automatically define the default profile
So far, so good... But still, we have to manually care about environment variables which is error-prone. If you don't want to define them manually over and over, you can use virtualenvwrapper.
For a virtualenv named client_1:
# ~/.virtualenvs/client_1/bin/postactivate export AWS_DEFAULT_PROFILE=client_1 export AWS_PROFILE=client_1 # ~/.virtualenvs/client_1/bin/predeactivate unset AWS_DEFAULT_PROFILE unset AWS_PROFILE
Now each time you run workon client_1, AWS_DEFAULT_PROFILE and AWS_PROFILE will be defined. And each time you run deactivate, it will unset those environment variables :)
Any questions ? Ping us at @KNPLabs
Thanks to Albin for the article !