220

I've got two different apps that I am hosting (well the second one is about to go up) on Amazon EC2.

How can I work with both accounts at the command line (Mac OS X) but keep the EC2 keys & certificates separate? Do I need to change my environment variables before each ec2-* command?

Would using an alias and having it to the setting of the environment in-line work? Something like: alias ec2-describe-instances1 = export EC2_PRIVATE_KEY=/path; ec2-describe-instances

Abdullah Khawer
Matt Culbreth

11 Answers

508

You can work with two accounts by creating two profiles on the aws command line. It will prompt you for your AWS Access Key ID, AWS Secret Access Key and desired region, so have them ready.

Examples:

$ aws configure --profile account1
$ aws configure --profile account2

You can then switch between the accounts by passing the profile on the command.

$ aws dynamodb list-tables --profile account1
$ aws s3 ls --profile account2

Note:

If you name the profile default, it becomes the default profile, i.e. the one used when there is no --profile param in the command.


More on default profile

If you spend more time using account1, you can make it the default by setting the AWS_DEFAULT_PROFILE environment variable. When the default environment variable is set, you do not need to specify the profile on each command.

Linux, OS X Example:

$ export AWS_DEFAULT_PROFILE=account1
$ aws dynamodb list-tables

Windows Example:

$ set AWS_DEFAULT_PROFILE=account1
$ aws s3 ls
slm
iBrianCox
  • 2
    To configure the region - here is a list of region "codes" - http://docs.aws.amazon.com/general/latest/gr/rande.html – arcseldon Nov 05 '16 at 09:49
169

How to set up multiple AWS accounts "manually"?

1) Get access - key

AWS Console > Identity and Access Management (IAM) > Your Security Credentials > Access Keys

2) Set access - file and content

~/.aws/credentials

[default]
aws_access_key_id={{aws_access_key_id}}
aws_secret_access_key={{aws_secret_access_key}}

[{{profile_name}}]
aws_access_key_id={{aws_access_key_id}}
aws_secret_access_key={{aws_secret_access_key}}

3) Set profile - file and content

~/.aws/config

[default]
region={{region}}
output={{output:"json||text"}}

[profile {{profile_name}}]
region={{region}}
output={{output:"json||text"}}

4) Run - file with params

Install the command-line app and use the AWS Command Line with it, for example for the product AWS EC2

aws ec2 describe-instances    # uses [default]

aws ec2 describe-instances --profile {{profile_name}}    # uses [{{profile_name}}]


Ref

Bruno
  • 3
    @iBrianCox -- This information should preferably be merged into the most upvoted answer (https://stackoverflow.com/a/34246053/1199564) because it allows a user to understand how to move settings from one profile to another if, for example, you started out with only the default profile and want to continue with dedicated, separate profiles. – mgd Mar 14 '18 at 08:24
  • @slm please read my comment above (was only able to do one mention per comment) – mgd Mar 14 '18 at 08:25
  • @mgd thank you for the suggestion, but no - first, that answer is not mine, and second, this is a different approach to setting it – Bruno Mar 14 '18 at 20:25
  • @mgd Q: can you describe more what you mean by "one mention per comment"? – Bruno Mar 14 '18 at 20:26
  • What I meant was that in my first comment I intended to mention _both_ iBrianCox and slm (author and editor of the other answer respectively) but you are only allowed to do one mention per comment so I had to add another comment in order to mention both. You are correct that your answer is a different approach but it is very helpful to know where the information is stored, in particular if you intend to copy settings between profiles. – mgd Mar 14 '18 at 20:48
  • 1
    After saving your `config` and `credentials` files, you may want to verify that all is working well. One nice way to do this is by running this command: `aws sts get-caller-identity` and then run it again with `aws sts get-caller-identity --profile blah` (where `blah` is a non-default profile). You should see a different UserId, Arn (and possibly account, depending on where the users live), in the output of one command vs the other. [Source](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html). – Colm Bhandal May 30 '22 at 09:01
30

IMHO, the easiest way is to edit .aws/credentials and .aws/config files manually.

It's easy and it works for Linux, Mac and Windows. Just read this for more detail (1 minute read).

.aws/credentials file:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

.aws/config file:

[default]
region=us-west-2
output=json

# 'profile' goes in front of the profile name (not for default)!!
[profile user1]
region=us-east-1
output=text
oz19
  • If I have the same username in different accounts, what would this file look like? Which account will `default` consider in this case? – 66lotte Jun 13 '23 at 16:44
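A lint for the two-file layout shown in the two answers above (bare `[user1]` in `credentials`, `[profile user1]` in `config`), added here as an example and not code from any answer. The function names and finding codes are made up for illustration, POSIX file modes are assumed, and the sample files are constructed from the placeholder keys on this page.

```python
import configparser
import os
import tempfile


def section_names(path):
    """Section headers of an INI-style AWS CLI file, in file order."""
    parser = configparser.RawConfigParser()  # raw: never interpolate '%' in secrets
    parser.read(path)
    return parser.sections()


def lint_profiles(credentials_path, config_path):
    """Return (code, detail) findings; the codes are illustrative names."""
    findings = []
    cred, conf = section_names(credentials_path), section_names(config_path)
    # Access keys are stored in plaintext: group/other must have no access.
    if os.stat(credentials_path).st_mode & 0o077:
        findings.append(("CREDENTIALS_NOT_OWNER_ONLY", credentials_path))
    # config names profiles as [profile NAME]; only [default] stays bare.
    conf_profiles = {n[len("profile "):].strip() for n in conf if n.startswith("profile ")}
    if "default" in conf:
        conf_profiles.add("default")
    for name in cred:
        bare = name
        if name.startswith("profile "):  # credentials must use the bare name
            findings.append(("PREFIX_IN_CREDENTIALS", name))
            bare = name[len("profile "):].strip()
        if bare != "default" and bare in conf:
            findings.append(("MISSING_PREFIX_IN_CONFIG", bare))
        elif bare not in conf_profiles:
            findings.append(("NO_CONFIG_SECTION", bare))  # no region/output set
    return findings


def demo():
    """Lint constructed sample files (keys are the placeholders from this page)."""
    with tempfile.TemporaryDirectory() as d:
        cred, conf = os.path.join(d, "credentials"), os.path.join(d, "config")
        with open(cred, "w") as f:
            f.write("[default]\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\n[user1]\n"
                    "aws_access_key_id=AKIAI44QH8DHBEXAMPLE\n[profile user2]\n")
        with open(conf, "w") as f:
            f.write("[default]\nregion=us-west-2\n[user1]\nregion=us-east-1\n")
        os.chmod(cred, 0o644)  # deliberately too open for the demo
        return lint_profiles(cred, conf)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To check a real setup, call `lint_profiles` with `~/.aws/credentials` and `~/.aws/config` expanded through `os.path.expanduser`.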
22

You should be able to use the following command-options in lieu of the EC2_PRIVATE_KEY (and even EC2_CERT) environment variables:

  • -K <private key>
  • -C <certificate>

You can put these inside aliases, e.g.

alias ec2-describe-instances1='ec2-describe-instances -K /path/to/key.pem'
slm
vladr
17

Create or edit this file:

vim ~/.aws/credentials

List as many key pairs as you like:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

Set a local variable to select the pair of keys you want to use:

export AWS_PROFILE=user1

Do what you like:

aws s3api list-buckets  # any aws cli command now using user1 pair of keys

You can also do it command by command by including --profile user1 with each command:

aws s3api list-buckets --profile user1
# any aws cli command now using user1 pair of keys

More details: Named profiles for the AWS CLI

Abdullah Khawer
ox.
  • 1
    I tried to tailor this answer more to the specific question - just trying to help – ox. Dec 12 '21 at 01:13
7

The new aws tools now support multiple profiles.

If you configure access with the tools, it automatically creates a default in ~/.aws/config.

You can then add additional profiles - more details at: Getting started with the AWS CLI

Abdullah Khawer
chris
3

I created a simple tool, aaws, to switch between AWS accounts.

It works by setting the AWS_DEFAULT_PROFILE in your shell. Just make sure you have some entries in your ~/.aws/credentials file and it will easily switch between multiple accounts.

/tmp
$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
/tmp
$ aaws luk3

[luk3]  /tmp
$ aws s3 ls
2013-11-05 21:40:04 luk3thomas.com
luk3thomas
1

I wrote a toolkit to switch the default AWS profile.

The mechanism is physically moving the profile key to the default section in config and credentials files.

The better solution today should be one of the following ways:

  • Use aws command option --profile.
  • Use environment variable AWS_PROFILE.

I don't remember why I didn't use the --profile solution; maybe I had not realized it existed.

However, the toolkit can still be useful for doing other things. I'll add a soft switch flag using the AWS_PROFILE approach in the future.

$ xsh list aws/cfg
[functions] aws/cfg/move
[functions] aws/cfg/set
[functions] aws/cfg/activate
[functions] aws/cfg/get
[functions] aws/cfg/delete
[functions] aws/cfg/list
[functions] aws/cfg/copy

Repo: https://github.com/xsh-lib/aws

Install:

curl -s https://raw.githubusercontent.com/alexzhangs/xsh/master/boot | bash && . ~/.xshrc
xsh load xsh-lib/aws

Usage:

xsh aws/cfg/list
xsh aws/cfg/activate <profilename>
alex
0

To use an IAM role, you have to make an API call to STS:AssumeRole, which will return a temporary access key ID, secret key, and security token that can then be used to sign future API calls. Formerly, to achieve secure cross-account, role-based access from the AWS Command Line Interface (CLI), an explicit call to STS:AssumeRole was required, and your long-term credentials were used. The resulting temporary credentials were captured and stored in your profile, and that profile was used for subsequent AWS API calls. This process had to be repeated when the temporary credentials expired (after 1 hour, by default).

More details: How to Use a Single IAM User to Easily Access All Your Accounts by Using the AWS CLI

Abdullah Khawer
swarnim gupta
0

Check out aws-vault, which has something similar to multiple profiles in just pure aws, but it also stores your access key someplace more secure than a plain text file.

If you look on their releases page there are pre-compiled binaries.

The way aws-vault works is to basically create a subshell with the right environment variables set. In my case, I created a profile named 'chrisp' and to deploy my CDK stack I run:

aws-vault exec chrisp yarn cdk deploy MyStackName

where 'chrisp' is the profile name. This works equally well with any command, in fact, a good way to test it is to do this:

aws-vault exec chrisp -- aws sts get-caller-identity

that will let you know that it's working and that it picks the right identity based on the provided keys.

wz2b
0

You can write a shell script to set the corresponding values of the environment variables for each account based on user input. Doing so, you don't need to create any aliases and, furthermore, tools like the ELB tools and Auto Scaling Command Line Tools will work under multiple accounts as well.

Roman Newaza