When using AWS CLI, is there a way I can specify it to use the credential file instead of the values stored in the env variables?
$ aws ec2 describe-instances --profile saml
saml is a profile name inside the credentials file stored in ~/.aws/credentials. I want the AWS CLI to use this credential file by default and not use the ones stored in the env variable. How can I do this?
You could use env to unset the variables temporarily:
env --unset=AWS_ACCESS_KEY_ID --unset=AWS_SECRET_ACCESS_KEY aws ec2 describe-instances --profile saml
Since the variables would become unset, aws would use your credentials file instead.
Unfortunately, you can't specify priority for the credential file over environment variables.
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-environment
Environment variables override configuration and credential files and can be useful for scripting or temporarily setting a named profile as the default.
Building what was mentioned in another answer, you could write a wrapper script which would:
I tested this out with the below (very basic) bash script. I have an environment variable called $REGION. Consider the below shell script called "script.sh".
#!/bin/bash
export REGION=""
echo "REGION = "$REGION
Before calling the script, I 'echo $REGION' to prove it does exist:
ubuntu@ip-172-31-24-61:~$ echo $REGION
us-east-1
I then call the script, which nulls out the variable and echo's it showing it's now empty.
ubuntu@ip-172-31-24-61:~$ ./script.sh
REGION =
Once the script terminates, I 'echo $REGION' from the command line and the environment variable is perfectly fine.
ubuntu@ip-172-31-24-61:~$ echo $REGION
us-east-1
If you apply this to your use case, you could write a wrapper script that nulls out the environment variable (by just export AWS_ACCESS_KEY_ID=""), passes all of the command line options through to the AWS CLI. When the CLI executes, it will not see the environment variables because they have been nulled out in the scope of its execution.
The one thing I don't know how to do is to have a bash script take all of an unknown number of command line arguments and pass them all through to another command. I don't envision it's difficult, I just don't know how to do it.
But, I'm sure if you create another question, someone can help!
The alternative is, simply DELETE the environment variables if you won't EVER use them.
EDIT 2 I've found out how to make a VERY simple wrapper script that should solve your problem. Before you implement this, I would strongly suggest looking at the following links to get a better idea of how this works and what other methods may be out there for accomplishing this. For example, you can use $@ and maybe $* to do this and that may be the more generally accepted way.
#!/bin/bash
params=""
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
for arg; do
params="$params $arg"
done
aws $params
The two 'export' links null out the environment variables. Again, the environment variables will only be nulled out for the life of this wrapper script, because it's being done within the scope of the script and not globally.
Then, the for loop loops through all of the command line arguments you used to run the script, appends them to a string variable and then calls 'aws' with the string holding all of the command line arguments.
http://tldp.org/LDP/abs/html/wrapper.html
Bash: convert command line arguments into array
https://linuxconfig.org/bash-script-how-to-check-number-of-supplied-command-line-arguments
Check number of arguments passed to a Bash script
The aws command line doesn't support to specify different configuration file.
What you can do, is make a wrapper, and write to the file ~/.aws/credentials before running the aws command, and deleting the credential file afterwards
