How to temporarily switch profiles for AWS CLI?

Question

Updated answer (7/10/2021): For AWS CLI v1, do this:

export AWS_DEFAULT_PROFILE=user2

For AWS CLI v2, the following will work:

export AWS_PROFILE=user2

The full question is below for context:

(1.) After successfully configuring a second profile for the AWS CLI, I unsuccessfully tried to set the profile to user2 in my bash session with the following command:

export AWS_PROFILE=user2

... per the advice here: https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html

(2.) The following command works:

aws s3 ls --profile user2

So I know that the AWS CLI and the user2 profile are both working on my computer.

(3.) However, when I subsequently (that is, after entering "export AWS_PROFILE=user2") try something like:

aws s3 ls

... AWS's response assumes that I want to query it as the default user (NOT user2)

(4.) So the only way I can use the user2 profile from the command line is by continuing to append "--profile user2" to every single command, which is tedious.

(5.)

echo $AWS_PROFILE

yields:

>> user2

, as expected.

Any idea what's going on here? I'm sure I'm making some dumb mistake somewhere.

What you are looking for is the expected behavior. Refer this AWS document: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#config-settings-and-precedence. Can you confirm that you are setting the environment variables in the same session as where you are running the aws command? — krishna_mee2004, Apr 08 '18 at 12:39
What do you get from `AWS_PROFILE=user2 aws s3 ls`? Does *that* use `user2` successfully? — Grisha Levit, Apr 08 '18 at 15:23
This will also help you understand what awscli is doing wrt credentials: aws s3 ls --debug | grep botocore.session — jarmod, Apr 08 '18 at 17:30
Krishna, I definitely am setting the AWS_PROFILE variable in the same session as the one that I am running the command in. The website you linked to is not helpful to me. — James Shapiro, Apr 08 '18 at 19:52
Grisha, the command you suggested does not use user2 successfully. — James Shapiro, Apr 08 '18 at 19:52
jarmod, I ran that command and it did not illuminate the nature of the problem for me. — James Shapiro, Apr 08 '18 at 19:56
What Grisha said is right. If you run that command, it should definitely be using user2 profile. — krishna_mee2004, Apr 08 '18 at 23:13

James Shapiro · Accepted Answer · 2021-07-10T16:49:59.947

111

For AWS CLI v1, the cleanest solution is:

export AWS_DEFAULT_PROFILE=user2

Afterward, commands like:

aws s3 ls

... are handled from the appropriate account.

For AWS CLI v2, the following will work:

export AWS_PROFILE=user2

edited Jul 10 '21 at 16:49

answered Apr 10 '18 at 07:54

James Shapiro

4,805
3
31
46

1

Per Diego's comment below, this variable name has been renamed to `AWS_PROFILE`. [More here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-list). – emilebaizel Dec 21 '20 at 21:38
1

@emilebaizel actually "export AWS_PROFILE=[profile_name]" has never worked for me or for many others, hence the popularity of this question. – James Shapiro Dec 21 '20 at 22:25
does this still fail for you with the latest AWS CLI? – emilebaizel Dec 23 '20 at 17:18
1

@emilebaizel "export AWS_PROFILE=user2" does work in AWS CLI v2 – James Shapiro Jul 10 '21 at 16:49
1

For anyone interested here is a [link](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html#:~:text=output%3Dtext-,Using%20named%20profiles,-To%20use%20a) to official AWS documentation on this. – rsmets Sep 15 '22 at 22:59

Mac Ignacio · Answer 2 · 2022-04-02T02:09:19.427

24

The accepted answer assumes you are using a Linux or Mac terminal. I added commands for Windows, Linux and Mac OS.

Windows

CMD

set AWS_PROFILE=profile_name

Powershell

$env:AWS_PROFILE = 'profile_name'

Linux or Mac

export AWS_PROFILE=profile_name

These will set your aws profile that you will use every time you execute an aws command. But if you just want to switch profile temporarily for one aws command.

aws [command] [sub-command] --profile [profile-name]

edited Apr 02 '22 at 02:09

answered Aug 11 '21 at 07:24

Mac Ignacio

655
7
5

1

The windows answer here is for cmd. For powershell it is `$env:AWS_PROFILE = 'profile_name'` – DollarAkshay Dec 31 '21 at 14:52
This doesn't work. If I run aws configure list, I get access_key ****************BMSB shared-credentials-file secret_key ****************JStS shared-credentials-file then if I run set AWS_PROFILE=scoop_production and re-run aws configure list I get the same details, which aren't the correct details for scoop_production. – Nick Wright Jul 21 '23 at 13:08

score 9 · Answer 3 · answered Apr 08 '18 at 23:23

9

You can see how it works doing this

$ export AWS_PROFILE=myprofile
$ aws s3 ls --debug 2>&1 | grep profile
2018-04-08 19:19:17,990 - MainThread - botocore.session - DEBUG - Loading variable profile from environment with value 'myprofile'.

I doubt this works differently for you.

You can also verify that

$ AWS_PROFILE=myprofile aws s3 ls --debug 2>&1 | grep profile

and

$ aws s3 ls --profile myprofile --debug 2>&1 | grep profile

all give the same result.

answered Apr 08 '18 at 23:23

Diego Torres Milano

65,697
9
111
134

These commands do NOT yield the same result for me. The first two do not produce any output. The final one produces the following output: "2018-04-08 23:11:33,683 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['s3', 'ls', '--profile', 'myprofile', '--debug'] 2018-04-08 23:11:33,683 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set. – James Shapiro Apr 09 '18 at 06:12
@JamesShapiro remove `| grep profile` from the first commands and see what's there – Diego Torres Milano Apr 09 '18 at 15:26

ox. · Answer 4 · 2021-12-12T01:04:42.103

6

create or edit this file:

% vim ~/.aws/credentials

list as many key pairs as you like:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

include --profile user1 to select a profile & do what you like:

aws s3api list-buckets --profile user1
# any aws cli command now using user1 pair of keys

.... OR ....

set a local variable to select the pair of keys you want to use:

% export AWS_PROFILE=user1

then do what you like:

aws s3api list-buckets  # any aws cli command now using user1 pair of keys

more details: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

edited Dec 12 '21 at 01:04

answered Dec 11 '21 at 20:26

ox.

3,579
1
21
21

That option is listed as suboptimal in the original problem description. It's not a good one, because it involves appending "--profile [user]" to every single CLI command that you run. – James Shapiro Dec 12 '21 at 00:53
I would suggest deleting, there is nothing in your answer that is not explicitly stated in the answers above. – James Shapiro Dec 12 '21 at 03:36

score 2 · Answer 5 · edited Dec 02 '20 at 04:52

2

user@machine:~/.aws$ aws --version
aws-cli/2.1.2 Python/3.7.3 Linux/5.4.0-53-generic exe/x86_64.linuxmint.20

I add aliases to my .bashrc if I have a lot of named profiles.

for example:

alias harry-tuttle='export AWS_PROFILE=harry-tuttle'

Then switching profiles becomes one command with less typing.

To see all your profiles:

aws configure list-profiles`

edited Dec 02 '20 at 04:52

agentsmith

1,226
1
14
27

answered Dec 01 '20 at 15:38

Jonathan Murray

21
2

hestellezg · Answer 6 · 2023-02-02T18:31:57.770

2

You could add the profile flag

aws s3 ls --profile marketingadmin

edited Feb 02 '23 at 18:31

answered Jan 13 '21 at 17:40

hestellezg

3,309
3
33
37

score 1 · Answer 7 · answered Mar 11 '19 at 14:43

AWS cli has 3 level of ways it will read variables

environment variables of key_id / key_secret
profile via cred/config (normally in ~/.aws/cre...)
manual value provided inline

see: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials

one way will be overwritten by another. based on OP, it might be that although DEFAULT_PROFILE is set as userX, the AWS_ACCESS_KEY_ID and/or AWS_SECRET_ACCESS_KEY environment variables is set to something else.

You can do an alias to a shell function that load credentials to the current environment thru the use of

"export AWS_ACCESS_KEY_ID=XXXXXXX;"... and more

or to be safer load via a secrets manager

"export AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id --profile XXXX)"... and more

Export all access key/secrets etc and then check that the right credentials are loaded in memory thru

aws configure list

finally.. do a reset of the the variable to "default" .. as a good habit to ensure you do what you need as the AWS role; especially when using multiple profiles. hope this helps.

score 1 · Answer 8 · edited Jan 27 '21 at 13:13

1

For windows use

set AWS_DEFAULT_PROFILE=user2

edited Jan 27 '21 at 13:13

turbopasi

3,327
2
16
43

answered Jan 26 '21 at 12:53

kapil nagar

21
1

Hi and welcome to SO ! Please read [How to write a good answer](https://stackoverflow.com/help/how-to-answer). Try to include what your answer does better and/or differently compared to the already accepted one! – turbopasi Jan 26 '21 at 13:11

score 1 · Answer 9 · edited Mar 12 '23 at 14:52

I want to specify what's the case for windows users -

Use set for setting environment variable for the current terminal session.
```
set AWS_PROFILE=some_profile_name
```
Use setx for setting environment variable that stays even if the terminal is closed.
```
setx AWS_PROFILE=some_profile_name
```

One thing to keep in mind is that while using setx, the environment variable gets set in the new terminal session. The existing session will not yield the set environment variable value.

How to temporarily switch profiles for AWS CLI?

9 Answers9

Windows

CMD

Powershell

Linux or Mac

Linked