AWS CLI: Configuring authentication and profiles

aws awscli SDK authentication profiles

2 min read | by Jordi Prats

The ~/.aws/config and ~/.aws/credentials files are used to configure and authenticate the AWS CLI, or any tool built on an AWS SDK, against AWS.

Each file has a different purpose:

  • ~/.aws/config: This file stores configuration settings for AWS CLI and SDKs, including profiles, regions, output format, and roles to assume.
  • ~/.aws/credentials: This file holds AWS access key IDs and secret access keys.

To configure an account, first we'll need to add the credentials to the ~/.aws/credentials file, giving the profile a name and its access key ID and secret access key. This is the only one of the two files that holds long-term secrets, so keep it readable only by your own user (chmod 600) and never commit it to a repository:

[prod]
aws_access_key_id = YOUR_ADMIN_ACCESS_KEY_ID
aws_secret_access_key = YOUR_ADMIN_SECRET_ACCESS_KEY

If we can use the IAM user directly, without assuming any role, we just add a matching profile to the ~/.aws/config file with whatever settings we want to use by default. Note the naming convention: in ~/.aws/config every profile except default is declared as [profile name], while in ~/.aws/credentials the section is just [name]:

[default]
output=json
region = us-west-2

[profile prod]
region = us-east-1

If we need to assume a role, we can use the role_arn setting, with source_profile pointing at the profile whose credentials will be used to make the AssumeRole call:

[profile prod-demo]
region = us-east-1
role_arn = arn:aws:iam::123456789012:role/demo-role
source_profile = prod

If the role we need cannot be assumed directly from our IAM user but only from another role, we can chain profiles. first-role uses the prod credentials to assume its role; second-role then names first-role as its source_profile, so the temporary credentials obtained from the first assumption are used to assume the second role:

[profile first-role]
region=eu-west-2
role_arn=arn:aws:iam::123456789012:role/first-role
source_profile=prod

[profile second-role]
region=eu-west-2
role_arn=arn:aws:iam::123456789012:role/second-role
source_profile=first-role

Once the profiles are configured, we select one with the --profile flag (where the tool supports it) or the AWS_PROFILE environment variable; the CLI resolves the whole source_profile chain for us:

AWS_PROFILE=second-role aws s3 ls
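Before trusting a chain like this from a CI runner or a locked-down host, it is worth checking offline that every profile it names exists, that the chain ends in static keys (or a credential_source), and that no two profiles point at each other. The following Python script is an added example, not code from the original post or from the AWS CLI: it parses constructed copies of the two files with the standard configparser module (enough for the flat key = value entries used here; it does not handle the CLI's nested indented settings) and walks the source_profile chain the way the SDK does. The profiles loop-a, loop-b and orphan are invented here to show the failure modes.

```python
"""Resolve and sanity-check an AWS CLI profile's source_profile chain (added example)."""
import configparser
from typing import Dict, List, Optional

# Constructed sample files mirroring the post, plus two deliberately broken chains.
CONSTRUCTED_CREDENTIALS = """
[prod]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = examplesecretkey000000000000000000000000
"""

CONSTRUCTED_CONFIG = """
[default]
output = json
region = us-west-2

[profile prod]
region = us-east-1

[profile first-role]
region = eu-west-2
role_arn = arn:aws:iam::123456789012:role/first-role
source_profile = prod

[profile second-role]
region = eu-west-2
role_arn = arn:aws:iam::123456789012:role/second-role
source_profile = first-role

[profile loop-a]
role_arn = arn:aws:iam::123456789012:role/loop
source_profile = loop-b

[profile loop-b]
role_arn = arn:aws:iam::123456789012:role/loop
source_profile = loop-a

[profile orphan]
role_arn = arn:aws:iam::123456789012:role/orphan
source_profile = does-not-exist
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse flat INI text into {section: {key: value}}; no %-interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def load_profiles(config_text: str, credentials_text: str) -> Dict[str, Dict[str, str]]:
    """Merge both files into one dict keyed by profile name.

    ~/.aws/config names sections "[profile X]" (except "[default]"), while
    ~/.aws/credentials uses a bare "[X]"; strip the prefix so they line up.
    """
    profiles: Dict[str, Dict[str, str]] = {}
    for section, values in parse_ini(config_text).items():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles.setdefault(name, {}).update(values)
    for section, values in parse_ini(credentials_text).items():
        profiles.setdefault(section, {}).update(values)
    return profiles


def resolve_chain(profiles: Dict[str, Dict[str, str]], name: str) -> List[str]:
    """Walk source_profile links from `name` to the profile that supplies real credentials.

    Returns the profile names in the order they are visited. Raises ValueError on an
    undefined profile, a role_arn with nothing to assume it from, or a cycle.
    """
    chain: List[str] = []
    seen = set()
    current = name
    while True:
        if current not in profiles:
            origin = chain[-1] if chain else "the command line"
            raise ValueError(f"profile '{current}' (referenced from {origin}) is not defined")
        if current in seen:
            raise ValueError("source_profile cycle: " + " -> ".join(chain + [current]))
        seen.add(current)
        chain.append(current)
        p = profiles[current]
        if "role_arn" in p:
            if "source_profile" in p:
                current = p["source_profile"]  # keep walking towards the real credentials
                continue
            if "credential_source" in p:      # e.g. Ec2InstanceMetadata: a valid terminal
                return chain
            raise ValueError(f"profile '{current}' has role_arn but no source_profile/credential_source")
        if "aws_access_key_id" in p and "aws_secret_access_key" in p:
            return chain                        # static keys: the chain is grounded
        raise ValueError(f"profile '{current}' has neither role_arn nor static credentials")


def chain_error(profiles: Dict[str, Dict[str, str]], name: str) -> Optional[str]:
    """Return the resolution error message for `name`, or None if the chain is sound."""
    try:
        resolve_chain(profiles, name)
        return None
    except ValueError as exc:
        return str(exc)


def describe(profiles: Dict[str, Dict[str, str]], name: str) -> Dict[str, object]:
    """Summarise what `AWS_PROFILE=name` will do: roles assumed in order, and the region used."""
    chain = resolve_chain(profiles, name)
    # The SDK assumes roles from the grounded end of the chain upwards.
    assume_order = [profiles[p]["role_arn"] for p in reversed(chain) if "role_arn" in profiles[p]]
    return {"chain": chain, "assume_order": assume_order, "region": profiles[name].get("region")}


PROFILES = load_profiles(CONSTRUCTED_CONFIG, CONSTRUCTED_CREDENTIALS)

if __name__ == "__main__":
    for profile in ("prod", "second-role", "loop-a", "orphan"):
        err = chain_error(PROFILES, profile)
        print(profile, "->", describe(PROFILES, profile) if err is None else f"ERROR: {err}")
```

Point the two constants at the contents of your real ~/.aws/config and ~/.aws/credentials to check a chain before handing it to AWS_PROFILE; the region reported is the one from the profile you invoke, not from the profile holding the keys.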

Posted on 04/09/2024
