Source & Binary

Using AWS CLI profiles

The AWS CLI is deceptively powerful and ubiquitous but can be tough to configure in a multi-account organization and the most obvious way to configure it — using an access key ID and secret access key — is far and away the most risky.

Fortunately, there are two less-well-known configurations that can help you address both: Profiles and the credential_process directive.

Define one or more profiles in ~/.aws/config, naming them whatever you like, that defer credential management to Substrate via substrate assume-role:

[profile whatever-you-want-to-call-it]
credential_process = substrate assume-role -format json -quiet -domain domain -environment environment -quality quality

Note well that, in order for this to succeed, you’ll need to have already run eval $(substrate credentials) to prime the environment to have any access to AWS at all.

Use your profile thus:

eval $(substrate credentials)
aws sts get-caller-identity --profile whatever-you-want-to-call-it

Or, if you so choose, use Granted to navigate the profiles you configure in ~/.aws/config.

A downside of using profiles is that they’re not shared amongst you and your teammates the way domains, environments, and qualities are but they can save a bit of typing and you will arrive at the same point so use whichever tool suits you in every situation — there’s no need to commit to one exclusively.