Setting Up AWS Profiles: A Comprehensive Guide

Sunil Biradar · August 11, 2024

As a developer working with AWS, managing multiple accounts and environments is a common challenge. In this post, I'll share my experiences and best practices for setting up AWS profiles, including using access keys, AWS Single Sign-On (SSO), and troubleshooting common issues.

Setting Up an AWS Profile with Access Keys

The most straightforward way to set up an AWS profile is using an access key ID and secret access key. Here's how:

  1. First, obtain your access key ID and secret access key from the AWS IAM console.

  2. Open your terminal and run:

    aws configure --profile myprofile

  3. Enter your access key ID, secret access key, preferred region, and output format when prompted.

This writes your access keys to ~/.aws/credentials and the region and output format to ~/.aws/config.

Understanding ~/.aws/config and ~/.aws/credentials

The ~/.aws/config file stores configuration settings for your AWS CLI profiles, while ~/.aws/credentials stores your access keys.

  • ~/.aws/config example:

    [profile myprofile]
    region = us-west-2
    output = json

  • ~/.aws/credentials example:

    [myprofile]
    aws_access_key_id = IOSKJJESJSEXAMPLE
    aws_secret_access_key = iejkfhskshfkfhNG/bPxRfiCYEXAMPLEKEY

Setting the AWS_PROFILE Environment Variable

To use a specific profile by default, you can set the AWS_PROFILE environment variable. I do this in my .zshrc file:

export AWS_PROFILE=myprofile

If you don't have a .zshrc file, you can use .bashrc or .bash_profile for Bash, or add the export command to whatever shell configuration file you're using.

Setting Up an AWS Account with SSO

AWS Single Sign-On (SSO) provides a more secure and convenient way to access multiple AWS accounts. Here's a detailed guide on how to set it up:

Prerequisites

  1. Ensure your organization has AWS SSO enabled.
  2. You should have received an invitation email to join your organization's AWS SSO.

Steps to Set Up AWS SSO Profile

  1. Accept the AWS SSO invitation:

    • Click on the link in your invitation email.
    • Follow the prompts to set up your AWS SSO account.

  2. Install the AWS CLI: If you haven't already, install the latest version of the AWS CLI.

  3. Configure the AWS CLI for SSO: In your terminal, run:

    aws configure sso

    You'll be prompted for several pieces of information:

    • SSO start URL (get this from your AWS administrator)
    • SSO Region
    • Allow CLI to open web browser for authentication (usually yes)
    • CLI default client Region
    • CLI default output format
    • CLI profile name (choose a meaningful name)

  4. Authenticate: The CLI will open a web browser. Log in with your SSO credentials.

  5. Choose account and role: If you have access to multiple accounts or roles, you'll be prompted to choose.

  6. Verify the configuration: Check your ~/.aws/config file. You should see something like this:

    [profile AWSAdministratorAccess-908943984]
    sso_session = my-aws-profile-sso
    sso_account_id = 908943984
    sso_role_name = AWSAdministratorAccess
    region = us-west-2
    output = json
    
    [sso-session my-aws-profile-sso]
    sso_start_url = https://d-027438448.awsapps.com/start#
    sso_region = us-west-2
    sso_registration_scopes = sso:account:access

  7. Using the SSO profile: To use this profile, you can either:

    • Set it as your default: export AWS_PROFILE=AWSAdministratorAccess-908943984
    • Specify it when running AWS CLI commands: aws s3 ls --profile AWSAdministratorAccess-908943984

  8. Logging in: Your SSO credentials expire periodically. To log in again, simply run:

    aws sso login --profile AWSAdministratorAccess-908943984

    This will open a browser window for authentication.

Benefits of Using AWS SSO

  • Increased security: No long-term access keys stored on your machine.
  • Easy access to multiple accounts: Switch between accounts and roles easily.
  • Centralized control: Your AWS administrator can manage access across multiple accounts from a central location.
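
An added example, not part of the original post: a small Python audit of the ~/.aws/config and ~/.aws/credentials layouts shown above. It classifies each profile as SSO or static-key and flags long-term keys, a credentials file accessible to other users, and an active profile that is not defined. The sample file contents are constructed from this post's example values, and `audit_profiles` and its parameters are names chosen for this example.

```python
import configparser

# Constructed sample files, reusing the example values shown in this post.
SAMPLE_CONFIG = """\
[profile myprofile]
region = us-west-2
[profile AWSAdministratorAccess-908943984]
sso_session = my-aws-profile-sso
sso_account_id = 908943984
sso_role_name = AWSAdministratorAccess
[sso-session my-aws-profile-sso]
sso_start_url = https://d-027438448.awsapps.com/start#
"""
SAMPLE_CREDENTIALS = """\
[myprofile]
aws_access_key_id = IOSKJJESJSEXAMPLE
aws_secret_access_key = iejkfhskshfkfhNG/bPxRfiCYEXAMPLEKEY
"""

def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    parser.read_string(text)
    return parser

def audit_profiles(config_text, credentials_text, cred_mode, active="default"):
    """Return ({profile: 'sso' | 'static-key' | 'other'}, [findings]).
    cred_mode: permission bits of the credentials file; active: $AWS_PROFILE."""
    cfg, creds = _parse(config_text), _parse(credentials_text)
    profiles, findings = {}, []
    for section in cfg.sections():
        if section.startswith("sso-session "):
            continue  # shared SSO settings, not a profile
        # config uses "[profile NAME]"; credentials uses a bare "[NAME]"
        name = section[len("profile "):] if section.startswith("profile ") else section
        keys = set(cfg[section])
        profiles[name] = "sso" if keys & {"sso_session", "sso_start_url"} else "other"
    for name in creds.sections():
        if "aws_access_key_id" in creds[name]:
            profiles[name] = "static-key"
            findings.append(f"{name}: long-term access key stored in plaintext")
    if cred_mode & 0o077:
        findings.append(f"credentials file mode {cred_mode:o} grants access to group/other")
    if active not in profiles:
        findings.append(f"active profile {active!r} is not defined")
    return profiles, findings

if __name__ == "__main__":
    for line in audit_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS, 0o644, "uat")[1]:
        print(line)
```

For real files, pass the contents of ~/.aws/config and ~/.aws/credentials, `stat.S_IMODE(os.stat(path).st_mode)` for the mode, and the value of AWS_PROFILE as `active`.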

Troubleshooting

Recently, I encountered an issue when trying to set up a new profile for a UAT environment. I didn't have an access key ID or secret key, and I saw an "Access Denied" message in the IAM dashboard.

In such cases, it's crucial to work with your AWS administrator. They may need to:

  1. Grant you the necessary permissions to access required services.
  2. Provide you with the correct IAM role to assume.
  3. Set up AWS SSO for easier access management across multiple accounts.

Remember, when working with different environments like UAT, always double-check that you're using the correct profile to avoid unintended changes to the wrong environment.

Conclusion

Managing multiple AWS profiles can be complex, but with the right setup, it becomes much more manageable. Whether you're using access keys or SSO, the key is to organize your configurations clearly and securely. AWS SSO, in particular, offers a robust and secure way to manage access across multiple accounts and roles.

Always follow your organization's best practices and consult with your AWS administrators when you're unsure about access or permissions. With these tools and practices, you'll be well-equipped to navigate the complexities of multi-account AWS environments.

Happy cloud computing!