A simple script to manage multiple AWS credentials when using the CLI or SDKs. As much as using aws_access_key_id and aws_secret_access_key is not ideal, it is the only sane way to work with AWS programmatically or via CLIs from a non-EC2 environment, such as a developer laptop. By default, the CLI and SDKs read these from a credentials file under ~/.aws.

More often than not, developers need multiple sets of credentials - say, a personal account, a dev account at work and a test account at work.

The credentials file supports named profiles, so multiple sets of credentials can live in one file. I personally find this a bit hard to manage, and would rather split each set of credentials into its own credentials file. Then we can either point the environment variable AWS_SHARED_CREDENTIALS_FILE at the desired file, or use symlinks.

This post shows my setup, which works pretty well. There is still a human factor involved, just as there is in remembering to set the right profile.

First, I split the credentials into their own files (instead of profiles). The combined file has credentials for 3 IAM users, each with different policies attached, with my personal profile belonging to an entirely different account altogether.

$ cat credentials
[default]
#personal
aws_access_key_id = AKIA****************
aws_secret_access_key = a************************************ABC
[svcserverless]
aws_access_key_id = AKIA****************
aws_secret_access_key = b************************************DEF
[svcec2readonly]
aws_access_key_id = AKIA****************
aws_secret_access_key = c************************************GHI

When split, we end up with 3 credentials files.

credentials.personal

[default]
aws_access_key_id = AKIA****************
aws_secret_access_key = a************************************ABC

credentials.svcserverless

[default]
aws_access_key_id = AKIA****************
aws_secret_access_key = b************************************DEF

credentials.svcec2readonly

[default]
aws_access_key_id = AKIA****************
aws_secret_access_key = c************************************GHI

Next comes a script that switches the credentials file according to what is needed.

switch.sh

#!/bin/bash
# Usage: switch.sh <name>  (points ~/.aws/credentials at ~/.aws/credentials.<name>)
if [ $# -eq 0 ]; then
  echo "Error: Provide the AWS credentials profile name" >&2
  exit 1
fi
target="$HOME/.aws/credentials.$1"
link="$HOME/.aws/credentials"
[ -f "$target" ] || { echo "Error: $target not found" >&2; exit 1; }
# Only replace an existing symlink; never delete a real credentials file
[ -e "$link" ] && [ ! -L "$link" ] && { echo "Error: $link is a regular file; move it aside first" >&2; exit 1; }
ln -sfn "$target" "$link"

I copied this script to ~/bin, which is in my $PATH, after chmod +x'ing it.

$ chmod +x switch.sh
$ cp switch.sh ~/bin

This makes credential switching much easier, like so -

$ switch.sh svcserverless

$ ls -altrh ~/.aws
-rw-------   1 mpandit  staff    43B Apr 24  2018 config
-rw-------   1 mpandit  staff   116B Jan  3 18:48 credentials.svcserverless
-rw-------   1 mpandit  staff   116B Jan  3 18:49 credentials.svcec2readonly
-rw-------   1 mpandit  staff   116B Jan  3 18:50 credentials.personal
lrwxr-xr-x   1 mpandit  staff    40B Jan  3 23:23 credentials -> /Users/mpandit/.aws/credentials.svcserverless

$ aws s3 ls
2018-04-12 17:14:15 mpandit-serverless-dev-deploy
2018-05-23 13:45:31 mpandit-serverless-deployment-bucket
2018-04-23 12:33:37 mpandit-sls-deployment-bucket-test

$ switch.sh personal

$ aws s3 ls  
2018-04-14 00:12:59 aws-java-maven-dev-serverlessdeploymentbucket-lm2r7tvgdp3v
2017-10-13 11:03:23 aws-java-maven-test-serverlessdeploymentbucket-1jt3eyy0xc3f0
2017-08-23 13:11:36 cf-templates-olp5joy4pfd0-us-east-1
2017-03-03 22:36:54 helloworld-dev-serverlessdeploymentbucket-3c6q18d7rv4g
2017-09-29 01:36:06 lobster1234-cloudtrail-audit-log
2017-06-22 12:01:16 lobster1234-infrastructure
2018-11-22 19:42:36 mpandit-versioned
2018-12-14 01:32:50 myblog-jekyll-output
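As an added example (not the post's own script), here is a small companion that reports which credentials file the symlink currently points at, lists the alternatives, and flags any credentials file whose mode is not 600 as in the ls listing above. The function names and the throwaway demo directory with placeholder keys are my own assumptions; nothing here touches the real ~/.aws.

```shell
#!/bin/bash
# Added example, not the post's script: inspect a ~/.aws laid out as above
# (credentials -> credentials.<name> symlink). Every function takes the
# directory as $1 so it can be pointed at a throwaway copy instead of ~/.aws.
# Prints the name of the active file ("svcserverless" for the listing above),
# or "none" with a non-zero status if credentials is not a symlink.
current_creds() {
  local link="$1/credentials"
  [ -L "$link" ] || { echo none; return 1; }
  basename "$(readlink "$link")" | sed 's/^credentials\.//'
}
# One line per credentials.<name> file, the active one marked with "*".
list_creds() {
  local active f name
  active=$(current_creds "$1")
  for f in "$1"/credentials.*; do
    [ -f "$f" ] && [ ! -L "$f" ] || continue
    name=${f##*/credentials.}
    if [ "$name" = "$active" ]; then echo "* $name"; else echo "  $name"; fi
  done
}
# Each credentials file should be mode 600; name any that group or others
# can read and return 1 (stat syntax differs between GNU and BSD/macOS).
check_perms() {
  local f mode rc=0
  for f in "$1"/credentials.*; do
    [ -f "$f" ] && [ ! -L "$f" ] || continue
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
      *00) ;;
      *) echo "WARNING: $f is mode $mode, expected 600"; rc=1 ;;
    esac
  done
  return $rc
}
# Builds a temp directory with constructed placeholder credentials (no real
# keys) so the checks can be exercised without touching the real ~/.aws.
make_demo_dir() {
  local d n; d=$(mktemp -d)
  for n in personal svcserverless svcec2readonly; do
    printf '[default]\naws_access_key_id = PLACEHOLDER\naws_secret_access_key = PLACEHOLDER\n' > "$d/credentials.$n"
    chmod 600 "$d/credentials.$n"
  done
  chmod 644 "$d/credentials.personal"            # deliberately too loose
  ln -s "$d/credentials.svcserverless" "$d/credentials"
  echo "$d"
}
demo=$(make_demo_dir)
current_creds "$demo"; list_creds "$demo"; check_perms "$demo" || echo "Fix with: chmod 600 $demo/credentials.*"
rm -rf "$demo"
```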

As mentioned earlier, another way to achieve this is the environment variable AWS_SHARED_CREDENTIALS_FILE, which means setting that variable to the location of the desired credentials file.

export AWS_SHARED_CREDENTIALS_FILE=~/.aws/credentials.personal

or

export AWS_SHARED_CREDENTIALS_FILE=~/.aws/credentials.svcserverless
