Managing AWS CLI Credentials and Using Multiple Accounts: A Beginner's Guide
The AWS Command Line Interface (CLI) is a powerful tool for interacting with AWS services. To get started, you need to configure credentials, and as your work scales, you might need to manage multiple AWS accounts. This guide walks you through the steps to set up and manage AWS CLI credentials and use multiple accounts effectively.
Prerequisite: Install AWS CLI
On Linux
Download the AWS CLI Installation File: Run the following command to download the latest version of the AWS CLI installer:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
Extract the Installer:
unzip awscliv2.zip
If unzip is not installed, use:
sudo apt install unzip -y # For Ubuntu/Debian
sudo yum install unzip -y # For CentOS/RHEL
Run the Installer:
sudo ./aws/install
Verify the Installation:
aws --version
Output should be something like:
aws-cli/2.x.x Python/3.x.x Linux
On macOS
Install Using Homebrew: If Homebrew is installed, you can quickly install AWS CLI:
brew install awscli
Verify the Installation:
aws --version
Output will display the AWS CLI version installed.
Alternative Manual Installation:
Download the installer:
curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
Install the package:
sudo installer -pkg AWSCLIV2.pkg -target /
On Windows
Download the Installer:
- Download the AWS CLI MSI installer for Windows from the official AWS website.
Run the Installer:
- Double-click the downloaded .msi file and follow the instructions.
Verify the Installation:
Open Command Prompt or PowerShell and run:
aws --version
Part 1: Setting Up AWS CLI Credentials
AWS CLI uses credentials to authenticate with AWS services. Here's how to set them up.
Step 1: Locate the AWS Credentials File
AWS CLI stores credentials in a file named credentials, located in the .aws directory in your home folder:
~/.aws/credentials
Step 2: Open the Credentials File
To edit the credentials file, use a text editor like nano or vim. For example:
nano ~/.aws/credentials
The file might look like this:
[default]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
Step 3: Modify or Add Credentials
Replace YOUR_ACCESS_KEY_ID and YOUR_SECRET_ACCESS_KEY with your AWS credentials.
If you're adding credentials for multiple accounts, add separate profiles:
[default]
aws_access_key_id = DEFAULT_ACCESS_KEY_ID
aws_secret_access_key = DEFAULT_SECRET_ACCESS_KEY
[dev-account]
aws_access_key_id = DEV_ACCESS_KEY_ID
aws_secret_access_key = DEV_SECRET_ACCESS_KEY
[prod-account]
aws_access_key_id = PROD_ACCESS_KEY_ID
aws_secret_access_key = PROD_SECRET_ACCESS_KEY
Step 4: Save and Exit
After editing, save the file:
In nano, press CTRL+O, then ENTER to save, and CTRL+X to exit.
In vim, press ESC, type :wq, and hit ENTER.
Step 5: Verify the Change
Run the following command to verify that your credentials are updated:
aws configure list
Part 2: Managing Multiple AWS Accounts
AWS CLI allows you to manage multiple AWS accounts using profiles. Each profile has its own set of credentials and configurations.
1. Add Profiles for Each Account
To create profiles for different accounts, use the following command:
aws configure --profile profile-name
For example, to create a profile for your development account:
aws configure --profile dev-account
AWS CLI will prompt you for:
AWS Access Key ID
AWS Secret Access Key
Default region name (e.g., us-east-1)
Output format (e.g., json)
Repeat this process for all accounts you need to configure.
2. Example Configuration File
Your ~/.aws/credentials file might look like this:
[default]
aws_access_key_id = DEFAULT_ACCESS_KEY_ID
aws_secret_access_key = DEFAULT_SECRET_ACCESS_KEY
[dev-account]
aws_access_key_id = DEV_ACCESS_KEY_ID
aws_secret_access_key = DEV_SECRET_ACCESS_KEY
[prod-account]
aws_access_key_id = PROD_ACCESS_KEY_ID
aws_secret_access_key = PROD_SECRET_ACCESS_KEY
And your ~/.aws/config file could look like this:
[default]
region = us-east-1
output = json
[profile dev-account]
region = us-east-1
output = json
[profile prod-account]
region = eu-west-1
output = json
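As an added example (not part of the original guide), the script below audits a credentials/config pair like the one above: it flags a credentials file readable by group or others, profiles holding long-term keys (access key IDs starting with AKIA), and profiles whose config section is missing or lacks the "profile " prefix. The function names, the PERMS/LONGTERM/NOCONFIG output codes and the sample keys are constructed for illustration.

```sh
# Added example: audit an AWS CLI credentials/config pair.
audit_aws_profiles() {
  cred=$1; conf=$2
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$cred" 2>/dev/null || stat -f '%Lp' "$cred")
  case "$mode" in
    *00) ;;                            # owner-only, e.g. 600 or 400
    *)   echo "PERMS $mode" ;;         # group or others have access
  esac
  # Emit "profile access_key_id" pairs from the INI-style credentials file.
  awk -F' *= *' '
    /^\[/ { gsub(/^\[|\].*$/, ""); prof = $0; next }
    $1 == "aws_access_key_id" { print prof, $2 }
  ' "$cred" | while read -r prof keyid; do
    case "$keyid" in
      AKIA*) echo "LONGTERM $prof" ;;  # IAM user key; ASIA* is temporary (STS)
    esac
    # config uses [default], but [profile NAME] for every other profile.
    if [ "$prof" = default ]; then header='[default]'; else header="[profile $prof]"; fi
    grep -qxF "$header" "$conf" || echo "NOCONFIG $prof"
  done
}

# Constructed sample files (placeholder keys, not real credentials).
make_demo() {
  dir=$1
  cat > "$dir/credentials" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT00
aws_secret_access_key = constructed-placeholder
[dev-account]
aws_access_key_id = AKIAEXAMPLEDEV000000
aws_secret_access_key = constructed-placeholder
[prod-account]
aws_access_key_id = ASIAEXAMPLEPROD00000
aws_secret_access_key = constructed-placeholder
aws_session_token = constructed-placeholder
EOF
  # The config deliberately has [prod-account] without the "profile " prefix.
  printf '%s\n' '[default]' 'region = us-east-1' \
    '[profile dev-account]' 'region = us-east-1' \
    '[prod-account]' 'region = eu-west-1' > "$dir/config"
  chmod 644 "$dir/credentials"
}

demo=$(mktemp -d)
make_demo "$demo"
audit_aws_profiles "$demo/credentials" "$demo/config"
rm -rf "$demo"
```

To audit your own files, call audit_aws_profiles ~/.aws/credentials ~/.aws/config; no output means none of the three conditions was found.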
3. Use Profiles in CLI Commands
When running CLI commands, specify the profile using the --profile flag:
aws s3 ls --profile dev-account
4. Set a Default Profile
If you frequently use a specific profile, set it as the default by exporting the AWS_PROFILE environment variable:
export AWS_PROFILE=dev-account
To make this permanent, add the command to your shell configuration file (e.g., ~/.bashrc or ~/.zshrc).
5. Switch Profiles Temporarily
You can also use a specific profile for a single command without exporting it:
AWS_PROFILE=prod-account aws ec2 describe-instances
6. Verify the Active Profile
To check the active profile, run:
aws configure list
Or print the AWS_PROFILE environment variable:
echo $AWS_PROFILE
Part 3: Best Practices for AWS CLI Credential Management
Use IAM Roles Where Possible: For enhanced security, use IAM roles instead of hardcoding credentials.
Avoid Sharing Credentials: Never share your credentials with others.
Rotate Keys Regularly: Rotate your AWS Access and Secret Keys periodically.
Use Environment Variables for Temporary Profiles: When working with temporary accounts, use environment variables to avoid modifying the credentials file.
Conclusion
Managing AWS CLI credentials and using multiple AWS accounts can seem daunting, but it's straightforward once you break it down. By following this guide, you can configure your credentials, set up multiple profiles, and switch between them seamlessly. This approach not only streamlines your workflow but also enhances security by isolating account configurations.
Happy coding with AWS CLI!