
How to use multiple AWS accounts from the command line?


Using multiple AWS accounts from the command line can significantly enhance your operational efficiency and security. This article provides a comprehensive guide on setting up and managing multiple AWS accounts using the AWS Command Line Interface (CLI).

Understanding AWS Command Line Interface

The AWS CLI is a unified tool that enables you to manage your AWS services from a terminal session. It supports multiple profiles, which means you can configure different sets of credentials for different AWS accounts and switch between them as needed.

Installing AWS CLI

Before utilizing multiple account management functionalities, you need to ensure that you have AWS CLI installed on your system.

bash
# On macOS (the .pkg installer is macOS-only; Linux uses a separate zip installer)
curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
sudo installer -pkg AWSCLIV2.pkg -target /

# On Windows (run from Command Prompt or PowerShell)
msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi

Verify the installation by running:

bash
aws --version

Configuring AWS Credentials

AWS CLI uses credentials stored in the ~/.aws/credentials file. To set up multiple accounts, you need to create profiles in this file. Each profile is identified by a unique name.

Adding Profiles

Suppose you have two AWS accounts named dev and prod. The ~/.aws/credentials file might look like this:

 
[default]
aws_access_key_id=YOUR_DEFAULT_ACCESS_KEY
aws_secret_access_key=YOUR_DEFAULT_SECRET_KEY

[dev]
aws_access_key_id=DEV_ACCESS_KEY
aws_secret_access_key=DEV_SECRET_KEY

[prod]
aws_access_key_id=PROD_ACCESS_KEY
aws_secret_access_key=PROD_SECRET_KEY

Using AWS CLI with Specific Profiles

Once you have multiple profiles configured, you can explicitly specify which profile to use when running an AWS CLI command by using the --profile option.

Example: Listing S3 Buckets

To list S3 buckets in the dev account:

bash
aws s3 ls --profile dev

For the prod account:

bash
aws s3 ls --profile prod

Setting a Default Profile

You can set the default profile by exporting the AWS_PROFILE environment variable. This is particularly useful if you want to temporarily switch profiles without altering individual commands.

bash
export AWS_PROFILE=dev

To permanently set the default profile in shells like Bash or Zsh, you can add the export line to your ~/.bashrc or ~/.zshrc file.

Advanced Profile Configurations

Apart from basic credentials, you can specify more settings in the ~/.aws/config file.

Example Configuration

 
[default]
region=us-west-2
output=json

[profile dev]
region=us-east-1
output=text

[profile prod]
region=eu-west-1
output=json

Switching Between Multiple AWS CLI Profiles

Here is a succinct comparison of using profiles versus exporting environment variables to manage AWS accounts:

| Method | Command Usage | Flexibility | Best for |
|---|---|---|---|
| Specifying Profile for Command | aws <service> <cmd> --profile <profile_name> | Highly flexible with one-time setup | Ad-hoc operations across accounts |
| Exporting AWS_PROFILE | export AWS_PROFILE=<profile_name> followed by aws <service> <cmd> | Less flexible, needs reset per shell session | Consistent operation within sessions |

Security Best Practices

  1. Use IAM Roles: Instead of using access keys, leverage IAM roles for more secure and scalable permissions management.
  2. Regularly Rotate Access Keys: Ensure credentials are rotated regularly to mitigate security risks.
  3. Use AWS Secrets Manager: Securely store and retrieve your credentials to avoid hardcoding them into scripts or storing them in plaintext.
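
The profiles shown earlier keep access keys in plaintext in ~/.aws/credentials, so a quick audit of that file complements the practices above. The script below is an added example, not part of the original article: it flags a credentials file that group or other can access and lists profiles holding long-term keys (key ids starting with AKIA, as opposed to the ASIA prefix of temporary STS credentials). The function names and the sample file contents are constructed for illustration.

```bash
# Succeeds (exit 0) when group or other have any permission bit on the file.
perms_too_open() {
  [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Print each profile whose key id has the long-term AKIA prefix.
# Temporary STS credentials use the ASIA prefix and are not reported.
long_term_profiles() {
  profile=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d ' \t\r')
    case "$line" in
      \[*\]) profile=${line#\[}; profile=${profile%\]} ;;
      aws_access_key_id=AKIA*) printf '%s\n' "$profile" ;;
    esac
  done < "$1"
}

# Report findings for one file; exit status is non-zero if anything was found.
audit_credentials() {
  findings=0
  if perms_too_open "$1"; then
    echo "WARN: $1 is accessible to group/other (fix: chmod 600)"
    findings=$((findings + 1))
  fi
  for p in $(long_term_profiles "$1"); do
    echo "WARN: profile [$p] holds a long-term access key"
    findings=$((findings + 1))
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample; every value is a placeholder, not a real credential.
make_sample() {
  cat > "$1" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT00
aws_secret_access_key = placeholder
[dev]
aws_access_key_id = ASIAEXAMPLEDEVTEMP00
aws_session_token = placeholder
[prod]
aws_access_key_id=AKIAEXAMPLEPROD00000
EOF
}

sample=$(mktemp) && make_sample "$sample" && chmod 644 "$sample"
audit_credentials "$sample" || echo "review the findings above"
rm -f "$sample"
```

To check a real setup, call audit_credentials with ~/.aws/credentials instead of the sample path.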

Automating Profile Management

For complex environments, consider automating profile management with scripts or with tools like AWS SSO (Single Sign-On) to make switching between multiple accounts seamless.

Conclusion

Managing multiple AWS accounts from the command line using AWS CLI profiles offers a robust and flexible approach to enhancing your operational efficiency. By setting up profiles correctly, you can easily switch contexts between different AWS environments, ensuring swift and secure cloud operations.

Being comfortable with this setup allows IT and DevOps teams to streamline their workflows while maintaining best practices for security and management.

