Setting Up AWS Profiles
Creating AWS Accounts
Best practices when using AWS at an enterprise level are to use a multi-account strategy, which helps provide isolation, greater control and limited blast radius. This is highlighted in the AWS Landing Zone.
In order to play around with new services like AWS Organizations and fully understand cross-account access and its implications, I have set up 3 separate AWS accounts.
Set up AWS CLI
I find it easier to use the AWS Command Line Interface (CLI) to call the APIs of AWS services directly. Almost all of the examples in the blog posts to follow will use the AWS CLI. It is simple enough to get started, and if you need any help installing or configuring it, you can refer to the AWS CLI User Guide.
Set up AWS Profiles
The easiest way to manage AWS profiles is to use the aws configure command, which saves frequently used configuration settings and credentials in files that are maintained by the AWS CLI.
I created an IAM user for use with the “teachmyselfcloud” main account. When creating a new user, you can retrieve the AWS Access Key ID and AWS Secret Access Key, which are the credentials associated with the user. The only time you can view or download these keys is when they are first created.
I ran the following command to save this information for the user and associate it with a profile called teachmyselfcloud:
$ aws configure --profile teachmyselfcloud
AWS Access Key ID [None]: {ACCESS_KEY_ID}
AWS Secret Access Key [None]: {SECRET_ACCESS_KEY}
Default region name [None]: eu-west-2
Default output format [None]: json
This creates a credentials file, ~/.aws/credentials:
[teachmyselfcloud]
aws_access_key_id={ACCESS_KEY_ID}
aws_secret_access_key={SECRET_ACCESS_KEY}
and a config file, ~/.aws/config:
[teachmyselfcloud]
region=eu-west-2
output=json
This then means I can execute an AWS API call via the CLI (like listing all S3 buckets) using this profile as follows:
aws s3 ls --profile teachmyselfcloud
Assuming a Role
Access keys are long-term credentials for an IAM user. As a best practice, you should use temporary security credentials (by assuming an IAM role) instead of using access keys directly.
You can assume a role easily using the AWS CLI. You do this by defining a role profile in the ~/.aws/config file as follows:
[profile s3assumerole]
role_arn = arn:aws:iam::111111111111:role/S3AssumeRoleReadOnly
source_profile = teachmyselfcloud
The source_profile must point to a separate profile that contains IAM user credentials and that has permission to assume the role, i.e. the IAM action sts:AssumeRole on that role's ARN. The role's trust policy must also allow that user (or its account) to assume it; when you run a command with --profile s3assumerole, the CLI calls AssumeRole with the source profile's keys and uses the returned temporary credentials for the request.