I am using AWS Organizations from my master account to create sub-accounts like prod, dev, playground etc.
Inside the AWS Console it is easy to switch between the accounts by clicking the "Switch Role" button.
How do I achieve the same from the aws-cli using profiles? Can somebody list the least amount of steps necessary to achieve that?
When I search the internet (and I have) I find very different solutions and many of them involving creating new roles from scratch. However, I figure that I should be able to use the AWSServiceRoleForOrganizations role already created by AWS Organizations.
Thank you
CodePudding user response:
I figured it out. In the credentials file add:
[master]
aws_access_key_id = xxxxxxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxx
[sub-account]
role_arn = arn:aws:iam::XXXXXXXXXXXX:role/OrganizationAccountAccessRole
source_profile = master
Where XXXXXXXXXXXX is the account number of the sub-account.
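An added example, not part of the original answer: a Python check that follows the source_profile link from a role profile such as [sub-account] back to the profile that holds the access keys, and fails on a missing or malformed link. The function name resolve_profile, the 12-digit account ID and the [orphan] profile are constructed for illustration; only source_profile chaining with credentials-file section names is handled.

```python
import configparser
import re

# Constructed sample shaped like the credentials file above; all values are placeholders.
SAMPLE_CREDENTIALS = """\
[master]
aws_access_key_id = xxxxxxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxx
[sub-account]
role_arn = arn:aws:iam::111122223333:role/OrganizationAccountAccessRole
source_profile = master
[orphan]
role_arn = arn:aws:iam::111122223333:role/OrganizationAccountAccessRole
source_profile = missing
"""

ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def resolve_profile(text, name):
    """Follow source_profile links from `name` to the profile holding keys.

    Returns (chain, roles): the profile names visited in order, and the
    (account_id, role_name) pairs assumed along the way.
    Raises ValueError on a missing profile, bad ARN, revisit, or no keys.
    """
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(text)
    chain, roles = [], []
    while True:
        if name in chain:  # this sketch treats any revisit as a misconfiguration
            raise ValueError(f"source_profile loop at {name!r}")
        if not cfg.has_section(name):
            raise ValueError(f"profile {name!r} not found")
        chain.append(name)
        section = cfg[name]
        if "role_arn" not in section:
            if "aws_access_key_id" not in section:
                raise ValueError(f"profile {name!r} has neither keys nor role_arn")
            return chain, roles  # reached the profile with long-lived keys
        m = ROLE_ARN.match(section["role_arn"])
        if not m:
            raise ValueError(f"malformed role_arn in {name!r}")
        if "source_profile" not in section:
            raise ValueError(f"{name!r} has role_arn but no source_profile")
        roles.append((m.group(1), m.group(2)))
        name = section["source_profile"]
```

For the sample, resolving sub-account visits sub-account then master, so only the master profile carries long-lived keys.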
CodePudding user response:
In your ~/.aws/config and ~/.aws/credentials files you need to add different profiles and credentials.
Place your keys in your ~/.aws/credentials file.
[default]
aws_access_key_id=XXXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXX/XXXXXX/XXXXXXXXX
[dev]
aws_access_key_id=XXXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXX/XXXXXX/XXXXXXXXX
[playground]
aws_access_key_id=XXXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXX/XXXXXX/XXXXXXXXX
[prod]
aws_access_key_id=XXXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXX/XXXXXX/XXXXXXXXX
Modify your ~/.aws/config file. Remember to add the prefix 'profile'.
[default]
region=us-west-2
[profile dev]
region=us-east-1
[profile playground]
region=us-east-1
[profile prod]
region=us-east-1
Now you can switch between profiles by using the --profile flag:
aws s3 ls --profile dev # will use keys and config from dev profile
aws s3 ls # will use keys and config from default profile
aws s3 ls --profile prod # will use keys and config from prod profile