A bash function to read and switch AWS profiles in ~/.aws/credentials.
See also:
- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
- https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
Install jq. It is used to query JSON outputs from AWS CLI.
Source the aws_profile.sh file in ~/.bashrc, ~/.zshrc or a similar shell init file, or copy the file to /etc/profile.d/aws_profile.sh.
For example:
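# sudo on curl alone does not cover the redirect, so write the file through sudo tee
curl -sSL https://raw.githubusercontent.com/dazza-codes/aws-profile/main/aws_profile.sh | sudo tee /etc/profile.d/aws_profile.sh > /dev/null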
For a user installation, use ~/bin/aws_profile.sh. For example:
mkdir -p ~/bin
curl -sSL https://raw.githubusercontent.com/dazza-codes/aws-profile/main/aws_profile.sh > ~/bin/aws_profile.sh
Ensure the shell init includes ~/bin/ in the $PATH (it often does already).
Add the following to ~/.bashrc (or similar shell init file).
if ! echo "$PATH" | grep -Eq "(^|:)${HOME}/bin($|:)"; then
    export PATH="${HOME}/bin:${PATH}"
fi
if [ -f ~/bin/aws_profile.sh ]; then
    source ~/bin/aws_profile.sh
fi
When more than one AWS profile is needed, it's advised to avoid setting any [default] profile.
By using aws-profile, it is easy to activate or switch between profiles by setting the required environment variables.
source ./aws_profile.sh
aws-profile [profile-name | clear]
The profiles are defined in ~/.aws/credentials, e.g.:
[default]
aws_access_key_id = AWSAccessKeyID
aws_secret_access_key = AWSSecretAccessKey
region = us-east-1
[profile-XX]
aws_access_key_id = AWSAccessKeyID
aws_secret_access_key = AWSSecretAccessKey
region = us-east-1
It will report the current settings, reset them using profile-name, or clear them. It assumes a default profile is defined, but it is not required.
For example:
$ aws-profile your-profile-name
AWS_DEFAULT_PROFILE=your-profile-name
AWS_DEFAULT_REGION=us-east-1
AWS_ACCOUNT=999999999
AWS_ACCESS_KEY_ID=...blahblah
AWS_SECRET_ACCESS_KEY=...blahblah
$ aws-role arn:aws:iam::999999999:role/your-aws-role
Assuming role 'arn:aws:iam::999999999:role/your-aws-role'
AWS_DEFAULT_PROFILE=your-profile-name
AWS_DEFAULT_REGION=us-east-1
AWS_ACCOUNT=999999999
AWS_ROLE_SESSION_FILE=/tmp/aws-role-session-11972.json
AWS_ACCESS_KEY_ID=...blahblah
AWS_SECRET_ACCESS_KEY=...blahblah
AWS_SESSION_TOKEN=...blahblah
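A sketch of the mechanism described above, as an added example rather than the project's aws_profile.sh: it reads one profile from the credentials file, exports it, reports masked values, and clears any previous identity first. The demo_* function names and the sample keys are constructed for illustration, AWS_SHARED_CREDENTIALS_FILE is the AWS CLI's variable for an alternate credentials path, and the AWS_ACCOUNT lookup is left out.

```shell
# Added example, not the project's aws_profile.sh; demo_* names are hypothetical.
# Print the value of KEY in section [PROFILE] of FILE (nothing if absent).
demo_ini_get() {  # usage: demo_ini_get FILE PROFILE KEY
    awk -v section="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_section = ($0 == section); next }
        in_section && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                # Keep everything after the first "=": values may contain "=".
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

# Mask a secret for display, keeping only its last four characters.
demo_mask() { printf '...%s\n' "$(printf '%s' "$1" | tail -c 4)"; }

# Activate PROFILE, or clear the environment when PROFILE is "clear".
demo_profile() {
    creds="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
    # Drop the previous identity first so a stale region or session token
    # is never combined with the new access key.
    unset AWS_DEFAULT_PROFILE AWS_DEFAULT_REGION AWS_ACCESS_KEY_ID \
          AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    if [ "$1" = "clear" ]; then return 0; fi
    [ -r "$creds" ] || { echo "cannot read $creds" >&2; return 1; }
    key_id=$(demo_ini_get "$creds" "$1" aws_access_key_id)
    secret=$(demo_ini_get "$creds" "$1" aws_secret_access_key)
    region=$(demo_ini_get "$creds" "$1" region)
    if [ -z "$key_id" ] || [ -z "$secret" ]; then
        echo "profile '$1' not found in $creds" >&2; return 1
    fi
    export AWS_DEFAULT_PROFILE="$1" AWS_ACCESS_KEY_ID="$key_id" \
           AWS_SECRET_ACCESS_KEY="$secret"
    if [ -n "$region" ]; then export AWS_DEFAULT_REGION="$region"; fi
    # Report with the secrets masked so they stay out of scrollback and logs.
    echo "AWS_DEFAULT_PROFILE=$AWS_DEFAULT_PROFILE"
    echo "AWS_ACCESS_KEY_ID=$(demo_mask "$key_id")"
    echo "AWS_SECRET_ACCESS_KEY=$(demo_mask "$secret")"
}

# Constructed sample input (fake keys), written with owner-only permissions.
demo_sample_credentials() {  # usage: demo_sample_credentials FILE
    ( umask 077; printf '%s\n' '[default]' 'aws_access_key_id = CONSTRUCTED-DEFAULT-ID' \
        'aws_secret_access_key = constructed/default+secret' 'region = us-east-1' \
        '[profile-XX]' 'aws_access_key_id = CONSTRUCTED-XX-ID' \
        'aws_secret_access_key = constructed/xx+secret==' > "$1" )
}
```

To try it without touching real credentials, write the sample with demo_sample_credentials, point AWS_SHARED_CREDENTIALS_FILE at that file, and call demo_profile profile-XX.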
This is an example of using bash (zsh) functions to manage EKS configurations.
#!/usr/bin/env bash
# shellcheck disable=SC1090
source ~/bin/aws_profile.sh

aws-cluster-eks-kubeconfig () {
    if [ "$AWS_DEFAULT_PROFILE" != "aws-cluster-eks-profile-e1" ]; then
        aws-profile aws-cluster-eks-profile-e1
    fi
    ## If the update-kubeconfig below works, should not need to assume a role
    #aws-role arn:aws:iam::999999999999:role/aws-cluster-eks-admin
    if [ ! -s ~/.kube/aws-cluster-eks-config.yaml ]; then
        aws eks update-kubeconfig \
            --name aws-cluster-eks-config \
            --alias aws-cluster-eks-config \
            --profile aws-cluster-eks-profile-e1 \
            --role-arn=arn:aws:iam::999999999999:role/aws-cluster-eks-admin \
            --kubeconfig ~/.kube/aws-cluster-eks-config.yaml
    fi
    export KUBECONFIG=~/.kube/aws-cluster-eks-config.yaml
    kubectl config use-context aws-cluster-eks-config
}
Note that if terraform scripts use a common variable like this:
variable "aws_default_profile" {
  default = "default"
}
The aws-profile function is also setting a useful override for that variable, i.e.
export TF_VAR_aws_default_profile="${profile_name}"