We often have to manage different sets of credentials for multiple AWS accounts. I was wondering what the most efficient and secure way of handling them was, and I decided to set some time aside to document it.
For reference, the official documentation can be found here.
Here is my current setup:
~/.aws/credentials
[default]
aws_access_key_id = AKIA...
aws_secret_access_key = 123456
[mirego]
aws_access_key_id = AKIA...
aws_secret_access_key = 123456
[client_with_direct_access]
aws_access_key_id = AKIA...
aws_secret_access_key = 123456

If you happen to have an IAM account directly in the account that you wish to use, you can set those credentials there.
Otherwise, at Mirego, we usually use cross-account delegated access to enable developers to access cloud resources located in a customer account, in a secure way.
To avoid having to manage STS sessions manually, you can configure those roles like this:
~/.aws/config
[default]
region = us-east-1
[profile client1]
region = us-west-2
role_arn = arn:aws:iam::123456:role/rolename
source_profile = mirego
[profile client2-with-sso]
region = us-east-1
sso_start_url = https://sso-url.awsapps.com/start
# sso_region is required alongside sso_start_url: it is the region hosting the SSO portal
sso_region = us-east-1
sso_account_id = 123456
sso_role_name = xyz
[profile client2]
region = ca-central-1
role_arn = arn:aws:iam::123456:role/rolename
source_profile = mirego

As you can see, you can also specify useful defaults like the region to use for a specific account.
To use a profile, you can set the environment variable AWS_PROFILE to a profile configured above, or pass it directly as an optional argument like aws s3 ls --profile client1.
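Once several profiles chain through role_arn / source_profile, a typo in one link only shows up at assume-role time, when the CLI fails. The following script is an added example, not code from the original post or from AWS: it parses the two files the way the CLI does (the "profile " prefix in ~/.aws/config, bare names in ~/.aws/credentials), follows every source_profile chain back to static keys or an SSO profile, and reports dangling references, cycles and incomplete SSO profiles before they bite. The embedded config and credentials text are constructed samples that mirror the layout above (with two deliberately broken profiles added); only source_profile chaining is handled, not credential_source.

```python
import configparser
from typing import Dict, List

# Constructed sample files mirroring the post's layout. Keys are placeholders, not real credentials.
CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLE000000001
aws_secret_access_key = example-secret-1

[mirego]
aws_access_key_id = AKIAEXAMPLE000000002
aws_secret_access_key = example-secret-2
"""

CONFIG = """\
[default]
region = us-east-1

[profile client1]
region = us-west-2
role_arn = arn:aws:iam::123456789012:role/rolename
source_profile = mirego

[profile client2-with-sso]
region = us-east-1
sso_start_url = https://sso-url.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = xyz

[profile client3-broken]
role_arn = arn:aws:iam::123456789012:role/rolename
source_profile = no-such-profile

[profile loop-a]
region = us-east-1
role_arn = arn:aws:iam::123456789012:role/a
source_profile = loop-b

[profile loop-b]
region = us-east-1
role_arn = arn:aws:iam::123456789012:role/b
source_profile = loop-a
"""

# Keys the CLI needs for a legacy (non sso-session) SSO profile.
SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")


def parse_ini(text: str) -> configparser.ConfigParser:
    # interpolation=None so '%' in a value (e.g. a URL) cannot trip the parser
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def load_profiles(config_text: str, credentials_text: str) -> Dict[str, dict]:
    """Merge both files into one dict keyed by bare profile name."""
    profiles: Dict[str, dict] = {}
    cfg = parse_ini(config_text)
    for section in cfg.sections():
        if section == "default":
            name = "default"
        elif section.startswith("profile "):
            name = section[len("profile "):]
        else:
            continue  # the CLI ignores config sections lacking the "profile " prefix
        profiles.setdefault(name, {}).update(cfg[section])
    creds = parse_ini(credentials_text)
    for section in creds.sections():  # credentials file uses bare names
        profiles.setdefault(section, {}).update(creds[section])
    return profiles


def resolve_chain(name: str, profiles: Dict[str, dict]) -> List[str]:
    """Follow source_profile links until static keys or SSO settings are found.

    Raises ValueError on a missing link, a cycle, or a role with nothing to assume it from.
    """
    chain: List[str] = []
    while True:
        if name in chain:
            raise ValueError("source_profile cycle: " + " -> ".join(chain + [name]))
        chain.append(name)
        prof = profiles.get(name)
        if prof is None:
            raise ValueError(f"profile {name!r} is referenced but not defined")
        if "aws_access_key_id" in prof or "sso_start_url" in prof:
            return chain  # reached a profile that can actually obtain credentials
        if "role_arn" in prof:
            if "source_profile" not in prof:
                raise ValueError(f"profile {name!r} has role_arn but no source_profile")
            name = prof["source_profile"]
            continue
        raise ValueError(f"profile {name!r} has no keys, role_arn or SSO settings")


def lint_profiles(profiles: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return {profile: [problem, ...]} for every profile the CLI would reject or surprise you with."""
    findings: Dict[str, List[str]] = {}
    # profiles only used as a source for roles do not need their own region
    sources = {p.get("source_profile") for p in profiles.values()}
    for name, prof in profiles.items():
        issues: List[str] = []
        if "region" not in prof and name not in sources:
            issues.append("no region configured; CLI falls back to AWS_DEFAULT_REGION or fails")
        if any(k in prof for k in SSO_KEYS):
            missing = [k for k in SSO_KEYS if k not in prof]
            if missing:
                issues.append("incomplete SSO profile, missing " + ", ".join(missing))
        try:
            resolve_chain(name, profiles)
        except ValueError as exc:
            issues.append(str(exc))
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for profile, problems in lint_profiles(load_profiles(CONFIG, CREDENTIALS)).items():
        for problem in problems:
            print(f"{profile}: {problem}")
```

To run it against your real setup, replace the two constants with the contents of ~/.aws/config and ~/.aws/credentials (read with pathlib's expanduser); the script never prints key values, so its output is safe to paste into a ticket.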
As a last tip, I would also recommend looking into this superb extension. It greatly improves the usability of frequently switching roles in the AWS console, by removing the limit of 5 roles that are "remembered" and automatically switching the AWS region as needed when assuming a new role.