
Manage Multiple Profiles for CLI Using AWS Configure Command

This tutorial explains all the options available in the aws configure command, along with how to manage multiple profiles.

To use AWS CLI, you need to first make sure your AWS access key credentials are configured properly.

Once you have your AWS access_key_id and secret_access_key, you can either manually add them to the credentials file, or use aws configure command to set it up on your local machine.

  1. First Time Configuring AWS Credentials – Default Profile
  2. ~/.aws Directory – Config and credentials File for Default Profile
  3. Edit Default Profile Credentials – Connect to Different AWS Account
  4. Create Multiple AWS Profiles – Dev and Prod
  5. ~/.aws Directory – Config and credentials File for Multiple Profiles (Dev and Prod)
  6. Switching Between Different AWS Profiles using --profile Option
  7. Switching Between Different AWS Profiles using AWS_PROFILE Env Variable
  8. View Profile Information using list Option
  9. Change Default Config and Credentials FileName and Location
  10. View a Specific Profile Parameter Value using get Option
  11. Set a Specific Profile Parameter Value using set Option
  12. Add New Model using add-model Option

1. First Time Configuring AWS Credentials – Default Profile

When you execute aws configure command without any argument, you’ll be configuring aws credentials as your default profile.

$ aws configure
AWS Access Key ID [None]: AAABBBCCCDDDEEEFFFGG
AWS Secret Access Key [None]: aaabbbcccdddeeefffggghhhiiijjjkkklllmmmn
Default region name [None]: us-east-1
Default output format [None]: text

In the above:

  • [None] – This indicates that you don’t have any existing access-key-id/secret-access-key setup on your system for default profile, and will prompt you for new values.
  • Region Name – This is optional. If you leave this empty, you should specify the region in all your AWS CLI commands using the --region parameter, else you’ll get an error message.
  • Output – This is optional. If you leave this empty, the output of all AWS CLI commands will be in json format. Available output options are: json, text, table

2. ~/.aws Directory – Config and credentials File for Default Profile

When you execute aws configure for the first time, it will create the ~/.aws directory under your home directory, if it doesn’t already exist, with the following two files:

$ ls -1 ~/.aws
config
credentials

$ cat ~/.aws/config
[default]
region = us-east-1
output = text

$ cat ~/.aws/credentials
[default]
aws_access_key_id = AAABBBCCCDDDEEEFFFGG
aws_secret_access_key = aaabbbcccdddeeefffggghhhiiijjjkkklllmmmn

In the above:

  • ~/.aws/credentials – This will contain your access_key_id and secret_access_key, stored in plain text as shown above
  • ~/.aws/config – This will contain the non-credential configuration information such as region and output
  • [default] – This section indicates that these values belong to the default profile. Keep in mind that you can have more than one profile configured, which will allow you to execute AWS CLI commands against different AWS accounts as shown in examples below.

3. Edit Default Profile Credentials – Connect to Different AWS Account

If you want to connect to a different AWS account from your CLI, then you can change your existing default profile credentials by executing the “aws configure” command again.

$ aws configure
AWS Access Key ID [****************FFGG]: ZZZZZZCCCDDDEEEFFFZZ
AWS Secret Access Key [****************mmmn]: zzzzzzcccdddeeefffggghhhiiijjjkkklllmmzz
Default region name [us-east-1]: us-west-2
Default output format [text]: json

$ cat ~/.aws/config
[default]
region = us-west-2
output = json

Note:

  • When it prompts for access_key_id and secret_access_key, it’ll show you the last 4 characters of the existing values within [ ]
  • If you press enter without giving any new value, it will just keep the existing values and not change anything.

4. Create Multiple AWS Profiles – Dev and Prod

When you connect to multiple AWS accounts using only the default profile, you have to keep changing the values of access_key_id and secret_access_key, which is not practical.

In that case, you can create multiple profiles.

Let us say you need to use AWS CLI commands to access your AWS-dev account and AWS-prod account. In this case, create a dev profile and a prod profile as explained below.

First, create dev profile as shown below. Use access_key_id and secret_access_key values of your AWS-dev account:

$ aws configure --profile dev
AWS Access Key ID [None]: DEVBBBCCCDDDEEEFFDEV
AWS Secret Access Key [None]: devbbbcccdddeeefffggghhhiiijjjkkklllmdev
Default region name [None]: us-east-1
Default output format [None]:

Next, create prod profile as shown below. Use access_key_id and secret_access_key values of your AWS-prod account:

$ aws configure --profile prod
AWS Access Key ID [None]: PRODBBCCCDDDEEEFPROD
AWS Secret Access Key [None]: prodbbcccdddeeefffggghhhiiijjjkkklllprod
Default region name [None]: us-west-2
Default output format [None]:

5. ~/.aws Directory – Config and credentials File for Multiple Profiles (Dev and Prod)

After adding the additional profiles (dev and prod), we now have a total of 3 profiles, including the default profile, as shown below in the configuration files.

$ cat ~/.aws/config
[default]
region = us-east-1
output = text
[profile dev]
region = us-east-1
[profile prod]
region = us-west-2

$ cat ~/.aws/credentials
[default]
aws_access_key_id = AAABBBCCCDDDEEEFFFGG
aws_secret_access_key = aaabbbcccdddeeefffggghhhiiijjjkkklllmmmn
[dev]
aws_access_key_id = DEVBBBCCCDDDEEEFFDEV
aws_secret_access_key = devbbbcccdddeeefffggghhhiiijjjkkklllmdev
[prod]
aws_access_key_id = PRODBBCCCDDDEEEFPROD
aws_secret_access_key = prodbbcccdddeeefffggghhhiiijjjkkklllprod

In the above:

  • [default] – This contains the credentials information when we just used ‘aws configure’ command without any parameter. This is our default profile. We don’t have a name for this profile.
  • [dev] – This section contains dev profile credentials.
  • [prod] – This section contains prod profile credentials.
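
The two files name their sections differently ([profile dev] in config, [dev] in credentials), which matters when a script reads them directly. The following is an added example, not part of the original tutorial: it lists every profile with its region and a masked access key ID, never printing a secret. The function names and the constructed sample files are assumptions of the example.

```shell
# Added example: list each profile with its region and a masked access key ID.

# Profile names from both files. config names sections "[profile dev]",
# credentials names them "[dev]"; both are normalized to "dev".
list_profiles() {   # usage: list_profiles CONFIG_FILE CREDENTIALS_FILE
    cat "$1" "$2" | awk '
        /^[ \t]*\[.*\]/ {
            n = $0; sub(/^[ \t]*\[/, "", n); sub(/\].*$/, "", n)
            sub(/^profile[ \t]+/, "", n)
            if (!(n in seen)) { seen[n] = 1; print n }
        }'
}

# Value of KEY inside [SECTION] of FILE; prints nothing if absent.
profile_value() {   # usage: profile_value FILE SECTION KEY
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Mask the way "aws configure list" does: asterisks plus the last 4 characters.
mask_key() {
    if [ -n "$1" ]; then printf '****************%s\n' "$(printf '%s' "$1" | tail -c 4)"
    else echo none; fi
}

summarize() {   # usage: summarize CONFIG_FILE CREDENTIALS_FILE
    list_profiles "$1" "$2" | while IFS= read -r p; do
        if [ "$p" = default ]; then sec=default; else sec="profile $p"; fi
        region=$(profile_value "$1" "$sec" region)
        key=$(profile_value "$2" "$p" aws_access_key_id)
        printf '%s region=%s access_key=%s\n' "$p" "${region:-unset}" "$(mask_key "$key")"
    done
}

# Constructed sample input, using the dev values shown in this section.
make_sample() {   # usage: make_sample DIR
    printf '[default]\nregion = us-east-1\n[profile dev]\nregion = us-east-1\n' > "$1/config"
    printf '[dev]\naws_access_key_id = DEVBBBCCCDDDEEEFFDEV\n' > "$1/credentials"
    printf 'aws_secret_access_key = devbbbcccdddeeefffggghhhiiijjjkkklllmdev\n' >> "$1/credentials"
}

d=$(mktemp -d) && make_sample "$d" && summarize "$d/config" "$d/credentials"
rm -rf "$d"
```

In the sample, the default profile has a region but no static key in the credentials file, so its key column reads "none".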


6. Switching Between Different AWS Profiles using --profile Option

By default, AWS CLI will use credentials from default profile. For example, the following command will list all the EBS volumes using your default profile credentials.

aws ec2 describe-volumes

If you want to connect to a different AWS account, for example the AWS-dev account, use the dev profile as shown below:

aws ec2 describe-volumes --profile dev

The following will connect to prod profile:

aws ec2 describe-volumes --profile prod

Please note that the following commands are exactly the same. Both will use the default profile:

aws ec2 describe-volumes

aws ec2 describe-volumes --profile default

Note: The --profile option can be used with all AWS CLI commands.

7. Switching Between Different AWS Profiles using AWS_PROFILE Env Variable

Specifying the profile option in every CLI command can be a bit cumbersome. To avoid this, you can set your profile using the AWS_PROFILE environment variable.


First, set your AWS_PROFILE to connect to AWS-dev account.

export AWS_PROFILE=dev

From now on, any AWS CLI commands that you execute will connect to the AWS-dev account. You don’t need to specify the --profile option anymore.

The following commands will use dev profile credentials (not the default credentials), as we’ve set the AWS_PROFILE to dev.

aws ec2 describe-volumes
aws ec2 describe-instances
aws s3 ls
..

If you want to connect to AWS-prod account, just set the AWS_PROFILE to prod as shown below.

export AWS_PROFILE=prod

After the above, the following commands will use prod profile credentials to connect to your AWS-prod account.

aws ec2 describe-volumes
aws ec2 describe-instances
aws s3 ls
..

Once you’ve set AWS_PROFILE to either dev or prod, if you want to go back to the AWS account that the default profile points to, you have two options.

You can set AWS_PROFILE to default as shown below.

export AWS_PROFILE=default

Or, you can simply unset the AWS_PROFILE environment variable, which will then automatically start using the default profile.

unset AWS_PROFILE

After the above, the following commands will use the default profile credentials to connect to the AWS account that the default profile points to.

aws ec2 describe-volumes
aws ec2 describe-instances
aws s3 ls
..

8. View Profile Information using list Option

The easy way to view all the profiles that you’ve configured on your system is to view the content of config and credentials files.

cat ~/.aws/config

cat ~/.aws/credentials

The list option in the aws configure command will display the information about the current profile as shown below.

$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************FFGG shared-credentials-file
secret_key     ****************mmmn shared-credentials-file
    region                us-east-1      config-file    ~/.aws/config

In the above, the 1st line (profile) displays which profile you are using. The “Value” column of that line says “<not set>”, which indicates that you are currently using the “default” profile.

If you change the profile to “prod”, you’ll see the “Value” column of the 1st line will say “prod” as shown below.

$ export AWS_PROFILE=prod

$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                     prod           manual    --profile

You can also pass the profile name to view profile information without changing your current profile as shown below.

$ aws configure list --profile dev

9. Change Default Config and Credentials FileName and Location

Instead of the default ~/.aws/config and ~/.aws/credentials, you can also use a different location and file name using the following environment variables:

AWS_SHARED_CREDENTIALS_FILE – Set this value to the filename that contains your AWS credentials
AWS_CONFIG_FILE – Set this value to the filename that contains your AWS profile config information

For example:

export AWS_SHARED_CREDENTIALS_FILE=/var/tmp/mycredentials

export AWS_CONFIG_FILE=/var/tmp/myconfig

Once you set the above values, all AWS CLI commands will start using profiles and corresponding credentials from the files in the above location:

aws ec2 describe-volumes
aws ec2 describe-instances
aws s3 ls
..

In the following output, the “Location” column of the last line (region) indicates which config file it is using.

$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************FFGG shared-credentials-file
secret_key     ****************mmmn shared-credentials-file
    region                us-east-1      config-file    /var/tmp/myconfig
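
Because the credentials file holds the keys in plain text, its mode matters more once it is moved to a shared location such as /var/tmp. The following is an added example, not part of the original tutorial: it resolves the credentials path the same way as described above and checks that group and other users have no access. The function names creds_path and check_creds_file are hypothetical.

```shell
# Added example: check that the credentials file in use is private to its owner.

# Path in effect: AWS_SHARED_CREDENTIALS_FILE if set, else ~/.aws/credentials.
creds_path() { printf '%s\n' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"; }

# Returns 0 if FILE grants nothing to group/other, 1 if too open, 2 if missing.
check_creds_file() {   # usage: check_creds_file [FILE]
    f=${1:-$(creds_path)}
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    # Characters 5-10 of the "ls -ld" mode string are the group and other bits.
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "too open ($(ls -ld "$f" | cut -c1-10)): $f" >&2
        echo "fix with: chmod 600 $f" >&2
        return 1
    fi
    # In a directory writable by everyone (such as /var/tmp), other local users
    # can create files, for example before you first write yours. Warn only.
    dir=$(dirname "$f")
    case $(ls -ld "$dir" | cut -c9) in
        w) echo "warning: $dir is world-writable" >&2 ;;
    esac
    return 0
}

# Constructed demo: a private temporary directory stands in for the real path.
t=$(mktemp -d); printf '[default]\n' > "$t/mycredentials"
chmod 644 "$t/mycredentials"
check_creds_file "$t/mycredentials" || echo "exit status $?"
chmod 600 "$t/mycredentials"
check_creds_file "$t/mycredentials" && echo "ok"
rm -rf "$t"
```

Called with no argument, check_creds_file inspects whichever file the current environment points to.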

10. View a Specific Profile Parameter Value using get Option

If you want to view just one value from your config or credentials file, use the get option of the aws configure command with the following syntax.


The get command is helpful if you are scripting something and want to get profile information inside your shell script.

aws configure get varname [--profile profile-name]

The following will only display the access_key_id of the current profile.

$ aws configure get aws_access_key_id
AAABBBCCCDDDEEEFFFGG

You can also use any one of the following:

aws configure get aws_access_key_id
aws configure get aws_secret_access_key
aws configure get region
aws configure get output

You can also specify the name of the profile as shown below:

aws configure get dev.aws_secret_access_key
aws configure get prod.aws_secret_access_key

11. Set a Specific Profile Parameter Value using set Option

The configure get and set commands can be helpful if you are writing a shell script to manipulate the values of your config/credentials files.

Syntax:

aws configure set varname value [--profile profile-name]

You can just set a value of one specific parameter as shown below.

$ aws configure set region us-east-2

You can set the values of any of the following parameters:

aws configure set aws_access_key_id NEWABBCCCDDDEEEFPNEW
aws configure set aws_secret_access_key newdbbcccdddeeefffggghhhiiijjjkkklllpnew
aws configure set region us-east-2
aws configure set output json

You can also specify the name of the profile as shown below:

aws configure set dev.region us-east-2
aws configure set prod.output json

12. Add New Model using add-model Option

You can add models based on the information from a json file.

For example, if you have an AWS CLI version that doesn’t have Amazon Polly, then you can reinstall the AWS CLI to get Polly.

Or, you can download polly’s model file, and use the add-model option in aws configure as shown below.

aws configure add-model --service-model file:///var/tmp/polly.json

The above command will create ~/.aws/models directory and create the following sub-directory based on the information from the given json file.

ls -l ~/.aws/models/polly/2016-06-10/service-2.json

The following are the first few lines of the json file that was used in the above example.

$ head -10 ~/.aws/models/polly/2016-06-10/service-2.json
{
  "version":"2.0",
  "metadata":{
    "apiVersion":"2016-06-10",
    "endpointPrefix":"polly",
    "protocol":"rest-json",
    "serviceFullName":"Amazon Polly",
    "serviceId":"Polly",
    "signatureVersion":"v4",
    "uid":"polly-2016-06-10"

The above file is the same as the one that we used during our add-model.

diff -w ~/.aws/models/polly/2016-06-10/service-2.json /var/tmp/polly.json

You can also specify a different service-name by passing the --service-name parameter as shown below.

aws configure add-model --service-model file:///var/tmp/custom.json --service-name mycustom

The above will create a sub-directory under ~/.aws/models with the service-name that you’ve specified as shown below.

ls -l ~/.aws/models/mycustom/2016-06-10/service-2.json

 
