To use AWS CLI, you need to first make sure your AWS access key credentials are configured properly.
Once you have your AWS access_key_id and secret_access_key, you can either manually add them to the credentials file, or use the aws configure command to set them up on your local machine.
This tutorial explains all the options available in the aws configure command, along with how to manage multiple profiles:
- First Time Configuring AWS Credentials – Default Profile
- ~/.aws Directory – Config and credentials File for Default Profile
- Edit Default Profile Credentials – Connect to Different AWS Account
- Create Multiple AWS Profiles – Dev and Prod
- ~/.aws Directory – Config and credentials File for Multiple Profiles (Dev and Prod)
- Switching Between Different AWS Profiles using --profile Option
- Switching Between Different AWS Profiles using AWS_PROFILE Env Variable
- View Profile Information using list Option
- Change Default Config and Credentials FileName and Location
- View a Specific Profile Parameter Value using get Option
- Set a Specific Profile Parameter Value using set Option
- Add New Model using add-model Option
1. First Time Configuring AWS Credentials – Default Profile
When you execute aws configure command without any argument, you’ll be configuring aws credentials as your default profile.
$ aws configure
AWS Access Key ID [None]: AAABBBCCCDDDEEEFFFGG
AWS Secret Access Key [None]: aaabbbcccdddeeefffggghhhiiijjjkkklllmmmn
Default region name [None]: us-east-1
Default output format [None]: text
In the above:
- [None] – This indicates that you don’t have any existing access-key-id/secret-access-key setup on your system for default profile, and will prompt you for new values.
- Region Name – This is optional. If you leave this empty, you should specify region in all your AWS CLI commands using --region parameter, else you’ll get an error message.
- Output – This is optional. If you leave this empty, the output of all AWS CLI will be in json format. Available output options are: json, text, table
2. ~/.aws Directory – Config and credentials File for Default Profile
When you execute aws configure for the first time, it will create the ~/.aws directory under your home directory, if it doesn’t already exist, with the following two files:
$ ls -1 ~/.aws
config
credentials

$ cat ~/.aws/config
[default]
region = us-east-1
output = text

$ cat ~/.aws/credentials
[default]
aws_access_key_id = AAABBBCCCDDDEEEFFFGG
aws_secret_access_key = aaabbbcccdddeeefffggghhhiiijjjkkklllmmmn
In the above:
- ~/.aws/credentials – This will contain your access_key_id and secret_access_key
- ~/.aws/config – This will contain the non-credential configuration information such as region and output
- [default] – This section indicates that these values belong to the default profile. Keep in mind that you can have more than one profile configured, which will allow you to execute AWS CLI commands against different AWS accounts as shown in examples below.
3. Edit Default Profile Credentials – Connect to Different AWS Account
If you want to connect to a different AWS account from your CLI, you can change your existing default profile credentials by executing the “aws configure” command again.
$ aws configure
AWS Access Key ID [****************FFGG]: ZZZZZZCCCDDDEEEFFFZZ
AWS Secret Access Key [****************mmmn]: zzzzzzcccdddeeefffggghhhiiijjjkkklllmmzz
Default region name [us-east-1]: us-west-2
Default output format [text]: json

$ cat ~/.aws/config
[default]
region = us-west-2
output = json
Note:
- When it prompts for access_key_id and secret_access_key, it’ll show you the last 4 characters of the existing values within [ ]
- If you press enter without giving any new value, it will just keep the existing values and not change anything.
4. Create Multiple AWS Profiles – Dev and Prod
When you connect to multiple AWS accounts using just the default profile, you have to keep changing the values of access_key_id and secret_access_key, which is not practical.
In that case, you can create multiple profiles.
Let us say you need to use AWS CLI commands to access your AWS-dev account and AWS-prod account. In this case, create a dev profile and a prod profile as explained below.
First, create dev profile as shown below. Use access_key_id and secret_access_key values of your AWS-dev account:
$ aws configure --profile dev
AWS Access Key ID [None]: DEVBBBCCCDDDEEEFFDEV
AWS Secret Access Key [None]: devbbbcccdddeeefffggghhhiiijjjkkklllmdev
Default region name [None]: us-east-1
Default output format [None]:
Next, create prod profile as shown below. Use access_key_id and secret_access_key values of your AWS-prod account:
$ aws configure --profile prod
AWS Access Key ID [None]: PRODBBCCCDDDEEEFPROD
AWS Secret Access Key [None]: prodbbcccdddeeefffggghhhiiijjjkkklllprod
Default region name [None]: us-west-2
Default output format [None]:
5. ~/.aws Directory – Config and credentials File for Multiple Profiles (Dev and Prod)
After adding the additional profiles (dev and prod), we now have a total of 3 profiles, including the default profile, as shown below in the configuration files.
$ cat ~/.aws/config
[default]
region = us-east-1
output = text
[profile dev]
region = us-east-1
[profile prod]
region = us-west-2

$ cat ~/.aws/credentials
[default]
aws_access_key_id = AAABBBCCCDDDEEEFFFGG
aws_secret_access_key = aaabbbcccdddeeefffggghhhiiijjjkkklllmmmn
[dev]
aws_access_key_id = DEVBBBCCCDDDEEEFFDEV
aws_secret_access_key = devbbbcccdddeeefffggghhhiiijjjkkklllmdev
[prod]
aws_access_key_id = PRODBBCCCDDDEEEFPROD
aws_secret_access_key = prodbbcccdddeeefffggghhhiiijjjkkklllprod
In the above:
- [default] – This contains the credentials information when we just used ‘aws configure’ command without any parameter. This is our default profile. We don’t have a name for this profile.
- [dev] – This section contains dev profile credentials.
- [prod] – This section contains prod profile credentials.
6. Switching Between Different AWS Profiles using --profile Option
By default, AWS CLI will use credentials from default profile. For example, the following command will list all the EBS volumes using your default profile credentials.
aws ec2 describe-volumes
If you want to connect to a different AWS account, for example the AWS-dev account, use the dev profile as shown below:
aws ec2 describe-volumes --profile dev
The following will connect to prod profile:
aws ec2 describe-volumes --profile prod
Please note that the following commands are exactly the same. Both will use the default profile:
aws ec2 describe-volumes
aws ec2 describe-volumes --profile default
Note: The --profile option can be used with all AWS CLI commands.
On a related note, to launch an EC2 instance from CLI, refer to this: How to Launch an Amazon AWS EC2 Instance with UserData from CLI
7. Switching Between Different AWS Profiles using AWS_PROFILE Env Variable
Specifying the profile option in every CLI command can be a bit cumbersome. To avoid this, you can set your profile using the AWS_PROFILE environment variable.
First, set your AWS_PROFILE to connect to AWS-dev account.
export AWS_PROFILE=dev
From now on, any AWS CLI commands that you execute will connect to the AWS-dev account. You don’t need to specify --profile option anymore.
The following commands will use dev profile credentials (not the default credentials), as we’ve set the AWS_PROFILE to dev.
aws ec2 describe-volumes
aws ec2 describe-instances
aws s3 ls
..
If you want to connect to AWS-prod account, just set the AWS_PROFILE to prod as shown below.
export AWS_PROFILE=prod
After the above, the following commands will use prod profile credentials to connect to your AWS-prod account.
aws ec2 describe-volumes
aws ec2 describe-instances
aws s3 ls
..
Once you’ve set to either dev or prod, and if you want to connect to the AWS account that points to the default profile, you have two options.
You can set AWS_PROFILE to default as shown below.
export AWS_PROFILE=default
Or, you can simply unset the AWS_PROFILE environment variable, which will then automatically start using the default profile.
unset AWS_PROFILE
After the above, the following commands will use default profile credentials to connect to the AWS account that the default profile points to.
aws ec2 describe-volumes
aws ec2 describe-instances
aws s3 ls
..
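Once AWS_PROFILE is exported, every later command in that shell silently targets that account. One way to guard against this, as an added example that is not part of the original tutorial: the functions below resolve the profile a command line would use (--profile on the command line, else AWS_PROFILE, else default) and refuse profiles listed as protected. PROTECTED_PROFILES, AWS_GUARD_ALLOW and the function names are assumptions of this sketch, not AWS CLI features.

```shell
#!/bin/sh
# Added example: resolve the profile an `aws` command line would use and
# refuse protected profiles unless explicitly allowed.
# PROTECTED_PROFILES and AWS_GUARD_ALLOW are hypothetical names for this sketch.

PROTECTED_PROFILES="${PROTECTED_PROFILES:-prod}"

# Print the effective profile for the given aws arguments:
# --profile on the command line wins, then AWS_PROFILE, then "default".
effective_profile() {
    profile="${AWS_PROFILE:-default}"
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --profile)
                if [ "$#" -ge 2 ]; then profile="$2"; fi ;;
            --profile=*)
                profile="${1#--profile=}" ;;
        esac
        shift
    done
    printf '%s\n' "$profile"
}

# Return 0 if the command may run, 1 if it targets a protected profile
# and AWS_GUARD_ALLOW=1 has not been set.
guard_check() {
    p=$(effective_profile "$@")
    for protected in $PROTECTED_PROFILES; do
        if [ "$p" = "$protected" ] && [ "${AWS_GUARD_ALLOW:-0}" != "1" ]; then
            echo "refusing: profile '$p' is protected; set AWS_GUARD_ALLOW=1 to proceed" >&2
            return 1
        fi
    done
    return 0
}

# Wrapper to call in place of `aws` in an interactive shell.
aws_guarded() {
    guard_check "$@" || return 1
    command aws "$@"
}
```

With AWS_PROFILE=prod exported, `aws_guarded ec2 describe-volumes` is refused, while `AWS_GUARD_ALLOW=1 aws_guarded ec2 describe-volumes` runs.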
8. View Profile Information using list Option
The easy way to view all the profiles that you’ve configured on your system is to view the content of config and credentials files.
cat ~/.aws/config
cat ~/.aws/credentials
The list option in the aws configure command will display the information about the current profile as shown below.
$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************FFGG shared-credentials-file
secret_key     ****************mmmn shared-credentials-file
    region                us-east-1      config-file    ~/.aws/config
In the above, the 1st line (profile) displays which profile you are using. The “Value” column of the 1st line says “<not set>”, which indicates that you are currently using the “default” profile.
If you change the profile to “prod”, you’ll see the “Value” column of the 1st line will say “prod” as shown below.
$ export AWS_PROFILE=prod
$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                     prod           manual    --profile
You can also pass the profile name to view profile information without changing your current profile as shown below.
$ aws configure list --profile dev
9. Change Default Config and Credentials FileName and Location
Instead of the default ~/.aws/config and ~/.aws/credentials, you can also use a different location and file name using the following environment variables:
AWS_SHARED_CREDENTIALS_FILE – Set this value to the filename that contains your AWS credentials
AWS_CONFIG_FILE – Set this value to the filename that contains your AWS profile config information
For example:
export AWS_SHARED_CREDENTIALS_FILE=/var/tmp/mycredentials
export AWS_CONFIG_FILE=/var/tmp/myconfig
Once you set the above values, all AWS CLI commands will start using profiles and corresponding credentials from the files in the above location:
aws ec2 describe-volumes
aws ec2 describe-instances
aws s3 ls
..
In the following output, the “Location” column of the last line (region) indicates which config file it is using.
$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************FFGG shared-credentials-file
secret_key     ****************mmmn shared-credentials-file
    region                us-east-1      config-file    /var/tmp/myconfig
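The credentials file holds long-lived secret keys in plain text, so wherever it lives (the default ~/.aws/credentials or a relocated path such as the /var/tmp one above), its permissions and those of its directory matter. The following check is an added example, not part of the original tutorial; the function names and finding labels are made up for this sketch.

```shell
#!/bin/sh
# Added example: audit the AWS shared credentials file for loose permissions.
# Honors AWS_SHARED_CREDENTIALS_FILE, falling back to ~/.aws/credentials.

credentials_path() {
    printf '%s\n' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
}

# Print one finding per line; return 1 if anything was found, 0 if clean.
audit_credentials_file() {
    file="${1:-$(credentials_path)}"
    findings=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    # Characters 5-10 of the `ls -l` mode string are the group and other bits.
    mode=$(ls -ld "$file" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "file-too-open: $file ($mode), expected -rw-------"
        findings=1
    fi
    # Other users can create files in a directory writable by group or others.
    dir=$(dirname "$file")
    dmode=$(ls -ld "$dir" | cut -c1-10)
    case "$dmode" in
        ?????w????|????????w?)
            echo "dir-writable-by-others: $dir ($dmode)"
            findings=1 ;;
    esac
    return "$findings"
}

# List the profile names that hold a static aws_access_key_id in the file.
profiles_with_static_keys() {
    awk '
        /^\[/ { section = substr($0, 2, index($0, "]") - 2); next }
        /^[ \t]*aws_access_key_id[ \t]*=/ { print section }
    ' "${1:-$(credentials_path)}"
}
```

Running `audit_credentials_file` with no argument checks whichever file the current environment points at; `chmod 600` on the file and a private directory clear both findings.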
10. View a Specific Profile Parameter Value using get Option
If you want to view just one value from your config or credentials file, use the get option of the aws configure command with the following syntax.
The get command is helpful if you are scripting something and want to get profile information inside your shell script.
aws configure get varname [--profile profile-name]
The following will only display the access_key_id of the current profile.
$ aws configure get aws_access_key_id
AAABBBCCCDDDEEEFFFGG
You can also use any one of the following:
aws configure get aws_access_key_id
aws configure get aws_secret_access_key
aws configure get region
aws configure get output
You can also specify the name of the profile as shown below:
aws configure get dev.aws_secret_access_key
aws configure get prod.aws_secret_access_key
11. Set a Specific Profile Parameter Value using set Option
Configure get and set commands can be helpful, if you are writing a shell script to manipulate the values of your config/credentials files.
Syntax:
aws configure set varname value [--profile profile-name]
You can just set a value of one specific parameter as shown below.
$ aws configure set region us-east-2
You can set the values of any of the following parameters:
aws configure set aws_access_key_id NEWABBCCCDDDEEEFPNEW
aws configure set aws_secret_access_key newdbbcccdddeeefffggghhhiiijjjkkklllpnew
aws configure set region us-east-2
aws configure set output json
You can also specify the name of the profile as shown below:
aws configure set dev.region us-east-2
aws configure set prod.output json
12. Add New Model using add-model Option
You can add models based on the information from a json file.
For example, if you have an AWS CLI version that doesn’t have Amazon Polly, then you can reinstall the AWS CLI to get Polly.
Or, you can download polly’s model file, and use the add-model option in aws configure as shown below.
aws configure add-model --service-model file:///var/tmp/polly.json
The above command will create ~/.aws/models directory and create the following sub-directory based on the information from the given json file.
ls -l ~/.aws/models/polly/2016-06-10/service-2.json
The following is the first few lines of the json file that was used in the above example.
$ head -10 ~/.aws/models/polly/2016-06-10/service-2.json
{
  "version":"2.0",
  "metadata":{
    "apiVersion":"2016-06-10",
    "endpointPrefix":"polly",
    "protocol":"rest-json",
    "serviceFullName":"Amazon Polly",
    "serviceId":"Polly",
    "signatureVersion":"v4",
    "uid":"polly-2016-06-10"
The above file is the same as the one that we used during our add-model.
diff -w ~/.aws/models/polly/2016-06-10/service-2.json /var/tmp/polly.json
You can also specify a different service-name by passing the --service-name parameter as shown below.
aws configure add-model --service-model file:///var/tmp/custom.json --service-name mycustom
The above will create a sub-directory under ~/.aws/models with the service-name that you’ve specified as shown below.
ls -l ~/.aws/models/mycustom/2016-06-10/service-2.json
Do you have examples of switching roles and MFA for accessing AWS S3 buckets and folders?