Using AWS CLI profiles
The AWS CLI is deceptively powerful and ubiquitous, but it can be tough to configure in a multi-account organization, and the most obvious way to configure it, using an access key ID and secret access key, is far and away the riskiest.
Fortunately, there are two less-well-known configurations that can help you address both: Profiles and the
When you use the AWS CLI or an SDK without any additional configuration, it'll read ~/.aws/config and use the default profile it finds there. You can configure the default profile (or any other name by changing default to something else) to use Substrate to get credentials as follows:
[default]
credential_process = substrate credentials -format json -quiet
This will save you having to run eval $(substrate credentials) yourself but will open a browser window each and every time you use the AWS CLI or SDK. Most users should prefer to use eval $(substrate credentials) to put AWS credentials that last 12 hours into environment variables.
Once you have AWS credentials in your environment, you can choose to use profiles to save yourself some typing. Define profiles in ~/.aws/config, naming them whatever you like, that defer credential management to Substrate via:
[profile whatever-you-want-to-call-it]
credential_process = substrate assume-role -format json -quiet -domain <domain> -environment <environment> -quality <quality>
Note well that, in order for this to succeed, you'll need to have already run eval $(substrate credentials) to prime the environment to have any access to AWS at all.
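To check which profiles on a machine still keep an access key on disk instead of deferring to credential_process as configured above, the following added example (not part of Substrate or the AWS CLI) classifies every profile in the two AWS CLI files. The sample file contents, the profile names legacy and ci, and the key values are constructed placeholders.

```python
import configparser

# Constructed sample file contents (placeholder key values, not real secrets).
SAMPLE_CONFIG = """\
[default]
credential_process = substrate credentials -format json -quiet

[profile whatever-you-want-to-call-it]
credential_process = substrate assume-role -format json -quiet -domain <domain> -environment <environment> -quality <quality>

[profile legacy]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-placeholder
"""
SAMPLE_CREDENTIALS = """\
[ci]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = constructed-placeholder
"""

def classify(text, is_config_file):
    """Map each profile to 'static-key', 'credential_process' or 'other'."""
    # Raw parser: no % interpolation; strict=False tolerates duplicate sections.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(text)
    kinds = {}
    for section in parser.sections():
        name = section
        if is_config_file and section != "default":
            # ~/.aws/config writes named profiles as "[profile NAME]";
            # other section types (e.g. sso-session) are not profiles.
            if not section.startswith("profile "):
                continue
            name = section[len("profile "):].strip()
        if parser.has_option(section, "aws_access_key_id"):
            kinds[name] = "static-key"  # key material stored on disk
        elif parser.has_option(section, "credential_process"):
            kinds[name] = "credential_process"  # fetched on demand
        else:
            kinds[name] = "other"
    return kinds

def static_key_profiles(config_text, credentials_text):
    """Return sorted (file, profile) pairs that keep access keys on disk."""
    found = []
    for label, text, is_cfg in (("config", config_text, True),
                                ("credentials", credentials_text, False)):
        found += [(label, p) for p, k in classify(text, is_cfg).items() if k == "static-key"]
    return sorted(found)
```

To audit a real machine, pass the contents of ~/.aws/config and ~/.aws/credentials to static_key_profiles.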
Use your profile thus:
eval $(substrate credentials)
aws sts get-caller-identity --profile whatever-you-want-to-call-it
This is considerably shorter than
substrate assume-role -format json -quiet -domain <domain> -environment <environment> -quality <quality> aws sts get-caller-identity
but the profile is local to your machine and is not shared amongst your teammates the way domains, environments, and qualities are, which makes collaboration harder. Nonetheless, profiles are a part of the AWS CLI and SDK that Substrate supports, so use whichever tool suits you in every situation; there's no need to commit to one exclusively. You can even check out Granted to navigate the profiles you configure in