Bird
Raised Fist0
AWScloud~5 mins

Using profiles for multiple accounts in AWS - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
When you work with more than one AWS account, you need a way to switch between them easily. AWS profiles let you save different login details so you can use multiple accounts without typing credentials every time.
When you manage separate AWS accounts for development and production environments.
When you work on projects for different clients, each with their own AWS account.
When you want to test features in a sandbox account without affecting your main account.
When you share a computer with teammates who use different AWS accounts.
When automating scripts that need to access different AWS accounts.
Config File - config
config
[default]
region = us-east-1
output = json

[profile dev-account]
region = us-west-2
output = json

[profile prod-account]
region = us-east-1
output = json

This file defines AWS CLI profiles.

[default] is the main profile used if no other is specified.

[profile dev-account] and [profile prod-account] are named profiles for different AWS accounts with their own regions and output formats.

Commands
This command sets the access key ID for the 'dev-account' profile so AWS CLI knows which credentials to use for that account.
Terminal
aws configure set aws_access_key_id AKIADEVEXAMPLE --profile dev-account
Expected OutputExpected
No output (command runs silently)
--profile - Specifies which profile to configure
This command sets the secret access key for the 'dev-account' profile to authenticate requests.
Terminal
aws configure set aws_secret_access_key devsecretkeyexample1234567890 --profile dev-account
Expected OutputExpected
No output (command runs silently)
--profile - Specifies which profile to configure
This command sets the access key ID for the 'prod-account' profile.
Terminal
aws configure set aws_access_key_id AKIAPRODEXAMPLE --profile prod-account
Expected OutputExpected
No output (command runs silently)
--profile - Specifies which profile to configure
This command sets the secret access key for the 'prod-account' profile.
Terminal
aws configure set aws_secret_access_key prodsecretkeyexample0987654321 --profile prod-account
Expected OutputExpected
No output (command runs silently)
--profile - Specifies which profile to configure
This command lists all S3 buckets in the AWS account linked to the 'dev-account' profile. It shows that the CLI is using the correct account.
Terminal
aws s3 ls --profile dev-account
Expected OutputExpected
2023-05-01 10:00:00 dev-bucket-example 2023-05-02 11:30:00 dev-logs
--profile - Selects which AWS account profile to use for the command
This command lists all S3 buckets in the AWS account linked to the 'prod-account' profile to verify access.
Terminal
aws s3 ls --profile prod-account
Expected OutputExpected
2023-04-15 09:00:00 prod-bucket-main 2023-04-20 14:45:00 prod-backups
--profile - Selects which AWS account profile to use for the command
Key Concept

If you remember nothing else from this pattern, remember: AWS profiles let you switch between multiple accounts easily by saving their credentials separately.

Common Mistakes
Not specifying the --profile flag when running AWS CLI commands.
The CLI uses the default profile, which may connect to the wrong AWS account.
Always add --profile profile-name to target the correct account.
Mixing up profile names or using inconsistent names in config and commands.
Commands fail or connect to unintended accounts because the profile does not exist or is misspelled.
Use consistent, clear profile names in both config files and CLI commands.
Storing AWS credentials in the config file instead of the credentials file.
AWS CLI expects sensitive keys in the credentials file; putting them in config can cause errors or security risks.
Use 'aws configure' commands or edit the credentials file for keys, and config file for region/output.
Summary
Create named profiles in the AWS config file to separate account settings.
Use 'aws configure set' with --profile to add credentials for each account.
Run AWS CLI commands with --profile to specify which account to use.

Practice

(1/5)
1. What is the main purpose of using AWS profiles when working with multiple accounts?
easy
A. To store different account credentials separately on the same computer
B. To speed up AWS CLI commands by caching results
C. To automatically switch regions without user input
D. To encrypt data stored in AWS S3 buckets

Solution

  1. Step 1: Understand AWS profiles

    AWS profiles allow you to save different sets of credentials and settings for multiple accounts on one computer.

  2. Step 2: Identify the purpose

    This separation helps you choose which account to use without mixing credentials.

  3. Final Answer:

    To store different account credentials separately on the same computer -> Option A

  4. Quick Check:

    Profiles separate credentials = B [OK]
Hint: Profiles separate accounts by credentials [OK]
Common Mistakes:
  • Thinking profiles speed up commands
  • Confusing profiles with region switching
  • Assuming profiles encrypt data
2. Which AWS CLI command syntax correctly uses a profile named dev-account to list S3 buckets?
easy
A. aws s3 ls dev-account --profile
B. aws --profile s3 ls dev-account
C. aws --profile dev-account s3 ls
D. aws s3 ls dev-account

Solution

  1. Step 1: Recall AWS CLI profile usage

    The correct syntax places --profile dev-account as a global option right after aws, before the service s3 ls.

  2. Step 2: Match syntax to options

    aws --profile dev-account s3 ls correctly uses the profile flag.

  3. Final Answer:

    aws --profile dev-account s3 ls -> Option C

  4. Quick Check:

    Correct flag placement = A [OK]
Hint: --profile after aws, before service [OK]
Common Mistakes:
  • Placing --profile after profile name
  • Swapping command and profile flag order
  • Omitting --profile flag
3. Given these AWS CLI commands run on the same machine: 
aws --profile prod s3 ls
aws --profile dev s3 ls
What will happen if the prod profile has access to 5 buckets and dev profile has access to 2 buckets?
medium
A. Both commands fail due to profile conflict
B. The first command lists 5 buckets; the second lists 2 buckets
C. Both commands list 5 buckets only
D. Both commands list 7 buckets combined

Solution

  1. Step 1: Understand profile isolation

    Each profile uses its own credentials and permissions, so commands run under different profiles see different resources.

  2. Step 2: Apply to bucket listing

    The prod profile lists 5 buckets it can access; the dev profile lists 2 buckets it can access.

  3. Final Answer:

    The first command lists 5 buckets; the second lists 2 buckets -> Option B

  4. Quick Check:

    Profiles isolate access = D [OK]
Hint: Profiles show only their own account's buckets [OK]
Common Mistakes:
  • Assuming buckets combine across profiles
  • Expecting profile conflicts cause failure
  • Thinking both profiles show same buckets
4. You run the command aws --profile test ec2 describe-instances but get an error: Could not find credentials for profile: test. What is the most likely cause?
medium
A. The EC2 service is down in your region
B. The AWS CLI version is outdated
C. You forgot to specify the region with --region
D. The profile test is not configured in your AWS credentials file

Solution

  1. Step 1: Analyze error message

    The error says credentials for profile test are missing, meaning AWS CLI cannot find that profile in config files.

  2. Step 2: Identify cause

    This usually happens if the profile was never added or misspelled in ~/.aws/credentials or ~/.aws/config.

  3. Final Answer:

    The profile test is not configured in your AWS credentials file -> Option D

  4. Quick Check:

    Missing profile config = A [OK]
Hint: Check profile exists in credentials file [OK]
Common Mistakes:
  • Blaming AWS CLI version
  • Assuming region missing causes credential error
  • Thinking service outage causes credential error
5. You want to run an AWS CLI command that uses the prod profile but also specify the region us-west-2 without changing your default region. Which command correctly does this?
hard
A. aws --profile prod --region us-west-2 s3 ls
B. aws s3 ls --region us-west-2 --profile prod
C. aws s3 ls --profile prod region us-west-2
D. aws s3 ls prod --region us-west-2

Solution

  1. Step 1: Understand flag order and usage

    Global options like --profile and --region must be placed after aws but before the service name. Their relative order does not matter.

  2. Step 2: Check options for correctness

    Only aws --profile prod --region us-west-2 s3 ls correctly places both flags before the service.

  3. Final Answer:

    aws --profile prod --region us-west-2 s3 ls -> Option A

  4. Quick Check:

    Global flags before service = C [OK]
Hint: Global flags (--profile, --region) after aws before service [OK]
Common Mistakes:
  • Omitting --profile or --region flags
  • Placing profile name without --profile flag
  • Using incorrect flag syntax