
Using profiles for multiple accounts in AWS - Step-by-Step Execution

Process Flow - Using profiles for multiple accounts
Create profile1 with account1 creds
Create profile2 with account2 creds
Use AWS CLI with --profile profile1
Commands run on account1
Use AWS CLI with --profile profile2
Commands run on account2
Switch profiles anytime to access different accounts
Set up separate profiles for each AWS account, then specify the profile when running commands to work with that account.
Execution Sample
[default]
aws_access_key_id=AKIA...
aws_secret_access_key=...

[profile1]
aws_access_key_id=AKIA1...
aws_secret_access_key=...

[profile2]
aws_access_key_id=AKIA2...
aws_secret_access_key=...
This config file defines credentials for default, profile1, and profile2 to access multiple AWS accounts.
Process Table
| Step | Command | Profile Used | Account Accessed | Result |
|------|---------|--------------|------------------|--------|
| 1 | aws s3 ls --profile profile1 | profile1 | Account1 | Lists S3 buckets in Account1 |
| 2 | aws ec2 describe-instances --profile profile1 | profile1 | Account1 | Shows EC2 instances in Account1 |
| 3 | aws s3 ls --profile profile2 | profile2 | Account2 | Lists S3 buckets in Account2 |
| 4 | aws ec2 describe-instances --profile profile2 | profile2 | Account2 | Shows EC2 instances in Account2 |
| 5 | aws s3 ls | default | Default Account | Lists S3 buckets in default account |
| 6 | aws s3 ls --profile unknown | unknown | None | Error: Profile not found |
💡 Execution stops when an invalid or unknown profile is used, causing an error.
Status Tracker
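| Variable | Start | After Step 1 | After Step 3 | After Step 5 | Final |
|----------|-------|--------------|--------------|--------------|-------|
| profile_used | none | profile1 | profile2 | default | unknown |
| account_accessed | none | Account1 | Account2 | Default Account | None (error) |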
Key Moments - 3 Insights
Why do commands fail when using a profile name not defined in the config?
Because the AWS CLI looks for credentials under the given profile name and cannot find them, causing an error as shown in step 6 of the execution table.
How does specifying --profile change which AWS account the command talks to?
The --profile option tells AWS CLI which set of credentials to use, so commands run under that profile access the corresponding AWS account, as seen in steps 1 and 3.
What happens if you run AWS CLI commands without specifying a profile?
The CLI uses the default profile credentials, accessing the default account, as shown in step 5.
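Added example (not part of the original page): an offline pre-flight check that reproduces the profile resolution from the table above against a file in the sample's format, printing which access key ID each invocation would select. It goes slightly beyond the page by also checking that the file is not readable by other users; the function names, temp file and key IDs are constructed for illustration.

```sh
#!/bin/sh
# Added example; key IDs and secrets below are constructed placeholders.

# Print every profile (section) name defined in file $1, one per line.
list_profiles() {
    awk '/^\[.*\]$/ { print substr($0, 2, length($0) - 2) }' "$1"
}

# Print the profile a command would use: $2 (as with --profile) or "default".
resolve_profile() {
    want=${2:-default}
    list_profiles "$1" | grep -Fxq -- "$want" || {
        printf 'profile not found: %s\n' "$want" >&2; return 1; }
    printf '%s\n' "$want"
}

# Print the access key ID (never the secret) stored under profile $2.
key_id_for() {
    awk -v sect="[$2]" '
        /^\[/ { inside = ($0 == sect); next }
        inside && /^aws_access_key_id[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Succeed only if group and others have no access to file $1.
perms_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Write the constructed sample file and print its path.
make_sample() {
    f=$(mktemp) || return 1
    printf '[%s]\naws_access_key_id=%s\naws_secret_access_key=placeholder\n' \
        default AKIAEXAMPLEDEFAULT00 profile1 AKIAEXAMPLEPROFILE01 \
        profile2 AKIAEXAMPLEPROFILE02 > "$f"
    printf '%s\n' "$f"
}

f=$(make_sample)
for p in profile1 profile2 "" unknown; do
    if name=$(resolve_profile "$f" "$p" 2>/dev/null); then
        echo "${p:-<none>} -> $name, key $(key_id_for "$f" "$name")"
    else
        echo "${p:-<none>} -> error: profile not found"
    fi
done
perms_private "$f" || echo "warning: $f is readable by group or others"
rm -f "$f"
```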
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, which profile is used to list S3 buckets in Account2?
A. default
B. profile1
C. profile2
D. unknown
💡 Hint
Check step 3 in the execution table where 'aws s3 ls --profile profile2' lists buckets in Account2.
At which step does the AWS CLI return an error due to an unknown profile?
A. Step 4
B. Step 6
C. Step 5
D. Step 2
💡 Hint
Look at the last row in the execution table where the profile 'unknown' causes an error.
If you remove the default profile from the config, what happens when you run 'aws s3 ls' without --profile?
A. Returns an error for missing default profile
B. Lists buckets in profile2 account
C. Lists buckets in profile1 account
D. Lists buckets in the last used profile
💡 Hint
Refer to the Status Tracker and the key moment about default profile usage when no --profile is specified.
Concept Snapshot
AWS CLI profiles let you store credentials for multiple accounts.
Use the config file to define profiles with keys.
Run commands with --profile to choose account.
Without --profile, default profile is used.
Invalid profile names cause errors.
Full Transcript
Using AWS CLI profiles allows you to manage multiple AWS accounts by storing their credentials under different profile names in the config file. When you run AWS CLI commands, you specify which profile to use with the --profile option. This tells the CLI which account to access. If you omit --profile, the CLI uses the default profile. If you use a profile name not defined, the CLI returns an error. This way, you can switch between accounts easily by changing the profile used in your commands.

Practice

1. What is the main purpose of using AWS profiles when working with multiple accounts?
easy
A. To store different account credentials separately on the same computer
B. To speed up AWS CLI commands by caching results
C. To automatically switch regions without user input
D. To encrypt data stored in AWS S3 buckets

Solution

  1. Step 1: Understand AWS profiles

    AWS profiles allow you to save different sets of credentials and settings for multiple accounts on one computer.
  2. Step 2: Identify the purpose

    This separation helps you choose which account to use without mixing credentials.
  3. Final Answer:

    To store different account credentials separately on the same computer -> Option A
  4. Quick Check:

    Profiles separate credentials = B [OK]
Hint: Profiles separate accounts by credentials [OK]
Common Mistakes:
  • Thinking profiles speed up commands
  • Confusing profiles with region switching
  • Assuming profiles encrypt data
2. Which AWS CLI command syntax correctly uses a profile named dev-account to list S3 buckets?
easy
A. aws s3 ls dev-account --profile
B. aws --profile s3 ls dev-account
C. aws --profile dev-account s3 ls
D. aws s3 ls dev-account

Solution

  1. Step 1: Recall AWS CLI profile usage

    The correct syntax places --profile dev-account as a global option right after aws, before the service s3 ls.
  2. Step 2: Match syntax to options

    aws --profile dev-account s3 ls correctly uses the profile flag.
  3. Final Answer:

    aws --profile dev-account s3 ls -> Option C
  4. Quick Check:

    Correct flag placement = A [OK]
Hint: --profile after aws, before service [OK]
Common Mistakes:
  • Placing --profile after profile name
  • Swapping command and profile flag order
  • Omitting --profile flag
3. Given these AWS CLI commands run on the same machine:
aws --profile prod s3 ls
aws --profile dev s3 ls
What will happen if the prod profile has access to 5 buckets and dev profile has access to 2 buckets?
medium
A. Both commands fail due to profile conflict
B. The first command lists 5 buckets; the second lists 2 buckets
C. Both commands list 5 buckets only
D. Both commands list 7 buckets combined

Solution

  1. Step 1: Understand profile isolation

    Each profile uses its own credentials and permissions, so commands run under different profiles see different resources.
  2. Step 2: Apply to bucket listing

    The prod profile lists 5 buckets it can access; the dev profile lists 2 buckets it can access.
  3. Final Answer:

    The first command lists 5 buckets; the second lists 2 buckets -> Option B
  4. Quick Check:

    Profiles isolate access = D [OK]
Hint: Profiles show only their own account's buckets [OK]
Common Mistakes:
  • Assuming buckets combine across profiles
  • Expecting profile conflicts cause failure
  • Thinking both profiles show same buckets
4. You run the command aws --profile test ec2 describe-instances but get an error: Could not find credentials for profile: test. What is the most likely cause?
medium
A. The EC2 service is down in your region
B. The AWS CLI version is outdated
C. You forgot to specify the region with --region
D. The profile test is not configured in your AWS credentials file

Solution

  1. Step 1: Analyze error message

    The error says credentials for profile test are missing, meaning AWS CLI cannot find that profile in config files.
  2. Step 2: Identify cause

    This usually happens if the profile was never added or misspelled in ~/.aws/credentials or ~/.aws/config.
  3. Final Answer:

    The profile test is not configured in your AWS credentials file -> Option D
  4. Quick Check:

    Missing profile config = A [OK]
Hint: Check profile exists in credentials file [OK]
Common Mistakes:
  • Blaming AWS CLI version
  • Assuming region missing causes credential error
  • Thinking service outage causes credential error
5. You want to run an AWS CLI command that uses the prod profile but also specify the region us-west-2 without changing your default region. Which command correctly does this?
hard
A. aws --profile prod --region us-west-2 s3 ls
B. aws s3 ls --region us-west-2 --profile prod
C. aws s3 ls --profile prod region us-west-2
D. aws s3 ls prod --region us-west-2

Solution

  1. Step 1: Understand flag order and usage

    Global options like --profile and --region must be placed after aws but before the service name. Their relative order does not matter.
  2. Step 2: Check options for correctness

    Only aws --profile prod --region us-west-2 s3 ls correctly places both flags before the service.
  3. Final Answer:

    aws --profile prod --region us-west-2 s3 ls -> Option A
  4. Quick Check:

    Global flags before service = C [OK]
Hint: Global flags (--profile, --region) after aws before service [OK]
Common Mistakes:
  • Omitting --profile or --region flags
  • Placing profile name without --profile flag
  • Using incorrect flag syntax