Configuring AWS Named Profiles
Source: Dev.to
Introduction
When working with multiple AWS accounts you need a way to tell the AWS CLI and Terraform which account to use for each operation. Named profiles provide a convenient solution.
What Is an AWS Named Profile?
A named profile is a collection of credentials and configuration settings that represents a specific identity in a specific AWS account. By defining profiles once in your local AWS configuration files, you can reference them by name instead of constantly switching credentials or passing them as command‑line arguments.
Typical profile names
- management-admin – Administrator access to the management account
- backend-dev-admin – Administrator access to the development account
- backend-prod-developer – Limited developer access to production
Using Named Profiles with Terraform
provider "aws" {
  region  = "us-east-1"
  profile = "backend-dev-admin"
}
When Terraform runs, it looks for the specified profile in your local AWS configuration files and authenticates accordingly.
AWS Configuration Files
Profiles are defined in two files located in your home directory:
- ~/.aws/credentials – Stores authentication credentials (access keys or SSO configuration)
- ~/.aws/config – Stores regional and output preferences
Authentication Methods
1. AWS SSO (Recommended)
SSO provides temporary credentials that automatically expire, aligning with AWS best practices.
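~/.aws/config
# The AWS CLI reads sso_* settings and the "profile " section prefix from ~/.aws/config,
# so the SSO settings sit in the same section as the regional and output preferences.
[profile management-admin]
sso_start_url = https://mycorp.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1
output = json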
Using an SSO Profile
# Log in to the SSO profile (opens a browser)
aws sso login --profile management-admin
# Verify the credentials
aws sts get-caller-identity --profile management-admin
2. Long‑Lived Access Keys (Discouraged)
Storing static access keys is possible but not recommended because they do not expire automatically and pose a higher security risk.
# ~/.aws/credentials (avoid if possible)
[management-admin]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Important: The default profile (the [default] section, written without a profile prefix) is used when no specific profile is specified. For safety, leave it unconfigured.
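An added example, not part of the original article: a local audit of the two AWS files that flags static access keys, a configured default profile, and the "profile " section prefix used in the credentials file, where the AWS CLI does not expect it. The function name, finding labels and sample file contents are assumptions constructed for illustration.

```python
import configparser

# Constructed sample files; the AKIA key pair is AWS's documentation example.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[profile backend-dev-admin]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-secret
aws_session_token = constructed-token
"""

SAMPLE_CONFIG = """\
[profile management-admin]
sso_start_url = https://mycorp.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1
"""

def audit_profiles(credentials_text, config_text):
    """Return sorted (file, profile, finding) tuples for risky profile settings."""
    findings = set()
    for fname, text in (("credentials", credentials_text), ("config", config_text)):
        # interpolation=None: secret keys may contain '%'; strict=False: tolerate duplicates
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read_string(text)
        for section in parser.sections():
            name = section
            if section.startswith("profile "):
                name = section[len("profile "):].strip()
                if fname == "credentials":
                    # The "profile " prefix is only valid in ~/.aws/config.
                    findings.add((fname, name, "profile-prefix-in-credentials"))
            keys = parser[section]
            # A key ID with no session token is a long-lived credential.
            if "aws_access_key_id" in keys and "aws_session_token" not in keys:
                findings.add((fname, name, "static-access-key"))
            # The article advises leaving the default profile unconfigured.
            if name == "default" and len(keys) > 0:
                findings.add((fname, name, "default-profile-configured"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_CREDENTIALS, SAMPLE_CONFIG):
        print(*finding, sep="\t")
```

To audit a real workstation, pass the contents of ~/.aws/credentials and ~/.aws/config to audit_profiles instead of the samples.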
Verifying Profile Configuration
SSO Profiles
aws sso login --profile management-admin # Opens browser for authentication
aws sts get-caller-identity --profile management-admin
Access‑Key Profiles
aws sts get-caller-identity --profile management-admin
A successful call returns JSON similar to:
{
"UserId": "AROA...:user@example.com",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/AdministratorAccess/user@example.com"
}
Additional Checks
# List S3 buckets
aws s3 ls --profile management-admin
# List EC2 instances in a specific region
aws ec2 describe-instances --region us-east-1 --profile management-admin
If you encounter UnauthorizedOperation or AccessDenied errors, verify that the IAM user or role attached to the profile has the necessary permissions.
Working Without SSO
If SSO is not yet enabled, you can create a dedicated IAM user with a minimal set of permissions required for your Terraform/Terragrunt workflows. Store its access keys in a named profile (e.g., acme-root) and use the same verification steps above.
Summary
- Define named profiles in ~/.aws/credentials and ~/.aws/config.
- Prefer AWS SSO for secure, temporary credentials.
- Use aws sso login --profile <profile> before running Terraform or other CLI commands.
- Verify each profile with aws sts get-caller-identity and basic resource listings.
With properly configured named profiles, you can safely manage multiple AWS accounts and deploy infrastructure using Terraform and Terragrunt.