Frail and faltering follower of Jesus

Test driving aws-profile

By Gavin Davies

aws-profile is “a wrapper script to generate and pass AWS AssumeRole keys to other scripts”. I tried it out.

When you’re working with a single AWS account, life is easy. One set of credentials, one login, no worries. However, most orgs have multiple AWS accounts. What to do?!

In the past, I’ve used a tool called aws-vault to manage multiple AWS accounts and that works extremely well. However, in a recent engagement, the team are using aws-profile.

Unlike aws-vault, aws-profile works with your basic .aws/credentials file, using the source_profile to figure out which accounts are gateways to other accounts (a common pattern is to have a security account that handles authentication, from where access is delegated to other AWS accounts).

Beyond that, there’s not a lot to it. It’s simply a 110-line Python script (at the time of writing!), so that’s appealing.

So, here’s an example usage:

aws-profile -p my-deployment-account poetry run python tools/ -e test-44

Any gotchas?

Not in my usage so far. The only thing I’d say is I get mixed up with Python environments - see this XKCD. I’ll cover PyEnv and PipEnv on a later post, but suffice to say, I’m not someone who has done a MASSIVE amount of python, so I just have this slight feeling that I’m not confident in it because in the past I’ve had issues with my system Python conflicting with user-installed versions. That’s in no way a fault of the tool or the Python ecosystem really, just my relative unfamiliarity.

It’s not got a huge amount of stars or watchers on Github, but in the week or so I’ve been using the tool, it’s been good :-)

Worth a bash?

I reckon so, particularly if you’re already Python-comfortable.

I’d say aws-vault is more powerful and flexible, but if all you need is a simple switcher, aws-profile is the boy :-)