The AWS Management Console lets you interact with services through a web interface, but you can also reach the same services through the AWS Command Line Interface (CLI). To interact with AWS via the CLI, you authenticate with IAM user credentials. When you work with several IAM roles across your AWS accounts, it is possible (and common) to keep several AWS profiles on your local machine. Instead of creating a separate IAM user for each set of permissions, whether in one AWS account or another, it is better to assume each IAM role from a single IAM user.
In this tutorial, we guide you through writing an AWS config file so that you can easily switch between different IAM roles using a single IAM user.
On your local machine, you interact with AWS services remotely using the AWS CLI (AWS Command Line Interface). To install the AWS CLI, you can find detailed instructions here.
When you create an account in your organization, in addition to the root user, AWS Organizations automatically creates an IAM role that is named OrganizationAccountAccessRole by default. However, you can specify a different name for the IAM role if you want to. In this guide, we refer to the role as allow-full-access-from-other-accounts. This role allows you to access the member account by assuming the role.
To use the IAM role, create or update the AWS config file on your local machine. It is located at ~/.aws/config
Add or edit the file with the following contents:
# Access keys (aws_access_key_id / aws_secret_access_key) for this IAM user
# belong in ~/.aws/credentials under [<your account name>]. In ~/.aws/config,
# every named profile needs the "profile" prefix or the CLI ignores the section.
[profile <your account name>]
aws_account_id = <AWS Root Account ID>
output = json

# One profile per member account: the CLI assumes role_arn using the
# credentials of source_profile. Keep comments on their own line, because
# text after a value is read as part of that value.
[profile <your account name>-<environment name 1>]
source_profile = <your account name>
role_arn = arn:aws:iam::<AWS Member Account ID #1>:role/OrganizationAccountAccessRole
region = <AWS Region>
# Optional, if you have activated an MFA device: the device is attached to the
# IAM user in the root account, so its ARN carries that account ID.
mfa_serial = arn:aws:iam::<AWS Root Account ID>:mfa/<IAM User Name>

[profile <your account name>-<environment name 2>]
source_profile = <your account name>
role_arn = arn:aws:iam::<AWS Member Account ID #2>:role/OrganizationAccountAccessRole
region = <AWS Region>
# Optional, same MFA device as above
mfa_serial = arn:aws:iam::<AWS Root Account ID>:mfa/<IAM User Name>

# ...

[profile <your account name>-<environment name N>]
source_profile = <your account name>
role_arn = arn:aws:iam::<AWS Member Account ID #N>:role/OrganizationAccountAccessRole
region = <AWS Region>
# Optional, same MFA device as above
mfa_serial = arn:aws:iam::<AWS Root Account ID>:mfa/<IAM User Name>
You have now learnt how to edit the AWS config file. With it, you can run the AWS CLI under different IAM roles. For example, to list all S3 buckets, run this command:
aws s3 ls --profile <Your AWS profile>
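As an added example (not part of this tutorial), the POSIX shell script below reads the role_arn of each assume-role profile from a config file in the layout above and compares it with the account ID that `aws sts get-caller-identity` reports for that profile, so a profile that points at the wrong account is noticed before you run anything in it. The profile names myorg, myorg-dev and myorg-prod, the account IDs and the RUN_LIVE opt-in switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): check that each assume-role profile
# really resolves to the account its role_arn names. Profile names and
# account IDs below are constructed.
# Print the 12-digit account ID embedded in the role_arn of profile $2
# in config file $1 (prints nothing if the profile has no role_arn).
expected_account() {
  awk -v want="[profile $2]" '
    /^\[/ { in_section = ($0 == want); next }
    in_section && $1 ~ /^role_arn/ {
      sub(/^[^=]*=[ \t]*/, ""); split($0, a, ":"); print a[5]; exit
    }' "$1"
}
# Succeed only when the account STS reported ($3) equals the one configured
# for profile $2 in file $1; an unknown profile also fails.
check_profile() {
  expected=$(expected_account "$1" "$2")
  [ -n "$expected" ] && [ "$expected" = "$3" ]
}
# Constructed config in the tutorial's layout, written to a temp file.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
[profile myorg]
output = json

[profile myorg-dev]
source_profile = myorg
role_arn = arn:aws:iam::111111111111:role/OrganizationAccountAccessRole
region = us-east-1

[profile myorg-prod]
source_profile = myorg
role_arn = arn:aws:iam::222222222222:role/OrganizationAccountAccessRole
region = us-east-1
EOF
# Offline demonstration against the constructed file.
check_profile "$SAMPLE_CONFIG" myorg-prod 222222222222 && echo "myorg-prod: consistent"
check_profile "$SAMPLE_CONFIG" myorg-prod 111111111111 || echo "myorg-prod: mismatch caught"
# Live check (needs real credentials; RUN_LIVE is an assumed opt-in switch).
if [ -n "${RUN_LIVE:-}" ]; then
  for p in myorg-dev myorg-prod; do
    actual=$(aws sts get-caller-identity --profile "$p" --query Account --output text)
    check_profile "$HOME/.aws/config" "$p" "$actual" && echo "$p OK" || echo "$p MISMATCH"
  done
fi
```

Set RUN_LIVE=1 and replace the profile names with your own to run the live comparison against ~/.aws/config.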
Tips: