Imagine you have the following setup to access your AWS Accounts:

  • one AWS account (called user) contains all the users (i.e. Jon, Jane, Marc etc.)
  • every other AWS account only contains roles that the users from the user account can assume


Set-Up your credentials

  1. generate Acces Key Id and Secret Key inside the user account → see create, modify, or delete your own IAM user access keys

  2. configure credentials for user-account in AWS CLI: aws configure --profile user-account → see Konfigurieren der AWS CLI

  3. (optional) add mfa_serial to the profile user-account in ~/.aws/config (needed if MFA is forced to work with user account) → see

  4. add all the roles you want to assume from the other AWS accounts to ~/.aws/config as new profiles e.g.

    [profile user-account]
    region = eu-central-1
    output = json
    mfa_serial = arn:aws:iam::414202132317:mfa/...
    [profile dev]
    role_arn = arn:aws:iam::856650302511:role/RoleName
    source_profile = user-account
    [profile prod]
    role_arn = arn:aws:iam::835788498700:role/RoleName
    source_profile = user-account
  5. install awsume to make profile(role)-switching a breeze

use awsume

  • awsume -l to list available profiles
  • awsume dev to work with dev account (this happens via the user account, as configured in 4.)

How awsume works

awsume profile-name exports session credentials into your current terminal session and thus can be used with any AWS compatible tool.

$ env
> ...
> AWS_REGION=eu-central-1
> AWS_DEFAULT_REGION=eu-central-1
> AWSUME_PROFILE=profile-name