Switch between different aws accounts using zsh


It is pretty common for a company to have multiple aws accounts. A cloud administrator may find themselves needing to switch accounts regularly, and when doing so they also need to be aware of which account's profile they are under. Fortunately, zsh running on macOS, Linux, or Windows WSL can assist!

Assumptions:

  • zsh with oh-my-zsh framework installed
  • aws plugin is enabled in the ~/.zshrc file. By default, only the git plugin is enabled; you need to add aws to the line that starts with plugins=. Example:
    plugins=(git aws)
  • aws CLI tool installed. Create the ~/.aws directory if you don't already have it.

Create config file for aws CLI

You will need to have your ~/.aws/config file set up. For each aws account that you'd like to manage, you will need a corresponding profile. Typically, an organization has only one sso_start_url, so you need just one sso-session section. Here is an example config:

[default]
region = us-west-2
cli_pager=
sso_session = coffee
sso_account_id = 111111111111
sso_role_name = aws-111111111111-dev
[profile selab]
region = us-west-2
cli_pager=
sso_session = coffee
sso_account_id = 222222222222
sso_role_name = aws-222222222222-prod
[profile haidong]
region = us-east-2
cli_pager=
aws_access_key_id=key_id
aws_secret_access_key=secret
[sso-session coffee]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start/#
sso_region = us-west-2
sso_registration_scopes = sso:account:access

Use oh-my-zsh plugin to switch between accounts

With the plugin and config file in place, now you are ready to switch and manage easily.

If a profile uses aws_access_key_id and aws_secret_access_key, but not SSO, you can simply run something like this:

asp haidong

If a profile uses SSO, for example the default profile, run:

asp default login

Your default browser will then open with the authorization page. Click “Confirm and Continue”, then “Allow Access”. On your terminal, you will see something like this:

➜ ~ asp default login
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-west-2.amazonaws.com/

Then enter the code:

AAAA-BBBB
Successfully logged into Start URL: https://d-xxxxxxxxxx.awsapps.com/start/#
➜ ~

Afterwards, the aws account credentials are fetched and cached automatically. On your terminal, you will see the RPROMPT value, displayed on the right, with the aws profile you are currently under, along with its region. Knowing this can save you from making costly fat-finger mistakes.

To make sure the credentials work, run a quick command to confirm, such as aws s3 ls.

To switch to a different profile, just run asp profile_name login again.

Within the same account, switching between regions is also a common task. To do so, run asr new-region. If you don't remember the region name, use tab completion.
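The config file above and the "make sure the credentials work" step both come down to one question: does the profile my shell says is active actually point at the account I think it does? The plugin's RPROMPT shows the profile name, but the account id lives in ~/.aws/config. The POSIX sh snippet below is an added example, not part of the original post or of the oh-my-zsh aws plugin: it parses the same config layout (the sample file is constructed here with placeholder ids that mirror the post), lists each profile with its region, account id and authentication type, and provides an aws_account_matches check that compares the sso_account_id configured for a profile against an account id you pass in. In real use that second argument comes from aws sts get-caller-identity --query Account --output text; it is a parameter here so the example runs offline. All function names are this example's own.

```shell
#!/bin/sh
# Constructed sample ~/.aws/config with the same shape as the post's example.
# Account ids, role names and the start URL are placeholders, not real values.
SAMPLE_AWS_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_AWS_CONFIG"' EXIT
cat > "$SAMPLE_AWS_CONFIG" <<'EOF'
[default]
region = us-west-2
cli_pager=
sso_session = coffee
sso_account_id = 111111111111
sso_role_name = aws-111111111111-dev
[profile selab]
region = us-west-2
cli_pager=
sso_session = coffee
sso_account_id = 222222222222
sso_role_name = aws-222222222222-prod
[profile haidong]
region = us-east-2
cli_pager=
aws_access_key_id=key_id
aws_secret_access_key=secret
[sso-session coffee]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start/#
sso_region = us-west-2
sso_registration_scopes = sso:account:access
EOF

# aws_config_get PROFILE KEY [CONFIG_FILE]
# Print the value of KEY inside PROFILE's section. Both "[default]" and
# "[profile name]" headers are understood; whitespace around "=" is ignored.
aws_config_get() {
  profile=$1; key=$2; cfg=${3:-$HOME/.aws/config}
  awk -v want="$profile" -v key="$key" '
    /^\[/ {
      sec = $0; sub(/^\[/, "", sec); sub(/\]$/, "", sec); sub(/^profile /, "", sec)
      insec = (sec == want); next
    }
    insec && index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) {
        v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; exit
      }
    }' "$cfg"
}

# aws_list_profiles [CONFIG_FILE]
# Print one profile name per line, skipping sso-session sections.
aws_list_profiles() {
  cfg=${1:-$HOME/.aws/config}
  awk '/^\[/ {
    s = $0; sub(/^\[/, "", s); sub(/\]$/, "", s)
    if (s == "default") print s
    else if (s ~ /^profile /) { sub(/^profile /, "", s); print s }
  }' "$cfg"
}

# aws_profile_auth PROFILE [CONFIG_FILE]
# Classify how a profile authenticates: "sso" (needs asp PROFILE login),
# "static-keys" (plain asp PROFILE works), or "unknown".
aws_profile_auth() {
  profile=$1; cfg=${2:-$HOME/.aws/config}
  if [ -n "$(aws_config_get "$profile" sso_session "$cfg")" ] ||
     [ -n "$(aws_config_get "$profile" sso_start_url "$cfg")" ]; then
    echo sso
  elif [ -n "$(aws_config_get "$profile" aws_access_key_id "$cfg")" ]; then
    echo static-keys
  else
    echo unknown
  fi
}

# aws_account_matches PROFILE OBSERVED_ACCOUNT_ID [CONFIG_FILE]
# Return 0 when the sso_account_id configured for PROFILE equals the account id
# observed at runtime (from: aws sts get-caller-identity --query Account --output text).
# Return 2 when the profile has no sso_account_id, so the check cannot be made.
aws_account_matches() {
  profile=$1; observed=$2; cfg=${3:-$HOME/.aws/config}
  expected=$(aws_config_get "$profile" sso_account_id "$cfg")
  if [ -z "$expected" ]; then
    echo "no sso_account_id configured for profile '$profile'; cannot verify" >&2
    return 2
  fi
  [ "$expected" = "$observed" ]
}

# Summary of every profile in the sample file: name, region, account, auth type.
for p in $(aws_list_profiles "$SAMPLE_AWS_CONFIG"); do
  printf '%-10s %-10s %-13s %s\n' "$p" \
    "$(aws_config_get "$p" region "$SAMPLE_AWS_CONFIG")" \
    "$(aws_config_get "$p" sso_account_id "$SAMPLE_AWS_CONFIG")" \
    "$(aws_profile_auth "$p" "$SAMPLE_AWS_CONFIG")"
done
```

A practical way to use the check from zsh is a wrapper you run before anything destructive, for example aws_account_matches "$AWS_PROFILE" "$(aws sts get-caller-identity --query Account --output text)" || return; asp sets AWS_PROFILE, so the wrapper needs no extra arguments. Note that the check is only possible for SSO profiles: the haidong profile keeps long-lived keys directly in the config file with no account id, which is also a reason to keep that file readable by your user only.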

If the RPROMPT gets in the way, you can turn it off by adding:
SHOW_AWS_PROMPT=false
to your .zshrc file.

Happy coding!

