It is pretty common for a company to have multiple aws accounts. A cloud administrator may find him/her self needing to switch accounts regularly. When doing so, s/he also needs to be aware which account’s profile s/he is under. Fortunately, zsh running on MacOS, Linux, or Windows WSL can assist!
Assumptions:
- zsh with oh-my-zsh framework installed
aws
plugin is enabled in~/.zshrc
file. By default,git
plugin is enabled. You need to addaws
into the line that starts withplugins=
. Example:plugins=(git aws)
aws
CLI tool installed. Create~/.aws
if you don’t already have it.
Create config
file for aws
CLI
You will need to have your .aws/config
file setup. For each aws account that you’d like to manage, you will need to have a corresponding profile
. Typically, an organization has only one sso_start_url
, so you just need one section of sso-session
. Here is an example config:
[default]
region = us-west-2
cli_pager=
sso_session = coffee
sso_account_id = 111111111111
sso_role_name = aws-111111111111-dev
[profile selab]
region = us-west-2
cli_pager=
sso_session = coffee
sso_account_id = 222222222222
sso_role_name = aws-222222222222-prod
[profile haidong]
region = us-east-2
cli_pager=
aws_access_key_id=key_id
aws_secret_access_key=secret
[sso-session coffee]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start/#
sso_region = us-west-2
sso_registration_scopes = sso:account:access
Use oh-my-zsh
plugin to switch between accounts
With the plugin and config
file in place, now you are ready to switch and manage easily.
If a profile uses aws_access_key_id
and aws_secret_access_key
, but not SSO, you can simply run something like this:
asp
haidong
If a profile uses SSO, for example the default profile, run:
asp default login
Your default browser will then open with the authorization page. Click “Confirm and Continue”, then “Allow Access”. On your terminal, you will see something like this:
➜ ~ asp default login
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-west-2.amazonaws.com/
Then enter the code:
AAAA-BBBB
Successfully logged into Start URL: https://d-xxxxxxxxxx.awsapps.com/start/#
➜ ~
Afterwards, you will have the aws account credential downloaded automatically. On your terminal, you will see the RPROMPT
value, displayed on the right, with the aws profile you are currently under, along with region. Knowing this can save you from making costly fat finger mistakes.
To make sure the credential works, you can run a quick command to confirm, such as aws s3 ls
.
To switch to a different profile, just run asp profile_name login
again.
Within the same account, switching between different regions is also a common task. To do so, run asr new-region
. If you don’t remember the region name, use tab completion for prompts.
Sometimes the RPROMPT
can be annoying, you can turn it off by adding:SHOW_AWS_PROMPT=false
into your .zshrc
file.
Happy coding!
One response to “Switch between different aws accounts using zsh”
[…] In my last post, I shared my method of switching between different aws account using oh-my-zsh. […]