如何在使用 AWS Organizations 从 aws-cli 创建的账户之间切换

Question

I am using AWS Organizations from my master account to create sub-accounts like prod, dev, playground etc.

Inside the AWS Console it is easy to switch between the accounts by clicking the "Switch Role" button.

How do I achieve the same from the aws-cli using profiles? Can somebody list the least amount of steps necessary to achieve that?

When I search the internet (and I have) I find very different solutions and many of them involving creating new roles from scratch. However, I figure that I should be able to use the AWSServiceRoleForOrganizations role already created by AWS Organizations.

Thank you

Answer 1

I figured it out. In the credentials file add:

[master] aws_access_key_id = xxxxxxxxxxxxxxxxxxxxx aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxx

[sub-account] role_arn = arn:aws:iam::XXXXXXXXXXXX:role/OrganizationAccountAccessRole source_profile = master

Where XXXXXXXXXXXX is the account number of the sub-account.

Answer 2

In your ~/.aws/config and ~/.aws/credentials file you need to add different profiles and credentials .

Place your keys in your ~/.aws/credentials file.

[default]
aws_access_key_id=XXXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXX/XXXXXX/XXXXXXXXX

[dev]
aws_access_key_id=XXXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXX/XXXXXX/XXXXXXXXX

[playground]
aws_access_key_id=XXXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXX/XXXXXX/XXXXXXXXX

[prod]
aws_access_key_id=XXXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXX/XXXXXX/XXXXXXXXX

Modify your ~/.aws/config file. Remember to Add the prefix 'profile'

[default]
region=us-west-2

[profile dev]
region=us-east-1

[profile playground]
region=us-east-1

[profile prod]
region=us-east-1

Now you can switch between profile by using the --profile flag

aws s3 ls --profile dev # will use keys and config from dev profile

aws s3 ls # will use keys and config from default profile

aws s3 ls --profile production # will use and config keys from prod profile