Overview
Guides
AWS Credentials

AWS Credentials

The Problem

The simplest way to use AWS Security Credentials (opens in a new tab) (AWS_ACCESS_KEY_ID, ...) is to copy and paste them from your provider (like IAM Identity Center) into your shell. However, what happens when you need to start a new shell process (new terminal tab) and still need your AWS credentials? You'll need to copy and paste them from your provider again 🙄.

AWS CLI

In order to persist credentials between shell processes, you can use the ~/.aws/credentials and ~/.aws/config files which are automatically recognized by the AWS CLI, SDKs, and CDK.

AWS recommends using temporary credentials using IAM Roles. Try to avoid using long-lived IAM User credentials.

You can persist credentials exported into your terminal with the following commands:

aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
aws configure set aws_session_token "$AWS_SESSION_TOKEN"

Checkout your ~/.aws/credentials and ~/.aws/config to confirm the credentials have been saved:

cat ~/.aws/credentials

This works, but what if you're switching between multiple AWS accounts and want to save different sets of credentials? We need a way to separate and identify sets of credentials. This is what the AWS_PROFILE environment variable is for. You can append --profile "$AWS_PROFILE" to each of the previous aws configure set... commands with an exported AWS_PROFILE environment variable to identify sets of credentials.

Alias

To make the previous commands easier to run, you can create an alias, uac (update aws credentials), in your shell configuration file (.zschrc, ...) like below:

.zshrc
alias uac='(
  aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile "$AWS_PROFILE"
  aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY" --profile "$AWS_PROFILE"
  aws configure set aws_session_token "$AWS_SESSION_TOKEN" --profile "$AWS_PROFILE"
  echo "AWS Credentials Updated ✅"
)'

Now, with your AWS credentials and AWS_PROFILE in your shell process, you can simply run uac and your AWS credentials will be persisted but you'll need to ensure the AWS_PROFILE environment variable is set so that AWS tools know which persisted credentials to use. This is where direnv (opens in a new tab) can help.

direnv

direnv is an extension for your shell that loads and unloads environment variables in your current shell based on your current working directory. This means you can add a .envrc file at the root of your monorepo that looks like:

.envrc
export AWS_PROFILE=my-profile

Then run direnv allow and now AWS_PROFILE will be set in any new shell process created within your monorepo. Prove this by running printenv | grep AWS. You'll notice in gboost create templates, there are .envrc files already setup for you with commonly needed environment variables like AWS_PROFILE. We also include DB related environment variables so you easily connect to your DB locally. You're welcome to set other environment variables you commonly need within your .envrc file.