DEV Community

Alex Yaroslavsky

Multiple AWS accounts and CLI

After following this guide you will be able to switch easily and seamlessly between multiple AWS accounts and roles (with or without Okta) using the CLI.


Prerequisites:

Check out the first article in the series for requirements and initial configuration.


How To:

The following instructions are meant to be used on Linux or WSL and were tested with Ubuntu.

Configure non-Okta accounts

aws configure --profile profile
aws configure --profile multi-role-profile

Configure Okta accounts

Create a file ~/.okta-aws with the following contents:

[okta-profile]
username = <username>
factor = OKTA
app-link = https://<your-company>.okta.com/<app-link>
base-url = <your-company>.okta.com
duration = 3600

[okta-multi-role-profile]
username = <username>
factor = OKTA
app-link = https://<your-company>.okta.com/<app-link>
base-url = <your-company>.okta.com
duration = 3600

Initialize the profiles:

okta-awscli --okta-profile okta-profile --profile okta-profile
okta-awscli --okta-profile okta-multi-role-profile --profile okta-multi-role-profile

Configure accounts with multiple roles

Some accounts might use role switching. For each role, add a section like the following to ~/.aws/credentials (notice that source_profile points to a previously defined profile):

[multi-role-profile-role1]
role_arn = <role-arn>
source_profile = multi-role-profile

[okta-multi-role-profile-role1]
role_arn = <role-arn>
source_profile = okta-multi-role-profile
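A source_profile that names a missing section surfaces only when the role profile is used. As an added example (not part of the original post), this shell function checks that every role section in a credentials file has both a role_arn and a source_profile that names a section defined in the same file. The function names, sample file contents and account ID are constructed for illustration.

```bash
# Added example (not from the original post); checks only the role_arn + source_profile form.
# check_role_profiles FILE: prints one line per problem, returns 0 when all role sections are sound.
check_role_profiles() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    { sub(/\r$/, "") }                          # tolerate CRLF files edited from Windows
    /^[ \t]*\[.*\][ \t]*$/ {                    # section header, e.g. [multi-role-profile-role1]
      sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, "")
      sec = $0; seen[sec] = 1; order[++n] = sec; next
    }
    /^[ \t]*[#;]/ || sec == "" { next }         # comments and lines before the first section
    {
      i = index($0, "="); if (i == 0) next
      key = trim(substr($0, 1, i - 1)); val = trim(substr($0, i + 1))
      if (key == "role_arn") arn[sec] = val
      if (key == "source_profile") src[sec] = val
    }
    END {
      for (k = 1; k <= n; k++) {
        s = order[k]
        if (!(s in arn) && !(s in src)) continue   # ordinary profile, nothing to check
        if (!(s in arn))            msg = "source_profile without role_arn"
        else if (!(s in src))       msg = "role_arn without source_profile"
        else if (src[s] == s)       msg = "source_profile points to itself"
        else if (!(src[s] in seen)) msg = "source_profile \"" src[s] "\" is not defined"
        else continue
        print s ": " msg; bad = 1
      }
      exit bad + 0
    }' "$1"
}

# Constructed sample: the second role section references a profile missing from the file.
write_sample() {
  printf '%s\n' \
    '[multi-role-profile]' \
    'aws_access_key_id = EXAMPLE-KEY-ID' \
    '[multi-role-profile-role1]' \
    'role_arn = arn:aws:iam::111122223333:role/example-role' \
    'source_profile = multi-role-profile' \
    '[okta-multi-role-profile-role1]' \
    'role_arn = arn:aws:iam::111122223333:role/example-role' \
    'source_profile = okta-multi-role-profile'
}

sample=$(mktemp); write_sample > "$sample"
check_role_profiles "$sample" || echo "fix the sections listed above before switching profiles"
rm -f "$sample"
```

Run it against the real file with `check_role_profiles ~/.aws/credentials`.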

Associate EKS clusters with profiles

Run the following for each EKS cluster that you want kubectl access to. <profile-name> is the name of an AWS profile defined above that has permissions for this EKS cluster:

aws --profile <profile-name> eks update-kubeconfig --name <eks-cluster-name> 

Create scripts for fast account switching

The scripts switch to the relevant AWS account, point kubectl to the relevant cluster, and set a default kubectl namespace.
Create one script file per profile, and place it in your home directory.

File okta-multi-role-profile-role1:

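# Select the AWS profile for this shell session
export AWS_DEFAULT_PROFILE=okta-multi-role-profile-role1
# Point kubectl at the matching cluster and default namespace
kubectl config use-context <eks-cluster-arn>
kubectl config set-context --current --namespace=<namespace>
# Show which identity the profile resolves to
aws sts get-caller-identity
# Prefix the prompt with the active profile, once per shell
if [[ $PS1 != *"AWS_DEFAULT_PROFILE"* ]]; then
  PS1=\(\$AWS_DEFAULT_PROFILE\)$PS1
fi
echo "Switched to okta-multi-role-profile-role1"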

Switch between accounts

To quickly switch between accounts just do the following:
source <profile-file>

For example:
source okta-multi-role-profile-role1
