When working with certain third-party tools like Terraform, it's not easily possible to specify an AWS CLI profile, and I like working with the environment variables better than the profiles.
Is there a way for me to have the AWS CLI simply export the current profile as AWS_ACCESS_KEY_ID and AWS_SECRET_KEY environment variables to my session?
The AWS CLI stores sensitive credential information that you specify with aws configure in a local file named credentials, in a folder named .aws in your home directory. The less sensitive configuration options that you specify with aws configure are stored in a local file named config, also stored in the .
To see which profile is your default AWS CLI profile, run the aws configure list command. The command shows the name of the default profile, the profile's security credentials and region.
You could use the following commands to set your environment variables:
aws configure get default.aws_access_key_id
aws configure get default.aws_secret_access_key
If you have another profile, you can change it; another way to write this is:
aws configure get aws_access_key_id --profile <new_profile>
aws configure get aws_secret_access_key --profile <new_profile>
So, for example, it would be:
export TF_VAR_access_key=`aws configure get default.aws_access_key_id`
Terraform actually directly supports AWS CLI profiles: just set an appropriate profile attribute in the aws provider block.
Something like this should do the trick:
provider "aws" {
  profile = "my_profile"
}
If you are instead in a situation in which you have to use environment variables, Frederic's suggestion can be used this way:
export AWS_ACCESS_KEY_ID=$(aws configure get my_profile.aws_access_key_id)
export AWS_SECRET_ACCESS_KEY=$(aws configure get my_profile.aws_secret_access_key)
If you want to pass environment vars to a script use:
AWS_ACCESS_KEY_ID=$(aws configure get my_profile.aws_access_key_id) \
AWS_SECRET_ACCESS_KEY=$(aws configure get my_profile.aws_secret_access_key) \
./script.sh
If you use profiles to assume a role specified in config field role_arn, then things get a little trickier as the credentials are generated on the fly (and expire after a while).
But it's still feasible:
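# Read the temporary credentials into shell variables, then export them
# so that child processes (Terraform, scripts) can see them.
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< \
  "$(aws sts assume-role \
      --role-arn "$(aws configure get my_profile.role_arn)" \
      --role-session-name my_profile_session --output text | \
    awk '/^CREDENTIALS/ { print $2, $4, $5 }')"
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN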
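The two cases above (a static-key profile and a role_arn profile) combined into one function, as an added example that is not part of the original answers. The function names are hypothetical, and it assumes a role profile names its credential source with source_profile (falling back to default):

```sh
# Added example, not from the original answers; function names are hypothetical.
# Source this file, then run: aws_export_profile my_profile

# Export "KEY SECRET [TOKEN]"; reject incomplete input so a failed lookup
# never leaves half-set credentials in the environment.
_aws_export_line() {
  read -r _k _s _t <<EOF
$1
EOF
  [ -n "$_k" ] && [ -n "$_s" ] || return 1
  export AWS_ACCESS_KEY_ID="$_k" AWS_SECRET_ACCESS_KEY="$_s"
  if [ -n "$_t" ]; then
    export AWS_SESSION_TOKEN="$_t"
  else
    unset AWS_SESSION_TOKEN  # a stale token would be sent with the new keys
  fi
  unset _k _s _t
}

aws_export_profile() {
  _p=$1
  if _role=$(aws configure get role_arn --profile "$_p") && [ -n "$_role" ]; then
    # Role profile: call STS with the source profile's credentials
    # (assumption: source_profile is set, else "default" is used).
    _src=$(aws configure get source_profile --profile "$_p") || _src=default
    _line=$(aws sts assume-role --profile "$_src" --role-arn "$_role" \
      --role-session-name "${_p}_session" --output text \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]') || return 1
  else
    # Static profile: key and secret are required, the token is optional.
    _k=$(aws configure get aws_access_key_id --profile "$_p") || return 1
    _s=$(aws configure get aws_secret_access_key --profile "$_p") || return 1
    _t=$(aws configure get aws_session_token --profile "$_p") || _t=
    _line="$_k $_s $_t"
  fi
  _aws_export_line "$_line"
}
```

Nothing is printed, so the secrets stay out of the terminal scrollback; the role credentials expire, so the function has to be rerun when they do.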
There was no way previously, but there is now.
I wrote a script to do exactly this, aws-env:
usage: aws-env [-h] [-n] profile

Extract AWS credentials for a given profile as environment variables.

positional arguments:
  profile          The profile in ~/.aws/credentials to extract credentials
                   for.

optional arguments:
  -h, --help       show this help message and exit
  -n, --no-export  Do not use export on the variables.
If you trust the output of this program, you can use it within your shell session to export the variables of a given profile:
$ aws-env profile-name
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
$ aws-env -n profile-name
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
To export the variables into the current environment variables, execute the output as a command (again, once you have reviewed the source code ;]):
$ echo $AWS_ACCESS_KEY_ID
$ $(aws-env profile-name)
$ echo $AWS_ACCESS_KEY_ID
AKJHC...