Account switching methods that every cloud engineer needs to know
Using multi-account strategy is the best practice in AWS, which has been adopted by many organisations. In my observation, a lot of cloud engineers still use Incognito mode to switch between accounts. When there are more than two accounts, they have to constantly sign out and sign in to a different account, which can become a big time waster. I will introduce methods to switch accounts in console and CLI, in personal and corporate environment.
Account switching in Management Console
Let’s look at account switching in personal environment first. Here, personal environment refers to the setup where you have administrative access.
IAM Identity Center (Successor to Single Sign-On)
In my opinion, this is the best approach so far because we can keep multiple accounts’ windows open. Here’s the guide to set it up in the console.
Log into the management account, enable IAM Identity Center, click “AWS accounts“ under Multi-account permissions. Select all accounts that you want to enable SSO, click “Assign users or groups“.
The email address we put in this form will be the one to receive the invitation to access AWS portal. We will also get AWS access portal URL.
Here, since there’s no permission sets listed yet, we need to create it first.
Now let’s find out the email and follow the instruction to create new password, then log in.
TA-DA! Your setup is done! You will see your screen like this!
This is a feature provided by AWS. You can either be in account A or B.
Say, if you’re logged in account A, and want to switch to account B, you need to create a role in account B to allow this. You can set up permissions as you like, but make sure the trust policy is set up like the below.
Now we log in as account A, clicking “Switch role“ will take us to the popup window.
The value of Account would be the account B id while the value of Role would be the role you created in account B.
If you switch successfully, you will see this.
AWS Extend Switch Roles addon
There are some limitations to using Switch Role. Most importantly, the history can only show a maximum of five records. Every time you want to switch to the account not shown in the history, you have to enter the account and role again. If you use Firefox, I would suggest using AWS Extend Switch Roles extension.
Click “AWS Extend Switch Roles“ in the Extensions list.
You will see an error message at the first time you open this extension. Ignore that and click “Configuration“.
Follow the example shown at right hand side to fill in accounts that you want to switch to.
When it’s all configured, when next time you open this extension, you can see the role list.
If your organisation uses IAM Identity Center, you’re quite lucky! You don’t need to set up anything to SSO.
The container setup is quite simple.
Cool! Now you can see “Open in New Container Tab“ option when you right-click a tab page.
Account switching in CLI
The prerequisite to use CLI to interact with AWS is that you have programmatic access. Switching account in CLI is very simple. It is through
--profile. For example,
aws s3 ls --profile PROFILE_NAME
You can also setting profile name for all without setting it again in each call.
Configure profile in CLI
% aws configure --profile PROFILE_NAME
It would prompt you to fill in the following 4 variables.
AWS Access Key ID [None]: AWS Secret Access Key [None]: Default region name [None]: Default output format [None]:
It’s not mandatory to provide all values now. You can leave some blank.
Configure profile in file
As you may have noticed already, a profile setup contains 2 parts, credentials and config. AWS has files to store the data. So we can directly edit
config files under
~/.aws folder. They look like these:
[default] aws_access_key_id = xxxxxxxxxx aws_secret_access_key = xxxxxxxxxx [dev] aws_access_key_id = xxxxxxxxxx aws_secret_access_key = xxxxxxxxxx [prod] aws_access_key_id = xxxxxxxxxx aws_secret_access_key = xxxxxxxxxx
[default] region = us-east-1 output = txt [profile dev] region = ap-southeast-2 output = json [profile prod]
If you name your profile default, that profile would become the DEFAULT one when no
--profile parameter is provided.
Without you realising, account switching is one of the things that we do a lot in day-to-day work. However, I have seen too many people wasting time in this. If you have admin permission and want to log into console, you have many options. Personally, I would choose IAM Identity Center over Extend Switch Roles addon. Plain Switch Role feature would be my last choice. If the above three methods don’t work or you’re in a corporate environment, you can utilise browser container extension. Switching account in CLI is fairly simple. All you need is programmatic access and saved files of credentials. Well in the end, I hope that you enjoyed this article or have learnt something new.