# AWS cli named profiles The [[AWS cli]] stores configuration in `~/.aws/config`. Each section, called a profile, stores a separate config. The `[default]` section stores defaults and is the profile used when no other [named profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) is active. ```ad-note Named profiles in `~/.aws/config` start with the heading `[profile PROFILE_NAME]`. Per-profile credentials in the `~/.aws/credentials` file have heading `PROFILE_NAME` ``` ## Use a profile Per-command, use the `--profile NAME` flag (overriding `AWS_PROFILE`) ```bash aws ec2 describe-instances --profile user1 ``` Activate a profile for all command invocations by setting the `AWS_PROFILE` env var. ```bash export AWS_PROFILE=user1 ``` ## SSO with `aws-sso-util` Simplify [[SSO Federated Authentication|SSO]] by using [benkehoe/aws-sso-util](https://github.com/benkehoe/aws-sso-util) Set `AWS_DEFAULT_SSO_START_URL` and `AWS_DEFAULT_SSO_REGION` ^[or pass them as parameters to `asw-sso-util` every time] ### Configure profiles Configure `~.aws/config` with the profiles for the relevant SSO accounts and roles you have access to. - `asw-sso-util configure profile PROFILE_NAME` configures a single profile - `asw-sso-util configure populate` configures all the profiles the SSO session has access to. ### Login / Logout (Re-)authenticate to establish fresh credentials or expire a session. ^[this is the crux of `aws-sso-util` since `aws sso login` requires an explicit account and role, which defeats the purpose of **single** sign on.] ### Debugging issues `aws-sso-util check` ### SSO support with AWS SDKs `aws-sso-util credential-process` acts as a valid credential lookup helper process. If you used `aws-sso-util profile` for configuration, the profile is automatically configured to use the credential-process ## Resources - [Named profiles - AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) --- - Links: - Created at: [[2021-07-15]]