How to Use Multiple AWS Accounts on the Command Line

John John (304)

If you're using AWS for more than one project, you'll need to learn how to switch easily between accounts. This guide will show you a few ways to manage multiple AWS accounts on the command line, including a few tips to make your life easier.

Posted in these interests:
h/devops7 guides
h/aws1 guide

You should consult the AWS docs for official instructions. I'm not going to post them here, because they will likely change and the instructions are heavily dependent on your operating system and a few other factors. Open the link to their docs, and choose the installation type that's suitable for you.

Once you've got the aws tool installed locally, you'll want to log in to your AWS accounts. To do so, you'll need an AWS user with Programmatic access enabled as well as your access key id and secret access key.

If you're logging in to a single account, you can simply use:

aws configure

You'll need to enter your access key id and secret access key here as well as your default region. This will create a default profile using these credentials.

I wanted to note the existence of the default profile, since this is the default behavior. But since this guide is about managing multiple AWS accounts, we're going to create custom profiles for each account.

If you would consider one of your AWS accounts to be your default account, you can begin using the method described above. But for any other accounts, you'll want to use the same command with the --profile option specified.

aws configure --profile=howchoo

This would create another profile named howchoo that uses credentials associated with another AWS user (or account). Of course, you'll want to name the profile something memorable and relevant to the user/account that it belongs to.

You can create as many profiles as you need, and all profiles are stored in ~/.aws/credentials.

With multiple profiles in place, if you run the aws command, it will automatically use the default profile. Specifying a different profile is as easy as adding the --profile option to the command, like this:

aws --profile=howchoo ...

Tip: Use an alias to simplify this process

If you find yourself using profiles frequently, you can create an alias to simplify the process. Add the following to your ~/.bashrc or ~/.zshrc (or whatever shell config is appropriate):

alias awsh="aws --profile=howchoo"

Then you can simply use awsh to run aws commands with the howchoo profile.

If you're going to be working with a specific profile exclusively, you can set the AWS_PROFILE environment variable, like this:


Now, when you use the aws command (in the same shell), it will automatically use the howchoo profile.

If you're switching back and forth a lot between profiles, you may want some indicator of which profile you're currently on. This can avoid unnecessary permissions errors or worse!

There are many ways to solve this problem, but one common solution is to add the current aws profile to your shell prompt. And again, there are a few ways to do this.

zsh (using oh-my-zsh)

Since zsh is the default shell on macOS now, we'll start here. Oh My Zsh is a popular framework for managing zsh configs.

If you're using zsh (or would like to), you can simply add the following in your .zshrc:

plugins=(... aws)

This will automatically install the aws plugin when you open a new shell. It gives you access to a few new commands and adds current aws profile to your prompt by default. Check out the docs for more configuration options.

bash or zshrc

If you search google, there are plenty of scripts people have written to simplify this process. But I'll add a super simple method here. In your ~/.bashrc or ~/.zshrc file, add the following function:

function aws_profile {
  _profile=$(aws configure list | egrep profile | awk '{print "("$2")"}')
  if [[ "${_profile}" == "(<not)" ]]; then
    echo "(none)"
    echo "${_profile}"

Then modify your prompt using the PROMPT variable in zsh or the PS1 variable in bash. The following is an example using zsh.

PROMPT='$(aws_profile)'$PROMPT$'\n$ '
John John (304)

For most of your accounts, your password is the single line of defense against hackers. Some applications utilize two-factor authentication, but most rely on the password alone.