
    Switch between different aws accounts using zsh

    Haidong Ji, posted on 2024-08-19 01:22:55

    It is pretty common for a company to have multiple AWS accounts. A cloud administrator may need to switch between accounts regularly and, when doing so, needs to know which account's profile is currently active. Fortunately, zsh running on macOS, Linux, or Windows WSL can assist!

    Assumptions:

    • zsh with oh-my-zsh framework installed
    • aws plugin is enabled in ~/.zshrc file. By default, git plugin is enabled. You need to add aws into the line that starts with plugins=. Example:
      plugins=(git aws)
    • aws CLI tool installed. Create ~/.aws if you don’t already have it.

    Create config file for aws CLI

    You will need to have your .aws/config file set up. For each AWS account that you'd like to manage, you will need a corresponding profile. Typically, an organization has only one sso_start_url, so you just need one sso-session section. Here is an example config:

    [default]
    region = us-west-2
    cli_pager=
    sso_session = coffee
    sso_account_id = 111111111111
    sso_role_name = aws-111111111111-dev
    [profile selab]
    region = us-west-2
    cli_pager=
    sso_session = coffee
    sso_account_id = 222222222222
    sso_role_name = aws-222222222222-prod
    [sso-session coffee]
    sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start/#
    sso_region = us-west-2
    sso_registration_scopes = sso:account:access

    Use oh-my-zsh plugin to switch between accounts

    With the plugin and config file in place, now you are ready to switch and manage easily. To use the default profile, run:

    asp default login

    Your default browser will then open with the authorization page. Click “Confirm and Continue”, then “Allow Access”. On your terminal, you will see something like this:
    ➜ ~ asp default login
    Attempting to automatically open the SSO authorization page in your default browser.
    If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
    https://device.sso.us-west-2.amazonaws.com/

    Then enter the code:

    AAAA-BBBB
    Successfully logged into Start URL: https://d-xxxxxxxxxx.awsapps.com/start/#
    ➜ ~

    Afterwards, you will have the AWS account credential downloaded automatically. On your terminal, you will see the RPROMPT value, displayed on the right, showing the AWS profile you are currently under, along with the region. Knowing this can save you from making costly fat-finger mistakes.

    To make sure the credential works, you can run a quick command to confirm, such as aws s3 ls.
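
The prompt shows the profile name, not the account the credentials actually belong to. The following added example (not from the original post; the function names `aws_expected_account` and `aws_assert_account` are hypothetical) compares the `sso_account_id` configured for a profile with the account that `aws sts get-caller-identity` reports:

```shell
# Added example, not from the original post. Function names are hypothetical.

# Print the sso_account_id configured for a profile in the AWS CLI config file.
aws_expected_account() (
  profile=${1:-default}
  config=${AWS_CONFIG_FILE:-$HOME/.aws/config}  # AWS_CONFIG_FILE overrides the path
  if [ "$profile" = default ]; then
    header='[default]'
  else
    header="[profile $profile]"
  fi
  awk -v header="$header" '
    /^[ \t]*\[/ {                 # every section header starts or ends a match
      gsub(/^[ \t]+|[ \t]+$/, "")
      in_section = ($0 == header)
      next
    }
    in_section && /^[ \t]*sso_account_id[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")    # drop the key and the equals sign
      sub(/[ \t]+$/, "")
      print
      exit
    }
  ' "$config"
)

# Return 0 only when the credentials in use belong to the account the profile
# is configured for; 1 on mismatch; 2 when the check cannot be made.
# $2 is optional and supplies the actual account ID for offline checks;
# when it is absent the ID is fetched from STS.
aws_assert_account() (
  profile=${1:-${AWS_PROFILE:-default}}
  expected=$(aws_expected_account "$profile")
  if [ -z "$expected" ]; then
    echo "no sso_account_id configured for profile '$profile'" >&2
    return 2
  fi
  if [ -n "$2" ]; then
    actual=$2
  else
    actual=$(aws sts get-caller-identity --profile "$profile" \
               --query Account --output text) || return 2
  fi
  if [ "$actual" != "$expected" ]; then
    echo "MISMATCH: '$profile' expects $expected, credentials are for $actual" >&2
    return 1
  fi
  echo "ok: profile '$profile' is account $actual"
)
```

After `asp selab login`, running `aws_assert_account selab` before a destructive command turns a wrong-account session into a non-zero exit status that scripts can act on.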

    To switch to a different profile, just run asp profile_name login again.

    Within the same account, switching between different regions is also a common task. To do so, run asr new-region. If you don’t remember the region name, use tab completion for prompts.

    Sometimes the RPROMPT can be annoying. You can turn it off by adding:
    SHOW_AWS_PROMPT=false
    into your .zshrc file.

    Happy coding!
