How to Create and Manage Profiles with the AWS CLI
Profiles are a practical way to manage multiple AWS accounts, roles, and configurations using the AWS Command Line Interface (CLI). In this guide, we’ll cover how to create a profile with the AWS CLI, what files are involved, how to use named profiles in commands, and best practices for security and maintenance. The goal is to help you work more efficiently with multiple environments without mixing credentials or settings.
Understanding AWS CLI profiles
An AWS CLI profile is a named collection of credentials and configuration settings. By using profiles, you can switch between different AWS accounts, regions, and output formats without changing your environment variables or default configurations. The AWS CLI stores profiles in two files located in your home directory: the credentials file and the config file. On Unix-like systems, these are typically at ~/.aws/credentials and ~/.aws/config. On Windows, they reside in %USERPROFILE%\.aws\credentials and %USERPROFILE%\.aws\config.
The default profile, named default, is used when you do not specify a profile. Named profiles allow you to work against different accounts or roles by selecting the appropriate profile at the command line. In the config file, the settings for a named profile are stored under a section headed [profile profile-name], while the credentials file uses the profile name directly as the section header, [profile-name] (without the profile prefix).
How to create a profile with aws configure
The most common way to create a profile is the interactive command:
aws configure --profile myprofile
Running this prompts you to enter:
- AWS Access Key ID
- AWS Secret Access Key
- Default region name
- Default output format
After you complete the prompts, the corresponding sections are written to your credentials and config files. This approach is simple and user-friendly, and it effectively creates a new profile named myprofile.
If you prefer a non-interactive approach, you can set each value directly using the aws configure set command. This is convenient for automation scripts or when you want to seed multiple profiles in one run:
aws configure set aws_access_key_id YOUR_ACCESS_KEY_ID --profile myprofile
aws configure set aws_secret_access_key YOUR_SECRET_ACCESS_KEY --profile myprofile
aws configure set region us-west-2 --profile myprofile
aws configure set output json --profile myprofile
In both cases, you have created a profile and prepared it for use in subsequent commands.
Manual creation by editing the files
Some teams prefer to configure profiles by editing the two AWS CLI files directly. This method gives you precise control over the layout and can be useful for version control or templating. Here are example snippets that define a profile named dev:
# credentials file
[dev]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
# config file
[profile dev]
region = us-east-1
output = json
Notes:
- The credentials file uses the profile name as the section header without the profile prefix.
- The config file uses [profile <name>] for named profiles, with the same name as the matching section in the credentials file.
- When editing manually, keep the values secure and avoid committing them to public repositories.
Using profiles in practice
Once a profile exists, you can use it on a per-command basis or set it as the default for a session:
- Per-command: aws s3 ls --profile dev
- Set a session-wide default with an environment variable: export AWS_PROFILE=dev (Linux/macOS) or set AWS_PROFILE=dev (Windows).
- For Windows PowerShell, you can set the variable with $Env:AWS_PROFILE = "dev".
Common AWS CLI operations, such as listing buckets, starting instances, or querying resources, can then be scoped to the chosen profile. This makes it easy to manage multiple environments (development, staging, production) without re-authenticating or re-typing credentials.
Advanced topics and tips
Listing and switching between profiles
You can quickly list the profiles configured on your machine and verify their presence with:
aws configure list-profiles
To switch between profiles, simply specify the desired profile in your command or set AWS_PROFILE as shown above.
Using AWS Single Sign-On (SSO) and roles
For organizations leveraging AWS SSO, the AWS CLI supports SSO-based profiles. You can configure an SSO profile that references a previously configured SSO start URL and account, then run aws sso login --profile my-sso-profile before using the profile. This workflow helps avoid long-lived access keys and aligns with centralized access management.
Security considerations
Security is a core reason to use profiles. Treat AWS credentials as highly sensitive data. Rotate keys regularly, apply least privilege, enable MFA where applicable, and avoid embedding keys in code or public repositories. Using named profiles with separate credentials files helps you compartmentalize access and reduces the blast radius if a key is compromised.
Rotating credentials and automation
For automated environments, you might rotate credentials periodically. You can write a script that updates the credentials file and the config file, or you can rely on IAM roles (for EC2, ECS, or Lambda) to grant temporary credentials via STS. Named profiles remain compatible with these practices, since the profile abstraction is about how you supply credentials and region data to the CLI.
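A sketch of the kind of script mentioned above, added here as an example and not taken from AWS tooling: it replaces one profile's keys in the credentials file, keeps the file at mode 0600, and swaps it in atomically. The function name and the NEW_KEY_ID / NEW_SECRET variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not AWS tooling): swap one profile's keys in a credentials
# file. NEW_KEY_ID and NEW_SECRET are variable names assumed for this sketch.
# Usage: rotate_profile_keys FILE PROFILE   (reads both variables from the env)
rotate_profile_keys() {
    file=$1
    profile=$2
    if [ -z "${NEW_KEY_ID:-}" ] || [ -z "${NEW_SECRET:-}" ]; then
        echo "rotate_profile_keys: NEW_KEY_ID and NEW_SECRET must be set" >&2
        return 1
    fi

    # mktemp creates the file with mode 0600, next to the target so the
    # final mv is a rename on the same filesystem.
    tmp=$(mktemp "$file.XXXXXX") || return 1

    # Copy every section except the one being rotated. Dropping the whole
    # section also removes a stale aws_session_token, if one was stored.
    if [ -f "$file" ]; then
        awk -v want="[$profile]" '
            /^[ \t]*\[/ {
                header = $0
                gsub(/^[ \t]+|[ \t]+$/, "", header)
                skip = (header == want)
            }
            !skip
        ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    fi

    # printf is a shell builtin, so the secret is not visible in `ps` output.
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
        "$profile" "$NEW_KEY_ID" "$NEW_SECRET" >> "$tmp"

    # Replace the old file in one step; readers see old or new, never half.
    mv -f "$tmp" "$file"
}
```

Reading the values from the environment keeps the secret out of the script's arguments and shell history, which is not the case when it is passed to aws configure set on the command line.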
Common use cases
- Managing separate accounts for development, testing, and production with distinct profiles
- Working against multiple regions without changing the global configuration
- Using a standard set of commands across environments by swapping profiles
- Integrating with CI/CD pipelines that require non-interactive profile creation
Troubleshooting and best practices
If you encounter issues with a profile, check these common areas:
- Ensure the correct file permissions for credentials (especially on shared systems).
- Verify that the profile name is consistent in both credentials and config files where required.
- Confirm that the region and output format match your needs for each profile.
- Use aws configure list --profile <name> to inspect which keys, region, and output the CLI sees for a given profile.
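The first two checks in this list can be scripted. The following is an added example, not part of the AWS CLI: it flags a credentials file that is readable by group or others, section headers that use the wrong convention for their file, and profiles that have keys but no config section. The function names and the output labels are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the AWS CLI project): audit the two profile files.
# Usage: audit_aws_profiles [credentials-file] [config-file]

# Print the text inside each [section] header of an INI file, one per line.
sections() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*\[\([^]]*\)][[:space:]]*$/\1/p' "$1"
}

audit_aws_profiles() {
    cred=${1:-$HOME/.aws/credentials}
    conf=${2:-$HOME/.aws/config}

    # 1. The credentials file should carry no group or other permission bits.
    if [ -f "$cred" ]; then
        bits=$(ls -ldL "$cred" | cut -c5-10)
        [ "$bits" = "------" ] || echo "PERMS $cred group/other=$bits"
    fi

    # 2. Credentials headers are bare names; a "profile " prefix is a mistake.
    sections "$cred" | sed -n 's/^profile .*/BAD_HEADER credentials: [&]/p'

    # 3. Config headers need "profile <name>", except [default]. sso-session
    #    and services sections are a different section type, so skip them.
    sections "$conf" | sed -e '/^default$/d' -e '/^profile /d' \
        -e '/^sso-session /d' -e '/^services /d' \
        -e 's/.*/BAD_HEADER config: [&]/'

    # 4. Profiles that have keys in credentials but no section in config.
    conf_names=$(sections "$conf" | sed 's/^profile  *//')
    sections "$cred" | sed '/^profile /d' | while IFS= read -r name; do
        printf '%s\n' "$conf_names" | grep -qxF -- "$name" \
            || echo "NO_CONFIG $name"
    done
    return 0
}
```

A NO_CONFIG line is informational: such a profile still works if the region is supplied another way, for example through the AWS_REGION environment variable.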
FAQ: common questions about creating AWS CLI profiles
- What is the difference between the credentials and config files? The credentials file stores access keys; the config file stores region and output settings. A single profile’s credentials are defined in the credentials file, while its region and output details live in the config file.
- Can I have multiple profiles for the same account? Yes. You can create different profiles for different roles or environments, each with its own credentials and region settings.
- Is it safe to store credentials locally? Yes, if you enforce proper file permissions and avoid sharing keys. For added security, prefer IAM roles or SSO-based access where possible.
Conclusion
Using the AWS CLI to create and manage profiles is a fundamental skill for anyone working with multiple AWS environments. Creating profiles, whether via interactive aws configure, non-interactive aws configure set commands, or manual edits to the credentials and config files, helps keep credentials isolated, reduces human error, and simplifies automation. With careful organization of profiles, you can switch contexts quickly, maintain security best practices, and streamline daily operations across teams and projects. If you implement named profiles thoughtfully, you will find AWS CLI workflows more scalable and predictable, especially when combined with environment-specific automation and access management strategies.