AWS_PROFILE env var management

aws-profile-for-bashrc.sh

# MIT No Attribution
#
# Copyright 2022 Ben Kehoe
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# There are lots of well-built tools that completely manage your
# AWS profiles and login and credentials, like aws-vault and AWSume.
# This isn't that.
# I tend to prefer to go as lightweight as possible around AWS-produced tools.
# So all this does is set and unset your AWS_PROFILE environment variable.

# This code requires the AWS CLI v2 to function correctly, because it uses the
# aws configure list-profiles command for validation and auto-completion,
# and this command does not exist in the AWS CLI v1.
# AWS CLI v2 install instructions:
# https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html

# You might also be interested in aws-whoami
# which improves upon `aws sts get-caller-identity`
# https://github.com/benkehoe/aws-whoami

aws-profile () {
  if [ "$1" = "--help" ] || [ "$1" = "-h" ]; then
    echo "USAGE:"
    echo "aws-profile              <- print out current value"
    echo "aws-profile PROFILE_NAME <- set PROFILE_NAME active"
    echo "aws-profile --unset      <- unset the env vars"
  elif [ -z "$1" ]; then
    if [ -z "$AWS_PROFILE$AWS_DEFAULT_PROFILE" ]; then
      echo "No profile is set"
      return 1
    else
      echo "$AWS_PROFILE$AWS_DEFAULT_PROFILE"
    fi
  elif [ "$1" = "--unset" ]; then
    AWS_PROFILE=
    AWS_DEFAULT_PROFILE=
    # removing the vars is needed because of https://github.com/aws/aws-cli/issues/5016
    export -n AWS_PROFILE AWS_DEFAULT_PROFILE
  else
    # this check needed because of https://github.com/aws/aws-cli/issues/5546
    # requires AWS CLI v2
    if ! aws configure list-profiles | grep --color=never -Fxq -- "$1"; then
      echo "$1 is not a valid profile"
      return 2
    else
      AWS_DEFAULT_PROFILE=
      export AWS_PROFILE=$1
      export -n AWS_DEFAULT_PROFILE
    fi;
  fi;
}
# completion is kinda slow, operating on the files directly would be faster but more work
# aws configure list-profiles is only available with the AWS CLI v2.
_aws-profile-completer () {
  COMPREPLY=(`aws configure list-profiles | grep --color=never ^${COMP_WORDS[COMP_CWORD]}`)
}
complete -F _aws-profile-completer aws-profile

export -n is needed because of this AWS CLI issue aws/aws-cli#5016

I like it! I've been doing something similar to make it super easy to switch between projects / profiles by never having a default one set and using named profiles only. That seems to have avoided a few footgun instances.

Not having a default profile in ~/.aws/config is a good idea.

Additionally, you can use direnv to set your environment vars for a specific directory.

I use

cat ~/.aws/config | grep "\[profile" | sed 's/\[profile \([a-zA-Z0-9_-]*\)\]/\1/'

to get the profiles for auto-completion. Might be faster than the CLI command.

I like it, but aws configure list-profiles handles profiles that are set only in ~/.aws/credentials (I know people who have this), plus when either file is missing, plus if AWS_CONFIG_FILE or AWS_SHARED_CREDENTIALS_FILE point to different locations.

Sure it is the more general approach. I think you should use your version if you want to be compatible to different users. If you have full control of your own setup my approach might be faster but has some assumptions.

have you considered: https://awsu.me/

Lots of people like AWSume and other tools like it, but I tend to prefer to go as lightweight as possible around AWS-produced tools, because I want to know how those tools can be improved. For all the good AWSume does, it also means people don't ask AWS to make the underlying product better. I don't want AWSume to be necessary!