Using multiple AWS accounts through the AWS CLI
Author: Dharang Sharma (@dharang1)
Introduction
You should use named profiles in your AWS CLI configuration (~/.aws/config and ~/.aws/credentials). Here's how to set this up step by step:
Configure the Main Account
This account will contain your access keys.
Run:
```bash
aws configure --profile main-account
```
Then enter:
- Access Key ID
- Secret Access Key
- Region (e.g., us-east-1)
- Output format (e.g., json)
This will populate ~/.aws/credentials and ~/.aws/config like:

~/.aws/credentials
```ini
[main-account]
aws_access_key_id = YOUR_MAIN_ACCESS_KEY
aws_secret_access_key = YOUR_MAIN_SECRET_KEY
```

~/.aws/config
```ini
[profile main-account]
region = us-east-1
output = json
```
Add Role-Based Accounts
This assumes the main account is allowed to assume a role in the two other accounts.
Example:
- Role name in other account: OrganizationAccountAccessRole
- Account IDs: 111111111111, 222222222222
Add the following to your ~/.aws/config file:

~/.aws/config
```ini
[profile account-one]
role_arn = arn:aws:iam::111111111111:role/OrganizationAccountAccessRole
source_profile = main-account
region = us-east-1

[profile account-two]
role_arn = arn:aws:iam::222222222222:role/OrganizationAccountAccessRole
source_profile = main-account
region = us-east-1
```
✅ source_profile tells the CLI to use the credentials from main-account to assume the role.
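As an added example (not part of the original post), the Python sketch below lints the two files by following each source_profile link the way the chain above is resolved. It reports broken or looping chains, role profiles without mfa_serial, and profiles that keep long-lived keys on disk. The sample file contents are constructed from the snippets above; the function names and the choice of checks are this example's own.

```python
import configparser

# Constructed sample files mirroring the profiles on this page.
SAMPLE_CONFIG = """\
[profile main-account]
region = us-east-1
[profile account-one]
role_arn = arn:aws:iam::111111111111:role/OrganizationAccountAccessRole
source_profile = main-account
[profile account-two]
role_arn = arn:aws:iam::222222222222:role/OrganizationAccountAccessRole
source_profile = main-account
"""
SAMPLE_CREDENTIALS = """\
[main-account]
aws_access_key_id = YOUR_MAIN_ACCESS_KEY
aws_secret_access_key = YOUR_MAIN_SECRET_KEY
"""

def load_profiles(config_text, credentials_text):
    """Merge both files into {profile_name: settings} (hypothetical helper)."""
    profiles = {}
    for text, is_config in ((config_text, True), (credentials_text, False)):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(text)
        for section in parser.sections():
            # ~/.aws/config prefixes named profiles with "profile "; credentials does not.
            name = section.removeprefix("profile ") if is_config else section
            profiles.setdefault(name, {}).update(parser[section])
    return profiles

def resolve_chain(profiles, name):
    """Follow source_profile links from `name`; return (chain, findings)."""
    chain, findings = [], []
    while name is not None:
        if name in chain:
            findings.append(f"source_profile loop at '{name}'")
            break
        chain.append(name)
        settings = profiles.get(name)
        if settings is None:
            findings.append(f"profile '{name}' is not defined")
            break
        if "role_arn" in settings and "mfa_serial" not in settings:
            findings.append(f"'{name}' assumes a role without mfa_serial")
        if "aws_access_key_id" in settings:
            findings.append(f"'{name}' stores long-lived access keys on disk")
        name = settings.get("source_profile")
    return chain, findings
```

To lint a real setup, pass the contents of your own ~/.aws/config and ~/.aws/credentials to load_profiles and call resolve_chain for each profile name.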
Using the Profiles
Now you can use any of the accounts like this:
```bash
aws s3 ls --profile main-account
aws s3 ls --profile account-one
aws s3 ls --profile account-two
```
Or you can set the profile temporarily for your session:
```bash
export AWS_PROFILE=account-one
aws s3 ls
```