Presenting: aws-identity for Amazon Web Services
2012-07-23 16:07

We rely on Amazon Web Services at work. I spend a lot of time with the AWS command line tools but find myself juggling AWS accounts for various clients. This necessitates re-setting the EC2_CERT, EC2_PRIVATE_KEY, and AWS_CREDENTIAL_FILE environment variables each time I need to work on a different client. I put together a small shell script, aws-identity, to automate away that tedium.
To start, gather your certificates and credentials. Some AWS tools require an X.509 pair that can be created by Amazon via the “security credentials” web interface or created locally using the IAM tools. Other tools rely on a textual credential file specifying an access key and secret key, again available via “security credentials”.
```
AWSAccessKeyId=accesskeyhere
AWSSecretKey=isureamtellingyoumysecretkeyrightnow
```
Create a directory layout to store certificates, keys, and credential files. I use ~/aws-identities/ with a subdirectory for each client. In this example, client1 has both an X.509 pair and a credential file, and client2 has only an X.509 pair.
```
aws-identities
├── client1
│   ├── aws-credentials
│   ├── cert-ARFCVP24OJED4KQP2WXYPDX7XYV62UYJ.pem
│   └── pk-ARFCVP24OJED4KQP2WXYPDX7XYV62UYJ.pem
└── client2
    ├── cert-YHGL5M3BBXFTMRYP3R42VNT32B634ESH.pem
    └── pk-YHGL5M3BBXFTMRYP3R42VNT32B634ESH.pem

2 directories, 5 files
```
A child process can’t modify the parent shell’s environment directly, so the aws-identity script will generate the proper commands for your shell. Its output can be eval'ed to alter the environment. It supports Bourne-style shells such as sh, zsh, bash, and ksh, as well as CSH-style shells like csh and tcsh.
```
export EC2_CERT=/Users/nreid/aws-identities/client1/cert-ARFCVP24OJED4KQP2WXYPDX7XYV62UYJ.pem &&
export EC2_PRIVATE_KEY=/Users/nreid/aws-identities/client1/pk-ARFCVP24OJED4KQP2WXYPDX7XYV62UYJ.pem &&
export AWS_CREDENTIAL_FILE=/Users/nreid/aws-identities/client1/aws-credentials
```

```
setenv EC2_CERT /Users/nreid/aws-identities/client2/cert-YHGL5M3BBXFTMRYP3R42VNT32B634ESH.pem &&
setenv EC2_PRIVATE_KEY /Users/nreid/aws-identities/client2/pk-YHGL5M3BBXFTMRYP3R42VNT32B634ESH.pem &&
unsetenv AWS_CREDENTIAL_FILE
```
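A minimal generator of this kind, as an added example that is not the author's aws-identity script: it single-quotes every path so the eval'ed output cannot run code smuggled in through a file or directory name, and it refuses a private key or credential file that other local users can access. It assumes the directory layout shown above and emits Bourne-style commands only; the function names (sq, private_only, emit_var, emit_identity) are hypothetical.

```sh
#!/bin/sh
# Added sketch, not the author's aws-identity script; function names are hypothetical.
# Typical use from a Bourne-style shell: eval "$(emit_identity ~/aws-identities/client1)"

# Single-quote a value so eval treats it as literal data, never as shell code.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# True only for a regular file with no group/other permission bits (e.g. 0600).
private_only() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit "export NAME='value'" when a value was found, otherwise "unset NAME".
emit_var() {
    if [ -n "$2" ]; then printf 'export %s=%s\n' "$1" "$(sq "$2")"
    else printf 'unset %s\n' "$1"; fi
}

# Print Bourne-shell commands that select the identity stored in directory $1.
emit_identity() {
    dir=$1 cert='' key='' cred=''
    if [ ! -d "$dir" ]; then echo "no such identity: $dir" >&2; return 1; fi
    # If several certificate/key files are present, the last match wins.
    for f in "$dir"/cert-*.pem; do if [ -f "$f" ]; then cert=$f; fi; done
    for f in "$dir"/pk-*.pem; do if [ -f "$f" ]; then key=$f; fi; done
    if [ -f "$dir/aws-credentials" ]; then cred=$dir/aws-credentials; fi
    if [ -z "$cert$key$cred" ]; then
        echo "nothing usable in $dir" >&2; return 1
    fi
    # Refuse secrets that other local users could read or modify.
    for f in "$key" "$cred"; do
        if [ -n "$f" ] && ! private_only "$f"; then
            echo "refusing $f: run chmod 600 on it" >&2; return 1
        fi
    done
    emit_var EC2_CERT "$cert"
    emit_var EC2_PRIVATE_KEY "$key"
    emit_var AWS_CREDENTIAL_FILE "$cred"
}

# When run as a script, take the identity directory as the first argument.
if [ "$#" -gt 0 ]; then emit_identity "$1"; fi
```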
Omitting the shell type argument will produce human-readable descriptive text about the variables it will set or unset.
```
Switched EC2 and AWS identity to client1
Switched EC2 identity to client2
```
I combine the two modes in a function in my .zshrc:
```
aws() {eval `bin/aws-identity $1 sh` && bin/aws-identity $1}
```
The aws command now allows me to painlessly switch accounts! To client1:
```
Switched EC2 and AWS identity to client1
AWS_CREDENTIAL_FILE=/Users/nreid/aws-identities/client1/aws-credentials
EC2_CERT=/Users/nreid/aws-identities/client1/cert-ARFCVP24OJED4KQP2WXYPDX7XYV62UYJ.pem
EC2_PRIVATE_KEY=/Users/nreid/aws-identities/client1/pk-ARFCVP24OJED4KQP2WXYPDX7XYV62UYJ.pem
INSTANCE i-effb1d573 client1-promo us-east-1a InService HEALTHY client1-promo
INSTANCE i-afd343ce3 client1-promo us-east-1d InService HEALTHY client1-promo
```
Or to client2:
```
Switched EC2 identity to client2
EC2_CERT=/Users/nreid/aws-identities/client2/cert-YHGL5M3BBXFTMRYP3R42VNT32B634ESH.pem
EC2_PRIVATE_KEY=/Users/nreid/aws-identities/client2/pk-YHGL5M3BBXFTMRYP3R42VNT32B634ESH.pem
INSTANCE i-8c5733f5 Client2FB us-east-1d InService HEALTHY Client2FB
INSTANCE i-c45ed870 Client2FB us-east-1b InService HEALTHY Client2FB
```