Managing unique AWS credentials on a per project basis

Normally, the AWS CLI (or the boto3 library if using Python) will look for a file called .aws/credentials or .aws/config in your user's home directory. However, I'm often working on several different clients and therefore need to work with different sets of credentials.

One option is to use the --profile argument with the CLI, but boto requires coding logic to check for that. While this is the best solution, it's not always practical, especially when working with someone else's code.

The AWS CLI and boto use the environment variable AWS_SHARED_CREDENTIALS_FILE to define the file path containing the credentials, so setting it lets you use a local set of credentials without needing to specify the --profile argument.

I most often use this alongside SAM projects which use Infrastructure as Code. These will deploy infrastructure and code, usually via lambdas. These projects will typically use a specific repository to hold the components, and so I will create a .aws/credentials file, along with the following bash script awsset, in the root folder of the repository:

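#!/bin/bash
# Source this file from the repository root: source awsset
# Use an absolute path so the setting still resolves after changing directory.
export AWS_SHARED_CREDENTIALS_FILE="$PWD/.aws/credentials"

# Revert to the default credentials file in the home directory.
awsunset() {
  unset AWS_SHARED_CREDENTIALS_FILE
}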

With the script in place, I can run source awsset to enable the local credentials, or use awsunset to revert to the standard credentials.
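A stricter variant of awsset, as an added example that is not the author's script: it switches only if the local credentials file exists, is accessible to its owner alone and, inside a git work tree, is ignored by git, then exports an absolute path. The helper name aws_local_creds_check and the use of awsset as a function taking an optional directory are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the author's script. Source it, then run: awsset [repo-dir]

# Print every problem found with DIR/.aws/credentials; return non-zero if any.
aws_local_creds_check() {
  local dir="$1" file="$1/.aws/credentials" rc=0
  if [ ! -f "$file" ]; then
    echo "missing: $file"
    return 1
  fi
  # Characters 5-10 of the ls mode string are the group and other bits.
  if [ "$(ls -ldL "$file" | cut -c5-10)" != "------" ]; then
    echo "permissions: $file is accessible to group or other (chmod 600)"
    rc=1
  fi
  # Inside a git work tree, the file must be ignored so it is never committed.
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    if ! git -C "$dir" check-ignore -q .aws/credentials; then
      echo "git: .aws/credentials is tracked or not ignored"
      rc=1
    fi
  fi
  return "$rc"
}

awsset() {
  local dir
  dir=$(cd "${1:-.}" && pwd) || return 1   # absolute path survives a later cd
  aws_local_creds_check "$dir" >&2 || return 1
  # Keys exported in the environment are read before the credentials file.
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    echo "warning: AWS_ACCESS_KEY_ID is set and takes precedence" >&2
  fi
  export AWS_SHARED_CREDENTIALS_FILE="$dir/.aws/credentials"
}

awsunset() {
  unset AWS_SHARED_CREDENTIALS_FILE
}
```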

Using with virtualenv

Virtualenv lets you create isolated "projects" where you manage the libraries independently of other projects, even letting different projects use different versions of the same libraries. The libraries in a virtualenv project are installed in the ./lib/python2.7/site-packages directory, making it much simpler to identify the ones you need to package with your code.

Once you have installed virtualenv, you run the command virtualenv _project_ to create a new environment in the directory project. This creates an isolated environment where libraries etc., can be installed and code developed.

To integrate virtualenv and the AWS credential setup described above, I've created a script called virtualaws which combines creating the virtualenv environment with isolated AWS credentials.

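#!/bin/bash
# Usage: virtualaws <project>
virtualenv "$1"
mkdir -p "$1/.aws"
# Quote the heredoc delimiter so ${VIRTUAL_ENV} is written literally and
# expanded when the environment is activated, not when this script runs.
cat << 'EOF' >> "$1/bin/activate"
export AWS_SHARED_CREDENTIALS_FILE="${VIRTUAL_ENV}/.aws/credentials"
awsunset() {
  unset AWS_SHARED_CREDENTIALS_FILE
}
EOF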

Running virtualaws _project_ instead of virtualenv will create the environment, including a reference to the unique credentials file in _project_/.aws/credentials, while running awsunset will revert to the default credentials.
