Skip to main content
Donate to the Python Software Foundation or Purchase a PyCharm License to Benefit the PSF! Donate Now

Yet another set of scripts and shell functions for managing AWS profiles and cross account access.

Project description

Yet another set of scripts and shell functions for managing AWS profiles and cross account access.


Install into python virual environment:

source ~/path-to-venv/bin/activate
pip install aws-shelltools

Install from editable local repository:

git clone
cd aws-shelltools
pip install -r requirements.txt
pip install -e .


pip uninstall aws-shelltools


. ~/.bashrc

The shelltools:

Set or display value of shell environment var AWS_PROFILE
Set or display value of shell environment var AWS_DEFAULT_PROFILE
Print current values of all AWS environment vars
Request temporary session credentials from AWS STS. Export these credentials to environment vars in the current shell.
Generate aws client config file by listing group assume role policies. You must set your MFA token before you run this command.
Print list of available AWS assume role profiles.
Run ‘aws sts assume-role’ operation to obtain temporary assumed role credentials for the specified profile. Export these credentials to environment vars in the current shell.
Reset mfa token. If environment var AWS_ASSUMED_ROLE_PROFILE is already set from a previous session, then rerun ‘aws sts assume-role’ operation for that profile.
Print current values of AWS assumed role environment vars
Print output of ‘aws sts get-caller-identity
Cache AWS environment vars to local file for use by other shells
Evaluate cached AWS evironment vars into current shell
Reset AWS session environment vars to values prior to assuming role
Unset all AWS session token environemt vars


# Run each command with -h option for full usage info.

aws-profile [<profile>]
aws-region [<region>]
aws-assume-role <profile>



Configure Assume Role Profiles

If you have not yet set up your AWS CLI access, skip to section Awscli/Python Setup before proceeding.

Set your MFA token and assume role to one of your configured assume role profiles:

(python3.6) ashleygould$ aws-set-mfa-token
please enter 6 digit token code for your MFA device: 351918
(python3.6) ashleygould$ aws-assume-role ashley-training-OrgAdmin
(python3.6) ashleygould$ aws-whoami
    "UserId": "AROAIMADVT2W7CODNCP7W:agould@ashley-training-OrgAdmin",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/agould@ashley-training-OrgAdmin"

Now you can run aws-make-config to generate your assume role profiles based on your group membership in a central auth account. These are written to ~/.aws/config.d/config.aws_shelltools:

(python3.6) ashleygould$ aws-make-config
(python3.6) ashleygould$ head ~/.aws/config.d/config.aws_shelltools
[profile ashley-training-OrgAdmin]
role_arn = arn:aws:iam::111111111111:role/awsauth/OrgAdmin
role_session_name = agould@ashley-training-OrgAdmin
source_profile = default

[profile Auth-OrgAdmin]
role_arn = arn:aws:iam::222222222222:role/awsauth/OrgAdmin
role_session_name = agould@Auth-OrgAdmin
source_profile = default

See a listing or all your available AWS profiles:

(python3.6) ashleygould$ aws-list-roles
profile Auth-OrgAdmin
profile OrgMaster-OrgAdmin
profile ashley-training-OrgAdmin
profile eas-dev-OrgAdmin
profile eas-prod-OrgAdmin

You can shorten the profile name at the command line to a unique prefix:

(python3.6) ashleygould$ aws-assume-role eas
Your specified profile 'eas' matches multiple configured profiles. Select one from
the list below and try again:
  eas-dev-OrgAdmin eas-prod-OrgAdmin
(python3.6) ashleygould$ aws-assume-role eas-dev
(python3.6) ashleygould$ aws-whoami
    "UserId": "AROAJFPJVRDRDFUZJLZVG:agould@eas-dev-OrgAdmin",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/agould@eas-dev-OrgAdmin"

Awscli/Python Setup

The above install insturctions assume you have a working knowledge of python and awscli. If you are new at this, refer to the excellent AWS documentation:

This covers installation of python and python virtual environments for Linux, MacOS, and Windows. Once your python is happy, running the installation of aws-shelltools will ensure awscli`and `boto3 are also properly installed.

AWS Access Key Setup

Before you can use any of this stuff, you must create your AWS access key and secret access key and confiture your AWS shell profile. see:

Log into AWS console and create an AWS Access key as per AWS doc. From your shell run the aws configure command and cut-n-paste your access key/secret key from the console to the command line as prompted. This creates your default profile:

(python3.6) ashleygould$ aws configure
AWS Access Key ID [None]: AKI**********W5AFPSNQ
AWS Secret Access Key [None]: U/QotA**********************543vuYB
Default region name [None]: us-west-2
Default output format [None]:

(python3.6) ashleygould$ cat .aws/config
region = us-west-2

(python3.6) its-agould-9m:~ ashleygould$ aws-whoami
    "Account": "112233445566",
    "Arn": "arn:aws:iam::112233445566:user/awsauth/orgadmin/agould"

Working With Codecommit Repositories

To access codecommit repositories from the commandline after assuming a role, you must first configure git to use the AWS codecommit credential-helper:

git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
aws_shelltools-0.1.5-py3-none-any.whl (12.9 kB) Copy SHA256 hash SHA256 Wheel py3
aws-shelltools-0.1.5.tar.gz (11.5 kB) Copy SHA256 hash SHA256 Source None

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page