当前位置: 文江博客 话题详情

如何从命令行使用多个AWS账户?

发布于 2024-07-14 10:15:53 字数 237 浏览 6 评论 0 原文

我在 Amazon EC2 上托管了两个不同的应用程序(第二个即将上线)。

如何在命令行 (Mac OS X) 上使用两个帐户,但保留 EC2 密钥和密钥? 证书分开? 我需要在每个 ec2-* 命令之前更改环境变量吗?

使用别名并将其与环境设置串联工作吗? 类似于:alias ec2-describe-instances1 = export EC2_PRIVATE_KEY=/path; ec2-描述实例

原文

I've got two different apps that I am hosting (well the second one is about to go up) on Amazon EC2.

How can I work with both accounts at the command line (Mac OS X) but keep the EC2 keys & certificates separate? Do I need to change my environment variables before each ec2-* command?

Would using an alias and having it to the setting of the environment in-line work? Something like: alias ec2-describe-instances1 = export EC2_PRIVATE_KEY=/path; ec2-describe-instances

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(12

古镇旧梦 2024-07-21 10:15:53

您可以通过创建两个 配置文件
它将提示您输入 AWS 访问密钥 ID, AWS 秘密访问密钥和所需区域,因此请准备好。

示例:

$ aws configure --profile account1
$ aws configure --profile account2

然后,您可以通过在命令中传递配置文件来在帐户之间切换。

$ aws dynamodb list-tables --profile account1
$ aws s3 ls --profile account2

注意:

如果您将配置文件命名为default,它将成为默认配置文件,即当命令中没有--profile 参数时。

有关默认配置文件的更多信息

如果您花费更多时间使用 account1,您可以通过设置 AWS_DEFAULT_PROFILE 环境变量将其设为默认配置文件。 设置默认环境变量后,您无需在每个命令上指定配置文件。

Linux、OS X 示例:

$ export AWS_DEFAULT_PROFILE=account1
$ aws dynamodb list-tables

Windows 示例:

$ set AWS_DEFAULT_PROFILE=account1
$ aws s3 ls

You can work with two accounts by creating two profiles on the aws command line.
It will prompt you for your AWS Access Key ID, AWS Secret Access Key and desired region, so have them ready.

Examples:

$ aws configure --profile account1
$ aws configure --profile account2

You can then switch between the accounts by passing the profile on the command.

$ aws dynamodb list-tables --profile account1
$ aws s3 ls --profile account2

Note:

If you name the profile to be default it will become default profile i.e. when no --profile param in the command.

More on default profile

If you spend more time using account1, you can make it the default by setting the AWS_DEFAULT_PROFILE environment variable. When the default environment variable is set, you do not need to specify the profile on each command.

Linux, OS X Example:

$ export AWS_DEFAULT_PROFILE=account1
$ aws dynamodb list-tables

Windows Example:

$ set AWS_DEFAULT_PROFILE=account1
$ aws s3 ls
回复 原文
╭⌒浅淡时光〆 2024-07-21 10:15:53

如何“手动”设置多个AWS账户?

1) 获取访问权限 - 密钥

AWS 控制台 > 身份和访问管理(IAM)> 您的安全凭证 > 访问密钥

2) 设置访问权限 - 文件和内容

~/.aws/credentials

[default]
aws_access_key_id={{aws_access_key_id}}
aws_secret_access_key={{aws_secret_access_key}}

[{{profile_name}}]
aws_access_key_id={{aws_access_key_id}}
aws_secret_access_key={{aws_secret_access_key}}

3) 设置配置文件 - 文件和内容

< code>~/.aws/config

[default]
region={{region}}
output={{output:"json||text"}}

[profile {{profile_name}}]
region={{region}}
output={{output:"json||text"}}

4) 运行 - 带参数的文件

安装命令行应用程序 - 并使用 AWS命令行,例如产品AWS EC2

aws ec2描述实例 -- 默认

aws ec2 describe-instances --profile {{profile_name}} -- [{{profile_name}}]

参考

How to set "manually" multiple AWS accounts ?

1) Get access - key

AWS Console > Identity and Access Management (IAM) > Your Security Credentials > Access Keys

2) Set access - file and content

~/.aws/credentials

[default]
aws_access_key_id={{aws_access_key_id}}
aws_secret_access_key={{aws_secret_access_key}}

[{{profile_name}}]
aws_access_key_id={{aws_access_key_id}}
aws_secret_access_key={{aws_secret_access_key}}

3) Set profile - file and content

~/.aws/config

[default]
region={{region}}
output={{output:"json||text"}}

[profile {{profile_name}}]
region={{region}}
output={{output:"json||text"}}

4) Run - file with params

Install command-line app - and use AWS Command Line it, for example for product AWS EC2

aws ec2 describe-instances -- default

aws ec2 describe-instances --profile {{profile_name}} -- [{{profile_name}}]

Ref

回复 原文
摘星┃星的人 2024-07-21 10:15:53

恕我直言,最简单的方法是手动编辑 .aws/credentials.aws/config 文件。

它很简单,并且适用于 Linux、Mac 和 Windows。 只需阅读本文了解更多详细信息 (阅读 1 分钟)

.aws/credentials 文件:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

.aws/config 文件:

[default]
region=us-west-2
output=json

[profile user1]    <-- 'profile' in front of 'profile_name' (not for default)!!
region=us-east-1
output=text

IMHO, the easiest way is to edit .aws/credentials and .aws/config files manually.

It's easy and it works for Linux, Mac and Windows. Just read this for more detail (1 minute read).

.aws/credentials file:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

.aws/config file:

[default]
region=us-west-2
output=json

[profile user1]    <-- 'profile' in front of 'profile_name' (not for default)!!
region=us-east-1
output=text
回复 原文
拥抱我好吗 2024-07-21 10:15:53

创建或编辑此文件:

vim ~/.aws/credentials

列出任意数量的密钥对:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

设置本地变量以选择要使用的密钥对:

export AWS_PROFILE=user1

执行您喜欢的操作:

aws s3api list-buckets  # any aws cli command now using user1 pair of keys

您也可以通过包含 -- 逐个命令执行此操作使用每个命令配置 user1

aws s3api list-buckets --profile user1
# any aws cli command now using user1 pair of keys

更多详细信息: AWS CLI 的命名配置文件

Create or edit this file:

vim ~/.aws/credentials

List as many key pairs as you like:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

Set a local variable to select the pair of keys you want to use:

export AWS_PROFILE=user1

Do what you like:

aws s3api list-buckets  # any aws cli command now using user1 pair of keys

You can also do it command by command by including --profile user1 with each command:

aws s3api list-buckets --profile user1
# any aws cli command now using user1 pair of keys

More details: Named profiles for the AWS CLI

回复 原文
栀子花开つ 2024-07-21 10:15:53

您应该能够使用以下命令选项代替 EC2_PRIVATE_KEY(甚至 EC2_CERT)环境变量:

  • -K
  • -C

您可以将它们放在别名中,例如

alias ec2-describe-instances1 ec2-describe-instances -K /path/to/key.pem

You should be able to use the following command-options in lieu of the EC2_PRIVATE_KEY (and even EC2_CERT) environment variables:

  • -K <private key>
  • -C <certificate>

You can put these inside aliases, e.g.

alias ec2-describe-instances1 ec2-describe-instances -K /path/to/key.pem
回复 原文
您的好友蓝忘机已上羡 2024-07-21 10:15:53

新的 aws 工具现在支持多个配置文件。

如果您使用工具配置访问权限,它会自动在 ~/.aws/config 中创建默认值。

然后,您可以添加其他配置文件 - 更多详细信息,请访问:AWS CLI 入门

The new aws tools now support multiple profiles.

If you configure access with the tools, it automatically creates a default in ~/.aws/config.

You can then add additional profiles - more details at: Getting started with the AWS CLI

回复 原文
∞觅青森が 2024-07-21 10:15:53

我创建了一个简单的工具 aaws,用于在 AWS 账户之间切换。

它通过在 shell 中设置 AWS_DEFAULT_PROFILE 来工作。 只需确保您的 ~/.aws/credentials 文件中有一些条目,它就可以轻松地在多个帐户之间切换。

/tmp
$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".

/tmp

$ aaws luk3


[luk3]

I created a simple tool, aaws, to switch between AWS accounts.

It works by setting the AWS_DEFAULT_PROFILE in your shell. Just make sure you have some entries in your ~/.aws/credentials file and it will easily switch between multiple accounts.

/tmp
$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".

/tmp
$ aaws luk3

[luk3] ???? /tmp
$ aws s3 ls
2013-11-05 21:40:04 luk3thomas.com
回复 原文
毁虫ゝ 2024-07-21 10:15:53

我编写了一个工具包来切换默认的 AWS 配置文件。

该机制将配置文件密钥物理移动到 configcredentials 文件中的 default 部分。

今天更好的解决方案应该是以下方法之一:

  • 使用 aws 命令选项 --profile
  • 使用环境变量AWS_PROFILE

我不记得为什么我没有使用 --profile 的解决方案,也许我没有意识到它的存在。

然而,该工具包仍然可以通过做其他事情来发挥作用。 以后我会用AWS_PROFILE的方式添加软开关标志。

$ xsh list aws/cfg
[functions] aws/cfg/move
[functions] aws/cfg/set
[functions] aws/cfg/activate
[functions] aws/cfg/get
[functions] aws/cfg/delete
[functions] aws/cfg/list
[functions] aws/cfg/copy

仓库:https://github.com/xsh-lib/aws

安装:

curl -s https://raw.githubusercontent.com/alexzhangs/xsh/master/boot | bash && . ~/.xshrc
xsh load xsh-lib/aws

用法:

xsh aws/cfg/list
xsh aws/cfg/activate <profilename>

I wrote a toolkit to switch default AWS profile.

The mechanism is physically moving the profile key to the default section in config and credentials files.

The better solution today should be one of the following ways:

  • Use aws command option --profile.
  • Use environment variable AWS_PROFILE.

I don't remember why I didn't use the solution of --profile, maybe I was not realized its existence.

However the toolkit can still be useful by doing other things. I'll add a soft switch flag by using the way of AWS_PROFILE in the future.

$ xsh list aws/cfg
[functions] aws/cfg/move
[functions] aws/cfg/set
[functions] aws/cfg/activate
[functions] aws/cfg/get
[functions] aws/cfg/delete
[functions] aws/cfg/list
[functions] aws/cfg/copy

Repo: https://github.com/xsh-lib/aws

Install:

curl -s https://raw.githubusercontent.com/alexzhangs/xsh/master/boot | bash && . ~/.xshrc
xsh load xsh-lib/aws

Usage:

xsh aws/cfg/list
xsh aws/cfg/activate <profilename>
回复 原文
恰似旧人归 2024-07-21 10:15:53

您可以编写shell脚本,根据用户输入为每个帐户设置相应的环境变量值。 这样做,您不需要创建任何别名,此外,ELB 工具、Auto Scaling 命令行工具等工具也可以在多个帐户下工作。

You can write shell script to set corresponding values of environment variables for each account based on user input. Doing so, you don't need to create any aliases and, furthermore, tools like ELB tools, Auto Scaling Command Line Tools will work under multiple accounts as well.

回复 原文
最美不过初阳 2024-07-21 10:15:53

要使用 IAM 角色,您必须对 STS:AssumeRole 进行 API 调用,这将返回临时访问密钥 ID、密钥和安全令牌,然后可用于对未来的 API 调用进行签名。 以前,要从 AWS 命令​​行界面 (CLI) 实现安全的跨账户、基于角色的访问,需要显式调用 STS:AssumeRole,并使用您的长期凭证。 生成的临时凭证被捕获并存储在您的配置文件中,并且该配置文件用于后续的 AWS API 调用。 当临时凭证过期时(默认情况下 1 小时后),必须重复此过程。

更多详细信息:如何通过 AWS CLI 使用单个 IAM 用户轻松访问您的所有账户

To use an IAM role, you have to make an API call to STS:AssumeRole, which will return a temporary access key ID, secret key, and security token that can then be used to sign future API calls. Formerly, to achieve secure cross-account, role-based access from the AWS Command Line Interface (CLI), an explicit call to STS:AssumeRole was required, and your long-term credentials were used. The resulting temporary credentials were captured and stored in your profile, and that profile was used for subsequent AWS API calls. This process had to be repeated when the temporary credentials expired (after 1 hour, by default).

More details: How to Use a Single IAM User to Easily Access All Your Accounts by Using the AWS CLI

回复 原文
一指流沙 2024-07-21 10:15:53

查看 aws-vault ,它具有与纯 aws 中的多个配置文件类似的功能,但它还存储您的访问密钥在某些地方比纯文本文件更安全。

如果您查看他们的版本页面,就会发现预编译的二进制文件。

aws-vault 的工作方式基本上是创建一个设置了正确环境变量的子 shell。 就我而言,我创建了一个名为“chrisp”的配置文件,并运行以下命令来部署我的 CDK 堆栈:

aws-vault exec chrisp yarn cdk deploy MyStackName

其中“chrisp”是配置文件名称。 这对于任何命令都同样有效,事实上,测试它的一个好方法是执行以下操作:

aws-vault exec chrisp sts get-caller-identity

这会让您知道它正在工作并且它根据提供的密钥选择正确的身份。

Check out aws-vault that has something similar to mutliple profiles in just pure aws but it also stores your access key some place more secure than a plain text file.

If you look on their releases page there are pre-compiled binaries.

The way aws-vault works is to basically create a subshell with the right environment variables set. In my case, I created a profile named 'chrisp' and to deploy my CDK stack I run:

aws-vault exec chrisp yarn cdk deploy MyStackName

where 'chrisp' is the profile name. This works equally well with any command, in fact, a good way to test it is to do this:

aws-vault exec chrisp sts get-caller-identity

that will let you know that it's working and that it picks the right identity based on the provided keys.

回复 原文
时间海 2024-07-21 10:15:53

具有 MFA 的多个 AWS 帐户上的 CLI 帮助程序

启用 MFA 后,必须在多个帐户之间切换会更加有趣...其他现有的帮助程序要么是矫枉过正,要么无法满足我的需求,因此我创建了这个:
https://github.com/runwuf/awsumfa

安装

curl https://raw.githubusercontent.com/runwuf/awsumfa/main/awsumfa.bash > ~/awsumfa.bash
  • 更新您的 MFA awsumfa.bashAWS_MFAARN 中的 ARN
  • 编辑示例 credentials 添加您的所有账户的角色,然后将其放入 ~/.aws/

用法

awsmfa ${role_name} - 选择要承担的凭证中定义的角色。

awsec2ls - 以良好的格式列出 ec2 实例。

awsec2 ${instance_id} - ssm 到 ec2 实例。

installawstools - 安装 aws-ssm-ec2-proxy-command.sh 使 scp 可以轻松使用 ec2 实例。

CLI helper on multiple AWS accounts with MFA

Having to switch between multiple accounts is even more fun when MFA is enabled... other existing helpers out there is either an overkill or doesn't address my needs so I created this:
https://github.com/runwuf/awsumfa

Install

curl https://raw.githubusercontent.com/runwuf/awsumfa/main/awsumfa.bash > ~/awsumfa.bash
  • Update your MFA ARN in AWS_MFAARN of awsumfa.bash
  • Edit the sample credentials to add your roles of all accounts then place it in ~/.aws/

Usage

awsmfa ${role_name} - choose the role defined in credentials to assume to.

awsec2ls - list ec2 instances in a nice format.

awsec2 ${instance_id} - ssm into an ec2 instance.

installawstools - install aws-ssm-ec2-proxy-command.sh makes scp easy to work with ec2 instances.

回复 原文
~没有更多了~

关于作者

失与倦"

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

linfzu01

文章 0 评论 0

§对你不离不弃

文章 0 评论 0

可遇━不可求

文章 0 评论 0

枕梦

文章 0 评论 0

qq_3LFa8Q

文章 0 评论 0

JP

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文