AWS Profile Management
Overview
Credential mistakes are one of the most common causes of infrastructure accidents. This skill ensures the correct AWS profile is active before any operation.
Announce at start: "I'm using the aws-profile-management skill to verify credentials."
Pre-Operation Verification
Step 1: Check Current Identity
# Get current identity
aws sts get-caller-identity
Expected output includes:
- Account: AWS account ID
- Arn: IAM user/role ARN
- UserId: User or assumed role ID
Step 2: Match to Environment
| Environment | Expected Account | Expected Role Pattern |
|---|---|---|
| dev | 123456789012 | -dev-, -developer- |
| staging | 234567890123 | -staging-, -deploy- |
| prod | 345678901234 | -prod-, -admin- |
STOP if account doesn't match expected environment.
Step 3: Check Credential Expiry
For assumed roles:
# Check remaining session time
aws sts get-caller-identity 2>&1 | grep -i expir || echo "Credentials valid"
For SSO:
# Check SSO session
aws sso list-accounts 2>&1 || echo "Check SSO login status"
Profile Switching
Using Named Profiles
# List available profiles
aws configure list-profiles
# Set profile for session
export AWS_PROFILE=production
# Or use inline
AWS_PROFILE=production terraform plan
Using AWS SSO
# Login to SSO
aws sso login --profile production
# Verify login
aws sts get-caller-identity --profile production
Using Assume Role
# Assume role and export credentials
eval $(aws sts assume-role \
--role-arn arn:aws:iam::ACCOUNT:role/ROLE_NAME \
--role-session-name terraform-session \
--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
--output text | \
awk '{print "export AWS_ACCESS_KEY_ID="$1"\nexport AWS_SECRET_ACCESS_KEY="$2"\nexport AWS_SESSION_TOKEN="$3}')
# Verify
aws sts get-caller-identity
Environment Detection
From Directory Structure
environments/
├── dev/
├── staging/
└── prod/
# Detect environment from path
ENV=$(basename "$(pwd)")
echo "Detected environment: $ENV"
From Terraform Backend
# Check backend configuration
grep -A 10 'backend' *.tf | grep -E 'bucket|key|workspace'
From Workspace
# Check Terraform workspace
terraform workspace show
Safety Checks
Pre-Operation Checklist
Before any Terraform or AWS operation:
-
Identity Verified
- Account ID matches environment
- Role/user is appropriate
- Credentials not expired
-
Environment Confirmed
- Directory matches expected environment
- Backend configuration is correct
- No conflicting env vars set
-
Permission Verified
- Role has required permissions
- No unexpected permission errors expected
Red Flags - STOP Immediately
| Condition | Action |
|---|---|
| Account ID doesn't match environment | STOP - wrong account! |
| Role seems too permissive for task | Verify with user |
| Credentials expired | Re-authenticate |
| Multiple AWS_* env vars set | Clear and use profile |
| Unknown account ID | Verify before proceeding |
Common Issues
Wrong Account Active
Symptoms:
- Terraform can't find expected resources
- Plan shows creating resources that exist
- Permission denied for expected resources
Solution:
# Clear any env vars
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
# Set correct profile
export AWS_PROFILE=correct_profile
# Verify
aws sts get-caller-identity
Expired Credentials
Symptoms:
- "ExpiredToken" errors
- "credentials have expired" messages
Solution:
# For SSO
aws sso login --profile your_profile
# For assumed role
# Re-run assume-role command
Conflicting Configurations
Symptoms:
- Unexpected account appearing
- Operations in wrong region
Solution:
# Check all credential sources
echo "Profile: $AWS_PROFILE"
echo "Access Key set: ${AWS_ACCESS_KEY_ID:+yes}"
echo "Default region: $AWS_DEFAULT_REGION"
aws configure list
Integration with Other Skills
This skill should be invoked before:
- terraform-plan-review
- terraform-drift-detection
- terraform-state-operations
- Any AWS CLI operations
The profile verification output should be included in analysis reports to confirm correct environment.