XHD.io | Yet another devops blog
Posts Tags Categories About
XHD.io | Yet another devops blog

Contents

Switching between multiple AWS accounts and roles

TheProtos included in clouds
   398 words   2 minutes 
/site/aws-switch-accounts/featured-image.webp

Working with multiple AWS accounts is common in modern cloud environments, especially when following multi-account strategies for security, compliance, or environment separation (e.g., dev, staging, prod).

However, switching between these accounts in the AWS CLI can quickly become painful if you rely only on raw profiles. Fortunately, there are tools and tricks that make account switching much more convenient and efficient.

Setting up AWS CLI with SSO

Here’s an example of a typical ~/.aws/config file configured with AWS SSO:

[default]
region=us-west-2
sso_region=us-west-2
cli_pager=
AWS_PAGER=""
output=json

[sso-session my_sso]
sso_start_url=https://<sso_id>.awsapps.com/start
sso_region=us-west-2
sso_registration_scopes=sso:account:access

[profile my_profile]
sso_session=my_sso
sso_account_id=1234567890
sso_role_name=<my_role>

With this setup, you can authenticate to AWS accounts via SSO, but switching between them still requires extra steps. Let’s explore some tools that improve the experience.

Switching AWS Profiles with fzf

Install fzf, a general-purpose command-line fuzzy finder.

brew install fzf

Then, add the following function to your ~/.zshrc or ~/.profile and reload your shell (source ~/.zshrc):

# fuzzy completion
eval "$(fzf --zsh)"

function awscontext() {
    export AWS_PROFILE=$(aws configure list-profiles | fzf)
    echo "Switched to AWS_PROFILE=$AWS_PROFILE"
    AWS_PAGER="" aws sts get-caller-identity
}

Usage

awscontext # Select an AWS profile from the list interactively

Summary:

Pros:

  • Lightweight, flexible,
  • Integrates well with shell.

Cons:

  • Requires manual setup
  • Limited to profile switching only.

awsume

awsume is a command-line utility for retrieving and exporting AWS credentials to your shell’s environment.

Install it:

brew install awsume

Add this alias to ~/.profile or ~/.zshrc and reload your shell (source ~/.profile)

alias awsume=". awsume"

Usage

awsume -l              # List available profiles
awsume <aws_profile>   # Assume a profile

Summary:

Pros:

  • Simple, works well with non-SSO profiles.

Cons:

  • Limited SSO support
  • Lacks autocompletion (unless manually configured).

granted

Granted in an application which simplifies access to cloud roles and allows multiple cloud accounts to be opened in your web browser simultaneously.

Install it:

brew tap common-fate/granted
brew install granted

Usage

assume        # Start a CLI session
assume -c     # Start a browser-based session

Pros:

  • Full SSO support
  • Autocompletion
  • Works with AWS services like RDS and EKS
  • Smooth integration with browser sessions

Cons:

  • Slightly heavier setup compared to fzf or awsume.

Conclusion

If you work with multiple AWS accounts daily, profile switching tools are a must.

  • Use fzf if you prefer minimal shell functions and fuzzy search.
  • AWSume if you manage mostly non-SSO profiles.
  • Granted if you rely heavily on AWS SSO and want a modern, fully-featured experience.

Personally, I recommend Granted for most modern AWS environments, especially those leveraging SSO.

Updated on 2025-03-01
 AwsLinuxMacosSso
Back | Home