iainelder
commented
2 weeks ago I don't know about the old behavior, but I can confirm that today version 4.33 acts as you describe.
My basic workflow to switch between accounts:
- Use
aws-sso-util configure populateto write out the config for all the roles available from Identity Center - Set
AWS_PROFILEaccording to the account I want to switch to
The ~/.aws/config file may contain profiles like this:
Account1.AccountID1.ReadOnly
Account1.AccountID1.Admin
Account2.AccountID2.ReadOnly
Account2.AccountID2.AdminTo use the ReadOnly role in Account1 I set: AWS_PROFILE=Account1.AccountID1.ReadOnly.
To use the ReadOnly role in Account2 I set: AWS_PROFILE=Account2.AccountID2.ReadOnly.
The main difference between this workflow and yours is that the config, once written, doesn't change. What changes is the AWS_PROFILE value.
cgeisel
It's been over a year since I've used aws-sso-util but when I used it in the past, I would set AWS_PROFILE=my-sso-profile in my environment and use
aws-sso-util configure profile my-sso-profileto authenticate and select one of my AWS accounts. This allowed me to run terraform commands against the selected AWS account without needing to set additional environment variables and use the awscli without the --profile argument.Back then, if I wanted to change to another account, I would run
aws-sso-util configure profile my-sso-profileand it would go through the auth process and prompt me to select another account. Now when I re-run that command, it runs and exits. I have to delete~/.aws/configto get the configure command to allow me to select another account.Did something change with the behavior of the utility? Is there a way to force configure to re-auth?
If not, what is the "correct" workflow for switching between accounts?