1

I have the following profile in ~/.aws/config:

[profile foo]
role_arn = arn:aws:iam::##########:role/SomeRole
source_profile = other_profile
region = us-west-2

For irrelevant reasons, I want to create a new profile, with a different name, but sharing the same configuration as foo.

Since I don't like duplicating stuff, I was wondering if there's a way for two profiles to use the same configuration?

I have tried the following:

[profile bar]
[profile foo]
role_arn = arn:aws:iam::##########:role/SomeRole
source_profile = other_profile
region = us-west-2

And it didn't work. The CLI thinks bar is an empty profile.

I've also tried:

[profile foo bar]
role_arn = arn:aws:iam::##########:role/SomeRole
source_profile = other_profile
region = us-west-2

And it also didn't work. The CLI is unable to find the bar profile.


Is there a way to achieve this?

Matias Cicero
  • What is the reason for having the same profile with different name? – Tarun Lalwani Jun 28 '19 at 19:10
  • @TarunLalwani One of the reasons I’d like to do this is, for instance, that I’m programmatically using the right profile dynamically based on its name. I have a use case where multiple “names” should yield the same profile. – Matias Cicero Jun 28 '19 at 19:16
  • If you're programmatically trying to set profile info and retrieve it, not sure if this might help with parameterizing? https://stackoverflow.com/a/33966456/4142873 – Woodrow Jun 28 '19 at 19:20
  • @Woodrow thanks for that suggestion. Unfortunately the application is not updating the config file - just consuming it. It expects such profiles to be already in place. I know the situation is not ideal but maybe the SDK offered a solution. – Matias Cicero Jun 28 '19 at 19:25

3 Answers

0

It's insignificant and hence not achievable in the same profile file. There is no reason you would create two profiles with "exactly" same configuration. You would rather use same profile. If you have environment issues and you want to create different profiles, copy the configuration. Obviously, at least roles will be different even in that case.

deosha
  • One of the reasons I’d like to do this is, for instance, that I’m programmatically using the right profile dynamically based on its name. I have a use case where multiple “names” should yield the same profile. – Matias Cicero Jun 28 '19 at 19:13
  • need bit more explanation – deosha Jun 28 '19 at 19:14
0

I do not think it is possible to achieve this.

Let me explain why I think it is not possible:

  • The syntax which you suggested must be supported by all official AWS SDKs since they all parse AWS credential files among other credential providers. For an overview of existing credential providers see [1]. The credential provider which parses the ~/.aws/config file is called the ini provider.

  • Let's look at the ini provider implementation for node.js (since it is the one I typically used in the past):

    • It parses the information in a data structure called SharedIniFileCredentials. [2]
    • It uses the parseFile method to do so. [3]
    • The parsing is delegated to the utility "class" AWS.util.ini which looks like the following [4]:
parse: function string(ini) {
      var currentSection, map = {};
      util.arrayEach(ini.split(/\r?\n/), function(line) {
        line = line.split(/(^|\s)[;#]/)[0]; // remove comments
        var section = line.match(/^\s*\[([^\[\]]+)\]\s*$/);
        if (section) {
          currentSection = section[1];
        } else if (currentSection) {
          var item = line.match(/^\s*(.+?)\s*=\s*(.+?)\s*$/);
          if (item) {
            map[currentSection] = map[currentSection] || {};
            map[currentSection][item[1]] = item[2];
          }
        }
      });

      return map;
}

As you see, the parser scans the contents of the file line by line and starts a new section once a sequence of /^\s*\[([^\[\]]+)\]\s*$/ inside a line appears. There is no additional logic to map multiple lines to two (or more) different sections. If you want multiple sections with the same content, you must duplicate your configuration for each profile name.

I hope my analysis is convincing that this feature is really impossible by syntactical means. If you ask me, it is also impossible to propose it as a feature request, as AWS would have to adjust all existing SDKs, which would require a massive effort.

References

[1] https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_provider.html
[2] https://github.com/aws/aws-sdk-js/blob/d78f62f9d86066e67d3cb7302fe2656210732f07/lib/credentials/shared_ini_file_credentials.js
[3] https://github.com/aws/aws-sdk-js/blob/cb1604ca89a077ffdb86127884292d3b18c8b4df/lib/shared-ini/ini-loader.js#L5
[4] https://github.com/aws/aws-sdk-js/blob/cb1604ca89a077ffdb86127884292d3b18c8b4df/lib/util.js#L192

Martin Löper
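The parser logic quoted in the answer above, restated as a standalone function and run on the two attempts from the question plus the duplicated form. This is an added example, not part of the original answer or the SDK's own code; `parseIni` and `sameSettings` are names chosen here, and the inputs are constructed from the question's profile.

```javascript
// Added example: the section/key logic quoted above, restated as a standalone
// function (same regular expressions, Array.forEach instead of util.arrayEach).
function parseIni(ini) {
  let currentSection;
  const map = {};
  ini.split(/\r?\n/).forEach((line) => {
    line = line.split(/(^|\s)[;#]/)[0]; // remove comments
    const section = line.match(/^\s*\[([^\[\]]+)\]\s*$/);
    if (section) {
      currentSection = section[1];
    } else if (currentSection) {
      const item = line.match(/^\s*(.+?)\s*=\s*(.+?)\s*$/);
      if (item) {
        map[currentSection] = map[currentSection] || {};
        map[currentSection][item[1]] = item[2];
      }
    }
  });
  return map;
}

// Settings copied from the question (account id masked as on the page).
const SETTINGS = [
  'role_arn = arn:aws:iam::##########:role/SomeRole',
  'source_profile = other_profile',
  'region = us-west-2',
].join('\n');

// Constructed inputs: the two attempts from the question and the duplicated form.
const stacked = parseIni('[profile bar]\n[profile foo]\n' + SETTINGS);
const combined = parseIni('[profile foo bar]\n' + SETTINGS);
const duplicated = parseIni(
  '[profile foo]\n' + SETTINGS + '\n\n[profile bar]\n' + SETTINGS);

// Hypothetical helper: true when both sections exist and carry identical
// settings, useful for checking that duplicated profiles have not drifted apart.
function sameSettings(map, a, b) {
  if (!map[a] || !map[b]) return false;
  const ka = Object.keys(map[a]).sort();
  const kb = Object.keys(map[b]).sort();
  return ka.length === kb.length &&
    ka.every((k, i) => k === kb[i] && map[a][k] === map[b][k]);
}

console.log(Object.keys(stacked));   // only the header that received keys
console.log(Object.keys(combined));  // a single section with a two-word name
console.log(sameSettings(duplicated, 'profile foo', 'profile bar'));
```

With stacked headers only the last header before the key lines receives them, and a two-name header becomes one section whose name contains a space, so neither form yields two usable profiles under this logic.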
-1

I checked this with multiple permutations and it doesn't seem the AWS CLI will be able to handle this use case. Also, there is a very vague mention in the AWS documentation that each named profile uses different credentials.

Your best bet right now seems to be handling this programmatically.

Rhythem Aggarwal