How It Works

• The get and set commands work primarily on AWS config and credentials files.
• set command sets default profile in either config or credentials file with values (e.g. aws_access_key_id and aws_secret_access_key or role_arn and source_profile) from selected profile.
• get command first checks whether AWS credentials environment variables (e.g. AWS_ACCESS_KEY_ID, AWS_SESSION_TOKEN) are set. If yes, it will do a call to STS to get caller identity and cache the result locally. If those environment variables are not set, it compares values of default profile with other profiles in config and credentials files and returns the matched profile
• export command prints out suitable command for your OS (export in Linux/MacOS or $env:VAR setting in Windows Powershell). These printed commands can be copied and executed directly in your terminal to set suitable AWS environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION). The purpose of this command is to support some of the tools that don't work well with AWS config and credentials files, e.g.
  • Terraform aws provider with role that requires MFA https://github.com/terraform-providers/terraform-provider-aws/issues/2420
  • Or when you want to execute AWS CLI commands inside a container and it's not convenient to mount host machine ~/.aws folder