Using Stored AWS Keys and credential profiles in Boto3

The Amazon Command Line (AWSCLI) is the tool from AWS that lets you interact with the AWS API.   When using the AWSCLI you must pass it credentials like key/secret key or you can setup awscli config so that AWS can cache a single key/secret key to use with the commands.   Many people don’t know that the AWSCLI can be configured to hold multiple key/secret key combinations.    Even better, Boto3 can use these credentials within your scripts so that the credentials aren’t stored with code.   If multiple people use the same script, then the script would execute using the stored creds for that user.

Setup AWS profiles:

AWS credentials are stored in the following folders:

For Linux:   


For Windows


These directories will contain 2 files.


The config file will have a profile name in brackets and I add the default region. It would look like this:

[profile account1]
region = us-east-1

[profile account2]
region = us-west-1

The “profile” is a keyword, “account1 and account2” are only labels, they can be anything.
The credentials file hold the keys and secrets and match the profile label in the config file like this:

aws_access_key_id = ABCDABCDABCDABCD
aws_secret_access_key = 123456789012345678901234567890

aws_access_key_id = ABCDABCDABCDABCD
aws_secret_access_key = 123456789012345678901234567890

To use these profiles on the command line, you pass it in as a profile parameter:

aws s3 ls s3://mybucket/ --profile account1 

You can also use the credentials in the profile in boto3 by using a session method.

import boto3
mysession = boto3.session.Session(profile_name='account1')
s3client = mysession.client('s3')
response = s3client.list_buckets()

The boto3Session will use the profile called account1 that is defined in the config/credential files in the current user’s directory. The Credential keys are never included in the application, never checked into any code repo, and code is run as the user ensuring assigned security is honored.

You can run this in a loop:

import boto3
alist = ['account1','account2']
for oneaccount in alist:
    mysession = boto3.session.Session(profile_name=oneaccount)
    s3client = mysession.client('s3')
    response = s3client.list_buckets()

Session can also be used without any additional parameters:

mysession = boto3.session.Session()
s3client = mysession.client('s3')

Without parameters the boto3 session will try to use other methods for authentication. I use this for hosts running inside AWS utilizing host roles instead of keys. You can even make this conditional on the location of the machine.

So I hope that helps someone out. Good Luck!

Tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Solve : *
4 + 20 =