by jffry 1446 days ago
For my dev machine's interactions with AWS, I use https://github.com/99designs/aws-vault

You add the long-lived IAM user API key/secret to it and it stores it in password-protected storage (macOS keychain or similar).

Then you invoke aws-vault with an IAM role and command, and it will handle obtaining short-lived credentials scoped to that role (including TOTP 2-factor code auth), and then run the command with those temporary credentials as env vars.

With the right AWS permissions on your user, it can also automatically rotate the IAM user API keys for you.

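The exec pattern jffry describes, as an added example that is not aws-vault's own code: take the JSON that STS AssumeRole returns, refuse it if it is expired or incomplete, build a child environment that carries only the short-lived role credentials (scrubbing the parent's long-lived key and profile variables so the SDK cannot fall back to them), and run the command in it. A second helper prints the same credentials in the `credential_process` JSON shape the AWS CLI expects from a credential helper. The STS response is constructed sample data with fake values; the `AWS_SESSION_EXPIRATION` variable name is an assumption for the expiry hint and is not taken from the page.

```python
"""Run a command with short-lived STS credentials as env vars (added example)."""
import json
import os
import subprocess
from datetime import datetime, timezone

# Constructed sample with the shape of an `sts assume-role` response; every
# value is fake and would be rejected by AWS.
SAMPLE_STS_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
        "SecretAccessKey": "exampleSecretKeyNotReal0000000000000000000",
        "SessionToken": "FwoGZXIvYXdzEBYaDExampleSessionToken==",
        "Expiration": "2099-01-01T00:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:dev-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/Developer/dev-session",
    },
}

# Parent variables that must not reach the child: a leaked long-lived key, or a
# profile setting that would make the SDK read the credentials file instead.
PARENT_VARS_TO_DROP = (
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
    "AWS_SECURITY_TOKEN", "AWS_PROFILE", "AWS_DEFAULT_PROFILE",
    "AWS_SHARED_CREDENTIALS_FILE",
)


def parse_expiration(value):
    # STS returns ISO-8601 UTC with a trailing "Z"; older fromisoformat rejects it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_child_env(sts_response, parent_env, now=None):
    """Return the environment the child process should run with."""
    creds = sts_response["Credentials"]
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if not creds.get(key):
            raise ValueError("STS response is missing %s" % key)
    now = now or datetime.now(timezone.utc)
    if parse_expiration(creds["Expiration"]) <= now:
        raise ValueError("temporary credentials are already expired")
    env = {k: v for k, v in parent_env.items() if k not in PARENT_VARS_TO_DROP}
    env.update({
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
        # Assumed variable name for the expiry hint (not from the page).
        "AWS_SESSION_EXPIRATION": creds["Expiration"],
    })
    return env


def credential_process_output(sts_response):
    """Format credentials as the AWS CLI's credential_process JSON (Version 1)."""
    creds = sts_response["Credentials"]
    return json.dumps({
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"],
    })


def run_with_temp_creds(sts_response, argv, parent_env=None):
    """Run argv with only the temporary credentials; returns the exit code."""
    parent = dict(os.environ) if parent_env is None else parent_env
    env = build_child_env(sts_response, parent)
    return subprocess.run(argv, env=env, check=False).returncode


if __name__ == "__main__":
    # Show exactly which AWS_* variables the child receives.
    run_with_temp_creds(SAMPLE_STS_RESPONSE, ["sh", "-c", "env | grep ^AWS_ | sort"])
```

The scrub list is the part worth copying: without it, a parent shell that already exports `AWS_PROFILE` or a long-lived `AWS_ACCESS_KEY_ID` can silently override the session you just obtained, which defeats the point of keeping the user key in the keychain.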

I like your approach. So far I've used profiles extensively. AWS_PROFILE is your friend. No idea why AWS doesn't heavily promote this everywhere they can.
AWS best practices is to use AWS SSO, which accomplishes this same effect but without any long-lived local credentials. It works really well.
Depending on your IdP there are a few tools in addition to AWS CLI v2 that work well in this space.

aws-vault is one of them, though out of support now; aws-okta [1] is another.

[1] https://github.com/segmentio/aws-okta

Used to use that a few years ago and it worked pretty well--you can also set it as a credential helper in your AWS config.

Just an FYI it's no longer supported and it looks like the fork has gone stagnant, too.

> No idea why AWS doesn't heavily promote this everywhere they can.

Not Invented Here

AWS SSO solves it better, and for any number of AWS accounts.

I still use aws-vault, though, when I'm not in a position to set up AWS SSO.