AWS CLI Named Profiles

The AWS tools use local AWS profiles to authenticate calls from a workstation to the AWS Cloud. An AWS profile contains an AccessKeyID and a SecretKey. By selecting a named profile, you instruct an AWS tool to use that AccessKey pair to authenticate with a specific AWS Cloud Account. Consider the named profiles in the previous section's diagram:

  • Management Workstation
    • OrgMgmt - account from which AWS Organization is managed. AdministratorAccess.
    • OrgDevJoeAccess - Allows OrgMgmt account to assume administrator role in OrgDevJoe Account
    • OrgSysTestAccess - Allows OrgMgmt account to assume administrator role in OrgSysTest Account
    • OrgSysProdAccess - Allows OrgMgmt account to assume administrator role in OrgSysProd Account
  • Joe's Development Workstation
    • OrgDevJoe - Provides PowerUser Access and select IAM permissions
  • OrgSysTest Workstation
    • OrgSysTest - AdministratorAccess
  • OrgSysProd Workstation
    • OrgSysProd - AdministratorAccess

AWS allows you to create a "default" profile that will be used if you don't supply a specific profile name when executing an AWS tool. We strongly recommend that you never use a default profile on the Management Workstation. We also recommend that you use a default profile on a Developer's Workstation only when the developer will only ever be working against a single AWS Account.
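One way to check this recommendation on a workstation, as an added example that is not part of the original page: the script parses the text of the two AWS CLI files (normally ~/.aws/config and ~/.aws/credentials) and reports a default profile or any profile outside the expected set. The function names and the sample file contents are constructed for illustration; the expected set is the Management Workstation list above.

```python
import configparser

# Profiles the page lists for the Management Workstation.
MGMT_EXPECTED = {"OrgMgmt", "OrgDevJoeAccess", "OrgSysTestAccess", "OrgSysProdAccess"}

def profile_names(text, is_config):
    """Profile names in an AWS CLI config ([profile X]) or credentials ([X]) file."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(text)
    names = set()
    for section in parser.sections():
        if is_config and section.startswith("profile "):
            names.add(section[len("profile "):].strip())
        elif section == "default" or not is_config:
            names.add(section)  # other config sections (e.g. sso-session) are skipped
    return names

def audit_workstation(config_text, credentials_text, expected, allow_default=False):
    """Return findings where the local profiles deviate from the expected set."""
    found = profile_names(config_text, True) | profile_names(credentials_text, False)
    findings = []
    if "default" in found and not allow_default:
        findings.append("default profile present: used when no profile is named")
    findings += [f"unexpected profile: {n}" for n in sorted(found - expected - {"default"})]
    findings += [f"expected profile missing: {n}" for n in sorted(expected - found)]
    return findings

# Constructed sample files (placeholder values, not real credentials).
SAMPLE_CONFIG = """\
[default]
region = us-east-1
[profile OrgMgmt]
region = us-east-1
[profile OrgDevJoeAccess]
region = us-east-1
[profile OrgSysTestAccess]
region = us-east-1
"""
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = EXAMPLE-KEY-ID
aws_secret_access_key = EXAMPLE-SECRET
[OrgDevJoe]
aws_access_key_id = EXAMPLE-KEY-ID
aws_secret_access_key = EXAMPLE-SECRET
"""

if __name__ == "__main__":
    for finding in audit_workstation(SAMPLE_CONFIG, SAMPLE_CREDENTIALS, MGMT_EXPECTED):
        print(finding)
```

To audit a real workstation, pass the contents of its own config and credentials files in place of the samples.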


Every AWS Account has a root user. That root user is associated with an email address that is unique among AWS Accounts - you can't use the same email address for more than one account. You sign into the root user account using at least that email address and a password. Signing into an account using the root user credentials should only be done for a limited number of account management reasons. All other access should be performed through an IAM User login.

We create a single IAM User for each AWS Account created in the AWS Organization. See the diagram below: