AWS CLI Multiple Accounts: Step-by-Step Setup Guide 2026

Last Updated: April 01, 2026

Developers and DevOps engineers frequently need to interact with multiple AWS accounts simultaneously. Whether you’re deploying infrastructure across environments or managing resources for different clients, the AWS CLI’s built-in profile system makes multi-account management efficient and secure. This guide covers everything from basic profile setup to advanced SSO integration.

Understanding AWS CLI Profiles

AWS CLI profiles are named configurations that store credentials and settings for different AWS accounts. Instead of repeatedly typing credentials or constantly changing environment variables, profiles let you switch contexts instantly with a simple command flag.

Your profiles are stored in two files:

• ~/.aws/credentials – Access keys and session tokens
• ~/.aws/config – Region, output format, and role assumptions

Step 1: Basic Profile Configuration

Start by creating named profiles for each account. Using the aws configure command with the --profile flag creates isolated credential sets:

# Configure production account
aws configure --profile production
AWS Access Key ID [None]: AKIA...
AWS Secret Access Key [None]: ...
Default region name [None]: us-east-1
Default output format [None]: json

# Configure development account
aws configure --profile development
AWS Access Key ID [None]: AKIA...
AWS Secret Access Key [None]: ...
Default region name [None]: us-west-2
Default output format [None]: json

Step 2: Using Profiles in Commands

Specify which profile to use with the --profile flag or the AWS_PROFILE environment variable:

# Using --profile flag
aws s3 ls --profile production
aws ec2 describe-instances --profile development

# Using environment variable (persists for session)
export AWS_PROFILE=production
aws s3 ls
aws lambda list-functions

Step 3: Setting Up SSO Profiles

For organizations using AWS SSO (IAM Identity Center), configure profiles to automatically handle authentication:

# Add SSO configuration to ~/.aws/config
[profile sso-production]
sso_start_url = https://my-org.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1
output = json

[profile sso-development]
sso_start_url = https://my-org.awsapps.com/start
sso_region = us-east-1
sso_account_id = 210987654321
sso_role_name = DeveloperAccess
region = us-west-2
output = json

With SSO profiles, the CLI automatically opens your browser for authentication and caches credentials until they expire.

Step 4: Cross-Account Role Assumption

For complex setups where you log into one account and assume roles in others, configure profile chaining:

# ~/.aws/config
[profile master]
region = us-east-1

[profile production]
role_arn = arn:aws:iam::123456789012:role/CrossAccountRole
source_profile = master
region = us-east-1

[profile development]
role_arn = arn:aws:iam::210987654321:role/DeveloperRole
source_profile = master
region = us-west-2

This approach maintains credentials in one master profile while securely accessing multiple accounts.

Best Practices for CLI Multi-Account Management

Practice	Why It Matters
Never use default profile for production	Prevents accidental production changes
Use SSO over access keys when possible	Eliminates long-lived credentials
Set AWS_PROFILE in shell prompt	Visual reminder of current context
Rotate access keys regularly	Security compliance and risk reduction
Use role assumption with MFA	Additional security layer for sensitive accounts

Advanced: Switching Accounts Efficiently

Create shell aliases or functions for rapid context switching:

# Add to ~/.bashrc or ~/.zshrc
aws-switch() {
    export AWS_PROFILE=$1
    echo "Switched to AWS profile: $AWS_PROFILE"
    aws sts get-caller-identity
}

# Usage
aws-switch production
aws-switch development

Browser Isolation for CLI Workflows

While the CLI handles programmatic access, browser isolation complements this for console access. When you need to use the AWS Management Console alongside CLI work:

• Each account’s console opens in a completely isolated browser session
• No risk of session cookie cross-contamination
• Visual confirmation of which account you’re viewing
• Additional security layer for production console access

How Send.win Helps You Master AWS CLI Multi-Account Management

Send.win makes AWS access simple and secure with powerful browser isolation technology:

• Browser Isolation – Every AWS console runs in a sandboxed environment
• Cloud Sync – Access your AWS sessions from any device alongside CLI
• Multi-Account Management – Switch between console accounts safely
• No Installation Required – Works instantly in your browser
• Affordable Pricing – Enterprise features without enterprise costs

Try Send.win Free – No Credit Card Required

Experience the power of browser isolation with our free demo:

• Instant Access – Start testing in seconds
• Full Features – Try all capabilities
• Secure – Bank-level encryption
• Cross-Platform – Works on desktop, mobile, tablet
• 14-Day Money-Back Guarantee

Try Send.win Free Demo Now

Ready to upgrade? View pricing plans starting at just $9/month.

Troubleshooting Common Issues

“Unable to locate credentials” – Verify your profile name matches exactly and the credentials file has proper permissions (600).

“Access denied” with SSO profiles – Run aws sso login --profile [profile-name] to refresh cached credentials.

Role assumption fails – Check trust relationships in the target account and ensure the source profile has sts:AssumeRole permission.

Frequently Asked Questions

Can I use multiple profiles simultaneously?

Yes, specify different profiles in separate terminal sessions. Each shell can have its own AWS_PROFILE environment variable.

How do I list all configured profiles?

Run aws configure list-profiles to see all available profiles in your configuration.

Is there a way to set a default profile?

Set the AWS_PROFILE environment variable in your shell configuration file to automatically use a specific profile in new sessions.

Can I share profiles across my team?

Never share credential files. Instead, use AWS SSO with role-based access so team members authenticate individually with appropriate permissions.

Conclusion

Mastering AWS CLI profiles transforms multi-account management from a painful credential juggling act into a streamlined workflow. By combining profile configurations with SSO integration and browser isolation tools like Send.win, you can safely and efficiently manage complex AWS environments.

Start by auditing your current credential setup, migrate to SSO where possible, and establish clear conventions for profile naming across your team. The productivity gains from proper CLI configuration are immediate and compound over time.

How Send.win Helps You Master Aws Cli Manage Multiple Accounts

Send.win makes Aws Cli Manage Multiple Accounts simple and secure with powerful browser isolation technology:

• Browser Isolation – Every tab runs in a sandboxed environment
• Cloud Sync – Access your sessions from any device
• Multi-Account Management – Manage unlimited accounts safely
• No Installation Required – Works instantly in your browser
• Affordable Pricing – Enterprise features without enterprise costs

Try Send.win Free – No Credit Card Required

Experience the power of browser isolation with our free demo:

• Instant Access – Start testing in seconds
• Full Features – Try all capabilities
• Secure – Bank-level encryption
• Cross-Platform – Works on desktop, mobile, tablet
• 14-Day Money-Back Guarantee

Try Send.win Free Demo Now

Ready to upgrade? View pricing plans starting at just $9/month.