===== AWS CloudShell =====
{{tag>AWS}}
==== Description ====
The AWS CLI in AWS CloudShell can be configured to use cross-account IAM roles through a custom profile. This is helpful if you need to script running commands across multiple AWS accounts. To configure it, you add a custom profile that names the role ARN and uses a credential source of ''EcsContainer'', so that the CloudShell container credentials are used to call AssumeRole.
==== Run Down ====
You can see that AWS CloudShell is not an EC2 instance but a container by running the following; the credential type is reported as ''container-role''.
<code>
[cloudshell-user@ip-10-0-161-58 ~]$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************AKAK   container-role
secret_key     ****************SKSK   container-role
    region                us-east-2              env    ['AWS_REGION', 'AWS_DEFAULT_REGION']
[cloudshell-user@ip-10-0-161-58 ~]$
</code>
Next we need to make a blank profile. Just hit enter to leave the access key and secret key blank, but feel free to enter your preferred region and output format.
<code bash>
aws --profile NEW_PROFILE_NAME configure
</code>
Now that we know AWS CloudShell is a container and we have created our blank profile, we can add the cross-account role ARN and the credential source to the profile. The role in the target account must have a trust policy that allows your CloudShell identity to assume it, and that identity needs ''sts:AssumeRole'' on the role.
<code>
[cloudshell-user@ip-10-0-161-58 ~]$ cat .aws/config
[profile NEW_PROFILE_NAME]
role_arn = arn:aws:iam::123456789012:role/IAM_CROSS_ACCOUNT_ROLE_NAME
credential_source = EcsContainer
region = us-east-1
output = json
[cloudshell-user@ip-10-0-161-58 ~]$
</code>
You can verify this is working by running the following two commands and comparing their output: the first lists buckets in the account CloudShell is running in, the second lists buckets in the account that owns the assumed role.
<code bash>
aws s3 ls
aws --profile NEW_PROFILE_NAME s3 ls
</code>
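The multi-account scripting use case from the description, as an added example that is not part of the original page: a small POSIX shell script that generates one ''EcsContainer''-backed profile per target account and then runs the same AWS CLI command under each profile. The account ids, the role name ''IAM_CROSS_ACCOUNT_ROLE_NAME'' and the config file path are placeholders; it assumes the role in each target account trusts your CloudShell identity, and it writes to a file you name rather than to ''~/.aws/config'' so nothing is overwritten by accident.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Generates CloudShell cross-account profiles and runs one command across them.

# Print a single [profile NAME] stanza that uses the CloudShell container
# credentials (credential_source = EcsContainer) to assume the given role.
#   $1 = profile name, $2 = account id, $3 = role name, $4 = region
make_profile_stanza() {
    printf '[profile %s]\nrole_arn = arn:aws:iam::%s:role/%s\ncredential_source = EcsContainer\nregion = %s\noutput = json\n' \
        "$1" "$2" "$3" "$4"
}

# Append one profile per account id to the config file given as $1.
#   $1 = config file path, $2 = role name, $3 = region, rest = account ids
write_profiles() {
    config="$1"; role="$2"; region="$3"; shift 3
    for acct in "$@"; do
        make_profile_stanza "acct-$acct" "$acct" "$role" "$region" >> "$config"
        printf '\n' >> "$config"
    done
}

# Number of [profile ...] stanzas in a config file (exit 1 from grep when zero).
count_profiles() {
    grep -c '^\[profile ' "$1"
}

# List the profile names defined in a config file, one per line.
list_profiles() {
    sed -n 's/^\[profile \(.*\)\]$/\1/p' "$1"
}

# Run the same AWS CLI command under every profile in the config file.
# A failure in one account (for example a missing trust policy) is reported
# and the loop continues with the next account.
#   $1 = config file path, rest = aws subcommand and arguments
run_across_accounts() {
    config="$1"; shift
    for p in $(list_profiles "$config"); do
        echo "== $p =="
        AWS_CONFIG_FILE="$config" aws --profile "$p" "$@" || echo "command failed for profile $p"
    done
}

# Example invocation, only when RUN_EXAMPLE=1 is set in the environment so the
# function definitions can be sourced without calling the AWS CLI.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    cfg="$HOME/cross-account-config"   # placeholder path, not ~/.aws/config
    : > "$cfg"
    # Constructed placeholder account ids; replace with real target accounts.
    write_profiles "$cfg" IAM_CROSS_ACCOUNT_ROLE_NAME us-east-1 111111111111 222222222222
    run_across_accounts "$cfg" s3 ls
fi
```

Because ''credential_source = EcsContainer'' is written into every stanza, each AssumeRole call is made with the signed-in CloudShell identity, so the assumed-role sessions appear in CloudTrail of the target accounts tied to that identity, which is what you want for auditing a multi-account script.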