How to Use AWS CDK Profiles to Deploy to Multiple Environments

Deploying AWS CDK applications to multiple environments is a fundamental requirement for modern cloud infrastructure management. Whether you’re working with different stages (development, testing, production), managing multiple tenants, or handling various AWS accounts, understanding how to properly configure and use AWS profiles is essential for efficient CDK deployments.

Why Use AWS Profiles for Multi-Environment CDK Deployments?

When working with AWS CDK, you’ll typically need to deploy your infrastructure stacks to multiple environments. Organizations commonly segregate these environments using different strategies:

  • Separate AWS accounts for enhanced security isolation
  • Different AWS regions for geographic distribution
  • IAM users with dedicated access keys for team member access
  • IAM roles for cross-account or service-based access

For developers new to AWS CDK, the methods for managing access to multiple environments aren’t always immediately obvious. The good news is that AWS CDK seamlessly integrates with AWS CLI capabilities, making multi-environment management straightforward once you understand the fundamentals.

Let’s explore how to leverage AWS CLI profiles effectively with AWS CDK.

How to Reference AWS Profiles in CDK Commands

AWS CDK provides built-in support for AWS CLI profiles through the --profile flag. This flag works with all major CDK operations including deployment, destruction, and diffing your Infrastructure as Code (IaC) applications.

Basic Profile Usage with AWS CDK

To deploy a CDK stack using a specific AWS profile, use the following command:

cdk deploy --profile myAwsProfile

When you execute this command, the AWS CDK CLI will:

  1. Search for a profile named myAwsProfile in your AWS CLI configuration
  2. Load the associated credentials and settings
  3. Use those credentials for the deployment operation

Understanding AWS CLI Profile Configuration Files

The profile configuration is stored in the .aws directory inside your user home directory:

  • Linux/macOS: ~/.aws/config
  • Windows: C:\Users\YOUR_ACCOUNT\.aws\config

What Are Named Profiles?

Named profiles are a powerful native feature of the AWS CLI credentials system. They allow you to associate specific configuration settings with a profile name, including:

  • AWS access keys for authentication
  • Target AWS account IDs
  • Default AWS regions
  • IAM role assumptions
  • Session configurations

This feature enables seamless switching between different environments without manually managing credentials for each deployment.

Step-by-Step: Configuring AWS Profiles for CDK

Setting Up Basic Credentials with Access Keys

If you’re using AWS Access Keys for authentication, you’ll need to associate your keys with a named profile by editing the AWS CLI credentials file.

Create or edit the credentials file at ~/.aws/credentials (Linux/macOS) or C:\Users\YOUR_ACCOUNT\.aws\credentials (Windows):

# ~/.aws/credentials
[myAwsProfile]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

Configuring Multiple Profiles for Different Environments

To manage multiple environments, simply add additional profile blocks. Here’s an example configuration for development and production environments:

# ~/.aws/credentials
[myAwsProfile]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

[otherAwsProfile]
aws_access_key_id = OTHER_ACCESS_KEY_ID
aws_secret_access_key = OTHER_SECRET_ACCESS_KEY

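Once configured, the same profile names work not only with AWS CDK but also with the AWS CLI (through the same --profile flag) and the AWS SDKs (through the AWS_PROFILE environment variable or the SDK's profile setting), ensuring consistent credential management across all your AWS tools.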

Example CDK deployment commands:

# Deploy to development environment
cdk deploy --profile devProfile

# Deploy to production environment
cdk deploy --profile prodProfile

# Compare stack differences in staging
cdk diff --profile stagingProfile

Advanced AWS Profile Configuration Options

Beyond basic credential management, AWS profiles support advanced configuration options that can significantly enhance your CDK workflow.

Setting Default Regions and Accounts

You can specify additional properties in the AWS config file (~/.aws/config) to set default values for each profile:

# ~/.aws/config
[profile myAwsProfile]
# Sets default AWS region for this profile
region = eu-central-1
# Sets default AWS account ID
account = 123456789012
# Sets default output format
output = json

Reusing Credentials with Source Profiles

The source_profile setting allows you to share credentials across multiple profiles while maintaining different configurations. This is particularly useful when you have one set of credentials but need to deploy to multiple regions or accounts.

# ~/.aws/config
[profile myDevProfile]
source_profile = myAwsProfile
region = us-east-1

[profile myProdProfile]
source_profile = myAwsProfile
region = eu-central-1

With this configuration:

  • Both myDevProfile and myProdProfile use the credentials from myAwsProfile
  • Each profile can have its own region and other settings
  • You can reference either profile using the --profile flag in CDK commands

Enterprise Features: IAM Roles and AWS SSO

For enterprise environments, AWS profiles support additional advanced features:

IAM Role Assumption:

# ~/.aws/config
[profile myAssumedRoleProfile]
role_arn = arn:aws:iam::123456789012:role/MyDeploymentRole
source_profile = myAwsProfile
region = eu-central-1

AWS Single Sign-On (SSO):

# ~/.aws/config
[profile mySSOProfile]
sso_start_url = https://my-company.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = DeploymentRole
region = eu-central-1

For comprehensive details on all available configuration options, refer to the AWS CLI configuration documentation.

Best Practices for Managing AWS CDK Profiles

To maximize the effectiveness of AWS profiles in your CDK workflow, consider these best practices:

  1. Use descriptive profile names that clearly indicate the environment (e.g., company-dev, company-prod)
  2. Keep credentials secure by setting appropriate file permissions (chmod 600 ~/.aws/credentials)
  3. Document your profiles in your team’s documentation or README files
  4. Use separate AWS accounts for production environments to minimize security risks
  5. Leverage IAM roles instead of access keys when possible for enhanced security
  6. Implement AWS SSO for enterprise environments to centralize access management
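
The following check is an added example, not code from the original post. It audits the two files against best practices 2 and 5: it flags credentials/config files that group or others can access and lists profiles that still rely on long-lived access keys rather than role or SSO settings. The function name and the kind labels are assumptions made for this example, and the permission check assumes a POSIX system.

```python
import configparser
import os
import stat


def audit_aws_profiles(credentials_path, config_path):
    """Return (kinds, findings): profile name -> credential kind, plus warnings."""
    kinds, findings = {}, []

    # Best practice 2: only the owner should be able to read these files (POSIX).
    for path in (credentials_path, config_path):
        if os.path.exists(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:
                findings.append(f"{path}: mode {mode:03o} is open to group/others, use chmod 600")

    # Every section of the credentials file is a profile holding keys.
    creds = configparser.RawConfigParser()
    creds.read(credentials_path)
    for name in creds.sections():
        if creds.has_option(name, "aws_access_key_id"):
            temporary = creds.has_option(name, "aws_session_token")
            kinds[name] = "temporary-key" if temporary else "static-key"

    # In the config file, profiles are "[profile NAME]" or "[default]".
    config = configparser.RawConfigParser()
    config.read(config_path)
    for section in config.sections():
        if section != "default" and not section.startswith("profile "):
            continue  # other blocks such as [sso-session ...] are not profiles
        name = section[len("profile "):] if section.startswith("profile ") else section
        if config.has_option(section, "role_arn"):
            kinds[name] = "assume-role"
        elif config.has_option(section, "sso_start_url") or config.has_option(section, "sso_session"):
            kinds[name] = "sso"
        elif config.has_option(section, "aws_access_key_id"):
            kinds[name] = "static-key"
        else:
            kinds.setdefault(name, "settings-only")

    # Best practice 5: flag long-lived access keys stored on disk.
    for name in sorted(n for n, k in kinds.items() if k == "static-key"):
        findings.append(f"profile {name}: long-lived access key on disk, prefer an IAM role or SSO")
    return kinds, findings


if __name__ == "__main__":
    aws_dir = os.path.expanduser("~/.aws")
    _, report = audit_aws_profiles(os.path.join(aws_dir, "credentials"), os.path.join(aws_dir, "config"))
    print("\n".join(report) or "no findings")
```
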

Conclusion

AWS profiles are an essential tool for managing multi-environment CDK deployments efficiently and securely. By leveraging the native capabilities of AWS CLI profiles, you can:

  • Seamlessly switch between environments using the --profile flag
  • Maintain separate credentials for different AWS accounts, regions, or stages
  • Share configurations across teams while keeping credentials secure
  • Scale your infrastructure management as your organization grows

The integration between AWS CDK and AWS CLI profiles provides a robust, production-ready solution for credential management that works consistently across the entire AWS ecosystem. Whether you’re deploying a simple application or managing complex multi-account architectures, mastering AWS profiles will significantly improve your infrastructure deployment workflow.

Ready to implement AWS CDK in your projects? Start by configuring your first profile and experience the convenience of streamlined multi-environment deployments.
