Deploy AWS CDK to Different Environments Using Profiles
When using AWS CDK it is very common to deploy your application (or better CDK stacks) to multiple environments. Those can either be stages (dev, test, prod), tenants or other. Depending on your environment you will find different strategies applied for segregation these environments for example (list is not exhaustive):
- AWS accounts,
- AWS regions,
- IAM user (& access key) or
- IAM roles.
When starting with AWS CDK, the available methods for managing access to multiple environments might not come to one naturally. Therefore it is very helpful to know how capabilities of AWS CLI can be leveraged for this task. So lets first check what CDK CLI has offer.
Referencing profiles with AWS CDK
With AWS CDK you can specify a profile when deploying, destroying or diffing IaC applications by using the --profile flag.
cdk deploy --profile myAwsProfile
The command above will look for a profile with the name myAwsProfile in configuration of your AWS CLI installation usually under ~/.aws/config on Linux/MacOS or C:\Users\YOUR_ACCOUNT\.aws\config.
So what is this profile exactly? Named profiles are a native feature to the AWS CLI credentials configuration. It allows to configure specific settings to a named profile as access keys, aws accounts, regions and more. So let’s check how this profile can be configured.
Configure Profile in AWS CLI
Assuming you use AWS Access Keys to access your environment you can associate keys with a profile by editing the AWS CLI credentials file:
# ~/.aws/credentials
[myAwsProfile]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
You need to add another profile and key? Just add another block.
# ~/.aws/credentials
[myAwsProfile]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
[otherAwsProfile]
aws_access_key_id = OTHER_ACCESS_KEY_ID
aws_secret_access_key = OTHER_SECRET_ACCESS_KEY
Now we can use the --profile flag when using cdk. They can be used with AWS CLI and AWS SDK as well.
More advanced configurations
If you need some more advanced properties set as AWS regions or accounts you can specify them in the separate configuration file as follows:
# ~/.aws/config
[profile myAwsProfile]
region = eu-central-1 # sets default region for profile
account = 12356546 # sets default account for profile
If you want to use a profile’s access credentials for multiple profiles you can use the source_profile setting to reference it.
# ~/.aws/config
[profile myDevProfile]
source_profile = myAwsProfile
[profile myProdProfile]
source_profile = myAwsProfile
The above configuration will provide two different profiles which can be referenced using the --profile flag. Still both will use the credentials set for myAwsProfile.
There are also some more advanced features available like setting IAM roles or SSO domains. Check the AWS documentation for further readings.
Conclusion
Using profiles is very helpful when developing and deploying AWS CDK applications. The built-in features of AWS CLI and CDK are very handy for this task and allow to associate profiles with credentials and additional settings.