AgentSkillsCN

aws-profile-management

在执行任何 Terraform 或 AWS 操作之前,务必先验证凭证是否正确、配置是否生效。此举可有效避免跨环境操作带来的意外风险。

SKILL.md
--- frontmatter
name: aws-profile-management
description: Use before any Terraform or AWS operation to verify correct credentials and profile are active. Prevents cross-environment accidents.

AWS Profile Management

Overview

Credential mistakes are one of the most common causes of infrastructure accidents. This skill ensures the correct AWS profile is active before any operation.

Announce at start: "I'm using the aws-profile-management skill to verify credentials."

Pre-Operation Verification

Step 1: Check Current Identity

bash
# Get current identity
aws sts get-caller-identity

Expected output includes:

  • Account: AWS account ID
  • Arn: IAM user/role ARN
  • UserId: User or assumed role ID

Step 2: Match to Environment

EnvironmentExpected AccountExpected Role Pattern
dev123456789012-dev-, -developer-
staging234567890123-staging-, -deploy-
prod345678901234-prod-, -admin-

STOP if account doesn't match expected environment.

Step 3: Check Credential Expiry

For assumed roles:

bash
# Check remaining session time
aws sts get-caller-identity 2>&1 | grep -i expir || echo "Credentials valid"

For SSO:

bash
# Check SSO session
aws sso list-accounts 2>&1 || echo "Check SSO login status"

Profile Switching

Using Named Profiles

bash
# List available profiles
aws configure list-profiles

# Set profile for session
export AWS_PROFILE=production

# Or use inline
AWS_PROFILE=production terraform plan

Using AWS SSO

bash
# Login to SSO
aws sso login --profile production

# Verify login
aws sts get-caller-identity --profile production

Using Assume Role

bash
# Assume role and export credentials
eval $(aws sts assume-role \
  --role-arn arn:aws:iam::ACCOUNT:role/ROLE_NAME \
  --role-session-name terraform-session \
  --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
  --output text | \
  awk '{print "export AWS_ACCESS_KEY_ID="$1"\nexport AWS_SECRET_ACCESS_KEY="$2"\nexport AWS_SESSION_TOKEN="$3}')

# Verify
aws sts get-caller-identity

Environment Detection

From Directory Structure

code
environments/
├── dev/
├── staging/
└── prod/
bash
# Detect environment from path
ENV=$(basename "$(pwd)")
echo "Detected environment: $ENV"

From Terraform Backend

bash
# Check backend configuration
grep -A 10 'backend' *.tf | grep -E 'bucket|key|workspace'

From Workspace

bash
# Check Terraform workspace
terraform workspace show

Safety Checks

Pre-Operation Checklist

Before any Terraform or AWS operation:

  1. Identity Verified

    • Account ID matches environment
    • Role/user is appropriate
    • Credentials not expired
  2. Environment Confirmed

    • Directory matches expected environment
    • Backend configuration is correct
    • No conflicting env vars set
  3. Permission Verified

    • Role has required permissions
    • No unexpected permission errors expected

Red Flags - STOP Immediately

ConditionAction
Account ID doesn't match environmentSTOP - wrong account!
Role seems too permissive for taskVerify with user
Credentials expiredRe-authenticate
Multiple AWS_* env vars setClear and use profile
Unknown account IDVerify before proceeding

Common Issues

Wrong Account Active

Symptoms:

  • Terraform can't find expected resources
  • Plan shows creating resources that exist
  • Permission denied for expected resources

Solution:

bash
# Clear any env vars
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

# Set correct profile
export AWS_PROFILE=correct_profile

# Verify
aws sts get-caller-identity

Expired Credentials

Symptoms:

  • "ExpiredToken" errors
  • "credentials have expired" messages

Solution:

bash
# For SSO
aws sso login --profile your_profile

# For assumed role
# Re-run assume-role command

Conflicting Configurations

Symptoms:

  • Unexpected account appearing
  • Operations in wrong region

Solution:

bash
# Check all credential sources
echo "Profile: $AWS_PROFILE"
echo "Access Key set: ${AWS_ACCESS_KEY_ID:+yes}"
echo "Default region: $AWS_DEFAULT_REGION"
aws configure list

Integration with Other Skills

This skill should be invoked before:

  • terraform-plan-review
  • terraform-drift-detection
  • terraform-state-operations
  • Any AWS CLI operations

The profile verification output should be included in analysis reports to confirm correct environment.