How To Suppress Shared AWS Credentials In Development-mode App

- 1 answer

In order to use the aws command-line tool, I have aws credentials stored in ~/.aws/credentials.

When I run my app locally, I want it to require the correct IAM permissions for the app; I want it to read these permissions from environment variables.

What has happened is that even without those environment variables defined - even without the permissions defined - my app allows calls to aws which should not be allowed, because it's running on a system with developer credentials.

How can I run my app on my system (not in a container), without blowing away the credentials I need for the aws command-line, but have the app ignore those credentials? I've tried setting the AWS_PROFILE environment variable to a non-existent value in my start script but that did not help.

Answer

I like to use named profiles, and run 2 sets of credentials, e.g. DEV and PROD.

When you want to run the production profile, run export AWS_PROFILE=PROD

Then return to the DEV credentials in the same way.

The trick here is to have no default credentials at all, and only use named profiles. Remove the credentials named default in the credentials file, and replace them with only the named profiles.

See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
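
The effect of removing the default profile, as an added example that is not part of the original answer: a start-up guard that parses a credentials file and reports whether an app launched without its own environment variables could still reach developer keys. The sample file contents, the function names and the simplified lookup order (environment keys, then the profile named by AWS_PROFILE, else "default") are assumptions made for illustration; real SDK credential chains consult further sources.

```python
import configparser

KEY_FIELDS = ("aws_access_key_id", "aws_secret_access_key")

# Constructed sample files; key values are placeholders, not real credentials.
BEFORE = """
[default]
aws_access_key_id = EXAMPLE-DEV-KEY-ID
aws_secret_access_key = EXAMPLE-DEV-SECRET
[PROD]
aws_access_key_id = EXAMPLE-PROD-KEY-ID
aws_secret_access_key = EXAMPLE-PROD-SECRET
"""
AFTER = BEFORE.replace("[default]", "[DEV]")  # default renamed to a named profile


def profiles_with_keys(ini_text):
    """Return the names of profiles in a credentials file that hold a key pair."""
    parser = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    parser.read_string(ini_text)
    return {s for s in parser.sections()
            if all(parser.has_option(s, f) for f in KEY_FIELDS)}


def resolve_source(ini_text, env):
    """Simplified model (assumption): environment keys win, then the profile
    named by AWS_PROFILE, else the profile called "default"."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment"
    name = env.get("AWS_PROFILE") or "default"
    return f"profile:{name}" if name in profiles_with_keys(ini_text) else None


def start_guard(ini_text, env):
    """Return problems that would let the app run on developer credentials."""
    problems = []
    source = resolve_source(ini_text, env)
    if source and source != "environment":
        problems.append(f"app would pick up {source} from the shared credentials file")
    return problems


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, start_guard(text, {}) or "no file credentials reachable")
```
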

source: stackoverflow.com