aws-profile-management

# AWS Profile Management

## Overview

Credential mistakes are one of the most common causes of infrastructure accidents. This skill ensures the correct AWS profile is active before any operation.

**Announce at start:** "I'm using the aws-profile-management skill to verify credentials."

## Pre-Operation Verification

### Step 1: Check Current Identity

```bash
# Get current identity
aws sts get-caller-identity
```

Expected output includes:
- **Account**: AWS account ID
- **Arn**: IAM user/role ARN
- **UserId**: User or assumed role ID

### Step 2: Match to Environment

| Environment | Expected Account | Expected Role Pattern |
|-------------|------------------|----------------------|
| dev | 123456789012 | *-dev-*, *-developer-* |
| staging | 234567890123 | *-staging-*, *-deploy-* |
| prod | 345678901234 | *-prod-*, *-admin-* |

**STOP** if account doesn't match expected environment.

### Step 3: Check Credential Expiry

For assumed roles:
```bash
# Check remaining session time
aws sts get-caller-identity 2>&1 | grep -i expir || echo "Credentials valid"
```

For SSO:
```bash
# Check SSO session
aws sso list-accounts 2>&1 || echo "Check SSO login status"
```

## Profile Switching

### Using Named Profiles

```bash
# List available profiles
aws configure list-profiles

# Set profile for session
export AWS_PROFILE=production

# Or use inline
AWS_PROFILE=production terraform plan
```

### Using AWS SSO

```bash
# Login to SSO
aws sso login --profile production

# Verify login
aws sts get-caller-identity --profile production
```

### Using Assume Role

```bash
# Assume role and export credentials
eval $(aws sts assume-role \
  --role-arn arn:aws:iam::ACCOUNT:role/ROLE_NAME \
  --role-session-name terraform-session \
  --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
  --output text | \
  awk '{print "export AWS_ACCESS_KEY_ID="$1"\nexport AWS_SECRET_ACCESS_KEY="$2"\nexport AWS_SESSION_TOKEN="$3}')

# Verify
aws sts get-caller-identity
```

## Environm