From devops-skills
Verifies correct AWS credentials and profile before Terraform or AWS operations to prevent cross-environment accidents. Supports SSO login, assume role, and named profile switching.
How this skill is triggered — by the user, by Claude, or both
Slash command
/devops-skills:aws-profile-managementThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Credential mistakes are one of the most common causes of infrastructure accidents. This skill ensures the correct AWS profile is active before any operation.
Credential mistakes are one of the most common causes of infrastructure accidents. This skill ensures the correct AWS profile is active before any operation.
Announce at start: "I'm using the aws-profile-management skill to verify credentials."
# Get current identity
aws sts get-caller-identity
Expected output includes:
| Environment | Expected Account | Expected Role Pattern |
|---|---|---|
| dev | 123456789012 | -dev-, -developer- |
| staging | 234567890123 | -staging-, -deploy- |
| prod | 345678901234 | -prod-, -admin- |
STOP if account doesn't match expected environment.
For assumed roles:
# Check remaining session time
aws sts get-caller-identity 2>&1 | grep -i expir || echo "Credentials valid"
For SSO:
# Check SSO session
aws sso list-accounts 2>&1 || echo "Check SSO login status"
# List available profiles
aws configure list-profiles
# Set profile for session
export AWS_PROFILE=production
# Or use inline
AWS_PROFILE=production terraform plan
# Login to SSO
aws sso login --profile production
# Verify login
aws sts get-caller-identity --profile production
# Assume role and export credentials
eval $(aws sts assume-role \
--role-arn arn:aws:iam::ACCOUNT:role/ROLE_NAME \
--role-session-name terraform-session \
--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
--output text | \
awk '{print "export AWS_ACCESS_KEY_ID="$1"\nexport AWS_SECRET_ACCESS_KEY="$2"\nexport AWS_SESSION_TOKEN="$3}')
# Verify
aws sts get-caller-identity
environments/
├── dev/
├── staging/
└── prod/
# Detect environment from path
ENV=$(basename "$(pwd)")
echo "Detected environment: $ENV"
# Check backend configuration
grep -A 10 'backend' *.tf | grep -E 'bucket|key|workspace'
# Check Terraform workspace
terraform workspace show
Before any Terraform or AWS operation:
Identity Verified
Environment Confirmed
Permission Verified
| Condition | Action |
|---|---|
| Account ID doesn't match environment | STOP - wrong account! |
| Role seems too permissive for task | Verify with user |
| Credentials expired | Re-authenticate |
| Multiple AWS_* env vars set | Clear and use profile |
| Unknown account ID | Verify before proceeding |
Symptoms:
Solution:
# Clear any env vars
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
# Set correct profile
export AWS_PROFILE=correct_profile
# Verify
aws sts get-caller-identity
Symptoms:
Solution:
# For SSO
aws sso login --profile your_profile
# For assumed role
# Re-run assume-role command
Symptoms:
Solution:
# Check all credential sources
echo "Profile: $AWS_PROFILE"
echo "Access Key set: ${AWS_ACCESS_KEY_ID:+yes}"
echo "Default region: $AWS_DEFAULT_REGION"
aws configure list
This skill should be invoked before:
The profile verification output should be included in analysis reports to confirm correct environment.
npx claudepluginhub joshuarweaver/cascade-code-devops-misc-1 --plugin lgbarn-devops-skillsDiscovers active AWS profile, region, and caller identity from local config. Prevents guesswork and SSO-related deployment errors by surfacing context before any AWS operation.
Gets short-term auto-rotating AWS credentials for CLI/SDK access via `aws login`. Activates when AWS operations fail due to missing/expired credentials or on authentication requests.
Queries, audits, and monitors AWS resources via CLI with read-only defaults and safe change proposals requiring confirmation.