All posts
September 13, 20251 min read

Temporary Production Access with AWS CLI-Style Profiles

That’s why temporary production access with AWS CLI-style profiles isn’t a luxury. It’s a necessity. Permanent credentials are a liability. Static keys get leaked. Long-lived sessions get abused. The safe way is short-lived, scoped, auditable access — and to make it effortless for engineers to do the right thing. AWS CLI-style profiles make switching credentials quick and natural. You can define each set of keys in ~/.aws/config, then target them with --profile. But for high-stakes environments

Free White Paper

Customer Support Access to Production + Temporary Project-Based Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

That’s why temporary production access with AWS CLI-style profiles isn’t a luxury. It’s a necessity. Permanent credentials are a liability. Static keys get leaked. Long-lived sessions get abused. The safe way is short-lived, scoped, auditable access — and to make it effortless for engineers to do the right thing.

AWS CLI-style profiles make switching credentials quick and natural. You can define each set of keys in ~/.aws/config, then target them with --profile. But for high-stakes environments like production, use them with temporary security credentials from AWS STS. This gives you an expiring profile mapped to a trusted role. No leftover keys. No lingering attack surface.

A common pattern:

  • One profile per environment.
  • Dev and staging can use static credentials.
  • Production uses profiles generated dynamically by aws sts assume-role.
  • MFA enforced for every switch to production.

Example profile in ~/.aws/config:

[profile prod-temp]
role_arn = arn:aws:iam::123456789012:role/ProductionAccessRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/your-mfa-device

You run:

Continue reading? Get the full guide.

Customer Support Access to Production + Temporary Project-Based Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
aws sts assume-role --profile default --role-arn arn:aws:iam::123456789012:role/ProductionAccessRole --role-session-name temp-session

Or, use tooling that does it in one line, stores nothing permanent, and rotates automatically. The important part: your prod-temp profile only lives for the session’s duration. Once it expires, access is gone.

Layer in IAM policies to lock the role down to the minimum privileges needed. Add CloudTrail logging for visibility. Make MFA non-optional. Build friction for bad actors, not for your team.

Temporary production access via AWS CLI-style profiles closes the gap between fast workflows and safe practices. It simplifies compliance, reduces human error, and keeps your most valuable environment out of reach until the moment it’s actually needed.

You can see this pattern, live, in minutes with Hoop.dev — a platform that gives you instant, secure, temporary AWS production access without storing static credentials. Set it up once, trigger on demand, and forget about unsafe keys.

Keep production locked. Keep access fast. And never leave the door open again.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts