From 6586238a19a9683a98b4875a2c9a025bdc6e513f Mon Sep 17 00:00:00 2001 From: Anthony O'Brien Date: Fri, 8 Jun 2018 09:45:55 -0400 Subject: [PATCH] Documentation for adding AWS_PROFILE Fixes #94 Signed-off-by: Anthony O'Brien anthony@bearonis.com --- README.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/README.md b/README.md index 18bf7dace..2a207ca64 100644 --- a/README.md +++ b/README.md 
@@ -192,6 +192,53 @@ Some good choices are: The [Vault documentation](https://www.vaultproject.io/docs/auth/aws.html#iam-auth-method) also explains this attack (see `X-Vault-AWS-IAM-Server-ID`). +## Specifying Credentials & Using AWS Profiles +Credentials can be specified for use with `heptio-authenticator-aws` via any of the methods available to the +[AWS SDK for Go](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials). +This includes specifying AWS credentials with enviroment variables or by utilizing a credentials file. + +AWS [named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html) are supported by `heptio-authenticator-aws` +via the `AWS_PROFILE` environment variable. For example, to authenticate with credentials specified in the _dev_ profile the `AWS_PROFILE` can +be exported or specified explictly (e.g., `AWS_PROFILE=dev kubectl get all`). If no `AWS_PROFILE` is set, the _default_ profile is used. + +The `AWS_PROFILE` can also be specified directly in the kubeconfig file +[as part of the `exec` flow](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration). For example, to specify +that credentials from the _dev_ named profile should always be used by `heptio-authenticator-aws`, your kubeconfig would include an `env` +key thats sets the profile: + +```yaml +apiVersion: v1 +clusters: +- cluster: + server: ${server} + certificate-authority-data: ${cert} + name: kubernetes +contexts: +- context: + cluster: kubernetes + user: aws + name: aws +current-context: aws +kind: Config +preferences: {} +users: +- name: aws + user: + exec: + apiVersion: client.authentication.k8s.io/v1alpha1 + command: heptio-authenticator-aws + env: + - name: "AWS_PROFILE" + value: "dev" + args: + - "token" + - "-i" + - "mycluster" +``` + +This method allows the appropriate profile to be used implicitly. 
Note that any environment variables set as part of the `exec` flow will +take precedence over what's already set in your environment. + ## Troubleshooting If your client fails with an error like `could not get token: AccessDenied [...]`, you can try assuming the role with the AWS CLI directly:
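Review bot: three spelling errors in the added prose should be corrected before merge: `enviroment` → `environment` in the first paragraph, `explictly` → `explicitly` in the second, and `key thats sets the profile` → `key that sets the profile` just before the YAML block. The precedence sentence at the end of the hunk is the part of this section a user is most likely to trip over: because `env` entries in the `exec` block override the caller's shell, a kubeconfig that pins `AWS_PROFILE` to `dev` silently ignores an `AWS_PROFILE` the user exported, so someone who expects to switch profiles from the shell should be told that the kubeconfig wins. Consider moving that sentence ahead of the YAML example or adding a short YAML comment beside the `env` entry (e.g. `# overrides AWS_PROFILE from the shell`).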