Configuration

A profile in ck-prism is a named combination of a Prism tenant and a specific AWS role. You create one profile per role you want to use. All profiles are stored in ~/.ck-prism/config.json.

Create Your First Profile

ck-prism configure

You will be prompted for four things:

1. Prism Domain

The base domain of your Prism instance. For most users this is prism.cloudkeeper.com. If your organization uses a custom Prism URL like yourcompany.prism.cloudkeeper.com, enter that instead.

Press Enter to accept the default.

2. Prism Tenant

Your organization's tenant slug, found in your Prism SSO URL. For sso.prism.cloudkeeper.com, the tenant is sso. For yourcompany.prism.cloudkeeper.com, the tenant is yourcompany.

3. AWS Account and Role

ck-prism opens your browser for SSO login, then fetches the AWS roles you have access to. You will be presented with:

A fuzzy-search menu of AWS accounts (start typing to filter).
A second menu listing the roles available to you in the selected account.

Select the account, then the role. Account names are shown alongside IDs when available.

4. Profile Name and Region

ck-prism suggests a default profile name of the form <account_id>-<role_name>. Accept it or enter your own. The profile name is what you will pass to ck-prism login --profile <name> later, and it is also the name that appears in ~/.aws/credentials.

Finally, enter the AWS region you want the profile to default to. Press Enter for us-east-1.

5. Automatic Credential Refresh

ck-prism configure then asks whether to enable automatic credential refresh (credential_process) for the new profile. The default is Yes. When enabled, the AWS CLI and SDKs fetch fresh credentials from ck-prism on demand — you never need to run ck-prism login for this profile again.

You can change this decision later with ck-prism profiles enable-credential-process <name> or ck-prism profiles disable-credential-process <name>. See Usage → Automatic Credential Refresh.

info

The SSO token obtained during configure is cached, so you will not be prompted to open a browser again immediately when you run ck-prism login for the new profile.

On first run, ck-prism configure also installs shell tab-completion for bash or zsh automatically. Restart your terminal once to pick it up, or see Usage → Shell Tab-Completion.

Add More Profiles

Run ck-prism configure again for each additional AWS role you want. If you are creating a second profile on the same Prism tenant (same domain + tenant), you will not be prompted to open the browser again — the existing SSO session is reused.

ck-prism configure   # → profile "production"
ck-prism configure   # → profile "staging"
ck-prism configure   # → profile "rnd-tools"

List Configured Profiles

ck-prism profiles list

Prints each configured profile name, one per line.

Remove a Profile

ck-prism profiles remove             # interactive picker
ck-prism profiles remove production  # by name
ck-prism profiles remove production -y   # skip the confirmation

Removing a profile cleans up:

The entry in ~/.ck-prism/config.json
The cached SSO tokens (if no other profile on the same Prism tenant still needs them)
The matching sections in ~/.aws/credentials and ~/.aws/config

warning

Removal is destructive and not reversible. You will need to re-run ck-prism configure to recreate the profile.

Manual Configuration

If you need to edit profiles by hand — for example, to change the default region or rename a profile — open ~/.ck-prism/config.json. It is a plain JSON file keyed by profile name:

{
  "production": {
    "prism_domain": "prism.cloudkeeper.com",
    "realm": "sso",
    "client_id": "ckauth-cli",
    "region": "us-east-1",
    "output": "json",
    "role_arn": "arn:aws:iam::123456789012:role/CKPrism-Admin,arn:aws:iam::123456789012:saml-provider/CKPrismProvider",
    "account_id": "123456789012",
    "role_name": "CKPrism-Admin"
  }
}

Field	Description
`prism_domain`	Base Prism domain.
`realm`	Prism tenant slug.
`client_id`	OAuth client ID. Leave as `ckauth-cli`.
`region`	Default AWS region for this profile.
`output`	AWS CLI output format (`json`, `text`, `table`).
`role_arn`	Role ARN, optionally followed by `,` and the SAML provider ARN. Written by `configure`.
`account_id`	AWS account ID.
`role_name`	Friendly role name, used in prompts.

After editing, run ck-prism login --profile <name> to pick up the changes.

Next Steps

Usage — Log in and fetch AWS credentials.

Create Your First Profile​

1. Prism Domain​

2. Prism Tenant​

3. AWS Account and Role​

4. Profile Name and Region​

5. Automatic Credential Refresh​

Add More Profiles​

List Configured Profiles​

Remove a Profile​

Manual Configuration​

Next Steps​