This is the AWS CDK v2 Developer Guide. The older CDK v1 entered maintenance on June 1, 2022 and ended support on June 1, 2023.

Configure security credentials for the AWS CDK CLI

When you use the AWS Cloud Development Kit (AWS CDK) to develop applications in your local environment, you will primarily use the AWS CDK Command Line Interface (AWS CDK CLI) to interact with AWS. For example, you can use the CDK CLI to deploy your application or to delete your resources from your AWS environment.

To use the CDK CLI to interact with AWS, you must configure security credentials on your local machine. This lets AWS know who you are and what permissions you have.

To learn more about security credentials, see AWS security credentials in the IAM User Guide.

Prerequisites

Configuring security credentials is part of the getting started process. Complete all prerequisites and previous steps at Getting started with the AWS CDK.

How to configure security credentials

How you configure security credentials depends on how you or your organization manages users. Whether you use AWS Identity and Access Management (IAM) or AWS IAM Identity Center, we recommend that you use the AWS Command Line Interface (AWS CLI) to configure and manage security credentials for the CDK CLI. This includes using AWS CLI commands like aws configure to configure security credentials on your local machine. However, you can use alternative methods such as manually updating your config and credentials files, or setting environment variables.

For guidance on configuring security credentials using the AWS CLI, along with information on configuration and credential precedence when using different methods, see Authentication and access credentials in the AWS Command Line Interface User Guide. The CDK CLI follows the same configuration and credential precedence as the AWS CLI. The --profile command line option takes precedence over environment variables. If you have both the AWS_PROFILE and CDK_DEFAULT_PROFILE environment variables configured, the AWS_PROFILE environment variable takes precedence.

If you configure multiple profiles, you can use the CDK CLI --profile option with any command to specify the profile from your credentials and config files to use for authentication. If you don't provide --profile, the default profile will be used.

If you prefer to quickly configure basic settings, including security credentials, see Set up the AWS CLI in the AWS Command Line Interface User Guide.

Once you’ve configured security credentials on your local machine, you can use the CDK CLI to interact with AWS.

Configure and manage security credentials for IAM Identity Center users

IAM Identity Center users can authenticate with IAM Identity Center or manually by using short-term credentials.

Authenticate with IAM Identity Center to generate short-term credentials

You can configure the AWS CLI to authenticate with IAM Identity Center. This is the recommended approach for configuring security credentials for IAM Identity Center users. IAM Identity Center users can use the AWS CLI aws configure sso wizard to configure an IAM Identity Center profile and sso-session, which are stored in the config file on your local machine. For instructions, see Configure the AWS CLI to use AWS IAM Identity Center in the AWS Command Line Interface User Guide.

Next, you can use the AWS CLI aws sso login command to request refreshed credentials. You can also use this command to switch profiles. For instructions, see Use an IAM Identity Center named profile in the AWS Command Line Interface User Guide.

Once authenticated, you can use the CDK CLI to interact with AWS for the duration of your session. For an example, see Example: Authenticate with IAM Identity Center automatic token refresh for use with the AWS CDK CLI.

Manually configure short-term credentials

As an alternative to using the AWS CLI and authenticating with IAM Identity Center, IAM Identity Center users can obtain short-term credentials from the AWS Management Console and manually configure the credentials and config files on their local machine. Once configured, you can use the CDK CLI to interact with AWS until your credentials expire. For instructions, see Authenticate with short-term credentials in the AWS Command Line Interface User Guide.

Configure and manage security credentials for IAM users

IAM users can use an IAM role or IAM user credentials with the CDK CLI.

Use an IAM role to configure short-term credentials

IAM users can assume IAM roles to gain additional (or different) permissions. For IAM users, this is the recommended approach since it provides short-term credentials.

First, the IAM role and user’s permission to assume the role must be configured. This is typically performed by an administrator using the AWS Management Console or AWS CLI. Then, the IAM user can use the AWS CLI to assume the role and configure short-term credentials on their local machine. For instructions, see Use an IAM role in the AWS CLI in the AWS Command Line Interface User Guide.

Use IAM user credentials

Warning

To avoid security risks, we don’t recommend using IAM user credentials since they provide long-term access. If you must use long-term credentials, we recommend that you update access keys as an IAM security best practice.

IAM users can obtain access keys from the AWS Management Console. You can then use the AWS CLI to configure long-term credentials on your local machine. For instructions, see Authenticate with IAM user credentials in the AWS Command Line Interface User Guide.
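
A pre-deploy check that combines the profile precedence described under "How to configure security credentials" with the warning above, as an added example that is not part of the AWS guide: it resolves which profile a cdk command line selects and reports whether that profile stores long-term keys in the shared credentials file. The function names, profile names and key values are constructed, and accepting the --profile=value spelling is an assumption.

```shell
# Added example, not AWS code. Profile names and key values are constructed.
# Print "<profile> <source>" for a cdk command line, per the precedence above.
resolve_cdk_profile() (
  profile=""
  while [ "$#" -gt 0 ]; do
    case "$1" in
      --profile=*) profile="${1#--profile=}" ;;
      --profile)   if [ "$#" -ge 2 ]; then profile="$2"; shift; fi ;;
    esac
    shift
  done
  if   [ -n "$profile" ];                 then echo "$profile --profile"
  elif [ -n "${AWS_PROFILE:-}" ];         then echo "$AWS_PROFILE AWS_PROFILE"
  elif [ -n "${CDK_DEFAULT_PROFILE:-}" ]; then echo "$CDK_DEFAULT_PROFILE CDK_DEFAULT_PROFILE"
  else echo "default default"; fi
)

# Classify profile $2 in shared credentials file $1: "long-term" (access key,
# no aws_session_token), "short-term" (key plus token), or "none" (no static
# keys stored, for example an SSO or role profile).
credential_kind() (
  awk -v want="$2" '
    /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); in_p = ($0 == want); next }
    in_p && /^[ \t]*aws_access_key_id[ \t]*=/ { key = 1 }
    in_p && /^[ \t]*aws_session_token[ \t]*=/ { tok = 1 }
    END { print (key ? (tok ? "short-term" : "long-term") : "none") }
  ' "$1"
)

# Report the selection; exit status is non-zero for long-term keys.
cdk_preflight() (
  file="$1"; shift
  resolved=$(resolve_cdk_profile "$@")
  name=${resolved% *}; kind=$(credential_kind "$file" "$name")
  echo "profile=$name source=${resolved##* } credentials=$kind"
  [ "$kind" != "long-term" ]
)

# Constructed sample credentials file for trying the functions offline.
write_sample_credentials() {
  cat > "$1" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-secret
[dev-temp]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-secret
aws_session_token = constructed-token
EOF
}
```

Pass the credentials file path followed by the cdk arguments, for example cdk_preflight ~/.aws/credentials deploy --profile default. Keys supplied through environment variables are not inspected.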

Additional information

To learn about the different ways that you can sign in to AWS, depending on the type of user you are, see What is AWS Sign-In? in the AWS Sign-In User Guide.

For reference information when using AWS SDKs and tools, including the AWS CLI, see the AWS SDKs and Tools Reference Guide.