Authentication and access credentials for the AWS CLI
You must establish how the AWS CLI authenticates with AWS when you develop with AWS services. To configure credentials for programmatic access for the AWS CLI, choose one of the following options. The options are in order of recommendation.
Which user needs programmatic access? | Purpose | Instructions |
---|---|---|
Workforce identity (AWS IAM Identity Center users) |
(Recommended)Use short-term credentials. | Configuring IAM Identity Center authentication with the AWS CLI |
IAM | Use short-term credentials. | Authenticating with short-term credentials for the AWS CLI |
IAM
or Workforce identity (AWS IAM Identity Center users) |
Use Amazon EC2 instance metadata for credentials. | Using Amazon EC2 instance metadata as credentials in the AWS CLI |
IAM
or Workforce identity (AWS IAM Identity Center users) |
Pair another credential method and assume a role for permissions. | Using an IAM role in the AWS CLI |
IAM | (Not recommended) Use long-term credentials. | Authenticating using IAM user credentials for the AWS CLI |
IAM
or Workforce identity (AWS IAM Identity Center users) |
(Not recommended) Pair another credential method but use credential values stored in a location outside of the AWS CLI. | Sourcing credentials with an external process in the AWS CLI |
Configuration and credential precedence
Credentials and configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. Certain authentication take precedence over others. The AWS CLI authentication settings take precedence in the following order:
-
Command line options – Overrides settings in any other location, such as the
--region
,--output
, and--profile
parameters. -
Environment variables – You can store values in your system's environment variables.
-
Assume role – Assume the permissions of an IAM role through configuration or the
aws sts assume-role
command. -
Assume role with web identity – Assume the permissions of an IAM role using web identity through configuration or the
aws sts assume-role
command. -
AWS IAM Identity Center – The IAM Identity Center configuration settings stored in the
config
file are updated when you run theaws configure sso
command. Credentials are then authenticated when you run theaws sso login
command. Theconfig
file is located at~/.aws/config
on Linux or macOS, or atC:\Users\
on Windows.USERNAME
\.aws\config -
Credentials file – The
credentials
andconfig
file are updated when you run the commandaws configure
. Thecredentials
file is located at~/.aws/credentials
on Linux or macOS, or atC:\Users\
on Windows.USERNAME
\.aws\credentials -
Custom process – Get your credentials from an external source.
-
Configuration file – The
credentials
andconfig
file are updated when you run the commandaws configure
. Theconfig
file is located at~/.aws/config
on Linux or macOS, or atC:\Users\
on Windows.USERNAME
\.aws\config -
Container credentials – You can associate an IAM role with each of your Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary credentials for that role are then available to that task's containers. For more information, see IAM Roles for Tasks in the Amazon Elastic Container Service Developer Guide.
-
Amazon EC2 instance profile credentials – You can associate an IAM role with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide and Using Instance Profiles in the IAM User Guide.