Configure tool authentication with AWS - AWS Tools for PowerShell

Configure tool authentication with AWS

You must establish how your code authenticates with AWS when developing with AWS services. There are different ways in which you can configure programmatic access to AWS resources, depending on the environment and the AWS access available to you.

To see various methods of authentication for the Tools for PowerShell, see Authentication and access in the AWS SDKs and Tools Reference Guide.

This topic assumes that a new user is developing locally, has not been given a method of authentication by their employer, and will be using AWS IAM Identity Center to obtain temporary credentials. If your environment doesn't fall under these assumptions, some of the information in this topic might not apply to you, or some of the information might have already been given to you.

Configuring this environment requires several steps, which are summarized as follows:

Enable and configure IAM Identity Center

To use AWS IAM Identity Center, it must first be enabled and configured. To see details about how to do this for PowerShell, look at Step 1 in the topic for IAM Identity Center authentication in the AWS SDKs and Tools Reference Guide. Specifically, follow any necessary instructions under I do not have established access through IAM Identity Center.

Configure the Tools for PowerShell to use IAM Identity Center

Information about how to configure the Tools for PowerShell to use IAM Identity Center is in Step 2 in the topic for IAM Identity Center authentication in the AWS SDKs and Tools Reference Guide. After you complete this configuration, your system should contain the following elements:

  • The AWS CLI, which you use to start an AWS access portal session before you run your application.

  • The shared AWS config file that contains a [default] profile with a set of configuration values that can be referenced from the Tools for PowerShell. To find the location of this file, see Location of the shared files in the AWS SDKs and Tools Reference Guide. The Tools for PowerShell uses the profile's SSO token provider to acquire credentials before sending requests to AWS. The sso_role_name value, which is an IAM role connected to an IAM Identity Center permission set, should allow access to the AWS services used in your application.

    The following sample config file shows a default profile set up with SSO token provider. The profile's sso_session setting refers to the named sso-session section. The sso-session section contains settings to initiate an AWS access portal session.

    [default]
    sso_session = my-sso
    sso_account_id = 111122223333
    sso_role_name = SampleRole
    region = us-east-1
    output = json

    [sso-session my-sso]
    sso_region = us-east-1
    sso_start_url = https://provided-domain.awsapps.com/start
    sso_registration_scopes = sso:account:access

Important

Your PowerShell session must have the following modules installed and imported so that SSO resolution can work:

  • AWS.Tools.SSO

  • AWS.Tools.SSOOIDC

If you don't have these modules, you will get an error similar to the following: "Assembly AWSSDK.SSOOIDC could not be found...".

Start an AWS access portal session

Before running commands that access AWS services, you need an active AWS access portal session so that the Tools for Windows PowerShell can use IAM Identity Center authentication to resolve credentials. Depending on your configured session lengths, your access will eventually expire and the Tools for Windows PowerShell will encounter an authentication error. To sign in to the AWS access portal, run the following command in the AWS CLI.

aws sso login

Since you have a default profile set up, you do not need to call the command with a --profile option. If your SSO token provider configuration uses a named profile, the command is aws sso login --profile named-profile.

To test if you already have an active session, run the following AWS CLI command.

aws sts get-caller-identity

The response to this command should report the IAM Identity Center account and permission set configured in the shared config file.

Note

If you already have an active AWS access portal session and run aws sso login, you will not be required to provide credentials.

The sign-in process might prompt you to allow the AWS CLI access to your data. Because the AWS CLI is built on top of the SDK for Python, permission messages may contain variations of the botocore name.

Example

The following is an example of how to use IAM Identity Center with the Tools for PowerShell. It assumes the following:

  • You have enabled IAM Identity Center and configured it as described previously in this topic. The SSO properties are in the [default] profile.

  • When you log in through the AWS CLI by using aws sso login, that user has at least read-only permissions for Amazon S3.

  • Some S3 buckets are available for that user to view.

Use the following PowerShell commands to display a list of the S3 buckets:

Install-Module AWS.Tools.Installer
Install-AWSToolsModule S3, SSO, SSOOIDC

# Since we're not invoking a cmdlet from these modules directly,
# we must import them explicitly
Import-Module AWS.Tools.SSO
Import-Module AWS.Tools.SSOOIDC

# AWS Tools for PowerShell doesn't support the SSO login flow yet, so login with the CLI
aws sso login

# Now we can invoke cmdlets using the SSO profile
Get-S3Bucket
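The following script is an added example, not part of the AWS documentation: it wraps the steps above so that an expired or missing access portal session is detected with aws sts get-caller-identity and renewed with aws sso login before any cmdlet runs, and it accepts a named profile instead of [default]. It assumes the AWS CLI is on PATH, the modules from the previous block are already installed, and the function names Test-AwsPortalSession and Connect-AwsPortalSession are the author's own.

```powershell
# Added example (not from the AWS documentation). Assumes the AWS CLI is installed
# and the SSO profile is configured in the shared config file as shown above.
param(
    # Use a named profile if your SSO settings are not in the [default] profile.
    [string] $ProfileName = 'default'
)

# These modules are needed for SSO token resolution. They are imported explicitly
# because no cmdlet from them is invoked directly (see the Important note above).
Import-Module AWS.Tools.SSO
Import-Module AWS.Tools.SSOOIDC
Import-Module AWS.Tools.S3

function Test-AwsPortalSession {
    param([string] $Profile)
    # The CLI exits non-zero when the SSO token for the profile is missing or expired.
    $null = aws sts get-caller-identity --profile $Profile 2>$null
    return ($LASTEXITCODE -eq 0)
}

function Connect-AwsPortalSession {
    param([string] $Profile)
    if (Test-AwsPortalSession -Profile $Profile) {
        Write-Host "Access portal session for profile '$Profile' is active."
        return
    }
    # No active session: the CLI runs the browser sign-in flow for this profile.
    aws sso login --profile $Profile
    if (-not (Test-AwsPortalSession -Profile $Profile)) {
        throw "aws sso login did not produce an active session for profile '$Profile'."
    }
}

Connect-AwsPortalSession -Profile $ProfileName

# Credentials are now resolved through the profile's SSO token provider,
# so the cmdlet only needs to be told which profile to use.
Get-S3Bucket -ProfileName $ProfileName |
    Select-Object BucketName, CreationDate |
    Format-Table -AutoSize
```

Run it as .\List-Buckets.ps1 -ProfileName my-profile when your SSO settings live in a named profile; with no argument it uses [default], matching the example above.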

Additional information