IAM Identity Center authentication for your SDK or tool
AWS IAM Identity Center is the recommended method of providing AWS credentials when developing on a non-AWS compute service, for example your local development environment. If you are developing on an AWS resource, such as Amazon Elastic Compute Cloud (Amazon EC2) or AWS Cloud9, we recommend getting credentials from that service instead.
In this tutorial, you establish IAM Identity Center access and configure it for your SDK or tool by using the AWS access portal and the AWS CLI.
- The AWS access portal is the web location where you manually sign in to IAM Identity Center. The format of the URL is `d-xxxxxxxxxx.awsapps.com/start` or `your_subdomain.awsapps.com/start`. When signed in to the AWS access portal, you can view the AWS accounts and roles that have been configured for that user. This procedure uses the AWS access portal to get the configuration values you need for the SDK/tool authentication process.
- The AWS CLI is used to configure your SDK or tool to use IAM Identity Center authentication for API calls made by your code. This one-time process updates your shared AWS `config` file, which is then used by your SDK or tool when you run your code.
Configure programmatic access using IAM Identity Center
Step 1: Establish access and select appropriate permission set
If you haven't enabled IAM Identity Center yet, see Enabling IAM Identity Center in the AWS IAM Identity Center User Guide.
Choose one of the following methods to access your AWS credentials.
- Add a user and add administrative permissions by following the Configure user access with the default IAM Identity Center directory procedure in the AWS IAM Identity Center User Guide.
- The `AdministratorAccess` permission set should not be used for regular development. Instead, we recommend using the predefined `PowerUserAccess` permission set, unless your employer has created a custom permission set for this purpose. Follow the same Configure user access with the default IAM Identity Center directory procedure again, but this time:
  - Instead of creating the `Admin team` group, create a `Dev team` group, and substitute this thereafter in the instructions.
  - You can use the existing user, but the user must be added to the new `Dev team` group.
  - Instead of creating the `AdministratorAccess` permission set, create a `PowerUserAccess` permission set, and substitute this thereafter in the instructions.
  When you are done, you should have the following:
  - A `Dev team` group.
  - A `PowerUserAccess` permission set attached to the `Dev team` group.
  - Your user added to the `Dev team` group.
- Exit the portal and sign in again to see your AWS accounts and options for `Administrator` or `PowerUserAccess`. Select `PowerUserAccess` when working with your tool/SDK.
Sign in to AWS through your identity provider's portal. If your Cloud Administrator has granted you `PowerUserAccess` (developer) permissions, you see the AWS accounts that you have access to and your permission set. Next to the name of your permission set, you see options to access the accounts manually or programmatically using that permission set.
Custom implementations might result in different experiences, such as different permission set names. If you're not sure which permission set to use, contact your IT team for help.
Sign in to AWS through the AWS access portal. If your Cloud Administrator has granted you `PowerUserAccess` (developer) permissions, you see the AWS accounts that you have access to and your permission set. Next to the name of your permission set, you see options to access the accounts manually or programmatically using that permission set.
Contact your IT team for help.
Step 2: Configure SDKs and tools to use IAM Identity Center
- On your development machine, install the latest AWS CLI.
  - See Installing or updating the latest version of the AWS CLI in the AWS Command Line Interface User Guide.
  - (Optional) To verify that the AWS CLI is working, open a command prompt and run the `aws --version` command.
- Sign in to the AWS access portal. Your employer may provide this URL, or you may get it in an email following Step 1: Establish access. If not, find your AWS access portal URL on the Dashboard of https://console.aws.amazon.com/singlesignon/.
  - In the AWS access portal, in the Accounts tab, select the individual account to manage. The roles for your user are displayed. Choose Access keys to get credentials for command line or programmatic access for the appropriate permission set. Use the predefined `PowerUserAccess` permission set, or whichever permission set you or your employer has created to apply least-privilege permissions for development.
  - In the Get credentials dialog box, choose either MacOS and Linux or Windows, depending on your operating system.
  - Choose the IAM Identity Center credentials method to get the `Issuer URL` and `SSO Region` values that you need for the next step. Note: `SSO Start URL` can be used interchangeably with `Issuer URL`.
- In the AWS CLI command prompt, run the `aws configure sso` command. When prompted, enter the configuration values that you collected in the previous step. For details on this AWS CLI command, see Configure your profile with the `aws configure sso` wizard.
  - For the prompt `SSO Start URL`, enter the value you obtained for `Issuer URL`.
  - For CLI profile name, we recommend entering `default` when you are getting started. For information about how to set non-default (named) profiles and their associated environment variable, see Profiles.
- (Optional) In the AWS CLI command prompt, confirm the active session identity by running the `aws sts get-caller-identity` command. The response should show the IAM Identity Center permission set that you configured.
- If you are using an AWS SDK, create an application for your SDK in your development environment.
  - For some SDKs, additional packages such as `SSO` and `SSOOIDC` must be added to your application before you can use IAM Identity Center authentication. For details, see your specific SDK.
- If you previously configured access to AWS, review your shared AWS `credentials` file for any AWS access keys. You must remove any static credentials before the SDK or tool will use the IAM Identity Center credentials, because static credentials are found earlier in the credential provider chain; see Understand the credential provider chain precedence.
- For a deep dive into how the SDKs and tools use and refresh credentials using this configuration, see Understand IAM Identity Center authentication.
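The two shared files this procedure leaves behind, checked by an added example that is not part of the AWS documentation: a POSIX shell script that writes constructed `config` and `credentials` samples (the start URL, region, account ID, session name and key pair are placeholders), confirms that the `default` profile resolves to an sso-session with both `sso_start_url` and `sso_region`, and reports any leftover static keys that the provider chain would use ahead of the IAM Identity Center credentials.

```shell
#!/bin/sh
# Added example, not from the AWS docs: check the two shared AWS files Step 2
# leaves behind. Writes constructed samples to a temp dir, confirms the profile
# is wired to an sso-session, and flags static keys that would shadow it.
set -eu
AWS_SAMPLE_DIR=$(mktemp -d)
# Constructed sample of what `aws configure sso` writes for profile "default";
# start URL, region, account ID and session name are placeholders.
cat > "$AWS_SAMPLE_DIR/config" <<'EOF'
[sso-session my-sso]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = us-east-1
[default]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = PowerUserAccess
region = us-east-1
EOF
# Constructed sample of a leftover static key pair from an earlier setup.
cat > "$AWS_SAMPLE_DIR/credentials" <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF
# ini_get FILE SECTION KEY: print KEY's value from [SECTION], or nothing.
ini_get() {
  awk -v s="[$2]" -v k="$3" '
    /^\[/ { in_s = ($0 == s); next }
    in_s && (n = index($0, "=")) > 0 {
      key = substr($0, 1, n - 1); gsub(/[ \t]/, "", key)
      if (key == k) { v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    }' "$1"
}
# profile_uses_sso CONFIG PROFILE: print the sso-session name when PROFILE
# points at a session that has both sso_start_url and sso_region.
profile_uses_sso() {
  sec=$2; [ "$2" = default ] || sec="profile $2"   # config-file section naming
  sess=$(ini_get "$1" "$sec" sso_session)
  [ -n "$sess" ] || return 1
  [ -n "$(ini_get "$1" "sso-session $sess" sso_start_url)" ] || return 1
  [ -n "$(ini_get "$1" "sso-session $sess" sso_region)" ] || return 1
  echo "$sess"
}
# static_key_profiles CREDENTIALS: print each section still holding a static key.
static_key_profiles() {
  [ -f "$1" ] || return 0
  awk '/^\[/ { sec = $0 } /^[ \t]*aws_access_key_id[ \t]*=/ { print sec }' "$1"
}
echo "default profile uses sso-session: $(profile_uses_sso "$AWS_SAMPLE_DIR/config" default)"
echo "static keys still present in: $(static_key_profiles "$AWS_SAMPLE_DIR/credentials")"
```

Point the two functions at your real `~/.aws/config` and `~/.aws/credentials` to run the same checks on your own setup.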
Depending on your configured session lengths, your access will eventually expire and the SDK or tool will encounter an authentication error. To refresh the access portal session again when needed, use the AWS CLI to run the `aws sso login` command.
You can extend both the IAM Identity Center access portal session duration and the permission set session duration. This lengthens the amount of time that you can run code before you need to manually sign in again with the AWS CLI. For more information, see the following topics in the AWS IAM Identity Center User Guide:
- IAM Identity Center session duration – Configure the duration of your users' AWS access portal sessions
- Permission set session duration – Set session duration
For details on all IAM Identity Center provider settings for SDKs and tools, see IAM Identity Center credential provider in this guide.