Authenticate using short-term credentials

We recommend configuring your SDK or tool to use IAM Identity Center authentication for your SDK or tool with extended session duration options. However, you can copy and use temporary credentials that are available in the AWS access portal. New credentials will need to be copied when these expire. You can use the temporary credentials in a profile or use them as values for system properties and environment variables.

Best practice: Instead of manually managing access keys and a token in the credentials file, we recommend your application uses temporary credentials delivered from:

An AWS compute service, such as running your application on Amazon Elastic Compute Cloud or in AWS Lambda.
Another option in the credential provider chain, such as IAM Identity Center authentication for your SDK or tool.
Or use the Process credential provider to retrieve temporary credentials.

Set up a credentials file using short-term credentials retrieved from AWS access portal

Create a shared credentials file.

In the credentials file, paste the following placeholder text until you paste in working temporary credentials.


[default]
aws_access_key_id=<value from AWS access portal>
aws_secret_access_key=<value from AWS access portal>
aws_session_token=<value from AWS access portal>

Save the file. The file ~/.aws/credentials should now exist on your local development system. This file contains the [default] profile that the SDK or tool uses if a specific named profile is not specified.
Sign in to the AWS access portal.
Follow these instructions for Manual credential refresh to copy IAM role credentials from the AWS access portal.
1. For step 4 in the linked instructions, choose the IAM role name that grants access for your development needs. This role typically has a name like PowerUserAccess or Developer.
2. For step 7 in the linked instructions, select the Manually add a profile to your AWS credentials file option and copy the contents.

Paste the copied credentials into your local credentials file. The generated profile name is not needed if you are using the default profile. Your file should resemble the following.


[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token=IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE

Save the credentials file.

When the SDK creates a service client, it will access these temporary credentials and use them for each request. The settings for the IAM role chosen in step 5a determine how long the temporary credentials are valid. The maximum duration is twelve hours.

After the temporary credentials expire, repeat steps 4 through 7.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS access keys

Long-term credentials