The right way to authenticate in AWS in 2026. Goodbye access keys, hello temporary credentials.
The problem with access keys
For years, the "normal" way to use the AWS CLI was:
aws configure
# Access Key: AKIAIOSFODNN7EXAMPLE
# Secret Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCY...
Problems:
- Credentials never expire (until you delete them manually)
- If you push them to Git by mistake → serious security breach
- Each dev has different credentials → hard to manage
- When someone leaves the company, you have to delete their keys manually
AWS no longer recommends this method for humans.
The solution: IAM Identity Center (SSO)
Previously called "AWS SSO". It's the recommended method since 2022 and the standard in 2026.
Advantages:
- Temporary credentials (expire automatically every 8-12 hours)
- Single login for multiple AWS accounts
- Integration with identity providers (Google Workspace, Okta, Azure AD)
- Built-in MFA
- When someone leaves, they lose access automatically
Prerequisites
- AWS CLI v2 (v1 doesn't support SSO)
- An AWS account with admin permissions (for initial setup)
- Browser for login
Setup: Step by step
1. Enable IAM Identity Center
In AWS Console:
- Go to: IAM Identity Center
- Click "Enable" (there is no cost)
- Confirm the region (recommended: us-east-1 or your primary region)
AWS will automatically create the necessary infrastructure.
2. Choose identity source
You have 3 options:
Option A: IAM Identity Center directory (for general purposes)
- AWS creates its own directory
- You manage users directly in AWS
Option B: Active Directory (for companies with on-premise AD)
- Connects with an existing AD
- Users and groups sync automatically
Option C: External Identity Provider (most common in companies)
- Google Workspace, Okta, Azure AD, etc.
- True Single Sign-On
- Ideal for: teams already using an IdP
For this guide, we'll use Option A (simplest).
3. Create first user
Using IAM Identity Center directory:
- IAM Identity Center → Users → Add user
- Fill in:
Username: ed.developer
Email: ed@example.com
First name: Ed
Last name: Dev
Display name: Ed Developer
- Click Add user
- An activation link will be sent by email
Activate user:
- Open the email
- Click the link
- Create a password
- Set up MFA (recommended: authenticator app like Google Authenticator)
4. Create a group
Best practice: assign permissions to groups, not individual users.
- IAM Identity Center → Groups → Create group
- Name: Developers
- Description: Development team with PowerUser access
- Click Create group
- Add users to group → select the user → Add users
5. Assign permissions
- IAM Identity Center → AWS accounts
- Select your AWS account
- Click Assign users or groups
- Tab Groups → select Developers
- Click Next
- Permission sets → select PowerUserAccess (allows almost everything except IAM)
- For full admin: AdministratorAccess
- For readonly: ViewOnlyAccess
- Click Next → Submit
The process takes 1-2 minutes to apply.
6. Get SSO Start URL
The "SSO Start URL" is the gateway to AWS.
- IAM Identity Center → Dashboard
- Copy the AWS access portal URL
- It looks like:
https://d-9067xxxxxx.awsapps.com/start
Configure AWS CLI with SSO
Install AWS CLI v2
Configure SSO profile
aws configure sso
It will ask:
SSO session name (Recommended): my-sso
- A name for the session
- Examples: work, personal, company-name
SSO start URL: https://d-9067xxxxxx.awsapps.com/start
- The one generated from the Dashboard
SSO region: us-east-1
- The region where IAM Identity Center was enabled
SSO registration scopes: (Enter for default)
- Leave the default:
sso:account:access
The browser will open → authorize access → available AWS accounts will be shown.
Select:
- AWS account: the account to use (12-digit ID)
- IAM role: PowerUserAccess
Back in the terminal:
CLI default client Region: us-east-1
- Region for resources
CLI default output format: json
- Options: json, yaml, text, table
CLI profile name: dev
- Profile name
- Examples: dev, work, personal, default
Done! The profile is configured.
Using SSO day to day
Login
# First time or when credentials expire
aws sso login --profile dev
The browser opens, you log in (with MFA if applicable), and you're done.
Credentials valid for ~8 hours. When they expire, run aws sso login again.
Running commands
Option 1: Specify profile in each command
aws s3 ls --profile dev
aws lambda list-functions --profile dev
Option 2: Set default profile for the session
export AWS_PROFILE=dev
aws s3 ls
aws lambda list-functions
Verify credentials
aws sts get-caller-identity --profile dev
# Output:
# {
# "UserId": "AROAXXXXX:ed.developer",
# "Account": "123456789012",
# "Arn": "arn:aws:sts::123456789012:assumed-role/..."
# }
Logout
aws sso logout --profile dev
Multiple profiles (work + personal)
You can have several profiles configured:
# Configure work profile
aws configure sso
# ... follow wizard, name profile: work
# Configure personal profile
aws configure sso
# ... follow wizard, name profile: personal
# Use each one
aws s3 ls --profile work
aws s3 ls --profile personal
# Or switch between them
export AWS_PROFILE=work
aws s3 ls
export AWS_PROFILE=personal
aws s3 ls
View configuration
Profiles are stored in ~/.aws/config:
cat ~/.aws/config
It looks like this:
[profile dev]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = PowerUserAccess
region = us-east-1
output = json
[sso-session my-sso]
sso_start_url = https://d-9067xxxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
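As an added example (not part of the original post), a small audit over the files just shown: it lists every profile in ~/.aws/config and ~/.aws/credentials, says whether it still relies on a static access key or on an SSO session, and shows the account and permission set for SSO profiles. It assumes the INI layout above ([profile x], [x], [sso-session x] sections).

```shell
#!/usr/bin/env sh
# Added example (not part of the original post): audit the AWS CLI profile files and
# report, per profile, whether it relies on an SSO session or on a static access key,
# plus the account and permission set for SSO profiles. Assumes the ~/.aws/config and
# ~/.aws/credentials INI layout shown above (sections [profile x], [x], [sso-session x]).
aws_profile_audit() {
  # Keep only readable files, so a missing credentials file is not an error
  for f in "$@"; do
    shift
    [ -r "$f" ] && set -- "$@" "$f"
  done
  [ $# -gt 0 ] || return 1
  awk '
    function val(line) {            # the value part of a "key = value" line
      sub(/^[^=]*=[[:space:]]*/, "", line); sub(/[[:space:]]+$/, "", line); return line
    }
    /^\[/ {                         # section header -> profile name
      name = $0
      sub(/^\[profile /, "", name); sub(/^\[/, "", name); sub(/]$/, "", name)
      next
    }
    name == "" || name ~ /^sso-session / { next }   # skip [sso-session] blocks
    /^[[:space:]]*[A-Za-z_]+[[:space:]]*=/                 { seen[name] = 1 }
    /^[[:space:]]*(sso_session|sso_start_url)[[:space:]]*=/ { sso[name] = 1 }
    /^[[:space:]]*aws_access_key_id[[:space:]]*=/          { key[name] = 1 }
    /^[[:space:]]*sso_account_id[[:space:]]*=/             { acct[name] = val($0) }
    /^[[:space:]]*sso_role_name[[:space:]]*=/              { role[name] = val($0) }
    END {
      for (p in seen) {
        mode = (p in key) ? "static-key" : ((p in sso) ? "sso" : "none")
        print p "\t" mode "\t" ((p in acct) ? acct[p] : "-") "\t" ((p in role) ? role[p] : "-")
      }
    }
  ' "$@" | sort
}

# Run against the real files; one line per profile: name, mode, account, role
aws_profile_audit "$HOME/.aws/config" "$HOME/.aws/credentials" || echo "no profile files found" >&2
```

Any line reporting static-key is a profile that should be migrated to aws configure sso, and the role column makes it easy to spot who still holds AdministratorAccess.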
Common troubleshooting
Error: "Token has expired"
# Solution: Login again
aws sso login --profile dev
Error: "No credentials"
# Check that the profile exists
cat ~/.aws/config
# Make sure to specify the profile
aws s3 ls --profile dev
# Or set it as default
export AWS_PROFILE=dev
Browser doesn't open
# Use device code flow (manual)
aws configure sso --use-device-code
It will generate a code to enter manually in the browser.
"Profile not found"
# List profiles
aws configure list-profiles
# Reconfigure the profile
aws configure sso
Credentials expire too fast
This is normal and intended: AWS rotates credentials every 8-12 hours.
Tip: Create an alias:
# In .bashrc or .zshrc
alias awsl='aws sso login --profile dev'
# Now just:
awsl
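A step beyond the alias, as an added example that is not from the original post: a helper that checks the CLI's cached SSO token and runs aws sso login only when it is missing or expired, so the "Token has expired" error above is dealt with before a command fails. The cache file location and the expiresAt field are assumptions about AWS CLI v2, and my-sso is the session name used in this guide.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): run "aws sso login" only when the cached
# SSO token is missing or expired, instead of logging in before every session.
# Assumption: AWS CLI v2 keeps the token for an sso_session at
# ~/.aws/sso/cache/<sha1 of the session name>.json, holding "accessToken" and an
# "expiresAt" timestamp in UTC ("2026-01-01T10:00:00Z"; older releases wrote "...UTC").

# Cache file path for an sso-session name (sha1sum on Linux, shasum on macOS)
sso_cache_file() {
  digest=$(printf '%s' "$1" |
    { command -v sha1sum >/dev/null 2>&1 && sha1sum || shasum; } | cut -d' ' -f1)
  printf '%s/.aws/sso/cache/%s.json\n' "$HOME" "$digest"
}

# Print the expiresAt value of a cache file (no jq needed: it is a plain JSON string)
sso_cache_expires_at() {
  sed -n 's/.*"expiresAt"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Exit 0 if cache file $1 holds an access token still valid at UTC time $2
# ($2 in %Y-%m-%dT%H:%M:%SZ form, so the fixed-width strings compare in time order)
sso_token_valid() {
  [ -r "$1" ] || return 1
  # Client-registration cache files also carry "expiresAt"; only token files count
  grep -q '"accessToken"' "$1" || return 1
  expires=$(sso_cache_expires_at "$1" | sed 's/UTC$/Z/')
  [ -n "$expires" ] || return 1
  awk -v t="$expires" -v n="$2" 'BEGIN { exit !(t > n) }'
}

# Log in for a profile only if its session token is gone or expired
aws_sso_ensure() {
  profile=$1
  session=${2:-my-sso}   # the sso_session name from ~/.aws/config
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  if sso_token_valid "$(sso_cache_file "$session")" "$now"; then
    return 0
  fi
  echo "SSO token for session '$session' missing or expired, logging in..." >&2
  aws sso login --profile "$profile"
}
```

Source it from .bashrc or .zshrc and point the alias at it (alias awsl='aws_sso_ensure dev my-sso') to skip the browser round-trip while the token is still good.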
When to use access keys
Only in these cases:
1. CI/CD pipelines
GitHub Actions, GitLab CI, Jenkins, etc.
# GitHub Actions example
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-east-1
2. Serverless applications
Lambdas, ECS containers → use IAM roles, not access keys.
Best Practices
- Always use SSO for humans
- MFA enabled in IAM Identity Center
- Least privilege: assign only the necessary permissions
- Groups, not users: permissions at the group level
- Audit access: review logs in CloudTrail
- Don't share access keys between people
- Don't use root account for daily tasks
Quick reference commands
# SSO Login
aws sso login --profile dev
# Verify identity
aws sts get-caller-identity --profile dev
# List profiles
aws configure list-profiles
# View profile configuration
aws configure list --profile dev
# Set default profile for current session
export AWS_PROFILE=dev
# Logout
aws sso logout --profile dev
# Reconfigure profile
aws configure sso
Advanced configuration
Profile with different roles
# In ~/.aws/config
[profile dev]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = PowerUserAccess
region = us-east-1
[profile dev-readonly]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = ViewOnlyAccess
region = us-east-1
[profile prod]
sso_session = my-sso
sso_account_id = 222222222222
sso_role_name = ReadOnlyAccess
region = us-east-1
Resources
- IAM Identity Center User Guide
- AWS CLI SSO Configuration
- IAM Security Best Practices
- AWS Organizations
TL;DR:
- Enable IAM Identity Center
- Create user/group
- Assign permissions (PowerUserAccess)
- aws configure sso
- aws sso login --profile dev
- Profit
Access keys only for CI/CD. For everything else: SSO.