Before you can run a single aws s3 command, two things need to be in place: the CLI installed on your machine, and credentials configured so that AWS knows who you are.
This post covers both, the CLI and the credentials, on macOS, Linux and Windows, and uses IAM Identity Center (formerly AWS SSO) for authentication. That means short-lived, automatically refreshed credentials instead of long-lived access keys stored in a plain-text file on your disk.
Why IAM Identity Center instead of aws configure?
The classic aws configure flow writes a ~/.aws/credentials file containing a permanent access key pair (aws_access_key_id and aws_secret_access_key, the same values the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables carry). Those keys never expire on their own. If they leak through a committed .env file, a misconfigured S3 bucket, or a compromised machine, they keep working until someone notices and deletes or rotates them, so the window of exposure is unlimited.
IAM Identity Center issues short-lived session tokens instead. When the session expires, the credentials stop working. You re-authenticate through your browser, and a fresh token is cached locally. It is a fundamentally safer model, and it is what AWS now recommends as the default for developer access.
Prerequisite: Your AWS account must have IAM Identity Center enabled. If you are working with a personal account, you can enable it in the IAM Identity Center console. If you are at a company, your AWS administrator will give you a start URL and the name of your permission set.
You can find the link for the IAM Identity Center in the bottom left corner of the IAM page:
Step 1 — Install AWS CLI v2
macOS
The recommended approach for macOS is Homebrew. It keeps the binary on your PATH without any manual symlinking, and brew upgrade awscli takes care of updates.
brew install awscli
If you prefer the official .pkg installer instead:
curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
sudo installer -pkg AWSCLIV2.pkg -target /
Linux (x86_64)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
For ARM64 (e.g. AWS Graviton, Raspberry Pi):
curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
If `unzip` is not installed: `sudo apt install unzip` (Debian/Ubuntu), `sudo yum install unzip` (Amazon Linux 2/CentOS/RHEL 7) or `sudo dnf install unzip` (Amazon Linux 2023/Fedora/RHEL 8+).
Windows
Open PowerShell as Administrator and run:
Invoke-WebRequest -Uri "https://awscli.amazonaws.com/AWSCLIV2.msi" -OutFile "AWSCLIV2.msi"
msiexec.exe /i AWSCLIV2.msi /quiet
Alternatively, download and run the .msi installer manually from https://awscli.amazonaws.com/AWSCLIV2.msi.
Verify the installation
On all three platforms:
aws --version
Expected output (version numbers and platform details will vary):
aws-cli/2.27.41 Python/3.11.6 Linux/6.1.0 botocore/2.0.0
If the command is not found, restart your terminal. On Windows, open a new PowerShell or Command Prompt window.
⚠️ WARNING: `aws configure sso` only works with AWS CLI v2. If `aws --version` shows `aws-cli/1.x.x`, you are on v1 and need to upgrade before continuing.
Step 2 — Gather your IAM Identity Center details
You need two values before running the setup wizard:
| Value | Where to find it |
|---|---|
| SSO Start URL | IAM Identity Center console → Dashboard → Settings summary → AWS access portal URL (the https://d-xxxxxxxxxx.awsapps.com/start link; not the Issuer URL, which is a different identifier) — or ask your AWS admin |
| SSO Region | The AWS region where IAM Identity Center is enabled (e.g. eu-west-1) |
You can also find both by signing in to your AWS access portal, selecting your permission set, clicking Access keys, and choosing the IAM Identity Center credentials tab.
Step 3 — Configure a profile with aws configure sso
Run the interactive wizard:
aws configure sso
You will be prompted for the following. Use the values you gathered above:
SSO session name (Recommended): my-dev-session
SSO start URL [None]: https://d-xxxxxxxxxx.awsapps.com/start
SSO region [None]: eu-west-1
SSO registration scopes [sso:account:access]: sso:account:access
The CLI will open your browser to complete authentication. Once authorised, it returns to the terminal and asks for a few more values:
AWS account ID: 123456789012
Role name: PowerUserAccess
CLI default client Region [None]: eu-west-1
CLI default output format [None]: json
CLI profile name [PowerUserAccess-123456789012]: my-dev-profile
You can use the region you want. I am using eu-west-1 as I am based in Ireland. Do not leave it blank: without a configured region, most commands fail with "You must specify a region" until you set one.
The profile name is what you will pass to every --profile flag. Pick something short and descriptive — dev, personal, or work are all fine.
What gets written to your config file
The wizard creates two entries in ~/.aws/config (macOS/Linux) or %USERPROFILE%\.aws\config (Windows):
[sso-session my-dev-session]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
[profile my-dev-profile]
sso_session = my-dev-session
sso_account_id = 123456789012
sso_role_name = PowerUserAccess
region = eu-west-1
output = json
Notice there are no access keys anywhere in this file. The access token obtained at login is cached under ~/.aws/sso/cache/, and the temporary role credentials the CLI derives from it are cached under ~/.aws/cli/cache/. Both caches are plain JSON bearer credentials: anyone who copies the files can use them until they expire, so keep them owner-readable only (mode 600) and treat a stolen laptop as a reason to sign out of all sessions in the access portal.
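As an added check, not part of the original post, the following script audits an AWS CLI setup for the points made above: it confirms the installed CLI is v2, lists any section of config or credentials that still carries a static aws_access_key_id, lists the profiles wired to an sso-session block, and flags cached token files whose mode is not 600. It assumes a POSIX shell with awk, sed, find and sort; the directory argument and the OK/WARN labels are my own conventions, and running it against a copy of ~/.aws is fine.

```bash
#!/usr/bin/env bash
# Audit an AWS CLI setup that is meant to rely on IAM Identity Center.
# Added example, not from the original post. Assumes sh/bash with awk, sed,
# find and sort; paths are parameters so it can run against a copy of ~/.aws.
set -eu

# aws_cli_is_v2 "<output of aws --version>"  ->  exit 0 for CLI v2, 1 otherwise
aws_cli_is_v2() {
    local major
    major="$(printf '%s' "$1" | sed -n 's#^aws-cli/\([0-9][0-9]*\)\..*#\1#p')"
    [ "$major" = "2" ]
}

# sections_with_key FILE KEY  ->  prints each INI section of FILE that sets KEY
sections_with_key() {
    local file="$1" key="$2"
    [ -f "$file" ] || return 0
    awk -v key="$key" '
        /^[[:space:]]*\[/ {                 # section header: [profile x] / [default]
            line = $0
            sub(/^[[:space:]]*\[/, "", line)
            sub(/[]].*$/, "", line)
            section = line; next
        }
        $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") && section != "" { print section }
    ' "$file"
}

# static_key_profiles CONFIG CREDENTIALS  ->  sections carrying a long-lived key
# (the CLI accepts aws_access_key_id in either file, so both are checked)
static_key_profiles() {
    { sections_with_key "$1" aws_access_key_id
      sections_with_key "$2" aws_access_key_id; } | sort -u
}

# sso_profiles CONFIG  ->  profile names wired to an sso-session block
sso_profiles() {
    sections_with_key "$1" sso_session | sed 's/^profile //' | sort -u
}

# insecure_cache_files DIR  ->  cached tokens/credentials whose mode is not 600
insecure_cache_files() {
    [ -d "$1" ] || return 0
    find "$1" -type f ! -perm 600
}

# audit AWS_DIR  ->  prints one OK/WARN line per check; never aborts
audit() {
    local dir="$1" version keys sso loose
    version="$(aws --version 2>/dev/null || true)"
    if aws_cli_is_v2 "$version"; then echo "OK   CLI v2: $version"
    else echo "WARN AWS CLI v2 not found (aws configure sso needs v2): '${version:-not installed}'"; fi

    keys="$(static_key_profiles "$dir/config" "$dir/credentials")"
    if [ -z "$keys" ]; then echo "OK   no long-lived access keys on disk"
    else printf '%s\n' "$keys" | while IFS= read -r s; do echo "WARN long-lived access key in [$s]"; done; fi

    sso="$(sso_profiles "$dir/config")"
    if [ -n "$sso" ]; then echo "OK   SSO profiles: $(printf '%s' "$sso" | tr '\n' ' ')"
    else echo "WARN no profile in $dir/config uses an sso-session block"; fi

    loose="$(insecure_cache_files "$dir/sso/cache"; insecure_cache_files "$dir/cli/cache")"
    if [ -z "$loose" ]; then echo "OK   token cache files are mode 600"
    else printf '%s\n' "$loose" | while IFS= read -r f; do echo "WARN $f is not mode 600; chmod 600 it"; done; fi
}

audit "${1:-${HOME:-}/.aws}"
```

Run it as `bash aws-audit.sh` (or `bash aws-audit.sh /path/to/copy-of-.aws`). A WARN for a static key in `[default]` is the classic aws configure leftover this post is trying to get you away from; delete the key pair in IAM after confirming nothing else depends on it.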
Step 4 — Log in and verify
Log in to start a session:
aws sso login --profile my-dev-profile
Your browser opens, you approve the request, and the CLI caches a short-lived token locally. Then verify the profile is working:
aws sts get-caller-identity --profile my-dev-profile
Expected output:
{
"UserId": "AROA...:user@example.com",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/PowerUserAccess/user@example.com"
}
If you see your account ID and role name, you are fully configured.
Step 5 — Set a default profile (optional but useful)
Passing --profile my-dev-profile to every command gets repetitive. Export it as an environment variable for your current session:
# macOS / Linux
export AWS_PROFILE=my-dev-profile
# Windows PowerShell
$env:AWS_PROFILE = "my-dev-profile"
To make it permanent, add the export line to your ~/.zshrc, ~/.bashrc, or PowerShell profile.
Now you can run commands without the flag:
aws s3 ls
aws sts get-caller-identity
Day-to-day workflow
Once everything is set up, your daily routine is just two commands:
# Start your working session
aws sso login --profile my-dev-profile
# When you are done
aws sso logout
Sessions expire automatically. Two timers are involved: the access portal session (8 hours by default, adjustable by your administrator), and the permission set's session duration (1 hour by default, up to 12 hours), which governs the temporary role credentials the CLI derives from the cached access token. The CLI refreshes the role credentials silently for as long as the access token is valid; once the access token itself expires mid-session, commands fail with a token error and you re-run aws sso login.
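To see how long the cached access token has left without making an API call, here is an added example (not from the original post) that reads the expiresAt field of each file in ~/.aws/sso/cache/ and compares it with the current UTC time. It assumes the cache files are the JSON documents the CLI writes there, with expiresAt in the form 2025-01-01T12:00:00Z; it reports on the access token only, not on the shorter-lived role credentials, and needs just sed, tr and date.

```bash
#!/usr/bin/env bash
# Report whether each cached IAM Identity Center token is still valid, offline.
# Added example, not from the original post. Assumes the JSON files the CLI
# writes under ~/.aws/sso/cache/ carry an "expiresAt" field in UTC ISO 8601
# form ("2025-01-01T12:00:00Z"). Only sed, tr and date are required.
set -eu

# json_field FILE NAME  ->  value of the top-level string field NAME (first match)
json_field() {
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# iso_digits "2025-06-01T09:30:00Z"  ->  20250601093000
# Same fixed-width layout on both sides, so the digits compare as integers.
iso_digits() { printf '%s' "$1" | tr -cd '0-9'; }

# token_is_valid FILE [NOW_ISO]  ->  exit 0 while expiresAt lies after NOW
# (NOW defaults to the current UTC time; a file without expiresAt counts as expired)
token_is_valid() {
    local exp now="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    exp="$(json_field "$1" expiresAt)"
    [ -n "$exp" ] && [ "$(iso_digits "$now")" -lt "$(iso_digits "$exp")" ]
}

# sso_cache_report DIR [NOW_ISO]  ->  "VALID|EXPIRED <expiresAt> <file>" per token
sso_cache_report() {
    local f status
    for f in "$1"/*.json; do
        [ -f "$f" ] || continue
        if token_is_valid "$f" "${2:-}"; then status=VALID; else status=EXPIRED; fi
        printf '%s %s %s\n' "$status" "$(json_field "$f" expiresAt)" "$f"
    done
}

sso_cache_report "${1:-${HOME:-}/.aws/sso/cache}"
```

An EXPIRED line is the offline equivalent of the "Error when retrieving token from sso" message below: run aws sso login again. Stale files are harmless but worth deleting, since an attacker who finds them cannot tell they are dead without trying them.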
Troubleshooting
aws: command not found after install
Restart your terminal. On macOS, run brew doctor to check your PATH. On Linux, confirm /usr/local/bin is in your $PATH.
Browser does not open on login
Run with the device code fallback:
aws sso login --profile my-dev-profile --use-device-code
The CLI will print a URL and a code — open the URL manually and enter the code.
Error when retrieving token from sso
Your cached token has expired. Re-run aws sso login --profile my-dev-profile.
AccessDenied on a command
Your permission set may not include the IAM action you are calling. Check the permissions attached to your IAM Identity Center permission set, or ask your AWS admin. The previous post in this series covers exactly how to map CLI commands to the IAM actions they require.
Key takeaways
- AWS CLI v2 is required for `aws configure sso` (v1 will not work).
- IAM Identity Center issues short-lived tokens. There are no long-lived keys stored on disk.
- The `sso-session` block in `~/.aws/config` handles token refresh automatically.
- The `AWS_PROFILE` environment variable saves you from typing `--profile` on every command.
- `aws sts get-caller-identity` is your fastest way to confirm a profile is working.
Previous in this series: AWS IAM Demystified — Map Every S3 CLI Command to Its Exact Permission