DEV Community: Sindhur Teja Dasari

Secure your programmatic access to AWS Services using "aws login" - a new AWS CLI command

Sindhur Teja Dasari — Mon, 15 Dec 2025 17:43:14 +0000

To programmatically access AWS Services, we have all been using aws configure, which saves AWS root/IAM User/Federated user account access key ID and secret access key locally.

Knowingly, this has a risk in saving long-term access key ID and secret access key locally (if not rotated regularly)

aws login - a new AWS Command Line Interface (CLI) command, helps you get temporary credentials from your browser that use your AWS Management Console credentials.

Prerequisites:

Install AWS CLI, you need a minimum AWS CLI Version 2.32.0 or later. To install or update AWS CLI

To verify the AWS CLI version, run the command aws --version

SignInLocalDevelopmentAccess managed policy must be attached to the IAM User or Role (For Root Account, no additional permissions are required)

aws login:
Now, run the command aws login from your command line interface (CLI). It opens your default browser; follow along with the browser for the next steps.

Note: The CLI prompts you to specify the default AWS Region if you have not set it already.

Command:
aws login

In the browser, if you haven't signed in already with your account (AWS Management Console), click on "Continue with Root or IAM User" and login to your account

In the browser, if you have signed in already with your account (AWS Management Console), you can see "Continue with an active session", select your account and continue.

That's all, pretty simple! You can now proceed with running AWS CLI commands.
If you are using multiple accounts and other roles, the aws login command supports switching between these accounts using the --profile parameter to configure aws login --profile <profile name>

Example: aws login --profile my-admin-role OR aws login --profile my-dev-role

NOTE: The AWS IAM User Account must have the policy/permission SignInLocalDevelopmentAccess added (for the Root account, it is added by default)

"aws login" also supports other options like --remote. This option is helpful when the device using AWS CLI does not support a browser or does not have a browser (example: a Linux machine with only terminal access) aws login --remote

Once you have successfully authenticated, you can verify the identity by running the command

aws sts get-caller-identity
OR
aws sts get-caller-identity --profile <profile name>

After verifying everything, you can run AWS CLI commands.

Example:
aws s3 ls

and also with --profile parameter
aws s3 ls --profile my-dev-role

OAuth 2.0 authorization:
aws login command uses OAuth 2.0 authorization code flow with PKCE (Proof Key for Code Exchange), which prevents an authorization code from being intercepted.

SignInLocalDevelopmentAccess managed policy comes with two major actions
signin:AuthorizeOAuth2Access: Allows you to authorize a local development tool.
signin:CreateOAuth2Token: Allows generation of the short-term security tokens needed for command line interface (CLI) access.

Federated Sign-in:

If you are using federated sign-in to authenticate via your organization's Identity Provider:

Your browser allows you to choose your active IAM role session (if you have already signed in to the AWS Management Console), and it allows you to switch between 5 active AWS Sessions (if multi-session support is enabled)

No matter which console sign-in method you select, the short-term credentials issued by the aws login command are automatically rotated by the AWS CLI, AWS SDK's, AWS Tools for Powershell every 15 mins (you can set the maximum session duration to 12 hours)

aws login command can be used with AWS CLI, AWS Software Development Kits (AWS SDKs), AWS Tools

For more information about aws login, check: AWS Documentation and AWS Official Blog Post

That's all for this one! Thank you!

A Simple, Popular Game "2048": Deployed on AWS EKS with Fargate

Sindhur Teja Dasari — Sat, 29 Nov 2025 16:44:23 +0000

What is AWS EKS?

AWS Elastic Kubernetes Service (AWS EKS) is a managed Kubernetes service offered by AWS (Amazon Web Services)

AWS EKS manages the Kubernetes control plane, ensuring the availability, scalability, and security of the Kubernetes control plane.

The Kubernetes Control Plane components include the API Server, etcd, Scheduler, Controller Manager, etc.

To know more about AWS EKS, check AWS Documentation

What is AWS Fargate:

AWS Fargate is a serverless technology that provides on-demand and right-sized compute capacity that allows you to run containers without managing the underlying virtual machines.

To know more about AWS EKS with Fargate, check AWS Documentation

Quick overview on key highlights, benefits of this demo:

The Setup:
Deployed the 2048 game on AWS EKS with Fargate, using Helm to install the AWS Load Balancer Controller, and integrated OIDC Connect provider with EKS for secure service account authentication.

Result:
A production-grade, auto-scaling, highly available, secure application that demonstrates enterprise-level architecture patterns. 🚀

Key Highlights:

✅ Serverless Containers: EKS Fargate eliminated the overhead of managing worker nodes - no patching, no scaling headaches, just pure application focus
✅ Intelligent Load Balancing: Ingress - AWS LB Controller automatically provisions and configures Application Load Balancers, enabling path-based routing
✅ OIDC Integration: Configured IAM OIDC connect provider to enable secure, native AWS IAM authentication for Kubernetes service accounts
✅ Helm-Powered Deployment: Leveraged Helm charts to deploy the AWS Load Balancer
✅ Networking: VPC with private/public subnet isolation

Real Business Benefits:

💰 Cost Efficiency: Pay only for actual usage—no idle servers burning budget
📈 Handles Growth Automatically: Scale seamlessly without manual intervention or additional overhead
🛡️ Security Built-In: Compliance and security policies enforced automatically
🔄 Always Available: Multi-AZ deployment ensures your business stays online, even during failures (can also be implemented in Multi-Region, by deploying separate EKS clusters in different AWS Regions)
🚀 Team Productivity: Infrastructure management is automated — teams can focus on building applications, not maintaining servers
📊 Visibility & Control: Real-time monitoring catches issues before customers are affected

Total Cost for the demo setup: $0.73 (~2.5 Hrs)

Deploying this application reinforced critical lessons about EKS, Fargate, and building resilient, scalable cloud-native systems

Step-by-Step: Deploying “Game-2048” on AWS EKS with Fargate

Prerequisites:

Before proceeding, you will need an AWS Account, the AWS CLI, eksctl, kubectl, and Helm to install and configure.

AWS Account: You need AWS Account https://aws.amazon.com/

AWS CLI: The AWS Command Line Interface (AWS CLI) is an open-source tool by Amazon Web Services that lets users manage AWS services from their terminal. It offers a consistent interface for services like Amazon EC2, S3, IAM, and more others.

To setup and configure AWS CLI, please refer to AWS CLI

eksctl: eksctl is the official command-line interface (CLI) for Amazon EKS that automates and simplifies the creation and management of Amazon Elastic Kubernetes Service clusters

To install the eksctl tool, please refer to check AWS documentation install eksctl

Kubectl: kubectl is the command-line interface (CLI) tool for interacting with and managing Kubernetes clusters. It acts as a client for the Kubernetes API, allowing users to send commands to the cluster's control plane

To install kubectl, please refer to install kubectl
To know more about eksctl and kubectl check AWS documentation

Helm: Helm is a Kubernetes package manager that simplifies application deployment and management. It uses "charts," pre-configured packages with all necessary resources. Helm allows users to define, install, and upgrade applications with one command, ensuring consistency and reducing errors.

To install Helm, refer to install helm

Deployment:

1. Creating EKS Cluster “game-2048-demo” using eksctl

Run-command:

eksctl create cluster --name game-2048-demo --region us-east-1 --fargate

Note: “eksctl” takes care of the resource provisioning using cloudformation templates for AWS EKS. It creates a new VPC with both public and private subnets across multiple Availability Zones, along with a default Fargate profile.

⚠️ WARNING!
Please be informed that you will need to clean up all resources in the last step of this demo, once you have successfully implemented this demo project. You need to delete all the resources created.
Deletion of resources is provided as the last or final step

Review the screenshots below, eksctl creating/deploying the AWS EKS Cluster “game-2048-demo”

Review and confirm the cluster “game-2048-demo” created from AWS management Console as well

2. Update the kubeconfig for kubectl:

Run-command:

aws eks update-kubeconfig --name game-2048-demo --region us-east-1

3. Create a new fargate profile “fgp-game-2048” under a new namespace “game-2048”

Run-command:

eksctl create fargateprofile --cluster game-2048-demo --region us-east-1 --name fgp-game-2048 --namespace game-2048

Creating a new Fargate profile “fgp-game-2048” to deploy the application pods in a new namespace “game-2048.”

4. Deploy the game-2048 application:

Run-command:

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/examples/2048/2048_full.yaml

The file 2048_full.yaml (from the link) has all the required resources (deployment, service, and ingress) configured.

https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/examples/2048/2048_full.yaml

The link is provided by official AWS EKS documentation as an example, to get started with AWS EKS click here

Review the screenshots below, confirming the required resources are created and deployed

To review and confirm the application pods, deployments, service, and ingress are up and running under namespace “game-2048”

Run commands below to verify resources (pods, deployments, service, ingress):

kubectl get pods –n game-2048.

kubectl get deployments –n game-2048.

kubectl get service –n game-2048.

kubectl get ingress –n game-2048.

Note: For ingress, there is no resource created yet at this point, we will create AmazonLoadBalancerController using helm in the upcoming steps

5. Configure IAM Open ID Connect provider (OIDC) for cluster “game-2048-demo”

What is the need for IAM OIDC Provider?

IAM OIDC (OpenID Connect) with AWS EKS refers to the method of granting AWS IAM permissions to Kubernetes service accounts within an Amazon EKS cluster. This allows applications running in EKS pods to securely access AWS resources without requiring the direct storage of long-lived AWS credentials in the pod.

Run-command:

eksctl utils associate-iam-oidc-provider --cluster game-2048-demo --approve

The above command creates and associates an OpenID Connect (OIDC) identity provider with your EKS cluster. This is a foundational step for enabling IAM Roles for Service Accounts (IRSA), which allows Kubernetes pods running in your cluster to securely access AWS services without hardcoded credentials.

6. We will create an IAM role with the necessary permissions for the ALBController to access and create an AWS Application Load Balancer for the “game-2048” application

Download the ALB Controller IAM-Policy

Run-command:

curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json

7. Create the IAM Policy for AWSLoadBalancerController using the IAM policy that we downloaded:

Run-command:

aws iam create-policy --policy-name AWSLoadBalancerControllerIAMPolicy --policy-document file://iam_policy.json

8. We will create an IAM service account that binds an IAM role to a Kubernetes service account, enabling the AWS Load Balancer Controller pod to access AWS ALB resources with least-privilege permissions.

Run-command:

eksctl create iamserviceaccount \
  --cluster=game-2048-demo \
  --namespace=kube-system \
  --name=aws-load-balancer-controller \
  --role-name AmazonEKSLoadBalancerControllerRole \
  --attach-policy-arn=arn:aws:iam::<your-aws-account-id>:policy/AWSLoadBalancerControllerIAMPolicy \
  --approve

What It Does?

Creates a Kubernetes service account named aws-load-balancer-controller in the kube-system namespace
Creates an IAM role named AmazonEKSLoadBalancerControllerRole (if it doesn't exist)
Attaches the IAM policy specified by the ARN to the role, granting Load Balancer Controller permissions
Annotates the service account with the IAM role ARN, establishing the trust relationship
Executes without prompting due to the --approve

9. Deploy the ALB Controller using Helm Charts

You need to add the AWS EKS Helm chart repository with local Helm installation/configuration. It's a prerequisite step before you can search or install charts from AWS.

Run-command:

helm repo add eks https://aws.github.io/eks-charts
helm repo update eks

Install Ingress ALB-Controller using helm:

Run-command:

helm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=game-2048-demo --set serviceAccount.create=false --set serviceAccount.name=aws-load-balancer-controller --set region=us-east-1 --set vpcId=vpc-xxxxxxxxxxxxx

Now, you can verify the ALBController (aws-load-balancer-controller) Pods are up and running under the system namespace “kube-system”

The ALB Controller provisions and configures AWS Application Load Balancers (ALB) in response to Kubernetes resources.

From the below screenshot, you can review that the AWS ALB is provisioned, and the same is reflected under the ingress resource with the ALB DNS name

Now, to test the “game-2048” application. You can copy the AWS Application Load Balancers DNS name (from the AWS managed console or the CLI) as shown above.

Paste the DNS name in a browser (as shown below)

BOOOOOM! Game-2048 is ON!

What's your highest score?😉 Let me know in the comments!

Give a glance at what you have built!

Verify the resources created under the system namespace, i.e. kube-system

Run-commands below:

kubectl get pods –n kube-system

kubectl get deployments –n kube-system

kubectl get service –n kube-system

Verify the resources created under the namespace "game-2048"

Run-commands below:

kubectl get pods –n game-2048

kubectl get deployments –n game-2048

kubectl get service –n game-2048

kubectl get ingress –n game-2048

💡Insights!

Note the difference that the ALBController Pods are created under the system namespace "kube-system", but the Application Load Balancer is created under the namespace "game-2048".

The ALB Controller pods are created under the "kube-system" system namespace; this is by design and as developed by AWS.

Now, as the final step. You need to delete/clean up the AWS EKS Cluster and other resources created in this demo.

Delete the AWS EKS Cluster "game-2048-demo"

Run-command:

eksctl delete cluster --name game-2048-demo --region us-east-1

Review the screenshot below. EKS cluster resources are being deleted or cleaned up

Before you finish, review to ensure that no other resources are missed for cleanup.

That's all for this project demo! HAPPY LEARNING...!

Please share your thoughts and suggestions to improve further.

Grateful to @Abhishek Veeramalla for providing the detailed project demonstration on his YouTube Channel.

DEV Community: Sindhur Teja Dasari

Secure your programmatic access to AWS Services using "aws login" - a new AWS CLI command

A Simple, Popular Game "2048": Deployed on AWS EKS with Fargate

Step-by-Step: Deploying “Game-2048” on AWS EKS with Fargate

BOOOOOM! Game-2048 is ON!

Now, as the final step. You need to delete/clean up the AWS EKS Cluster and other resources created in this demo.

Thank You!