AWS just changed how we log in to the CLI — By Saheed Ipaye

I just migrated away from long-term AWS access keys. Took me just 5 minutes.

The Old Way
For years, we've all been doing the same thing: generating IAM access keys, storing them in ~/.aws/credentials, and hoping nobody finds them. Every security audit flagged them. Every developer onboarding session involved that awkward "here's how to store secrets safely" talk.

Then AWS quietly released something that changes everything: aws login

My Migration Story

Step 1: Update AWS CLI
First, I checked my CLI version. Anything below v2.22 won't work:

aws --version

Step 2: Delete Those Permanent Keys
Then came the scary part: deleting my credentials file. I opened ~/.aws/credentials, saw the familiar aws_access_key_id and aws_secret_access_key staring back at me, and just... deleted them:

rm ~/.aws/credentials

I kept my region and output format in the config; you still need those.

Step 3: The Magic Moment
Now here's where it gets good. I typed:

aws login

My browser opened automatically. I signed in with my regular AWS console credentials, the same email and password I use every day. No copying and pasting 40-character strings. No "wait, which key was for which account?" Within seconds, I was authenticated:


You are now logged in as arn:aws:iam::<account-id>:user/your-user
Credentials stored for profile 'default'


Step 4: Verify It Worked
Ran a quick test:

aws sts get-caller-identity

It worked. No access keys in sight. Just clean, secure, temporary tokens doing their job.

What Makes This Better?
The credentials it generates are temporary:

They expire in hours, not years
They auto-rotate every 15 minutes
They live in a secure cache, not a plain text file waiting to be accidentally committed to GitHub

You can check the expiration yourself:

cat ~/.aws/cli/cache/*.json

You'll see something like:

{
  "Credentials": {
    "AccessKeyId": "...",
    "SecretAccessKey": "...",
    "SessionToken": "...",
    "Expiration": "2025-01-01T12:34:56Z"
  }
}
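
Since cat prints the secret key and session token to the terminal, here is a check that reports only expiry, file permissions and key type. It is an added example, not code from the original post; the function names are hypothetical, the cache layout is assumed to match the JSON above, and it relies on AWS's key-ID prefixes (ASIA for temporary STS keys, AKIA for long-term IAM user keys).

```python
import json
import stat
import sys
from datetime import datetime, timezone
from pathlib import Path


def inspect_cache_entry(path, now=None):
    """Summarise one cached-credential JSON file without exposing its secrets."""
    now = now or datetime.now(timezone.utc)
    path = Path(path)
    mode = stat.S_IMODE(path.stat().st_mode)
    creds = json.loads(path.read_text()).get("Credentials", {})
    key_id = creds.get("AccessKeyId", "")
    report = {
        "file": path.name,
        "mode": oct(mode),
        # Any group/other permission bit lets other local users reach the tokens.
        "private": (mode & 0o077) == 0,
        # Temporary credentials carry an ASIA key ID plus a session token.
        "temporary": key_id.startswith("ASIA") and bool(creds.get("SessionToken")),
        "seconds_left": None,
    }
    expiration = creds.get("Expiration")
    if expiration:
        # fromisoformat() before Python 3.11 rejects a trailing "Z"; normalise it.
        expires = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
        report["seconds_left"] = int((expires - now).total_seconds())
    return report


def audit_cache(cache_dir, now=None):
    """Inspect every *.json entry in a cache directory; flag unreadable ones."""
    reports = []
    for path in sorted(Path(cache_dir).glob("*.json")):
        try:
            reports.append(inspect_cache_entry(path, now))
        except (OSError, ValueError, TypeError, AttributeError) as exc:
            reports.append({"file": path.name, "error": type(exc).__name__})
    return reports


if __name__ == "__main__":
    # Default to the cache path used in this post; pass another directory to override.
    cache = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".aws/cli/cache"
    for entry in audit_cache(cache):
        print(entry)
```

A negative seconds_left means the cached entry has already expired; private being False means the file mode should be tightened to 0600.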

The Bottom Line

The entire migration took me 5 minutes. Five minutes to eliminate one of the biggest security headaches in cloud development. If you're still using long-term access keys in 2025, this is your sign:

  1. Update your CLI to v2.22+
  2. Delete those credentials
  3. Run aws login

Your security team will thank you. Your future self will thank you.
And honestly? It just feels better knowing those permanent keys aren't sitting there anymore.
