To access AWS services programmatically, most of us have been running aws configure, which stores a long-term access key ID and secret access key (for the root user, an IAM user, or a federated user) in plaintext on the local machine.
That is a standing risk: a long-term key that is not rotated regularly stays valid for anyone who copies it off the disk.
aws login is a new AWS Command Line Interface (CLI) command that obtains temporary credentials through your browser, using the same sign-in you already use for the AWS Management Console, so no long-term key has to be stored locally.
Prerequisites:
- Install the AWS CLI: aws login requires AWS CLI version 2.32.0 or later. To install or update the AWS CLI, follow the AWS CLI installation guide.
To verify the installed version, run aws --version
- The SignInLocalDevelopmentAccess managed policy must be attached to the IAM user or role you sign in as (for the root user, no additional permissions are required)
aws login:
Now run aws login from your command line. It opens your default browser; follow the prompts in the browser for the next steps.
Note: If you have not set a default AWS Region yet, the CLI prompts you for one.
Command:
aws login
- In the browser, if you are not already signed in to the AWS Management Console, click "Continue with Root or IAM User" and sign in to your account.
- If you are already signed in to the AWS Management Console, you will see "Continue with an active session"; select your account and continue.
That's all, pretty simple! You can now proceed with running AWS CLI commands.
If you work with multiple accounts or roles, aws login supports switching between them with the --profile parameter (the profile name is one defined in your AWS CLI configuration):
aws login --profile <profile name>
Example: aws login --profile my-admin-role or aws login --profile my-dev-role
NOTE: the IAM user or role behind the profile must have the SignInLocalDevelopmentAccess policy attached (the root user has this access by default)
aws login also supports other options, such as --remote. This option is helpful when the device running the AWS CLI has no browser or cannot open one (for example, a Linux machine with only terminal access), so the browser step is completed from another device:
aws login --remote
Once you have authenticated, verify which identity you are now using by running
aws sts get-caller-identity
or, for a named profile,
aws sts get-caller-identity --profile <profile name>
After verifying everything, you can run AWS CLI commands.
Example:
aws s3 ls
and also with --profile parameter
aws s3 ls --profile my-dev-role
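The procedure above (version check, aws login with a profile, then get-caller-identity) as one preflight script. This is an added example, not code from the original post or from AWS: main() drives the real CLI, while the parsing and identity checks are pure functions that also run offline against the constructed sample outputs below. The sample version line and identity JSON are constructed, not captured from a live account; the expected account ID and role name are whatever you pass in; refusing the root user is this script's own policy, not a requirement of aws login.

```python
"""Preflight around `aws login`: check the CLI version, sign in with a
profile, then confirm which identity the profile actually resolves to.
Added example, not code from the original post or from AWS."""
import json
import re
import shutil
import subprocess
import sys

MIN_CLI_VERSION = (2, 32, 0)  # first AWS CLI version with `aws login`

# Constructed sample outputs shaped like the real CLI's output (not captured
# from a live account).
SAMPLE_VERSION_LINE = "aws-cli/2.32.0 Python/3.12.6 Linux/6.8.0-45-generic exe/x86_64"
SAMPLE_IDENTITY_JSON = """{
    "UserId": "AROAEXAMPLEROLEID:alice",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/my-dev-role/alice"
}"""


def parse_cli_version(version_output):
    """Return (major, minor, patch) parsed from `aws --version` output."""
    m = re.search(r"aws-cli/(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError(f"unrecognised aws --version output: {version_output!r}")
    return tuple(int(x) for x in m.groups())


def cli_supports_login(version_output):
    """Compare as integer tuples: as strings, "2.9.0" > "2.32.0" would wrongly pass."""
    return parse_cli_version(version_output) >= MIN_CLI_VERSION


def check_identity(identity_json, expected_account, expected_role=None):
    """Validate `aws sts get-caller-identity` JSON against what the profile
    is supposed to be. Returns (ok, detail). Refusing the root user is this
    script's policy, not something aws login requires."""
    ident = json.loads(identity_json)
    account = ident.get("Account")
    arn = ident.get("Arn", "")
    if account != expected_account:
        return False, f"account {account} does not match expected {expected_account}"
    if arn.endswith(":root"):
        return False, f"{arn} is the root user; sign in with an IAM role for CLI work"
    if expected_role is not None and f":assumed-role/{expected_role}/" not in arn:
        return False, f"{arn} is not a session of role {expected_role}"
    return True, arn


def main(profile, expected_account, expected_role=None):
    if shutil.which("aws") is None:
        sys.exit("aws CLI not found on PATH")
    ver = subprocess.run(["aws", "--version"], capture_output=True, text=True, check=True)
    ver_text = ver.stdout + ver.stderr  # CLI v1 printed its version to stderr
    if not cli_supports_login(ver_text):
        sys.exit(f"{ver_text.strip()} is older than 2.32.0; update the AWS CLI first")
    # Interactive: opens the browser for the sign-in step.
    subprocess.run(["aws", "login", "--profile", profile], check=True)
    who = subprocess.run(
        ["aws", "sts", "get-caller-identity", "--profile", profile, "--output", "json"],
        capture_output=True, text=True, check=True,
    )
    ok, detail = check_identity(who.stdout, expected_account, expected_role)
    if not ok:
        sys.exit(f"refusing to continue: {detail}")
    print(f"profile {profile} is {detail}")


if __name__ == "__main__":
    # usage: python preflight.py <profile> <expected-account-id> [expected-role-name]
    if len(sys.argv) < 3:
        sys.exit(__doc__)
    main(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None)
```

The point of check_identity is the multi-profile case: with several profiles configured, it is easy to run aws s3 ls against the wrong account, so the script pins each profile to the account and role it is supposed to resolve to before any other command runs.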
OAuth 2.0 authorization:
The aws login command uses the OAuth 2.0 authorization code flow with PKCE (Proof Key for Code Exchange). PKCE does not stop an attacker from seeing the authorization code in the browser redirect; it stops them from using it, because the token request must also present the code_verifier that only the CLI process holds, and the server checks it against the code_challenge sent at the start of the flow.
The SignInLocalDevelopmentAccess managed policy grants two actions:
signin:AuthorizeOAuth2Access: allows you to authorize a local development tool.
signin:CreateOAuth2Token: allows generation of the short-term security tokens needed for command line interface (CLI) access.
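PKCE as described above, worked through end to end. This is an added example, not code from the AWS CLI or from AWS's sign-in service: the ToyAuthServer class is a stand-in for the authorization server, and the real AWS endpoints and parameter names are not on the page and are not modelled here. The verifier/challenge pair is the published test vector from RFC 7636 Appendix B, so the derivation can be checked against the standard.

```python
"""PKCE (RFC 7636) as used by the authorization code flow behind `aws login`,
demonstrated against a toy authorization server. Added example, not code from
the AWS CLI or from AWS's sign-in service; the real endpoints and parameter
names are not modelled here."""
import base64
import hashlib
import secrets

# Test vector from RFC 7636, Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url(data):
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes=32):
    """High-entropy verifier; 32 random bytes give 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge(verifier):
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthServer:
    """Stand-in for the authorization server: remembers the challenge bound
    to each authorization code and enforces it on the token request."""

    def __init__(self):
        self._pending = {}  # authorization code -> (code_challenge, method)

    def authorize(self, challenge, method="S256"):
        # Browser leg: the client sends code_challenge; the server issues an
        # authorization code that travels back through the browser redirect.
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (challenge, method)
        return code

    def token(self, code, verifier):
        # Back-channel leg: the client presents code + code_verifier; the
        # server recomputes the challenge and compares in constant time.
        entry = self._pending.get(code)
        if entry is None:
            return None  # unknown or already redeemed code
        challenge, method = entry
        if method != "S256" or not secrets.compare_digest(code_challenge(verifier), challenge):
            return None  # invalid_grant: verifier does not match the challenge
        del self._pending[code]  # a code is single use
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def pkce_flow_demo():
    """Honest client vs an attacker who captured only the redirect (the code)."""
    server = ToyAuthServer()
    verifier = new_code_verifier()  # never leaves the CLI process
    code = server.authorize(code_challenge(verifier))
    results = {}
    # Attacker saw the code in the redirect but has no verifier to go with it.
    results["attacker_with_stolen_code"] = server.token(code, new_code_verifier())
    # Honest client redeems the code with the matching verifier.
    results["honest_client"] = server.token(code, verifier)
    # Replaying the redeemed code, even with the right verifier, is rejected.
    results["attacker_replay"] = server.token(code, verifier)
    return results


if __name__ == "__main__":
    assert code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE
    for name, outcome in pkce_flow_demo().items():
        print(f"{name}: {'token issued' if outcome else 'rejected'}")
```

Two things the demo makes concrete: the challenge goes through the browser and may be observed, but it is a one-way hash, so observing it does not yield the verifier; and the code alone is worthless to whoever captures the redirect, which is the property the page credits PKCE with.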
Federated Sign-in:
If you use federated sign-in through your organization's Identity Provider:
- Your browser lets you choose your active IAM role session (if you have already signed in to the AWS Management Console), and you can switch between up to 5 active AWS sessions (if multi-session support is enabled).
Whichever console sign-in method you use, the short-term credentials issued by aws login are rotated automatically by the AWS CLI, the AWS SDKs and AWS Tools for PowerShell every 15 minutes (you can set the maximum session duration to 12 hours).
- aws login can be used with the AWS CLI, the AWS Software Development Kits (AWS SDKs) and AWS Tools for PowerShell.
For more information about aws login, see the AWS documentation and the official AWS blog post.
That's all for this one! Thank you!