DevOps help for Cloud Platform Engineers
  • Welcome!
  • Quick Start Guide
  • About Me
  • CV
  • 🧠DevOps & SRE Foundations
    • DevOps Overview
      • Engineering Fundamentals
      • Implementing DevOps Strategy
      • DevOps Readiness Assessment
      • Lifecycle Management
      • The 12 Factor App
      • Design for Self Healing
      • Incident Management Best Practices (2025)
    • SRE Fundamentals
      • Toil Reduction
      • System Simplicity
      • Real-world Scenarios
        • AWS VM Log Monitoring API
    • Agile Development
      • Team Agreements
        • Definition of Done
        • Definition of Ready
        • Team Manifesto
        • Working Agreement
    • Industry Scenarios
      • Finance and Banking
      • Public Sector (UK/EU)
      • Energy Sector Edge Computing
  • DevOps Practices
    • Platform Engineering
    • FinOps
    • Observability
      • Modern Practices
  • 🚀Modern DevOps Practices
    • Infrastructure Testing
    • Modern Development
    • Database DevOps
  • 🛠️Infrastructure as Code (IaC)
    • Terraform
      • Getting Started - Installation and initial setup [BEGINNER]
      • Cloud Integrations - Provider-specific implementations
        • Azure Scenarios
        • AWS Scenarios
        • GCP Scenarios
      • Testing and Validation - Ensuring infrastructure quality
        • Unit Testing
        • Integration Testing
        • End-to-End Testing
        • Terratest Guide
      • Best Practices - Production-ready implementation strategies
        • State Management
        • Security
        • Code Organization
        • Performance
      • Tools & Utilities - Enhancing the Terraform workflow
        • Terraform Docs
        • TFLint
        • Checkov
        • Terrascan
      • CI/CD Integration - Automating infrastructure deployment
        • GitHub Actions - GitHub-based automation workflows
        • Azure Pipelines - Azure DevOps integration
        • GitLab CI - GitLab-based deployment pipelines
    • Bicep
      • Getting Started - First steps with Bicep [BEGINNER]
      • Template Specs
      • Best Practices - Guidelines for effective Bicep implementations
      • Modules - Building reusable components [INTERMEDIATE]
      • Examples - Sample implementations for common scenarios
      • Advanced Features
      • CI/CD Integration - Automating Bicep deployments
        • GitHub Actions
        • Azure Pipelines
  • 💰Cost Management & FinOps
    • Cloud Cost Optimization
  • 🐳Containers & Orchestration
    • Containerization Overview
    • Docker
      • Dockerfile Best Practices
      • Docker Compose
    • Kubernetes
      • CLI Tools - Essential command-line utilities
        • Kubectl
        • Kubens
        • Kubectx
      • Core Concepts
      • Components
      • Best Practices
        • Pod Security
        • Security Monitoring
        • Resource Limits
      • Advanced Features - Beyond the basics [ADVANCED]
        • Service Mesh
        • Ingress Controllers
          • NGINX
          • Traefik
          • Kong
          • Gloo Edge
      • Troubleshooting - Diagnosing and resolving common issues
        • Pod Troubleshooting Commands
      • Enterprise Architecture
      • Health Management
      • Security & Compliance
      • Virtual Clusters
    • OpenShift
  • Service Mesh & Networking
    • Service Mesh Implementation
  • Architecture Patterns
    • Data Mesh
    • Multi-Cloud Networking
    • Disaster Recovery
    • Chaos Engineering
  • Edge Computing
    • Implementation Guide
    • Serverless Edge
    • IoT Edge Patterns
    • Real-Time Processing
    • Edge AI/ML
    • Security Hardening
    • Observability Patterns
    • Network Optimization
    • Storage Patterns
  • 🔄CI/CD & GitOps
    • CI/CD Overview
    • Continuous Integration
    • Continuous Delivery
      • Deployment Strategies
      • Secrets Management
      • Blue-Green Deployments
      • Deployment Metrics
      • Progressive Delivery
      • Release Management for DevOps/SRE (2025)
    • CI/CD Platforms - Tool selection and implementation
      • Azure DevOps
        • Pipelines
          • Stages
          • Jobs
          • Steps
          • Templates - Reusable pipeline components
          • Extends
          • Service Connections - External service authentication
          • Best Practices for 2025
          • Agents and Runners
          • Third-Party Integrations
          • Azure DevOps CLI
        • Boards & Work Items
      • GitHub Actions
      • GitLab
        • GitLab Runner
        • Real-life scenarios
        • Installation guides
        • Pros and Cons
        • Comparison with alternatives
    • GitOps
      • Modern GitOps Practices
      • GitOps Patterns for Multi-Cloud (2025)
      • Flux
        • Overview
        • Progressive Delivery
        • Use GitOps with Flux, GitHub and AKS
  • Source Control
    • Source Control Overview
    • Git Branching Strategies
    • Component Versioning
    • Kubernetes Manifest Versioning
    • GitLab
    • Creating a Fork
    • Naming Branches
    • Pull Requests
    • Integrating LLMs into Source Control Workflows
  • ☁️Cloud Platforms
    • Cloud Strategy
    • Azure
      • Best Practices
      • Landing Zones
      • Services
      • Monitoring
      • Administration Tools - Platform management interfaces
        • Azure PowerShell
        • Azure CLI
      • Tips & Tricks
    • AWS
      • Authentication
      • Best Practices
      • Tips & Tricks
    • Google Cloud
      • Services
    • Private Cloud
  • 🔐Security & Compliance
    • DevSecOps Overview
    • DevSecOps Pipeline Security
    • DevSecOps
      • Real-life Examples
      • Scanning & Protection - Automated security tooling
        • Dependency Scanning
        • Credential Scanning
        • Container Security Scanning
        • Static Code Analysis
          • Best Practices
          • Tool Integration Guide
          • Pipeline Configuration
      • CI/CD Security
      • Secrets Rotation
    • Supply Chain Security
      • SLSA Framework
      • Binary Authorization
      • Artifact Signing
    • Security Best Practices
      • Threat Modeling
      • Kubernetes Security
    • SecOps
    • Zero Trust Model
    • Cloud Compliance
      • ISO/IEC 27001:2022
      • ISO 22301:2019
      • PCI DSS
      • CSA STAR
    • Security Frameworks
    • SIEM and SOAR
  • Security Architecture
    • Zero Trust Implementation
      • Identity Management
      • Network Security
      • Access Control
  • 🔍Observability & Monitoring
    • Observability Fundamentals
    • Logging
    • Metrics
    • Tracing
    • Dashboards
    • SLOs and SLAs
    • Observability as Code
    • Pipeline Observability
  • 🧪Testing Strategies
    • Testing Overview
    • Modern Testing Approaches
    • End-to-End Testing
    • Unit Testing
    • Performance Testing
      • Load Testing
    • Fault Injection Testing
    • Integration Testing
    • Smoke Testing
  • 🤖AI Integration
    • AIops Overview
      • Workflow Automation
      • Predictive Analytics
      • Code Quality
  • 🧠AI & LLM Integration
    • Overview
    • Claude
      • Installation Guide
      • Project Guides
      • MCP Server Setup
      • LLM Comparison
    • Ollama
      • Installation Guide
      • Configuration
      • Models and Fine-tuning
      • DevOps Usage
      • Docker Setup
      • GPU Setup
      • Open WebUI
    • Copilot
      • Installation Guide
      • VS Code Integration
      • CLI Usage
    • Gemini
      • Installation Guides - Platform-specific setup
        • Linux Installation
        • WSL Installation
        • NixOS Installation
      • Gemini 2.5 Features
      • Roles and Agents
      • NotebookML Guide
      • Cloud Infrastructure Deployment
      • Summary
  • 💻Development Environment
    • Tools Overview
    • DevOps Tools
    • Operating Systems - Development platforms
      • NixOS
        • Installation
        • Nix Language Guide
        • DevEnv with Nix
        • Cloud Deployments
      • WSL2
        • Distributions
        • Terminal Setup
    • Editor Environments
    • CLI Tools
      • Azure CLI
      • PowerShell
      • Linux Commands
      • YAML Tools
  • 📚Programming Languages
    • Python
    • Go
    • JavaScript/TypeScript
    • Java
    • Rust
  • 📖Documentation Best Practices
    • Documentation Strategy
    • Project Documentation
    • Release Notes
    • Static Sites
    • Documentation Templates
    • Real-World Examples
  • 📋Reference Materials
    • Glossary
    • Tool Comparison
    • Recommended Reading
    • Troubleshooting Guide
  • Platform Engineering
    • Implementation Guide
  • FinOps
    • Implementation Guide
  • AIOps
    • LLMOps Guide
  • Development Setup
    • Development Setup
Powered by GitBook
On this page
  • Overview
  • Prerequisites
  • Authentication Methods
  • 1. AWS CLI Configuration with Access Keys
  • 2. Environment Variables
  • 3. AWS IAM Roles (Recommended for EC2 & Production)
  • 4. AWS Single Sign-On (AWS SSO)
  • 5. Web Identity Federation with Amazon Cognito
  • 6. Using MFA with AWS CLI
  • Assuming Roles
  • Best Practices for AWS Authentication
  • Troubleshooting Authentication Issues
  • References
Edit on GitHub
  1. Cloud Platforms
  2. AWS

Authentication

Guide to programmatically authenticating with AWS using the AWS CLI and SDK

PreviousAWSNextBest Practices

Last updated 4 days ago

Overview

Programmatic access to AWS requires secure authentication. This guide covers various methods to authenticate with AWS services using command-line tools (AWS CLI) and SDKs, following security best practices as of 2025.

Prerequisites

  • installed (current version as of May 2025: 2.17.x)

  • Basic understanding of AWS IAM concepts

  • Terminal or command-line interface

Authentication Methods

1. AWS CLI Configuration with Access Keys

This is the most basic method, but should be used carefully and mainly for development environments.

Setup Process

  1. Create Access Keys in AWS Console:

    • Log in to the AWS Management Console

    • Navigate to IAM → Users → Security credentials

    • Create access key (ideally for a specific purpose)

  2. Configure AWS CLI:

aws configure

You'll be prompted to enter:

  • AWS Access Key ID

  • AWS Secret Access Key

  • Default region name (e.g., us-west-2)

  • Default output format (json, yaml, text, table)

This creates configuration files in ~/.aws/credentials and ~/.aws/config.

For Specific Profiles

For managing multiple AWS accounts or roles:

aws configure --profile project1

Then use the profile with any command:

aws s3 ls --profile project1

2. Environment Variables

More secure for CI/CD pipelines or temporary sessions:

export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key
export AWS_DEFAULT_REGION=us-west-2

Then run AWS CLI commands normally without specifying credentials.

3. AWS IAM Roles (Recommended for EC2 & Production)

For EC2 instances, Lambda functions, or other AWS services:

  1. Create an IAM role with appropriate permissions

  2. Attach the role to your EC2 instance or service

  3. The AWS CLI will automatically use the instance profile credentials

No manual configuration is needed with this approach, making it the most secure option for resources running within AWS.

4. AWS Single Sign-On (AWS SSO)

For enterprise environments with centralized identity management:

  1. Configure AWS SSO in your organization

  2. Configure the AWS CLI for SSO:

aws configure sso

  1. Authenticate via the browser:

aws sso login --profile sso-profile

5. Web Identity Federation with Amazon Cognito

For mobile or web applications:

aws configure set region us-west-2
aws configure set web_identity_token_file /path/to/token/file
aws configure set role_arn arn:aws:iam::123456789012:role/role-name

6. Using MFA with AWS CLI

For enhanced security with Multi-Factor Authentication:

  1. Create a temporary session:

aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/user --token-code 123456

  1. Use the temporary credentials:

export AWS_ACCESS_KEY_ID=returned_access_key
export AWS_SECRET_ACCESS_KEY=returned_secret_key
export AWS_SESSION_TOKEN=returned_session_token

Assuming Roles

Assuming roles is powerful for cross-account access or privilege escalation:

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/example-role --role-session-name example-session

Store the returned credentials as environment variables or in AWS CLI profile.

Best Practices for AWS Authentication

  1. Use IAM Roles whenever possible instead of access keys

  2. Implement the principle of least privilege for all credentials

  3. Rotate access keys regularly (ideally every 90 days)

  4. Never hardcode credentials in application code

  5. Use MFA for all IAM users with console access

  6. Audit authentication methods with AWS CloudTrail

  7. Use temporary credentials instead of long-term access keys

  8. Implement identity federation for enterprise environments

Troubleshooting Authentication Issues

  • Check credential precedence: AWS CLI follows a specific order to find credentials

  • Verify IAM permissions: Ensure the user/role has appropriate permissions

  • Check region configuration: Some services are region-specific

  • Validate MFA token if using MFA-protected API access

  • Examine AWS CLI version: Some authentication methods require newer versions

References

☁️
AWS CLI
Official AWS CLI Authentication Documentation
AWS IAM Best Practices
AWS CLI Configuration and credential file settings