Edit

Authentication

Guide to programmatically authenticating with AWS using the AWS CLI and SDK

Overview

Programmatic access to AWS requires secure authentication. This guide covers various methods to authenticate with AWS services using command-line tools (AWS CLI) and SDKs, following security best practices as of 2025.

Prerequisites

  • AWS CLI installed (current version as of May 2025: 2.17.x)

  • Basic understanding of AWS IAM concepts

  • Terminal or command-line interface

Authentication Methods

1. AWS CLI Configuration with Access Keys

This is the most basic method, but should be used carefully and mainly for development environments.

Setup Process

  1. Create Access Keys in AWS Console:

    • Log in to the AWS Management Console

    • Navigate to IAM → Users → Security credentials

    • Create access key (ideally for a specific purpose)

  2. Configure AWS CLI:

You'll be prompted to enter:

  • AWS Access Key ID

  • AWS Secret Access Key

  • Default region name (e.g., us-west-2)

  • Default output format (json, yaml, text, table)

This creates configuration files in ~/.aws/credentials and ~/.aws/config.

For Specific Profiles

For managing multiple AWS accounts or roles:

Then use the profile with any command:

2. Environment Variables

More secure for CI/CD pipelines or temporary sessions:

Then run AWS CLI commands normally without specifying credentials.

3. AWS IAM Roles (Recommended for EC2 & Production)

For EC2 instances, Lambda functions, or other AWS services:

  1. Create an IAM role with appropriate permissions

  2. Attach the role to your EC2 instance or service

  3. The AWS CLI will automatically use the instance profile credentials

No manual configuration is needed with this approach, making it the most secure option for resources running within AWS.

4. AWS Single Sign-On (AWS SSO)

For enterprise environments with centralized identity management:

  1. Configure AWS SSO in your organization

  2. Configure the AWS CLI for SSO:

  1. Authenticate via the browser:

5. Web Identity Federation with Amazon Cognito

For mobile or web applications:

6. Using MFA with AWS CLI

For enhanced security with Multi-Factor Authentication:

  1. Create a temporary session:

  1. Use the temporary credentials:

Assuming Roles

Assuming roles is powerful for cross-account access or privilege escalation:

Store the returned credentials as environment variables or in AWS CLI profile.

Best Practices for AWS Authentication

  1. Use IAM Roles whenever possible instead of access keys

  2. Implement the principle of least privilege for all credentials

  3. Rotate access keys regularly (ideally every 90 days)

  4. Never hardcode credentials in application code

  5. Use MFA for all IAM users with console access

  6. Audit authentication methods with AWS CloudTrail

  7. Use temporary credentials instead of long-term access keys

  8. Implement identity federation for enterprise environments

Troubleshooting Authentication Issues

  • Check credential precedence: AWS CLI follows a specific order to find credentials

  • Verify IAM permissions: Ensure the user/role has appropriate permissions

  • Check region configuration: Some services are region-specific

  • Validate MFA token if using MFA-protected API access

  • Examine AWS CLI version: Some authentication methods require newer versions

References

PreviousAWSNextBest Practices

Last updated