Authenticating using IAM user credentials for the AWS CLI (original) (raw)

Warning

To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such asAWS IAM Identity Center.

This section explains how to configure basic settings with an IAM user. These include your security credentials using the config andcredentials files.To instead see configuration instructions for AWS IAM Identity Center, see Configuring IAM Identity Center authentication with the AWS CLI.

Topics

• Step 1: Create your IAM user
• Step 2: Get your access keys
• Configure the AWS CLI
  • Using aws configure
  • Importing access keys via .CSV file
  • Directly editing the config and credentials files

Step 1: Create your IAM user

Create your IAM user by following the Creating IAM users (console) procedure in the IAM User Guide.

• For Permission options, choose Attach policies directly for how you want to assign permissions to this user.
• Most "Getting Started" SDK tutorials use the Amazon S3 service as an example. To provide your application with full access to Amazon S3, select theAmazonS3FullAccess policy to attach to this user.

Step 2: Get your access keys

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane of the IAM console, select Users and then select the User name of the user that you created previously.
3. On the user's page, select the Security credentials page. Then, under Access keys, select Create access key.
4. For Create access key Step 1, chooseCommand Line Interface (CLI).
5. For Create access key Step 2, enter an optional tag and select Next.
6. For Create access key Step 3, selectDownload .csv file to save a.csv file with your IAM user's access key and secret access key. You need this information for later.
7. Select Done.

Configure the AWS CLI

For general use, the AWS CLI needs the following pieces of information:

• Access key ID
• Secret access key
• AWS Region
• Output format

The AWS CLI stores this information in a profile (a collection of settings) named default in thecredentials file. By default, the information in this profile is used when you run an AWS CLI command that doesn't explicitly specify a profile to use. For more information on the credentials file, see Configuration and credential file settings in the AWS CLI.

To configure the AWS CLI, use one of the following procedures:

Topics

• Using aws configure
• Importing access keys via .CSV file
• Directly editing the config and credentials files

Using aws configure

For general use, the aws configure command is the fastest way to set up your AWS CLI installation. This configure wizard prompts you for each piece of information you need to get started. Unless otherwise specified by using the--profile option, the AWS CLI stores this information in thedefault profile.

The following example configures a default profile using sample values. Replace them with your own values as described in the following sections.

$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

The following example configures a profile named userprod using sample values. Replace them with your own values as described in the following sections.

$ aws configure --profile userprod
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

Importing access keys via .CSV file

Instead of using aws configure to enter in access keys, you can import the plain text .csv file you downloaded after you created your access keys.

The .csv file must contain the following headers.

• User Name - This column must be added to your .csv. This is used to create the profile name used in the theconfig and credentials files when you import.
• Access key ID
• Secret access key

Note

During initial access keys creation, once you close the Download .csv file dialog box, you cannot access your secret access key after you close the dialog box. If you need a .csv file, you'll need to create one yourself with the required headers and your stored access keys information. If you do not have access to your access keys information, you need to create a new access keys.

To import the .csv file, use the aws configure import command with the --csv option as follows:

$ aws configure import --csv file://credentials.csv

For more information, see [aws_configure_import](./cli-configure-files.html#cli-config-aws%5Fconfigure%5Fimport).

Directly editing the config andcredentials files

To directly edit the config andcredentials files, perform the following.

1. Create or open the shared AWS credentials file. This file is ~/.aws/credentials on Linux and macOS systems, and %USERPROFILE%\.aws\credentials on Windows. For more information, see Configuration and credential file settings in the AWS CLI.
2. Add the following text to the shared credentials file. Replace the sample values in the .csv file that you downloaded earlier and save the file.

[default]  
aws_access_key_id = AKIAIOSFODNN7EXAMPLE  
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY