ACCT.13 Use short-lived credentials for access to your AWS resources
Determine how your developers access AWS services and resources through the AWS Command Line Interface (AWS CLI)
Choose the approach that matches your current AWS access pattern
- Sign in with console credentials (Recommended) – If you use root, IAM users, or federation with IAM for AWS account access, use aws login to obtain temporary credentials for AWS CLI or AWS SDK access.
- Sign in with IAM Identity Center credentials – If you use IAM Identity Center for AWS account access, this approach provides centralized identity management and automatic credential rotation.
- Federated access through your corporate identity provider – Use your organization's existing identity provider, such as Okta, Active Directory, or Ping Identity, with MFA enforcement.
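To determine which access pattern a workstation currently uses, you can inspect the AWS CLI shared credentials and config files for profiles that still hold static access keys. The following Python script is an added example, not part of the AWS guidance; the sample file contents are constructed, and the function names and category labels are assumptions made for illustration.

```python
import configparser

# Constructed samples. Key values are AWS documentation examples or placeholders.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-temp]
aws_access_key_id = ASIAEXAMPLEKEYID0000
aws_secret_access_key = placeholder-secret
aws_session_token = placeholder%token
"""
SAMPLE_CONFIG = """\
[profile sandbox]
sso_session = corp

[sso-session corp]
sso_start_url = https://example.awsapps.com/start
"""

def classify(section):
    """Label one profile by how it obtains credentials."""
    key_id = section.get("aws_access_key_id")
    if key_id:
        # A session token or an ASIA key ID marks STS-issued keys that expire.
        temporary = "aws_session_token" in section or key_id.startswith("ASIA")
        return "temporary-keys" if temporary else "long-lived-keys"
    if "sso_session" in section or "sso_start_url" in section:
        return "identity-center"
    if "role_arn" in section or "credential_process" in section:
        return "delegated"  # resolved through another profile or a helper
    return "unknown"

def audit(ini_text):
    """Map profile name -> classification for a credentials or config file."""
    parser = configparser.ConfigParser(interpolation=None)  # values may hold '%'
    parser.read_string(ini_text)
    report = {}
    for name in parser.sections():
        if name.startswith(("sso-session ", "services ")):
            continue  # shared settings blocks, not profiles
        report[name.removeprefix("profile ")] = classify(parser[name])
    return report

def long_lived_profiles(*ini_texts):
    """Profiles that still hold static access keys and should be migrated."""
    return sorted(name for text in ini_texts
                  for name, kind in audit(text).items() if kind == "long-lived-keys")
```

Pass the contents of ~/.aws/credentials and ~/.aws/config to long_lived_profiles to list the profiles that should move to one of the approaches above.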
To obtain temporary AWS CLI credentials using the aws login
- Install or update the AWS CLI. For more information, see Installing or updating to the latest version of the AWS CLI in the AWS CLI documentation.
- Enter aws login and follow the authentication prompts.
- Authenticate using your IAM user credentials and MFA.
After you authenticate, the AWS CLI manages temporary credentials for your session. When
your session expires, enter aws login again to re-authenticate. For
information about session duration settings, see IAM role session duration in
the IAM documentation.
For AWS Partner integrations and third-party solutions, use short-lived credentials where
possible. IAM temporary delegation for AWS Partners allows you to integrate AWS Partner
products by using short-lived credentials instead of long-lived access keys. IAM Outbound Identity Federation