

# Authentication and access
**Document history**
+ **Providing AWS credentials**: Updated with information about creating credential profiles in the shared AWS credentials file.
+ **SSO and MFA support for AWS credentials**: Updated to document new support for AWS Single Sign-On (IAM Identity Center) and multi-factor authentication in AWS credentials.
+ **Authentication and access**: Providing AWS credentials is now Authentication and access. Refactored the TOC and subtopics to meet AWS style and security requirements.

You don't need to authenticate with AWS to start working with the AWS Toolkit for Visual Studio with Amazon Q. However, most AWS resources are managed through an AWS account. To access all of the AWS Toolkit for Visual Studio with Amazon Q services and features, you'll need at least two types of account authentication:

1. Either **AWS Identity and Access Management (IAM)** or **AWS IAM Identity Center** authentication for your AWS accounts. Most AWS services and resources are managed through IAM and IAM Identity Center.

1. An **AWS Builder ID**, which may be required for certain other AWS services.

The following topics contain additional details and set up instructions for each credential type and authentication method.

**Topics**
+ [AWS IAM Identity Center credentials in AWS Toolkit for Visual Studio](sso-credentials.md)
+ [AWS IAM credentials](keys-profiles-credentials.md)
+ [AWS Builder ID](builder-id.md)
+ [Multi-factor authentication (MFA) in Toolkit for Visual Studio](mfa-credentials.md)
+ [Setting up external credentials](external-credentials.md)
+ [Updating firewalls and gateways to allow access](endpoints.md)

# AWS IAM Identity Center credentials in AWS Toolkit for Visual Studio

AWS IAM Identity Center is the recommended best practice for managing your AWS account authentication.

For detailed instructions on how to set up IAM Identity Center for Software Development Kits (SDKs) and the AWS Toolkit for Visual Studio, see the [IAM Identity Center authentication](https://docs.aws.amazon.com/sdkref/latest/guide/access-sso.html) section of the *AWS SDKs and Tools Reference Guide*.

## Authenticating with IAM Identity Center from the AWS Toolkit for Visual Studio


To authenticate with IAM Identity Center from the AWS Toolkit for Visual Studio by adding an IAM Identity Center profile to your `credentials` or `config` file, complete the following steps.

1. From your preferred text editor, open the AWS credentials information stored in the `<home-directory>\.aws\credentials` file.

1. From the `credentials file` under the section `[default]`, add a template for a named IAM Identity Center profile. The following is an example template:
**Important**  
Do not use the word *profile* when creating an entry in the `credential` file because it creates a conflict with the `credential` file naming conventions.  
Include the prefix word `profile_` only when configuring a named profile in the `config` file.

   ```
   [sso-user-1]
   sso_start_url = https://example.com/start
   sso_region = us-east-2
   sso_account_id = 123456789011
   sso_role_name = readOnly
   region = us-west-2
   ```
+ **`sso_start_url`**: The URL that points to your organization's IAM Identity Center user portal.
+ **`sso_region`**: The AWS Region that contains your IAM Identity Center portal host. This can be different from the AWS Region specified later in the default `region` parameter.
+ **`sso_account_id`**: The AWS account ID that contains the IAM role with the permission that you want to grant to this IAM Identity Center user.
+ **`sso_role_name`**: The name of the IAM role that defines the user's permissions when using this profile to get credentials through IAM Identity Center.
+ **`region`**: The default AWS Region that this IAM Identity Center user signs into.

**Note**  
You can also add an IAM Identity Center enabled profile to your AWS CLI by running the `aws configure sso` command. After running this command, you provide values for the IAM Identity Center start URL (`sso_start_url`) and the AWS Region (`region`) that hosts the IAM Identity Center directory.  
For more information, see [Configuring the AWS CLI to use AWS Single Sign-On](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) in the *AWS Command Line Interface User Guide*.

### Signing in with IAM Identity Center


When signing in with an IAM Identity Center profile, the default browser is launched to the `sso_start_url` specified in your `credential file`. You must verify your IAM Identity Center login before you can access your AWS resources in AWS Toolkit for Visual Studio. If your credentials expire, you'll have to repeat the connection process to obtain new temporary credentials.

# AWS IAM credentials

AWS IAM credentials authenticate with your AWS account through locally stored access keys.

The following sections describe how to set up IAM credentials to authenticate with your AWS account from the AWS Toolkit for Visual Studio.

**Important**  
Before setting up IAM credentials to authenticate with your AWS account, note that:  
If you've already set IAM credentials through another AWS service (such as the AWS CLI), then the AWS Toolkit for Visual Studio automatically detects those credentials.
AWS recommends using AWS IAM Identity Center authentication. For additional information about AWS IAM best practices, see the [Security best practice in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) section of the *AWS Identity and Access Management User Guide*.
To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as AWS IAM Identity Center. For more information see the [What is IAM Identity Center?](https://docs.aws.amazon.com//singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.

## Creating an IAM user


Before you can set up the AWS Toolkit for Visual Studio to authenticate with your AWS account, you need to complete **Step 1: Create your IAM user** and **Step 2: Get your access keys** in the [Authenticate using long-term credentials](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) topic in the *AWS SDKs and Tools Reference Guide*.

**Note**  
 **Step 3: Update the shared credentials** is optional.  
If you complete Step 3, the AWS Toolkit for Visual Studio automatically detects your credentials from the `credentials file`.  
If you haven't completed Step 3, the AWS Toolkit for Visual Studio walks you through the process of creating a `credentials file` as described in the [Creating a credentials file from the AWS Toolkit for Visual Studio](https://docs.aws.amazon.com/) section, located below. 

## Creating a credentials file


To add a user to or create a `credentials file` from the AWS Toolkit for Visual Studio:

**Note**  
When a new user profile is added from the toolkit:  
If a `credentials file` already exists, the new user information is added to the existing file.  
If a `credentials file` doesn't exist, a new file is created.

1. From the AWS Explorer, choose the **New Account Profile** icon to open the **New Account Profile** dialog.  
![AWS Explorer interface showing services and profile selection dropdown.](http://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/images/credentials_ui.png)

1. Complete the required fields in the **New Account Profile** dialog and choose the **OK** button to create the IAM user.

## Editing IAM user credentials from the toolkit


To edit IAM user credentials from the toolkit, complete the following steps:

1. From the **Credentials** drop-down in the AWS Explorer, choose the IAM user credential you want to edit.

1. Choose the **Edit Profile** icon to open the **Edit Profile** dialog.

1. From the **Edit Profile** dialog complete your updates and choose the **OK** button to save your changes.

To delete IAM user credentials from the toolkit, complete the following steps:

1. From the **Credentials** drop down in the AWS Explorer, choose the IAM user credential you want to delete.

1. Choose the **Delete Profile** icon to open the **Delete Profile** prompt.

1. Confirm that you want to delete the profile to remove it from your `Credentials file`.

**Important**  
Profiles that support advanced access features, such as IAM Identity Center or multi-factor authentication (MFA), can't be edited in the **Edit Profile** dialog of the AWS Toolkit for Visual Studio. To make changes to these types of profiles, you must edit the `credentials file` using a text editor.

## Editing IAM user credentials from a text editor


In addition to managing IAM users with the AWS Toolkit for Visual Studio, you can edit `credential files` from your preferred text editor. The default location of the `credential file` in Windows is `C:\Users\USERNAME\.aws\credentials`.

For more details on the location and structure of `credential files`, see the [Shared config and credentials files](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.htm) section of the *AWS SDKs and Tools Reference guide*.

## Creating IAM users from the AWS Command Line Interface (AWS CLI)


The AWS CLI is another tool you can use to add an IAM user's credentials to the `credentials file`, using the command `aws configure`.

For detailed information about creating IAM users from the AWS CLI see the [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) topics in the *AWS CLI User Guide*.

The Toolkit for Visual Studio supports the following configuration properties:

```
aws_access_key_id
aws_secret_access_key
aws_session_token
credential_process
credential_source
external_id
mfa_serial
role_arn
role_session_name
source_profile
sso_account_id
sso_region
sso_role_name
sso_start_url
```

# AWS Builder ID

AWS Builder ID is an additional AWS authentication method that may be required to use certain services or features, such as cloning a third-party repository with Amazon CodeCatalyst.

For detailed information about the AWS Builder ID authentication method, see the [Sign in with AWS Builder ID](https://docs.aws.amazon.com/signin/latest/userguide/sign-in-aws_builder_id.html) topic in the *AWS Sign-in* User Guide.

For additional information about cloning a repository for CodeCatalyst from AWS Toolkit for Visual Studio, see the [Working with Amazon CodeCatalyst](https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/codecatalyst-overview.html) topic in this User Guide.

# Multi-factor authentication (MFA) in Toolkit for Visual Studio

Multi-factor authentication (MFA) is additional security for your AWS accounts. MFA requires users to provide sign-in credentials and unique authentication from an AWS supported MFA mechanism when accessing AWS websites or services.

AWS supports a range of both virtual and hardware devices for MFA authentication. The following is an example of a virtual MFA device enabled through a smartphone application. For more information on MFA device options, see [Using multi-factor authentication (MFA) in AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) in the *IAM User Guide*.

## Step 1: Creating an IAM role to delegate access to IAM users


The following procedure describes how to set up role delegation for assigning permissions to an IAM user. For detailed information on role delegation, see the [Creating a role to delegate permissions to an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) topic in the *AWS Identity and Access Management User Guide*.

1. Go to the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam).

1. Choose **Roles** in the navigation bar, and then choose **Create Role**.

1. In the **Create role** page, choose **Another AWS account**.

1. Enter your required **Account ID** and mark the **Require MFA** check box. 
**Note**  
To find your 12-digit account number (ID), go to the navigation bar in the console, and then choose **Support**, **Support Center**.

1. Choose **Next: Permissions**.

1. Attach existing policies to your role or create a new policy for it. The policies that you choose on this page determine which AWS services the IAM user can access with the Toolkit.

1. After attaching policies, choose **Next: Tags** for the option of adding IAM tags to your role. Then choose **Next: Review** to continue.

1. In the **Review** page, enter a required **Role name** (*toolkit-role*, for example). You can also add an optional **Role description**. 

1. Choose **Create role**.

1. When the confirmation message displays ("The role **toolkit-role** has been created", for example), choose the name of the role in the message.

1. In the **Summary** page, choose the copy icon to copy the **Role ARN** and paste it into a file. (You need this ARN when configuring the IAM user to assume the role.)

## Step 2: Creating an IAM user that assumes the role's permissions


This step creates an IAM user without permissions so that an in-line policy can be added.

1. Go to the IAM console at [https://console.aws.amazon.com/iam](https://console.aws.amazon.com/iam).

1. Choose **Users** in the navigation bar and then choose **Add user**.

1. In the **Add user** page, enter a required **User name** (*toolkit-user*, for example) and mark the **Programmatic access** check box.

1. Choose **Next: Permissions**, **Next: Tags**, and **Next: Review** to move through the next pages. You're not adding permissions at this stage because the user is going to assume the role's permissions.

1. In the **Review** page, you're informed that **This user has no permissions**. Choose **Create user**.

1. In the **Success** page, choose **Download .csv** to download the file containing the access key ID and secret access key. (You need both when defining the user's profile in the credentials file.)

1. Choose **Close**.

## Step 3: Adding a policy to allow the IAM user to assume the role


The following procedure creates an in-line policy that allows the user to assume the role (and that role's permissions).

1. In the **Users** page of the IAM console, choose the IAM user you've just created (*toolkit-user*, for example).

1. In the **Permissions** tab of the **Summary** page, choose **Add inline policy**. 

1. In the **Create policy** page, choose **Choose a service**, enter **STS** in **Find a service**, and then choose **STS** from the results. 

1. For **Actions**, start entering the term *AssumeRole*. Mark the **AssumeRole** check box when it appears. 

1. In the **Resource** section, ensure **Specific** is selected, and choose **Add ARN** to restrict access.

1. In the **Add ARN(s)** dialog box, for **Specify ARN for role**, add the ARN of the role that you created in Step 1.

   After you add the role's ARN, the trusted account and role name associated with that role are displayed in **Account** and **Role name with path**.

1. Choose **Add**.

1. Back in the **Create policy** page, choose **Specify request conditions (optional)**, mark the **MFA required** check box, and then choose **close** to confirm.

1. Choose **Review policy**.

1. In the **Review policy** page, enter a **Name** for the policy, and then choose **Create policy**.

   The **Permissions** tab displays the new inline policy attached directly to the IAM user.

## Step 4: Managing a virtual MFA device for the IAM user


1. Download and install a virtual MFA application to your smartphone.

    For a list of supported applications, see the [Multi-factor Authentication](https://aws.amazon.com/iam/features/mfa/?audit=2019q1) resource page.

1. In the IAM console, choose **Users** from the navigation bar and then choose the user that's assuming a role (*toolkit-user*, in this case). 

1. In the **Summary** page, choose the **Security credentials** tab, and for **Assigned MFA device** choose **Manage**.

1. In the **Manage MFA device** pane, choose **Virtual MFA device**, and then choose **Continue**.

1. In the **Set up virtual MFA device** pane, choose **Show QR code** and then scan the code using the virtual MFA application that you installed on your smartphone.

1. After you scan the QR code, the virtual MFA application generates one-time MFA codes. Enter two consecutive MFA codes in **MFA code 1** and **MFA code 2**.

1. Choose **Assign MFA**.

1. Back in the **Security credentials** tab for the user, copy the ARN of the new **Assigned MFA device**.

   The ARN includes your 12-digit account ID and the format is similar to the following: `arn:aws:iam::123456789012:mfa/toolkit-user`. You need this ARN when defining the MFA profile in the next step.

## Step 5: Creating profiles to allow MFA


The following procedure creates the profiles allowing MFA when accessing AWS services from the Toolkit for Visual Studio.

The profiles that you create include three pieces of information that you've copied and stored during the previous steps:
+ Access keys (access key ID and secret access key) for the IAM user
+ ARN of the role that's delegating permissions to the IAM user 
+ ARN of the virtual MFA device that's assigned to the IAM user 

In the AWS shared credential file or SDK Store that contains your AWS credentials, add the following entries:

```
[toolkit-user]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[mfa]
source_profile = toolkit-user
role_arn = arn:aws:iam::111111111111:role/toolkit-role
mfa_serial = arn:aws:iam::111111111111:mfa/toolkit-user
```

There are two profiles defined in the example provided:
+ The `[toolkit-user]` profile includes the access key and secret access key that were generated and saved when you created the IAM user in Step 2.
+ The `[mfa]` profile defines how multi-factor authentication is supported. There are three entries:

  ◦ `source_profile`: Specifies the profile whose credentials are used to assume the role specified by the `role_arn` setting in this profile. In this case, it's the `toolkit-user` profile.

  ◦ `role_arn`: Specifies the Amazon Resource Name (ARN) of the IAM role that you want to use to perform operations requested using this profile. In this case, it's the ARN for the role you created in Step 1.

  ◦ `mfa_serial`: Specifies the identification or serial number of the MFA device that the user must use when assuming a role. In this case, it's the ARN of the virtual device you set up in Step 3.
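The IAM Identity Center template earlier on this page and the `[toolkit-user]`/`[mfa]` pair above can be checked before the toolkit loads them. The following is an added example, not code from the AWS Toolkit or its documentation; the ARN regexes and the sample file it validates are constructed assumptions.

```python
"""Validate IAM Identity Center and MFA profiles in shared AWS credentials/config files.
Added example (not AWS Toolkit code). Rules from this page: no "profile " prefix in the
credentials file, all four sso_* keys for an SSO profile, and source_profile + role_arn +
mfa_serial for an MFA profile. The ARN regexes below are assumptions, not from the page.
"""
import configparser
import re

SSO_KEYS = {"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"}
MFA_KEYS = {"source_profile", "role_arn", "mfa_serial"}
KEY_PAIR = {"aws_access_key_id", "aws_secret_access_key"}
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")  # assumed shape
MFA_ARN = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@/-]+$")    # assumed shape


def parse_profiles(text: str) -> dict:
    """Parse INI-style profile text into {section_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def validate(text: str, file_kind: str) -> list:
    """Return findings for a "credentials" or "config" file; [] means it passes."""
    profiles = parse_profiles(text)
    findings = []
    for name, kv in profiles.items():
        keys = set(kv)
        if file_kind == "credentials" and name.startswith("profile "):
            findings.append(f"[{name}]: 'profile' prefix is not allowed in the credentials file")
        if file_kind == "config" and name != "default" and not name.startswith("profile "):
            findings.append(f"[{name}]: named profiles in the config file need the 'profile ' prefix")
        # IAM Identity Center profile: any sso_* key means all four are required.
        if keys & SSO_KEYS and not SSO_KEYS <= keys:
            findings.append(f"[{name}]: SSO profile missing {sorted(SSO_KEYS - keys)}")
        # MFA (assume-role) profile: the three settings belong together.
        if keys & MFA_KEYS:
            if not MFA_KEYS <= keys:
                findings.append(f"[{name}]: MFA profile missing {sorted(MFA_KEYS - keys)}")
                continue
            if not ROLE_ARN.match(kv["role_arn"]):
                findings.append(f"[{name}]: role_arn is not an IAM role ARN")
            if not MFA_ARN.match(kv["mfa_serial"]):
                findings.append(f"[{name}]: mfa_serial is not an IAM MFA device ARN")
            src = kv["source_profile"]
            source = profiles.get(src) or profiles.get(f"profile {src}")
            if source is None:
                findings.append(f"[{name}]: source_profile '{src}' does not exist")
            elif not KEY_PAIR <= set(source):
                findings.append(f"[{name}]: source_profile '{src}' holds no access key pair")
    return findings


# Constructed sample: the SSO and MFA entries shown on this page plus one broken profile.
CREDENTIALS_FILE = """\
[sso-user-1]
sso_start_url = https://example.com/start
sso_region = us-east-2
sso_account_id = 123456789011
sso_role_name = readOnly
[toolkit-user]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[mfa]
source_profile = toolkit-user
role_arn = arn:aws:iam::111111111111:role/toolkit-role
mfa_serial = arn:aws:iam::111111111111:mfa/toolkit-user
[profile broken]
source_profile = nobody
role_arn = arn:aws:iam::111111111111:role/toolkit-role
"""

if __name__ == "__main__":
    for finding in validate(CREDENTIALS_FILE, "credentials"):
        print(finding)
```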

# Setting up external credentials

If you have a method to generate or look up credentials that isn't directly supported by AWS, you can add to the shared credentials file a profile that contains the `credential_process` setting. This setting specifies an external command that's run to generate or retrieve authentication credentials to use. For example, you might include an entry similar to the following in the `config` file:

```
[profile developer]
credential_process = /opt/bin/awscreds-custom --username helen
```

For more information on using external credentials and the associated security risks, see [Sourcing credentials with an external process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) in the *AWS Command Line Interface User Guide*.

# Updating firewalls and gateways to allow access

Lists of endpoints and resources that must be allow listed to access all services and features in the AWS Toolkit for Visual Studio with Amazon Q extensions.

If you filter access to specific AWS domains or URL endpoints by using a web-content filtering solution, the following endpoints must be allow listed in order to access all of the services and features available through the AWS Toolkit for Visual Studio and Amazon Q. For detailed steps on how to troubleshoot firewall and proxy settings for the AWS Toolkit with Amazon Q, see the [Firewall and proxy settings](https://docs.aws.amazon.com//toolkit-for-visual-studio/latest/user-guide/general-troubleshoot.html#general-troubleshoot-firewall) section in the *Troubleshooting* topic in this User Guide. For detailed information about configuring a corporate proxy for Amazon Q, see the [Configuring a corporate proxy in Amazon Q](https://docs.aws.amazon.com//amazonq/latest/qdeveloper-ug/firewall.html#corp-proxy) topic in the *Amazon Q Developer User Guide*.

## AWS Toolkit for Visual Studio Endpoints


The following are lists of AWS Toolkit for Visual Studio specific endpoints and references that need to be allow listed.

### Endpoints


```
https://idetoolkits-hostedfiles.amazonaws.com/*
https://idetoolkits.amazonwebservices.com/*
http://vstoolkit.amazonwebservices.com/*
https://aws-vs-toolkit.s3.amazonaws.com/*
https://raw.githubusercontent.com/aws/aws-toolkit-visual-studio/main/version.json
https://aws-toolkit-language-servers.amazonaws.com/*
```

## Amazon Q plugin endpoints


The following is a list of Amazon Q plugin specific endpoints and references that need to be allow listed.

```
https://idetoolkits-hostedfiles.amazonaws.com/*    (Plugin for configs)
https://idetoolkits.amazonwebservices.com/*   (Plugin for endpoints)
https://aws-toolkit-language-servers.amazonaws.com/*  (Language Server Process)
https://client-telemetry.us-east-1.amazonaws.com/ (Telemetry)                
https://cognito-identity.us-east-1.amazonaws.com    (Telemetry)
https://aws-language-servers.us-east-1.amazonaws.com (Language Server Process)
```

## Amazon Q Developer endpoints


The following is a list of Amazon Q Developer specific endpoints and references that need to be allow listed.

```
https://codewhisperer.us-east-1.amazonaws.com (Inline,Chat, QSDA,...)
https://q.us-east-1.amazonaws.com (Inline,Chat, QSDA....)
https://desktop-release.codewhisperer.us-east-1.amazonaws.com/ (Download URL for CLI.)
https://specs.q.us-east-1.amazonaws.com (URL for auto-complete specs used by CLI)
* aws-language-servers.us-east-1.amazonaws.com (Local Workspace context)
```

## Amazon Q Code Transform Endpoints


The following is a list of Amazon Q Code Transform specific endpoints and references that need to be allow listed.

```
https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-policies.html
```

## Authentication endpoints


The following is a list of authentication endpoints and references that need to be allow listed.

```
[Directory ID or alias].awsapps.com 
* oidc.[Region].amazonaws.com
*.sso.[Region].amazonaws.com
*.sso-portal.[Region].amazonaws.com
*.aws.dev
*.awsstatic.com
*.console.aws.a2z.com
*.sso.amazonaws.com
```
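The endpoint lists on this page mix exact hosts, `*.` wildcards, URL prefixes ending in `/*`, and bracketed placeholders such as `[Region]`. The following added example (not from the toolkit or its documentation) compiles a subset of those patterns into anchored regexes and audits a constructed proxy log against them; the Region format and the log line format are assumptions.

```python
"""Check proxy-log hostnames against the allow-list patterns in this section.

Added example, not part of the AWS Toolkit documentation. It turns a subset of the
page's patterns (leading "*." wildcard, bracketed placeholders such as [Region], URL
prefixes ending in "/*") into anchored regexes. The Region shape and the log lines
are constructed assumptions, not from the page.
"""
import re
from urllib.parse import urlsplit

ALLOW_PATTERNS = [
    "https://idetoolkits-hostedfiles.amazonaws.com/*",
    "https://aws-toolkit-language-servers.amazonaws.com/*",
    "https://codewhisperer.us-east-1.amazonaws.com",
    "[Directory ID or alias].awsapps.com",
    "*.sso.[Region].amazonaws.com",
    "*.sso-portal.[Region].amazonaws.com",
    "oidc.[Region].amazonaws.com",
]
REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"                  # e.g. us-east-1, ap-southeast-2
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"           # one DNS label


def host_of(pattern: str) -> str:
    """Keep only the host part: scheme and the trailing '/*' path are dropped."""
    if "://" in pattern:
        return urlsplit(pattern).hostname or ""
    return pattern.strip().lower()


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile one allow-list pattern into an anchored, case-insensitive regex."""
    parts = []
    for token in re.split(r"(\*\.|\[[^\]]*\])", host_of(pattern)):
        if token == "*.":
            parts.append(rf"(?:{LABEL}\.)+")          # one or more subdomain labels
        elif token.startswith("["):
            parts.append(REGION if token == "[region]" else LABEL)
        else:
            parts.append(re.escape(token))            # literal text, dots included
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


ALLOW = [pattern_to_regex(p) for p in ALLOW_PATTERNS]


def is_allowed(host: str) -> bool:
    """Anchored match: a lookalike such as <allowed-host>.example.net does not pass."""
    return any(rx.match(host) for rx in ALLOW)


def audit(log_lines: list) -> dict:
    """Split hosts from '<timestamp> <host> <status>' lines into allowed and blocked."""
    allowed, blocked = set(), set()
    for line in log_lines:
        host = line.split()[1].lower()
        (allowed if is_allowed(host) else blocked).add(host)
    return {"allowed": sorted(allowed), "blocked": sorted(blocked)}


# Constructed proxy log; hosts chosen to exercise each pattern kind.
PROXY_LOG = [
    "2024-01-01T10:00:00Z idetoolkits-hostedfiles.amazonaws.com 200",
    "2024-01-01T10:00:01Z portal.sso.eu-west-1.amazonaws.com 200",
    "2024-01-01T10:00:02Z oidc.us-east-1.amazonaws.com 200",
    "2024-01-01T10:00:03Z my-company.awsapps.com 200",
    "2024-01-01T10:00:04Z codewhisperer.us-east-1.amazonaws.com 200",
    "2024-01-01T10:00:05Z sso.eu-west-1.amazonaws.com.example.net 403",
    "2024-01-01T10:00:06Z sso.eu-west-1.amazonaws.com 403",
]

if __name__ == "__main__":
    print(audit(PROXY_LOG))
```

The `*.` wildcard requires at least one subdomain label, so the bare `sso.[Region].amazonaws.com` host is reported as blocked unless you add it as its own entry.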

## Identity Endpoints


The following lists contain endpoints that are specific to identity, such as AWS IAM Identity Center and AWS Builder ID.

### AWS IAM Identity Center


For details on required endpoints for IAM Identity Center, see the [Enable IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center.html) topic in the *AWS IAM Identity Center* User Guide.

### Enterprise IAM Identity Center


```
https://[Center director id].awsapps.com/start (should be permitted to initiate auth)
https://us-east-1.signin.aws (for facilitating authentication, assuming IAM Identity Center is in IAD)
https://oidc.(us-east-1).amazonaws.com
https://log.sso-portal.eu-west-1.amazonaws.com
https://portal.sso.eu-west-1.amazonaws.com
```

### AWS Builder ID


```
https://view.awsapps.com/start (must be blocked to disable individual tier) 
https://codewhisperer.us-east-1.amazonaws.com and q.us-east-1.amazonaws.com (should be permitted)
```

## Telemetry


The following is a Telemetry specific endpoint that needs to be allow listed.

```
https://telemetry.aws-language-servers.us-east-1.amazonaws.com/
https://client-telemetry.us-east-1.amazonaws.com
```

## References


The following is a list of endpoint references.

```
idetoolkits-hostedfiles.amazonaws.com
cognito-identity.us-east-1.amazonaws.com
amazonwebservices.gallery.vsassets.io
eu-west-1.prod.pr.analytics.console.aws.a2z.com
prod.pa.cdn.uis.awsstatic.com
portal.sso.eu-west-1.amazonaws.com
log.sso-portal.eu-west-1.amazonaws.com
prod.assets.shortbread.aws.dev
prod.tools.shortbread.aws.dev
prod.log.shortbread.aws.dev
a.b.cdn.console.awsstatic.com
assets.sso-portal.eu-west-1.amazonaws.com
oidc.eu-west-1.amazonaws.com
aws-toolkit-language-servers.amazonaws.com
aws-language-servers.us-east-1.amazonaws.com
idetoolkits.amazonwebservices.com
```