Configure the Amazon CLI to use Amazon IAM Identity Center - Amazon Command Line Interface


There are primarily two ways to authenticate users with Amazon IAM Identity Center (IAM Identity Center) to get credentials to run Amazon Command Line Interface (Amazon CLI) commands through the config file:

When using IAM Identity Center, you can log in to Active Directory, a built-in IAM Identity Center directory, or another identity provider (IdP) connected to IAM Identity Center. You can map these credentials to an Amazon Identity and Access Management (IAM) role that you use to run Amazon CLI commands.

Regardless of which IdP you use, IAM Identity Center abstracts those distinctions away. For example, you can connect Microsoft Azure AD as described in the blog article The Next Evolution in IAM Identity Center.

Note

For information on using bearer auth, which uses no account ID and role, see Setting up to use the Amazon CLI with CodeCatalyst in the Amazon CodeCatalyst User Guide.