**Help improve this page**
To contribute to this user guide, choose the **Edit this page on GitHub** link that is located in the right pane of every page.
# Set up Amazon CLI
The [Amazon CLI](https://www.amazonaws.cn/cli/) is a command line tool for working with Amazon services, including Amazon EKS. It is also used to authenticate IAM users or roles for access to the Amazon EKS cluster and other Amazon resources from your local machine. To provision resources in Amazon from the command line, you need to obtain an Amazon access key ID and secret key to use in the command line. Then you need to configure these credentials in the Amazon CLI. If you haven’t already installed the Amazon CLI, see [Install or update the latest version of the Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/cli-chap-install.html) in the * Amazon Command Line Interface User Guide*.
## To create an access key
1. Sign into the [Amazon Web Services Management Console](https://console.amazonaws.cn/).
1. For single-user or multiple-user accounts:
+ **Single-user account –**:: In the top right, choose your Amazon user name to open the navigation menu. For example, choose ** `webadmin` **.
+ **Multiple-user account –**:: Choose IAM from the list of services. From the IAM Dashboard, select **Users**, and choose the name of the user.
1. Choose **Security credentials**.
1. Under **Access keys**, choose **Create access key**.
1. Choose **Command Line Interface (CLI)**, then choose **Next**.
1. Choose **Create access key**.
1. Choose **Download .csv file**.
## To configure the Amazon CLI
After installing the Amazon CLI, do the following steps to configure it. For more information, see [Configure the Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/cli-chap-configure.html) in the * Amazon Command Line Interface User Guide*.
1. In a terminal window, enter the following command:
```
aws configure
```
Optionally, you can configure a named profile, such as `--profile cluster-admin`. If you configure a named profile in the Amazon CLI, you must **always** pass this flag in subsequent commands.
1. Enter your Amazon credentials. For example:
```
Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: region-code
Default output format [None]: json
```
## To get a security token
If needed, run the following command to get a new security token for the Amazon CLI. For more information, see [get-session-token](https://docs.amazonaws.cn/cli/latest/reference/sts/get-session-token.html) in the * Amazon CLI Command Reference*.
By default, the token is valid for 15 minutes. To change the default session timeout, pass the `--duration-seconds` flag. For example:
```
aws sts get-session-token --duration-seconds 3600
```
This command returns the temporary security credentials for an Amazon CLI session. You should see the following response output:
```
{
"Credentials": {
"AccessKeyId": "ASIA5FTRU3LOEXAMPLE",
"SecretAccessKey": "JnKgvwfqUD9mNsPoi9IbxAYEXAMPLE",
"SessionToken": "VERYLONGSESSIONTOKENSTRING",
"Expiration": "2023-02-17T03:14:24+00:00"
}
}
```
## To verify the user identity
If needed, run the following command to verify the Amazon credentials for your IAM user identity (such as *ClusterAdmin*) for the terminal session.
```
aws sts get-caller-identity
```
This command returns the Amazon Resource Name (ARN) of the IAM entity that’s configured for the Amazon CLI. You should see the following example response output:
```
{
"UserId": "AKIAIOSFODNN7EXAMPLE",
"Account": "01234567890",
"Arn": "arn:aws-cn:iam::01234567890:user/ClusterAdmin"
}
```
## Next steps
+ [Set up kubectl and eksctl](install-kubectl.md)
+ [Quickstart: Deploy a web app and store data](quickstart.md)