Configure tool authentication with Amazon - Amazon Tools for PowerShell
Enable and configure IAM Identity CenterConfigure the Tools for PowerShell to use IAM Identity Center.Start an Amazon access portal sessionExampleAdditional information
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configure tool authentication with Amazon

You must establish how your code authenticates with Amazon when developing with Amazon Web Services services. There are different ways in which you can configure programmatic access to Amazon resources, depending on the environment and the Amazon access available to you.

To see various methods of authentication for the Tools for PowerShell, see Authentication and access in the Amazon SDKs and Tools Reference Guide.

This topic assumes that a new user is developing locally, has not been given a method of authentication by their employer, and will be using Amazon IAM Identity Center to obtain temporary credentials. If your environment doesn't fall under these assumptions, some of the information in this topic might not apply to you, or some of the information might have already been given to you.

Configuring this environment requires several steps, which are summarized as follows:

  1. Enable and configure IAM Identity Center

  2. Configure the Tools for PowerShell to use IAM Identity Center.

  3. Start an Amazon access portal session

Enable and configure IAM Identity Center

To use Amazon IAM Identity Center, it must first be enabled and configured. To see details about how to do this for PowerShell, look at Step 1 in the topic for IAM Identity Center authentication in the Amazon SDKs and Tools Reference Guide. Specifically, follow any necessary instructions under I do not have established access through IAM Identity Center.

Configure the Tools for PowerShell to use IAM Identity Center.

Note

Starting with version 4.1.538 of the Tools for PowerShell, the recommended method to configure SSO credentials and start an Amazon access portal session is to use the Initialize-AWSSSOConfiguration and Invoke-AWSSSOLogin cmdlets, as described in this topic. If you don't have access to that version of the Tools for PowerShell (or later) or can't use those cmdlets, you can still perform these tasks by using the Amazon CLI. To find out how, see Use the Amazon CLI for portal login.

The following procedure updates the shared Amazon config file with SSO information that the Tools for PowerShell uses to obtain temporary credentials. As a consequence of this procedure, an Amazon access portal session is also started. If the shared config file already has SSO information and you just want to know how to start an access portal session using the Tools for PowerShell, see the next section in this topic, Start an Amazon access portal session.

  1. If you haven't already done so, open PowerShell and install the Amazon Tools for PowerShell as appropriate for your operating system and environment, including the common cmdlets. For information about how to do this, see Installing the Amazon Tools for PowerShell.

    For example, if installing the modularized version of the Tools for PowerShell on Windows, you would most likely run commands similar to the following:

    Install-Module -Name AWS.Tools.Installer
Install-AWSToolsModule AWS.Tools.Common

  2. Run the following command. Replace the example property values with values from your IAM Identity Center configuration. For information about these properties and how to find them, see IAM Identity Center credential provider settings in the Amazon SDKs and Tools Reference Guide.

    $params = @{
  ProfileName = 'my-sso-profile'
  AccountId = '111122223333'
  RoleName = 'SamplePermissionSet'
  SessionName = 'my-sso-session'
  StartUrl = 'https://provided-domain.awsapps.com/start'
  SSORegion = 'us-west-2'
  RegistrationScopes = 'sso:account:access'
};
Initialize-AWSSSOConfiguration @params

    Alternatively, you can simply use the cmdlet by itself, Initialize-AWSSSOConfiguration, and the Tools for PowerShell prompts you for the property values.

    Considerations for certain property values:

    • If you simply followed the instructions to enable and configure IAM Identity Center, the value for -RoleName might be PowerUserAccess. But if you created an IAM Identity Center permission set specifically for PowerShell work, use that instead.

    • Be sure to use the Amazon Web Services Region where you have configured IAM Identity Center.

  3. At this point, the shared Amazon config file contains a profile called my-sso-profile with a set of configuration values that can be referenced from the Tools for PowerShell. To find the location of this file, see Location of the shared files in the Amazon SDKs and Tools Reference Guide.

    The Tools for PowerShell uses the profile's SSO token provider to acquire credentials before sending requests to Amazon. The sso_role_name value, which is an IAM role connected to an IAM Identity Center permission set, should allow access to the Amazon Web Services services used in your application.

    The following sample shows the profile that was created by using the command shown above. Some of the property values and their order might be different in your actual profile. The profile's sso-session property refers to the section named my-sso-session, which contains settings to initiate an Amazon access portal session.

    [profile my-sso-profile]
sso_account_id=111122223333
sso_role_name=SamplePermissionSet
sso_session=my-sso-session

[sso-session my-sso-session]
sso_region=us-west-2
sso_registration_scopes=sso:account:access
sso_start_url=https://provided-domain.awsapps.com/start/

  4. If you already have an active Amazon access portal session, the Tools for PowerShell informs you that you are already logged in.

    If that's not the case, the Tools for PowerShell attempts to automatically open the SSO authorization page in your default web browser. Follow the prompts in your browser, which might include an SSO authorization code, username and password, and permission to access Amazon IAM Identity Center accounts and permission sets.

    The Tools for PowerShell informs you that SSO login was successful.

Start an Amazon access portal session

Before running commands that accesses Amazon Web Services services, you need an active Amazon access portal session so that the Tools for PowerShell can use IAM Identity Center authentication to resolve credentials. To sign in to the Amazon access portal, run the following command in PowerShell, where -ProfileName my-sso-profile is the name of the profile that was created in the shared config file when you followed the procedure in the previous section of this topic.

Invoke-AWSSSOLogin -ProfileName my-sso-profile

If you already have an active Amazon access portal session, the Tools for PowerShell informs you that you are already logged in.

If that's not the case, the Tools for PowerShell attempts to automatically open the SSO authorization page in your default web browser. Follow the prompts in your browser, which might include an SSO authorization code, username and password, and permission to access Amazon IAM Identity Center accounts and permission sets.

The Tools for PowerShell informs you that SSO login was successful.

To test if you already have an active session, run the following command after installing or importing the AWS.Tools.SecurityToken module as needed.

Get-STSCallerIdentity -ProfileName my-sso-profile

The response to the Get-STSCallerIdentity cmdlet reports the IAM Identity Center account and permission set configured in the shared config file.

Example

The following is an example of how to use IAM Identity Center with the Tools for PowerShell. It assumes the following:

  • You have enabled IAM Identity Center and configured it as described previously in this topic. The SSO properties are in the my-sso-profile profile, which was configured earlier in this topic.

  • When you log in through the Initialize-AWSSSOConfiguration or Invoke-AWSSSOLogin cmdlets, the user has at least read-only permissions for Amazon S3.

  • Some S3 buckets are available for that user to view.

Install or import the AWS.Tools.S3 module as needed and then use the following PowerShell command to display a list of the S3 buckets.

Get-S3Bucket -ProfileName my-sso-profile

Additional information

  • For more options on authentication for the Tools for PowerShell, such as the use of profiles and environment variables, see the configuration chapter in the Amazon SDKs and Tools Reference Guide.

  • Some commands require an Amazon Region to be specified. There are a number of ways to do so, including the -Region cmdlet option, the [default] profile, and the AWS_REGION environment variable. For more information, see Specify Amazon Regions in this guide and Amazon Region in the Amazon SDKs and Tools Reference Guide.

  • To learn more about best practices, see Security best practices in IAM in the IAM User Guide.

  • To create short-term Amazon credentials, see Temporary Security Credentials in the IAM User Guide.

  • To learn about other credential providers, see Standardized credential providers in the Amazon SDKs and Tools Reference Guide.

Topics