Authenticating with Amazon using Amazon SDK for C++
You must establish how your code authenticates with Amazon when developing with Amazon Web Services services. You can configure programmatic access to Amazon resources in different ways depending on the environment and the Amazon access available to you. For choices on all primary methods of authentication, and guidance on configuring it for the SDK, see Authentication and access in the Amazon SDKs and Tools Reference Guide.
Using console credentials
For local development, we recommend that new users use their existing Amazon Management Console sign-in credentials for programmatic access to Amazon services. After a browser-based authentication flow, Amazon generates temporary credentials that work across local development tools like the Amazon CLI, Amazon Tools for PowerShell and Amazon SDKs. This feature simplifies the process of configuring and managing Amazon CLI credentials, especially if you prefer interactive authentication over managing long-term access keys.
If you choose this method, follow the instructions to log in with console credentials using the Amazon CLI. See Login for Amazon local development using console credentials for more details.
Once set up with Amazon CLI, the default credential provider chain will automatically start using the login token cached by Amazon CLI to make requests.
Using IAM Identity Center
This method includes installing the Amazon CLI for ease of configuration and for regularly signing in to the Amazon access portal.
If you choose this method, complete the procedure for IAM Identity Center authentication in the Amazon SDKs and Tools Reference Guide. Afterwards, your environment should contain the following elements:
- The Amazon CLI, which you use to start an Amazon access portal session before you run your application.
- A shared Amazon config file having a [default] profile with a set of configuration values that can be referenced from the SDK. To find the location of this file, see Location of the shared files in the Amazon SDKs and Tools Reference Guide.
- The shared config file sets the region setting. This sets the default Amazon Web Services Region that the SDK uses for Amazon requests. This Region is used for SDK service requests that aren't specified with a Region to use.
- The SDK uses the profile's SSO token provider configuration to acquire credentials before sending requests to Amazon. The sso_role_name value, which is an IAM role connected to an IAM Identity Center permission set, should allow access to the Amazon Web Services services used in your application.

The following sample config file shows a default profile set up with SSO token provider configuration. The profile's sso_session setting refers to the named sso-session section. The sso-session section contains settings to initiate an Amazon access portal session.

[default]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole
region = us-east-1
output = json

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://provided-domain.awsapps.com/start
sso_registration_scopes = sso:account:access
The Amazon SDK for C++ does not need additional packages (such as SSO and
SSOOIDC) to be added to your application to use IAM Identity Center authentication.
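The following is an added example, not code from the SDK or from this guide: a stand-alone C++ check that parses shared config text and reports which of the elements listed above are missing, including an sso_session value that points at an undefined sso-session section. The names parseIni, checkSsoProfile and kSampleConfig are hypothetical, and the code does not use the SDK's own profile loader.

```cpp
// Added example, not SDK code; parseIni and checkSsoProfile are hypothetical names.
#include <map>
#include <sstream>
#include <string>
#include <vector>
using Ini = std::map<std::string, std::map<std::string, std::string>>;

// The sample config file from this page (placeholder values as shown there).
const std::string kSampleConfig =
    "[default]\nsso_session = my-sso\nsso_account_id = 111122223333\n"
    "sso_role_name = SampleRole\nregion = us-east-1\noutput = json\n"
    "[sso-session my-sso]\nsso_region = us-east-1\n"
    "sso_start_url = https://provided-domain.awsapps.com/start\n"
    "sso_registration_scopes = sso:account:access\n";

static std::string trim(const std::string& s) {
    const auto b = s.find_first_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, s.find_last_not_of(" \t\r") - b + 1);
}

// Parse INI text into section -> key -> value; '#' and ';' start comment lines.
Ini parseIni(const std::string& text) {
    Ini ini;
    std::istringstream in(text);
    std::string line, section;
    while (std::getline(in, line)) {
        line = trim(line);
        const auto eq = line.find('=');
        if (line.empty() || line[0] == '#' || line[0] == ';') continue;
        if (line.front() == '[' && line.back() == ']')
            ini[section = trim(line.substr(1, line.size() - 2))];  // register the section
        else if (eq != std::string::npos && !section.empty())
            ini[section][trim(line.substr(0, eq))] = trim(line.substr(eq + 1));
    }
    return ini;
}

// List what is missing from the elements this page says the environment needs.
std::vector<std::string> checkSsoProfile(const Ini& ini, const std::string& profile) {
    // Named profiles are "[profile name]" in the config file; the default is "[default]".
    const auto p = ini.find(profile == "default" ? profile : "profile " + profile);
    if (p == ini.end()) return {"profile not found: " + profile};
    std::vector<std::string> problems;
    for (const char* key : {"sso_session", "sso_account_id", "sso_role_name", "region"})
        if (!p->second.count(key)) problems.push_back(std::string("profile is missing ") + key);
    if (!p->second.count("sso_session")) return problems;
    const std::string name = "sso-session " + p->second.at("sso_session");
    const auto s = ini.find(name);
    if (s == ini.end()) problems.push_back("no [" + name + "] section");
    for (const char* key : {"sso_region", "sso_start_url"})
        if (s != ini.end() && !s->second.count(key)) problems.push_back("[" + name + "] is missing " + key);
    return problems;
}
```

An empty result for the profile your application uses means the file has the settings described above; it says nothing about whether the access portal session is still active.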
Start an Amazon access portal session
Before running an application that accesses Amazon Web Services services, you need an active Amazon access portal session for the SDK to use IAM Identity Center authentication to resolve credentials. Depending on your configured session lengths, your access will eventually expire and the SDK will encounter an authentication error. To sign in to the Amazon access portal, run the following command in the Amazon CLI.
aws sso login
Since you have a default profile set up, you do not need to call the command with a
--profile option. If your SSO token provider configuration is using a named
profile, the command is aws sso login --profile named-profile.
To test if you already have an active session, run the following Amazon CLI command.
aws sts get-caller-identity
The response to this command should report the IAM Identity Center account and permission set
configured in the shared config file.
Note
If you already have an active Amazon access portal session and run aws sso
login, you will not be required to provide credentials.
The sign-in process might prompt you to allow the Amazon CLI access to your data. Because
the Amazon CLI is built on top of the SDK for Python, permission messages may contain variations of
the botocore name.
More authentication information
Human users, also known as human identities, are the people, administrators, developers, operators, and consumers of your applications. They must have an identity to access your Amazon environments and applications. Human users that are members of your organization, which includes you, the developer, are also known as workforce identities. Use temporary credentials when accessing Amazon. You can use an identity provider for your human users to provide federated access to Amazon accounts by assuming roles, which provide temporary credentials. For centralized access management, we recommend that you use Amazon IAM Identity Center (IAM Identity Center) to manage access to your accounts and permissions within those accounts. For more alternatives, see the following:
- To learn more about best practices, see Security best practices in IAM in the IAM User Guide.
- To create short-term Amazon credentials, see Temporary Security Credentials in the IAM User Guide.
- To learn about other Amazon SDK for C++ credential providers, see Standardized credential providers in the Amazon SDKs and Tools Reference Guide.