

 The [Amazon SDK for JavaScript V3 API Reference Guide](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/) describes in detail all the API operations for the Amazon SDK for JavaScript version 3 (V3). 

# SDK authentication with Amazon
<a name="getting-your-credentials"></a>

You must establish how your code authenticates with Amazon when developing with Amazon Web Services services. You can configure programmatic access to Amazon resources in different ways depending on the environment and the Amazon access available to you. 

To choose your method of authentication and configure it for the SDK, see [Authentication and access](https://docs.amazonaws.cn/sdkref/latest/guide/access.html) in the *Amazon SDKs and Tools Reference Guide*. 

We recommend that new users who are developing locally and are not given a method of authentication by their employer set up Amazon IAM Identity Center. This method includes installing the Amazon CLI for ease of configuration and for regularly signing in to the Amazon access portal. If you choose this method, your environment should contain the following elements after you complete the procedure for [IAM Identity Center authentication](https://docs.amazonaws.cn/sdkref/latest/guide/access-sso.html) in the *Amazon SDKs and Tools Reference Guide*:
+ The Amazon CLI, which you use to start an Amazon access portal session before you run your application.
+ A [shared Amazon `config` file](https://docs.amazonaws.cn/sdkref/latest/guide/file-format.html) having a `[default]` profile with a set of configuration values that can be referenced from the SDK. To find the location of this file, see [Location of the shared files](https://docs.amazonaws.cn/sdkref/latest/guide/file-location.html) in the *Amazon SDKs and Tools Reference Guide*.
+  The shared `config` file sets the [`region`](https://docs.amazonaws.cn/sdkref/latest/guide/feature-region.html) setting. This sets the default Amazon Web Services Region that the SDK uses for Amazon requests. This Region is used for SDK service requests that don't specify a Region. 
+  The SDK uses the profile's [SSO token provider configuration](https://docs.amazonaws.cn/sdkref/latest/guide/feature-sso-credentials.html#feature-sso-credentials-profile) to acquire credentials before sending requests to Amazon. The `sso_role_name` value, which is an IAM role connected to an IAM Identity Center permission set, allows access to the Amazon Web Services services used in your application.

  The following sample `config` file shows a default profile set up with SSO token provider configuration. The profile's `sso_session` setting refers to the named [`sso-session` section](https://docs.amazonaws.cn/sdkref/latest/guide/file-format.html#section-session). The `sso-session` section contains settings to initiate an Amazon access portal session.

  ```
  [default]
  sso_session = my-sso
  sso_account_id = 111122223333
  sso_role_name = SampleRole
  region = us-east-1
  output = json
  
  [sso-session my-sso]
  sso_region = us-east-1
  sso_start_url = https://provided-domain.awsapps.com/start
  sso_registration_scopes = sso:account:access
  ```

The Amazon SDK for JavaScript v3 does not need additional packages (such as `SSO` and `SSOOIDC`) to be added to your application to use IAM Identity Center authentication.

For details on using this credential provider explicitly, see [`fromSSO()`](https://www.npmjs.com/package/@aws-sdk/credential-providers#fromsso) on the npm (Node.js package manager) website.
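
A check for the shared `config` layout described above, as an added example that is not code from the SDK or from this guide: it parses the file, resolves the profile's `sso_session` reference to its `sso-session` section, and reports missing settings or long-term keys. The function names `parseSharedConfig` and `checkSsoProfile` and the sample profile `dev` are assumptions made for illustration.

```javascript
// Added example (not SDK code). Parse shared config text into { sectionName: { key: value } }.
function parseSharedConfig(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = sections[header[1].trim().replace(/\s+/g, " ")] = {};
      continue;
    }
    const eq = line.indexOf("=");
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// List problems in one profile; an empty array means it matches the layout shown on this page.
// Named profiles use a "[profile name]" header in the config file; "[default]" has no prefix.
function checkSsoProfile(sections, profileName = "default") {
  const key = profileName === "default" ? "default" : `profile ${profileName}`;
  const profile = sections[key];
  if (!profile) return [`${key}: profile not found`];
  const problems = [];
  const need = (obj, where, keys) =>
    keys.forEach((k) => { if (!obj[k]) problems.push(`${where}: missing ${k}`); });
  need(profile, key, ["sso_session", "sso_account_id", "sso_role_name", "region"]);
  // The page recommends temporary credentials, so flag long-term keys in the profile.
  for (const k of ["aws_access_key_id", "aws_secret_access_key"])
    if (k in profile) problems.push(`${key}: long-term key setting ${k} present`);
  if (profile.sso_session) {
    const name = `sso-session ${profile.sso_session}`;
    const session = sections[name];
    if (!session) problems.push(`${name}: section not defined`);
    else {
      need(session, name, ["sso_region", "sso_start_url"]);
      if (session.sso_start_url && !session.sso_start_url.startsWith("https://"))
        problems.push(`${name}: sso_start_url is not https`);
    }
  }
  return problems;
}

// Constructed sample: a named profile with a dangling sso_session reference and a static key.
const SAMPLE = `[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
aws_access_key_id = EXAMPLEKEYID`;
console.log(checkSsoProfile(parseSharedConfig(SAMPLE), "dev"));
```

Running the same check over the sample `config` file shown earlier returns an empty list.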

## Start an Amazon access portal session
<a name="accessportal"></a>

Before running an application that accesses Amazon Web Services services, you need an active Amazon access portal session for the SDK to use IAM Identity Center authentication to resolve credentials. Depending on your configured session lengths, your access will eventually expire and the SDK will encounter an authentication error. To sign in to the Amazon access portal, run the following command in the Amazon CLI.

```
aws sso login
```

If you followed the guidance and have a default profile set up, you do not need to call the command with a `--profile` option. If your SSO token provider configuration is using a named profile, the command is `aws sso login --profile named-profile`.

To optionally test if you already have an active session, run the following Amazon CLI command.

```
aws sts get-caller-identity
```

If your session is active, the response to this command reports the IAM Identity Center account and permission set configured in the shared `config` file.

**Note**  
If you already have an active Amazon access portal session and run `aws sso login`, you will not be required to provide credentials.   
The sign-in process might prompt you to allow the Amazon CLI access to your data. Because the Amazon CLI is built on top of the SDK for Python, permission messages might contain variations of the `botocore` name.

## Using console login credentials
<a name="use-con-login-creds"></a>

You can use your existing Amazon Management Console sign-in credentials for programmatic access to Amazon services. After a browser-based authentication flow, Amazon generates temporary credentials that work across local development tools like the Amazon CLI and Amazon SDK for JavaScript. This feature simplifies the process of configuring and managing Amazon CLI credentials. To learn how to get started, follow the instructions to [Login for Amazon local development using console credentials](https://docs.amazonaws.cn/cli/latest/userguide/cli-configure-sign-in.html).

When you run the **aws login** command, you can select from your active console sessions or sign in through the browser-based authentication flow, and temporary credentials are generated automatically. The Amazon SDK for JavaScript automatically refreshes credentials 5 minutes before expiration, with each set of credentials valid for up to 12 hours. For more information, see [`fromLoginCredentials`](https://docs.amazonaws.cn/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-credential-providers/#fromlogincredentials). 

## More authentication information
<a name="credother"></a>

Human users, also known as *human identities*, are the people, administrators, developers, operators, and consumers of your applications. They must have an identity to access your Amazon environments and applications. Human users that are members of your organization - that means you, the developer - are known as *workforce identities*. 

Use temporary credentials when accessing Amazon. You can use an identity provider for your human users to provide federated access to Amazon accounts by assuming roles, which provide temporary credentials. For centralized access management, we recommend that you use Amazon IAM Identity Center (IAM Identity Center) to manage access to your accounts and permissions within those accounts. For more alternatives, see the following:
+ To learn more about best practices, see [Security best practices in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.
+ To create short-term Amazon credentials, see [Temporary Security Credentials](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_temp.html) in the *IAM User Guide*.
+ To learn about other Amazon SDK for JavaScript V3 credential providers, see [Standardized credential providers](https://docs.amazonaws.cn/sdkref/latest/guide/standardized-credentials.html) in the *Amazon SDKs and Tools Reference Guide*.