Authenticate using short-term credentials - Amazon SDKs and Tools
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Authenticate using short-term credentials

We recommend configuring your SDK or tool to use IAM Identity Center authentication for your SDK or tool with extended session duration options. However, you can copy and use temporary credentials that are available in the Amazon access portal. New credentials will need to be copied when these expire. You can use the temporary credentials in a profile or use them as values for system properties and environment variables.

Best practice: Instead of manually managing access keys and a token in the credentials file, we recommend your application uses temporary credentials delivered from:

Set up a credentials file using short-term credentials retrieved from Amazon access portal
  1. Create a shared credentials file.

  2. In the credentials file, paste the following placeholder text until you paste in working temporary credentials.

    [default] aws_access_key_id=<value from Amazon access portal> aws_secret_access_key=<value from Amazon access portal> aws_session_token=<value from Amazon access portal>
  3. Save the file. The file ~/.aws/credentials should now exist on your local development system. This file contains the [default] profile that the SDK or tool uses if a specific named profile is not specified.

  4. Sign in to the Amazon access portal.

  5. Follow these instructions for Manual credential refresh to copy IAM role credentials from the Amazon access portal.

    1. For step 4 in the linked instructions, choose the IAM role name that grants access for your development needs. This role typically has a name like PowerUserAccess or Developer.

    2. For step 7 in the linked instructions, select the Manually add a profile to your Amazon credentials file option and copy the contents.

  6. Paste the copied credentials into your local credentials file. The generated profile name is not needed if you are using the default profile. Your file should resemble the following.

    [default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY aws_session_token=IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE
  7. Save the credentials file.

When the SDK creates a service client, it will access these temporary credentials and use them for each request. The settings for the IAM role chosen in step 5a determine how long the temporary credentials are valid. The maximum duration is twelve hours.

After the temporary credentials expire, repeat steps 4 through 7.