Authenticate using short-term credentials
We recommend configuring your SDK or tool to use IAM Identity Center authentication for your SDK or tool with extended session duration options. However, you can copy and use temporary credentials that are available in the Amazon access portal. New credentials will need to be copied when these expire. You can use the temporary credentials in a profile or use them as values for system properties and environment variables.
Best practice: Instead of manually managing access keys and a token in the credentials file, we recommend your application uses temporary credentials delivered from:
-
An Amazon compute service, such as running your application on Amazon Elastic Compute Cloud or in Amazon Lambda.
-
Another option in the credential provider chain, such as IAM Identity Center authentication for your SDK or tool.
-
Or use the Process credential provider to retrieve temporary credentials.
Set up a credentials file using short-term credentials retrieved from Amazon access portal
-
In the credentials file, paste the following placeholder text until you paste in working temporary credentials.
[default] aws_access_key_id=
<value from Amazon access portal>
aws_secret_access_key=<value from Amazon access portal>
aws_session_token=<value from Amazon access portal>
-
Save the file. The file
~/.aws/credentials
should now exist on your local development system. This file contains the [default] profile that the SDK or tool uses if a specific named profile is not specified. -
Follow these instructions for Manual credential refresh to copy IAM role credentials from the Amazon access portal.
-
For step 4 in the linked instructions, choose the IAM role name that grants access for your development needs. This role typically has a name like PowerUserAccess or Developer.
-
For step 7 in the linked instructions, select the Manually add a profile to your Amazon credentials file option and copy the contents.
-
-
Paste the copied credentials into your local
credentials
file. The generated profile name is not needed if you are using thedefault
profile. Your file should resemble the following.[default] aws_access_key_id=
AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token=IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE
-
Save the
credentials
file.
When the SDK creates a service client, it will access these temporary credentials and use them for each request. The settings for the IAM role chosen in step 5a determine how long the temporary credentials are valid. The maximum duration is twelve hours.
After the temporary credentials expire, repeat steps 4 through 7.