Authentication and access - Amazon SDKs and Tools
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Authentication and access

You must establish how your code authenticates with Amazon when you develop with Amazon Web Services services. You can configure programmatic access to Amazon resources in different ways, depending on the environment and the Amazon access available to you.

Authentication options for code running locally (not in Amazon)

  • IAM Identity Center authentication for your SDK or tool – As a security best practice, we recommend using Amazon Organizations with IAM Identity Center to manage access across all your Amazon Web Services accounts. You can create users in Amazon IAM Identity Center, use Microsoft Active Directory, use a SAML 2.0 identity provider (IdP), or individually federate your IdP to Amazon Web Services accounts. To check if your Region supports IAM Identity Center, see Amazon IAM Identity Center endpoints and quotas in the Amazon Web Services General Reference.

  • IAM Roles Anywhere – You can use IAM Roles Anywhere to obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of Amazon. To use IAM Roles Anywhere, your workloads must use X.509 certificates.

  • Assume a role with Amazon credentials – You can assume an IAM role to temporarily access Amazon resources that you might not have access to otherwise.

  • Amazon access keys – Other options that might be less convenient or might increase the security risk to your Amazon resources.

Authentication options for code running within an Amazon environment

If your code runs on Amazon, credentials can be made automatically available to your application. For example, if your application is hosted on Amazon Elastic Compute Cloud, and there is an IAM role associated with that resource, the credentials are automatically made available to your application. Likewise, if you use Amazon ECS or Amazon EKS containers, the credentials set for the IAM role can be automatically obtained by the code running inside the container through the SDK’s credential provider chain.

  • Using IAM roles for Amazon EC2 instances – Use IAM roles to securely run your application on an Amazon EC2 instance.

  • You can programmatically interact with Amazon using IAM Identity Center in the following ways:

Authentication through a web-based identity provider - Mobile or client-based web applications

If you are creating mobile applications or client-based web applications that require access to Amazon, build your app so that it requests temporary Amazon security credentials dynamically by using web identity federation.

With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, app users can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. They can receive an authentication token, and then exchange that token for temporary security credentials in Amazon that map to an IAM role with permissions to use the resources in your Amazon Web Services account.

To learn how to configure this for your SDK or tool, see Assume a role with web identity or OpenID Connect.

For mobile applications, consider using Amazon Cognito. Amazon Cognito acts as an identity broker and does much of the federation work for you. For more information, see Using Amazon Cognito for mobile apps in the IAM User Guide.

More information about access management

The IAM User Guide has the following information about securely controlling access to Amazon resources:

The Amazon Web Services General Reference has foundational basics on the following:

Amazon Builder ID

Your Amazon Builder ID complements any Amazon Web Services accounts you might already own or want to create. While an Amazon Web Services account acts as a container for Amazon resources you create and provides a security boundary for those resources, your Amazon Builder ID represents you as an individual. You can sign in with your Amazon Builder ID to access developer tools and services such as Amazon CodeWhisperer and Amazon CodeCatalyst.