AWS SDKs and Tools Reference Guide

Using IAM Identity Center to authenticate AWS SDK and tools

AWS IAM Identity Center can be used to provide AWS credentials when you develop an AWS application in a non-AWS compute environment. If you are developing on an AWS resource, such as Amazon Elastic Compute Cloud (Amazon EC2) or AWS Cloud9, we recommend getting credentials from that service instead.

Use IAM Identity Center authentication if you already use Identity Center for AWS account access or need to manage access for an organization.

In this tutorial, you establish IAM Identity Center access and configure it for your SDK or tool by using the AWS access portal and the AWS CLI.

Prerequisites

Before starting this procedure, you should have completed the following:

Configure programmatic access using IAM Identity Center

Step 1: Establish access and select appropriate permission set

Choose one of the following methods, depending on how you currently access your AWS credentials. If you do not yet have access through IAM Identity Center, establish it as follows:

  1. Add a user and add administrative permissions by following the Configure user access with the default IAM Identity Center directory procedure in the AWS IAM Identity Center User Guide.

  2. The AdministratorAccess permission set should not be used for regular development. Instead, we recommend using the predefined PowerUserAccess permission set, unless your employer has created a custom permission set for this purpose.

    Follow the same Configure user access with the default IAM Identity Center directory procedure again, but this time:

    • Instead of creating the Admin team group, create a Dev team group, and substitute this thereafter in the instructions.

    • You can use the existing user, but the user must be added to the new Dev team group.

    • Instead of creating the AdministratorAccess permission set, create a PowerUserAccess permission set, and substitute this thereafter in the instructions.

    When you are done, you should have the following:

    • A Dev team group.

    • A PowerUserAccess permission set attached to the Dev team group.

    • Your user added to the Dev team group.

  3. Exit the portal and sign in again to see your AWS accounts and options for AdministratorAccess or PowerUserAccess. Select PowerUserAccess when working with your tool or SDK.

If you already have access through your identity provider's portal, sign in to AWS through that portal. If your Cloud Administrator has granted you PowerUserAccess (developer) permissions, you see the AWS accounts that you have access to and your permission set. Next to the name of your permission set, you see options to access the accounts manually or programmatically using that permission set.

Custom implementations might result in different experiences, such as different permission set names. If you're not sure which permission set to use, contact your IT team for help.

If you already have access through the AWS access portal, sign in to AWS through the AWS access portal. If your Cloud Administrator has granted you PowerUserAccess (developer) permissions, you see the AWS accounts that you have access to and your permission set. Next to the name of your permission set, you see options to access the accounts manually or programmatically using that permission set.

If you are not sure which of these applies to you, contact your IT team for help.

Step 2: Configure SDKs and tools to use IAM Identity Center

  1. On your development machine, install the latest AWS CLI.

    1. See Installing or updating the latest version of the AWS CLI in the AWS Command Line Interface User Guide.

    2. (Optional) To verify that the AWS CLI is working, open a command prompt and run the aws --version command.

  2. Sign in to the AWS access portal. Your employer may provide this URL, or you may get it in an email following Step 1: Establish access. If not, find your AWS access portal URL on the Dashboard of https://console.aws.amazon.com/singlesignon/.

    1. In the AWS access portal, in the Accounts tab, select the individual account to manage. The roles for your user are displayed. Choose Access keys to get credentials for command line or programmatic access for the appropriate permission set. Use the predefined PowerUserAccess permission set, or whichever permission set you or your employer has created to apply least-privilege permissions for development.

    2. In the Get credentials dialog box, choose either MacOS and Linux or Windows, depending on your operating system.

    3. Choose the IAM Identity Center credentials method to get the Issuer URL and SSO Region values that you need for the next step. Note: SSO Start URL can be used interchangeably with Issuer URL.

  3. In the AWS CLI command prompt, run the aws configure sso command. When prompted, enter the configuration values that you collected in the previous step. For details on this AWS CLI command, see Configure your profile with the aws configure sso wizard.

    1. For the prompt SSO Start URL, enter the value you obtained for Issuer URL.

    2. For CLI profile name, we recommend entering default when you are getting started. For information about how to set non-default (named) profiles and their associated environment variable, see Profiles.

  4. (Optional) In the AWS CLI command prompt, confirm the active session identity by running the aws sts get-caller-identity command. The response should show the IAM Identity Center permission set that you configured.

  5. If you are using an AWS SDK, create an application for your SDK in your development environment.

    1. For some SDKs, additional packages such as SSO and SSOOIDC must be added to your application before you can use IAM Identity Center authentication. For details, see your specific SDK.

    2. If you previously configured access to AWS, review your shared AWS credentials file for any AWS access keys. You must remove any static credentials before the SDK or tool will use the IAM Identity Center credentials, because static keys are resolved earlier in the credential provider chain (see Understand the credential provider chain precedence).

For a deep dive into how the SDKs and tools use and refresh credentials using this configuration, see How IAM Identity Center authentication is resolved for AWS SDKs and tools.

To configure IAM Identity Center provider settings directly in the shared config file, see IAM Identity Center credential provider in this guide.
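The following script is an added example, not code from the AWS documentation, the AWS CLI or any SDK. It covers two points from Step 2: the static-credentials review in step 5.2 and the shared config file settings mentioned above. It parses constructed copies of the shared config and credentials files, accepting both the sso-session layout that the aws configure sso wizard writes and the older layout with sso_start_url directly on the profile, reports missing IAM Identity Center settings, and lists any static access keys that the credential provider chain would resolve before the Identity Center credentials. The start URL, account ID, role name and access key in the samples are placeholders.

```python
"""Added example: validate the shared AWS config/credentials files after
`aws configure sso`, and flag static keys that would shadow IAM Identity
Center credentials.  Sample file contents are constructed; the start URL,
account ID, role name and access key are placeholders.
"""
import configparser
from typing import Dict, List

# Constructed sample of ~/.aws/config as the `aws configure sso` wizard writes it.
# The default profile is stored as [default]; named profiles as [profile NAME].
SAMPLE_CONFIG = """
[default]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = PowerUserAccess
region = us-east-1
output = json

[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
"""

# Constructed sample of a stale ~/.aws/credentials left over from an earlier setup.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

REQUIRED_PROFILE_KEYS = ("sso_account_id", "sso_role_name")
REQUIRED_SESSION_KEYS = ("sso_start_url", "sso_region")


def parse_ini(text: str) -> configparser.ConfigParser:
    # Both shared files use INI syntax; option names are lower-cased by configparser.
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def check_sso_profile(config_text: str, profile: str = "default") -> List[str]:
    """Return a list of problems with the IAM Identity Center settings for `profile`."""
    cfg = parse_ini(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cfg.has_section(section):
        return [f"profile '{profile}' not found in config"]
    problems: List[str] = []
    for key in REQUIRED_PROFILE_KEYS:
        if not cfg.has_option(section, key):
            problems.append(f"{section}: missing {key}")
    if cfg.has_option(section, "sso_session"):
        # Current layout: start URL and region live in a shared [sso-session NAME] block.
        sess = f"sso-session {cfg.get(section, 'sso_session')}"
        if not cfg.has_section(sess):
            return problems + [f"{section}: references missing [{sess}]"]
        holder = sess
    elif cfg.has_option(section, "sso_start_url"):
        # Legacy layout: start URL and region sit directly on the profile.
        holder = section
    else:
        return problems + [f"{section}: missing sso_session (or legacy sso_start_url)"]
    for key in REQUIRED_SESSION_KEYS:
        if not cfg.has_option(holder, key):
            problems.append(f"{holder}: missing {key}")
    if not cfg.get(holder, "sso_start_url", fallback="").startswith("https://"):
        problems.append(f"{holder}: sso_start_url must be an https URL")
    return problems


def find_static_credentials(credentials_text: str) -> Dict[str, str]:
    """Map each credentials-file section holding a static access key to its key ID.

    Static keys are resolved before IAM Identity Center in the provider chain,
    so every hit must be removed before the SDK or tool will use SSO credentials.
    """
    creds = parse_ini(credentials_text)
    return {
        sec: creds.get(sec, "aws_access_key_id")
        for sec in creds.sections()
        if creds.has_option(sec, "aws_access_key_id")
    }


if __name__ == "__main__":
    for line in check_sso_profile(SAMPLE_CONFIG) or ["config: IAM Identity Center settings OK"]:
        print(line)
    for sec, key_id in find_static_credentials(SAMPLE_CREDENTIALS).items():
        print(f"remove static key {key_id} from [{sec}] in the credentials file")
```

To run it against your own files, read ~/.aws/config and ~/.aws/credentials into the two functions instead of the constructed samples; any section reported by find_static_credentials is one the SDK would pick over the Identity Center profile.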

Refreshing portal access sessions

Your access will eventually expire and the SDK or tool will encounter an authentication error. When this expiration occurs depends on your configured session lengths. To refresh the access portal session again when needed, use the AWS CLI to run the aws sso login command.

You can extend both the IAM Identity Center access portal session duration and the permission set session duration. This lengthens the amount of time that you can run code before you need to manually sign in again with the AWS CLI. For more information, see the following topics in the AWS IAM Identity Center User Guide:

Login using console credentials
Understand IAM Identity Center authentication
