AWS Command Line Interface User Guide for Version 2

Authentication and access credentials for the AWS CLI

You must establish how the AWS CLI authenticates with AWS when you develop with AWS services. To configure credentials for programmatic access for the AWS CLI, choose one of the following options. The options are in order of recommendation.

Authentication type: IAM Identity Center workforce users short-term credentials
Purpose: (Recommended) Use short-term credentials for an IAM Identity Center workforce user. Security best practice is to use AWS Organizations with IAM Identity Center. It combines short-term credentials with a user directory, such as the built-in IAM Identity Center directory or Active Directory.
Instructions: Configuring IAM Identity Center authentication with the AWS CLI

Authentication type: IAM user short-term credentials
Purpose: Use IAM user short-term credentials, which are more secure than long-term credentials. If your credentials are compromised, there is a limited time they can be used before they expire.
Instructions: Authenticating with short-term credentials for the AWS CLI

Authentication type: IAM or IAM Identity Center users on an Amazon EC2 instance
Purpose: Use Amazon EC2 instance metadata to query for temporary credentials using the role assigned to the Amazon EC2 instance.
Instructions: Using Amazon EC2 instance metadata as credentials in the AWS CLI

Authentication type: Assume roles for permissions
Purpose: Pair another credential method and assume a role for temporary access to AWS services your user might not otherwise have access to.
Instructions: Using an IAM role in the AWS CLI

Authentication type: IAM user long-term credentials
Purpose: (Not recommended) Use long-term credentials, which have no expiration.
Instructions: Authenticating using IAM user credentials for the AWS CLI

Authentication type: External storage of IAM or IAM Identity Center workforce user credentials
Purpose: (Not recommended) Pair another credential method, but store the credential values in a location outside of the AWS CLI. This method is only as secure as the external location in which the credentials are stored.
Instructions: Sourcing credentials with an external process in the AWS CLI

Configuration and credential precedence

Credentials and configuration settings can be located in multiple places, such as system or user environment variables, local AWS configuration files, or parameters declared explicitly on the command line. Certain authentication settings take precedence over others. The AWS CLI authentication settings take precedence in the following order:

  1. Command line options – Override settings in any other location, for example the --region, --output, and --profile parameters.

  2. Environment variables – You can store values in your system's environment variables.

  3. Assume role – Assume the permissions of an IAM role through configuration or the assume-role command.

  4. Assume role with web identity – Assume the permissions of an IAM role using web identity through configuration or the assume-role-with-web-identity command.

  5. AWS IAM Identity Center – The IAM Identity Center configuration settings stored in the config file are updated when you run the aws configure sso command. Credentials are then authenticated when you run the aws sso login command. The config file is located at ~/.aws/config on Linux or macOS, or at C:\Users\USERNAME\.aws\config on Windows.

  6. Credentials file – The credentials and config files are updated when you run the command aws configure. The credentials file is located at ~/.aws/credentials on Linux or macOS, or at C:\Users\USERNAME\.aws\credentials on Windows.

  7. Custom process – Get your credentials from an external source.

  8. Configuration file – The credentials and config files are updated when you run the command aws configure. The config file is located at ~/.aws/config on Linux or macOS, or at C:\Users\USERNAME\.aws\config on Windows.

  9. Container credentials – You can associate an IAM role with each of your Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary credentials for that role are then available to that task's containers. For more information, see IAM Roles for Tasks in the Amazon Elastic Container Service Developer Guide.

  10. Amazon EC2 instance profile credentials – You can associate an IAM role with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide and Using Instance Profiles in the IAM User Guide.
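As an added illustration of the settings layers in this precedence chain (it is not code from the AWS CLI or its documentation), the script below resolves the effective profile and region the way the chain orders them: command line option, then environment variable (AWS_PROFILE, AWS_DEFAULT_REGION), then the profile's entry in a config file. It parses a constructed config file passed in by path and reports which layer supplied the value, which is the question to ask when auditing what a host is actually using; the credential-provider layers (roles, IAM Identity Center, custom process, container and instance profile credentials) are not modelled.

```shell
#!/bin/sh
# Added example, not AWS CLI code. Walks the settings precedence documented above:
# command line option > environment variable > config file.

# read_config_key FILE PROFILE KEY: print KEY from the [default] or [profile NAME] section.
read_config_key() {
  awk -v profile="$2" -v key="$3" '
    /^[ \t]*[#;]/ { next }                       # comment line
    /^[ \t]*\[/ {                                # section header
      s = $0
      sub(/^[ \t]*\[/, "", s); sub(/][ \t]*$/, "", s)
      sub(/^profile[ \t]+/, "", s)               # "[profile dev]" -> "dev"
      in_section = (s == profile)
      next
    }
    in_section && index($0, "=") {
      n = index($0, "=")
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }
  ' "$1"
}

# effective_profile [FLAG_PROFILE]: --profile beats AWS_PROFILE, which beats "default".
effective_profile() {
  if [ -n "$1" ]; then echo "$1"; return; fi
  if [ -n "$AWS_PROFILE" ]; then echo "$AWS_PROFILE"; return; fi
  echo default
}

# effective_region FILE [FLAG_PROFILE] [FLAG_REGION]: prints "<region> (<source>)".
effective_region() {
  profile=$(effective_profile "$2")
  if [ -n "$3" ]; then echo "$3 (command line)"; return; fi
  if [ -n "$AWS_DEFAULT_REGION" ]; then echo "$AWS_DEFAULT_REGION (environment)"; return; fi
  r=$(read_config_key "$1" "$profile" region)
  if [ -n "$r" ]; then echo "$r (config file, profile $profile)"; else echo "unset"; fi
}

# Constructed sample config file (not a real one) with a default and a named profile.
CONFIG_FILE=$(mktemp)
cat > "$CONFIG_FILE" <<'EOF'
[default]
region = us-east-1
[profile dev]
region = us-west-2
output = json
EOF
```

On a real host, aws configure list shows the same kind of per-setting source (environment, config file, shared credentials file) for the profile in use.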

Additional topics in this section

Endpoints
IAM Identity Center authentication
