The AWS SDK for JavaScript v2 has reached end-of-support. We recommend that you migrate to AWS SDK for JavaScript v3. For additional details and information on how to migrate, please refer to this announcement.
You must establish how your code authenticates with AWS when developing with AWS services. You can configure programmatic access to AWS resources in different ways depending on the environment and the AWS access available to you.
To choose your method of authentication and configure it for the SDK, see Authentication and access in the AWS SDKs and Tools Reference Guide.
We recommend that new users who are developing locally and are not given a method of authentication by their employer should set up AWS IAM Identity Center. This method includes installing the AWS CLI for ease of configuration and for regularly signing in to the AWS access portal. If you choose this method, your environment should contain the following elements after you complete the procedure for IAM Identity Center authentication in the AWS SDKs and Tools Reference Guide:
The AWS CLI, which you use to start an AWS access portal session before you run your application.
A shared AWS config file having a [default] profile with a set of configuration values that can be referenced from the SDK. To find the location of this file, see Location of the shared files in the AWS SDKs and Tools Reference Guide.
The shared config file sets the region setting. This sets the default AWS Region that the SDK uses for AWS requests. This Region is used for SDK service requests that aren't specified with a Region to use.
The SDK uses the profile's SSO token provider configuration to acquire credentials before sending requests to AWS. The sso_role_name value, which is an IAM role connected to an IAM Identity Center permission set, allows access to the AWS services used in your application.
The following sample config file shows a default profile set up with SSO token provider configuration. The profile's sso_session setting refers to the named sso-session section. The sso-session section contains settings to initiate an AWS access portal session.

    [default]
    sso_session = my-sso
    sso_account_id = 111122223333
    sso_role_name = SampleRole
    region = us-east-1
    output = json

    [sso-session my-sso]
    sso_region = us-east-1
    sso_start_url = https://provided-domain.awsapps.com/start
    sso_registration_scopes = sso:account:access

The SDK for JavaScript does not need additional packages (such as SSO and SSOOIDC) to be added to your application to use IAM Identity Center authentication.
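The link between a profile's sso_session setting and its sso-session section can be checked before the application runs. The following is an added example, not code from the SDK or from this guide: the function names parseConfig and checkSsoProfile, the choice of checks (including the flag for long-term access keys and the https test), and the sample text are assumptions of this example.

```javascript
// Parse shared AWS config text (INI-style) into { section: { key: value } }.
function parseConfig(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    const eq = line.indexOf('=');
    if (header) {
      current = sections[header[1].trim().replace(/\s+/g, ' ')] = {};
    } else if (current && eq > 0) {
      current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
  }
  return sections;
}

// List problems in a profile's SSO token provider configuration.
function checkSsoProfile(text, profileName = 'default') {
  const sections = parseConfig(text);
  const profile = sections[profileName === 'default' ? 'default' : `profile ${profileName}`];
  if (!profile) return [`profile "${profileName}" not found`];
  const problems = [];
  for (const key of ['sso_session', 'sso_account_id', 'sso_role_name']) {
    if (!profile[key]) problems.push(`profile is missing ${key}`);
  }
  // Long-term keys in the profile undercut the temporary-credential setup.
  if (profile.aws_access_key_id || profile.aws_secret_access_key) {
    problems.push('profile contains long-term access keys');
  }
  const session = sections[`sso-session ${profile.sso_session}`];
  if (profile.sso_session && !session) {
    problems.push(`sso-session "${profile.sso_session}" is not defined`);
  } else if (session) {
    for (const key of ['sso_region', 'sso_start_url']) {
      if (!session[key]) problems.push(`sso-session is missing ${key}`);
    }
    if (session.sso_start_url && !session.sso_start_url.startsWith('https://')) {
      problems.push('sso_start_url is not an https URL');
    }
  }
  return problems;
}

// Constructed sample: the profile points at a session name that is never defined.
const BROKEN = '[default]\nsso_session = my-sso\nsso_account_id = 111122223333\n' +
  'sso_role_name = SampleRole\n\n[sso-session my-ss0]\nsso_region = us-east-1\n';
console.log(checkSsoProfile(BROKEN));
```

Run it with Node.js; the sample config shown above passes with an empty problem list.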
Before running an application that accesses AWS services, you need an active AWS access portal session for the SDK to use IAM Identity Center authentication to resolve credentials. Depending on your configured session lengths, your access will eventually expire and the SDK will encounter an authentication error. To sign in to the AWS access portal, run the following command in the AWS CLI.

    aws sso login

If you followed the guidance and have a default profile setup, you do not need to call the command with a --profile option. If your SSO token provider configuration is using a named profile, the command is aws sso login --profile named-profile.
To optionally test if you already have an active session, run the following AWS CLI command.

    aws sts get-caller-identity

If your session is active, the response to this command reports the IAM Identity Center account and permission set configured in the shared config file.
If you already have an active AWS access portal session and run aws sso login, you will not be required to provide credentials.
The sign-in process might prompt you to allow the AWS CLI access to your data. Because the AWS CLI is built on top of the SDK for Python, permission messages might contain variations of the botocore name.
Human users, also known as human identities, are the people, administrators, developers, operators, and consumers of your applications. They must have an identity to access your AWS environments and applications. Human users that are members of your organization - that means you, the developer - are known as workforce identities.
Use temporary credentials when accessing AWS. You can use an identity provider for your human users to provide federated access to AWS accounts by assuming roles, which provide temporary credentials. For centralized access management, we recommend that you use AWS IAM Identity Center (IAM Identity Center) to manage access to your accounts and permissions within those accounts. For more alternatives, see the following:
To learn more about best practices, see Security best practices in IAM in the IAM User Guide.
To create short-term AWS credentials, see Temporary Security Credentials in the IAM User Guide.
To learn about other SDK for JavaScript credential providers, see Standardized credential providers in the AWS SDKs and Tools Reference Guide.