AWS account setup

How to get credentials for working locally, e.g. the AWS CLI


Last updated 2 months ago

Developers can get short-lived credentials for working locally (lasting up to 4 hours).

This is meant to reduce the risk profile of lost secrets; e.g. if a laptop is stolen, it's less likely to have useful AWS credentials than if we all had long-lived, permanent credentials.

You can use the aws CLI application to do this when signing in via IAM Identity Center.

To configure your CLI for single sign-on:

  1. Follow the instructions to log into the AWS console to ensure you have access.

  2. Return to the IAM Identity Center app, or visit this link.

  3. Select the "Access Keys" option for the "Digital Engagement Platform" account.

  4. You should see instructions for multiple ways in which to use your temporary credentials. To set up your CLI to work with collection AWS roles, run:

    > aws configure sso
    SSO session name (Recommended):
    WARNING: Configuring using legacy format (e.g. without an SSO session).
    Consider re-running "configure sso" command and providing a session name.
    SSO start URL [https://wellcome.awsapps.com/start/#]:
    SSO region [eu-west-1]:
    There are 2 AWS accounts available to you.
    Using the account ID 760097843905
    The only role available to you is: platform-superdev
    Using the role name "weco-developer"
    CLI default client Region [eu-west-1]:
    CLI default output format [None]:

    The SSO session name can be empty. Specify the start URL and region from the instructions. When asked to select a profile name, specify default.

    This will create an entry in ~/.aws/config that looks like:

    [default]
    sso_start_url = https://wellcome.awsapps.com/start/#
    sso_region = eu-west-1
    sso_account_id = 760097843905
    sso_role_name = weco-developer
    region = eu-west-1

  5. Ensure that your ~/.aws/credentials file matches the one in this repository. If there is already a default profile specified, this process will fail.

  6. Once the configuration process is complete, you can sign in using the command:

    aws sso login

    After sign-in, you will assume an initial role.

    You then need to assume a specific role to start doing things.
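
A pre-flight check for steps 4 and 5, added here as an example; it is not code from this page or from the repository it refers to. The `audit` function and its finding messages are assumptions of this example, the config values are the ones shown in step 4, and the access key is a constructed placeholder.

```python
import configparser
from pathlib import Path

SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
# The [default] entry from step 4 of this page.
SAMPLE_CONFIG = """\
[default]
sso_start_url = https://wellcome.awsapps.com/start/#
sso_region = eu-west-1
sso_account_id = 760097843905
sso_role_name = weco-developer
region = eu-west-1
"""
# Constructed sample: a leftover static key (placeholder value, not a real key).
SAMPLE_CREDENTIALS = "[default]\naws_access_key_id = AKIAXXXXXXXXXXXXXXXX\n"

def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    parser.read_string(text)
    return parser

def audit(config_text, credentials_text):
    """Return (severity, message) findings for ~/.aws/config and ~/.aws/credentials."""
    findings = []
    config, creds = _parse(config_text), _parse(credentials_text)
    # Step 5: an existing [default] profile in the credentials file breaks the setup.
    if creds.has_section("default"):
        findings.append(("error", "credentials: [default] profile present"))
    # AKIA prefixes a long-term IAM user key; ASIA prefixes temporary STS credentials.
    for name in creds.sections():
        if creds.get(name, "aws_access_key_id", fallback="").startswith("AKIA"):
            findings.append(("warn", f"credentials: [{name}] holds a long-lived access key"))
    # Step 4: [default] in the config file should carry all four SSO settings.
    if not config.has_section("default"):
        findings.append(("error", "config: no [default] profile"))
    else:
        for key in SSO_KEYS:
            if not config.get("default", key, fallback="").strip():
                findings.append(("error", f"config: [default] is missing {key}"))
    return findings

def read(path):
    p = Path(path).expanduser()
    return p.read_text() if p.exists() else ""

if __name__ == "__main__":
    for severity, message in audit(read("~/.aws/config"), read("~/.aws/credentials")):
        print(f"{severity}: {message}")
```

Run directly, it inspects your own `~/.aws` files and prints nothing when the setup matches the steps above.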
