How to get credentials for working locally, e.g. the AWS CLI

Developers can get short-lived credentials for working locally (lasting up to 4 hours).

This is meant to reduce the risk profile of lost secrets; e.g. if a laptop is stolen, it's less likely to have useful AWS credentials than if we all had long-lived, permanent credentials.

You can use the aws CLI application to do this when signing in via IAM Identity Center.

To configure your CLI for single sign-on you can:

  1. Follow the instructions to log into the AWS console to ensure you have access.

  2. Return to the IAM Identity Center app, or visit this link.

  3. Select the "Access Keys" option for the "Digital Engagement Platform" account.

  4. You should see instructions for multiple ways in which to use your temporary credentials. To set up your CLI to work with collection AWS roles, run:

    > aws configure sso
    SSO session name (Recommended):
    WARNING: Configuring using legacy format (e.g. without an SSO session).
    Consider re-running "configure sso" command and providing a session name.
    SSO start URL [https://wellcome.awsapps.com/start/#]:
    SSO region [eu-west-1]:
    There are 2 AWS accounts available to you.
    Using the account ID 760097843905
    The only role available to you is: platform-superdev
    Using the role name "weco-developer"
    CLI default client Region [eu-west-1]:
    CLI default output format [None]:

    The SSO session name can be left empty. Specify the start URL and region from the instructions. When asked to select a profile name, specify default.

    This will create an entry in ~/.aws/config that looks like:

    [default]
    sso_start_url = https://wellcome.awsapps.com/start/#
    sso_region = eu-west-1
    sso_account_id = 760097843905
    sso_role_name = weco-developer
    region = eu-west-1

  5. Ensure that your ~/.aws/credentials file matches the credentials file in this repository. If a default profile is already specified there, this process will fail.

  6. Once the configuration process is complete you can sign in using the command:

    aws sso login

    After sign-in, you will assume an initial role.

    You then need to assume a specific role to start doing things.
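A pre-flight check for the steps above, added here as an example (it is not part of this guide or the project's own tooling). It assumes the [default] profile layout step 4 shows in ~/.aws/config, the rule from step 5 that an existing [default] section in ~/.aws/credentials makes `aws configure sso` fail, and the JSON shape that `aws sts assume-role` prints when you assume the specific role in step 6. All inputs are passed as text so it runs against constructed samples; the key and token values are placeholders, not real credentials.

```python
"""Pre-flight checks for the SSO setup steps above (added example)."""
import configparser
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Keys the generated [default] profile in step 4 is expected to carry.
REQUIRED_SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id",
                     "sso_role_name", "region")


def _parse_ini(text: str) -> configparser.ConfigParser:
    # interpolation=None: AWS values may legitimately contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def missing_sso_keys(config_text: str, profile: str = "default") -> List[str]:
    """Return the required keys absent from a profile in ~/.aws/config text.

    All keys are reported when the section itself is missing. Non-default
    profiles live under '[profile NAME]' in the config file.
    """
    section = "default" if profile == "default" else f"profile {profile}"
    cp = _parse_ini(config_text)
    if not cp.has_section(section):
        return list(REQUIRED_SSO_KEYS)
    return [k for k in REQUIRED_SSO_KEYS if not cp.get(section, k, fallback="").strip()]


def credentials_default_profile_present(credentials_text: str) -> bool:
    """True when ~/.aws/credentials already has [default] (step 5 says this breaks setup)."""
    return _parse_ini(credentials_text).has_section("default")


def env_exports_from_assume_role(response_text: str,
                                 now: Optional[datetime] = None) -> Tuple[List[str], int]:
    """Turn an `aws sts assume-role` JSON response into `export` lines.

    Returns the lines and the seconds the credentials remain valid; raises
    ValueError if they have already expired, so a stale response is never
    exported into a shell.
    """
    creds = json.loads(response_text)["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    remaining = int((expires - now).total_seconds())
    if remaining <= 0:
        raise ValueError("assume-role credentials have already expired")
    lines = [
        f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
        f"export AWS_SESSION_TOKEN={creds['SessionToken']}",
    ]
    return lines, remaining


# --- constructed sample inputs (not real files, not real credentials) ---
SAMPLE_CONFIG = """\
[default]
sso_start_url = https://wellcome.awsapps.com/start/#
sso_region = eu-west-1
sso_account_id = 760097843905
sso_role_name = weco-developer
region = eu-west-1
"""

# Same profile with sso_role_name missing, to show the check failing.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("sso_role_name = weco-developer\n", "")

# A credentials file still carrying a long-lived [default] key (placeholder values).
STALE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIA_PLACEHOLDER_NOT_REAL
aws_secret_access_key = placeholder-not-a-real-secret
"""

# Constructed response in the shape `aws sts assume-role` prints.
SAMPLE_ASSUME_ROLE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIA_PLACEHOLDER_NOT_REAL",
        "SecretAccessKey": "placeholder-not-a-real-secret",
        "SessionToken": "placeholder-session-token",
        "Expiration": "2030-01-01T01:00:00+00:00",
    },
})
SAMPLE_NOW = datetime(2030, 1, 1, 0, 0, 0, tzinfo=timezone.utc)    # one hour before expiry
SAMPLE_LATER = datetime(2030, 1, 1, 2, 0, 0, tzinfo=timezone.utc)  # one hour after expiry


if __name__ == "__main__":
    print("missing keys (good config):", missing_sso_keys(SAMPLE_CONFIG))
    print("missing keys (broken config):", missing_sso_keys(BROKEN_CONFIG))
    print("stale [default] in credentials:", credentials_default_profile_present(STALE_CREDENTIALS))
    lines, secs = env_exports_from_assume_role(SAMPLE_ASSUME_ROLE, now=SAMPLE_NOW)
    print(f"credentials valid for {secs} s; {len(lines)} export lines ready")
```

In practice you would feed it the contents of your real ~/.aws/config and ~/.aws/credentials before running `aws configure sso`, and pipe the output of your assume-role command through `env_exports_from_assume_role` so expired temporary credentials are refused rather than silently exported.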
