AWS re:Invent 2025 - Programmatically access AWS with your console credentials (SEC354)
Overview
This presentation discusses a new AWS feature that allows developers to programmatically access AWS services using their AWS console credentials, rather than having to manage separate long-term access keys.
The goal is to provide a secure and simple way for developers to access AWS programmatically, eliminating the need for long-term access keys that can be compromised.
Key Challenges Addressed
Many developers struggle with the complexity of managing separate access methods for the AWS console and programmatic access.
Long-term access keys pose a security risk, as they can be stolen and misused, leading to security incidents.
The process of creating and managing access keys is often not straightforward for new AWS users.
The AWS Login Feature
The new "AWS Login" CLI command allows developers to use their AWS console credentials for programmatic access.
When a developer runs aws login, the CLI opens the default browser, authenticates the user to the AWS console, and securely retrieves temporary security credentials for the CLI to use.
These temporary credentials are valid for up to 12 hours and are refreshed automatically behind the scenes.
The credentials can be used across all 11 AWS SDKs, as well as for deployment to AWS services like EC2 and Lambda.
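The credentials handed out by aws login are temporary, which makes any long-term access key still lying around on a developer workstation the thing to hunt for. The following audit script is an added example, not AWS's code and not part of the talk: it parses a shared-credentials file in the standard INI layout and classifies each profile by the access key ID prefix (AKIA marks a long-term IAM user key, ASIA marks temporary STS credentials, which always travel with a session token). The sample file text is constructed, using the placeholder key values from the AWS documentation; the profile names and the classification labels are the example's own.

```python
"""Audit an AWS shared-credentials file for long-term access keys.

Added example (not AWS code). After developers move to `aws login`, any
remaining long-term keys in ~/.aws/credentials are unnecessary liabilities;
this script reports which profiles still carry them. The classification
relies only on the documented key-ID prefixes: AKIA = long-term IAM user
key, ASIA = temporary STS credentials (accompanied by a session token).
"""
import configparser
from pathlib import Path
from typing import Dict

# Classification labels (chosen for this example).
LONG_TERM = "long-term access key (AKIA) - replace with aws login"
TEMPORARY = "temporary credentials (ASIA) with session token"
TEMPORARY_NO_TOKEN = "ASIA key without session token (incomplete credentials)"
NO_STATIC_KEYS = "no static key material in this profile"
UNKNOWN = "unrecognised access key id prefix"


def classify_profile(section: configparser.SectionProxy) -> str:
    """Classify one [profile] section of a credentials file."""
    key_id = section.get("aws_access_key_id", "").strip()
    has_token = bool(section.get("aws_session_token", "").strip())
    if not key_id:
        return NO_STATIC_KEYS
    if key_id.startswith("AKIA"):
        return LONG_TERM
    if key_id.startswith("ASIA"):
        return TEMPORARY if has_token else TEMPORARY_NO_TOKEN
    return UNKNOWN


def audit_credentials_text(text: str) -> Dict[str, str]:
    """Parse credentials-file text and return {profile name: classification}."""
    # interpolation=None so '%' inside secret values is not treated specially
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: classify_profile(parser[name]) for name in parser.sections()}


def audit_credentials_file(path: Path = Path.home() / ".aws" / "credentials") -> Dict[str, str]:
    """Audit a real credentials file; an absent file simply yields no profiles."""
    if not path.is_file():
        return {}
    return audit_credentials_text(path.read_text(encoding="utf-8"))


# Constructed sample credentials file. Key values are the AWS documentation
# placeholders, not real secrets.
SAMPLE = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[temp]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = EXAMPLESESSIONTOKEN

[broken]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[nokeys]
region = us-east-1
"""

if __name__ == "__main__":
    for profile, verdict in audit_credentials_text(SAMPLE).items():
        print(f"{profile:>8}: {verdict}")
```

Run it against a real workstation with audit_credentials_file(); every profile reported as LONG_TERM is a candidate for deletion once the developer has switched to aws login.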
Technical Details
AWS Login uses the OAuth 2.0 Authorization Code flow with Proof Key for Code Exchange (PKCE), which protects against authorization code interception attacks.
The temporary credentials are short-lived (up to 12 hours) and cryptographically secured to prevent theft across devices.
To use the AWS Login feature, users need the signin-authorize-oauth2-access and signin-create-oauth2-token permissions, which can be granted through a managed policy.
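To make the PKCE point concrete, here is an added example in pure-stdlib Python; it is not AWS's code and talks to no AWS endpoint. It implements the client side of RFC 7636 (random code_verifier, S256 code_challenge) next to a toy in-memory authorization server, and then shows what happens when an authorization code is presented without the matching verifier, or presented a second time. The ToyAuthServer class, its 12-hour token lifetime and the 60-second code lifetime are the example's own assumptions chosen to mirror the figures in the talk, not AWS's implementation.

```python
"""PKCE (RFC 7636) walk-through: client plus a toy authorization server.

Added example, not AWS code. The client half is what a CLI does locally
before opening the browser; the server half is a stand-in for the real
authorization server, kept in memory so the whole exchange runs offline.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """code_verifier: 32 random bytes -> 43 unreserved characters (RFC 7636 s4.1)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """code_challenge for the S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthServer:
    """Minimal in-memory authorization server (constructed for illustration)."""

    def __init__(self, token_ttl_seconds: int = 12 * 3600, code_ttl_seconds: int = 60):
        # code -> (code_challenge, expiry); codes are single use
        self._pending: Dict[str, Tuple[str, float]] = {}
        self.token_ttl = token_ttl_seconds
        self.code_ttl = code_ttl_seconds

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to a fresh code."""
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' offers no interception protection")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (code_challenge, time.time() + self.code_ttl)
        return code

    def token(self, code: str, code_verifier: str) -> Optional[dict]:
        """Token endpoint: release credentials only to the holder of the verifier."""
        entry = self._pending.pop(code, None)  # pop: a code can be redeemed once
        if entry is None:
            return None  # unknown, expired-and-purged, or already used
        challenge, code_expiry = entry
        if time.time() > code_expiry:
            return None
        # Constant-time comparison of the recomputed challenge against the stored one
        if not hmac.compare_digest(make_challenge(code_verifier), challenge):
            return None
        return {
            "session_token": b64url(secrets.token_bytes(32)),
            "expires_at": time.time() + self.token_ttl,
        }


def demo() -> dict:
    """Run the happy path, an interception without the verifier, and a replay."""
    server = ToyAuthServer()

    # 1. Legitimate client: keeps the verifier private, sends only the challenge.
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier))
    legit = server.token(code, verifier)

    # 2. A code observed in transit by a party that never saw the verifier.
    other_verifier = make_verifier()
    other_code = server.authorize(make_challenge(other_verifier))
    intercepted = server.token(other_code, make_verifier())  # wrong verifier

    # 3. Replay of the legitimately redeemed code.
    replay = server.token(code, verifier)

    return {
        "legit_ok": legit is not None,
        "intercepted_ok": intercepted is not None,
        "replay_ok": replay is not None,
        "token_lifetime_hours": server.token_ttl / 3600,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that the server stores only the challenge, never the verifier, so a database leak or a logged authorization request still does not let anyone redeem a code; the verifier exists solely in the client process that started the flow.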
Business Impact
Eliminates the need for developers to create and manage long-term access keys, reducing the security risk of credential compromise.
Provides a seamless experience for developers, allowing them to use the same credentials for both console and programmatic access.
Improves productivity by enabling developers to easily access AWS services from their local development environments without additional setup.
Aligns with security best practices by encouraging the use of short-term, temporary credentials over long-term access keys.
Examples and Use Cases
A developer creating a Python script to access multiple AWS services can use the same AWS Login credentials across the AWS SDK, without having to manage separate access keys.
When deploying the script to an EC2 instance or Lambda function, the same short-term credentials can be used, providing a consistent and secure access experience.
The remote authentication option allows developers working in headless environments, such as Linux VMs, to still use the AWS Login feature by authenticating across devices.
Key Takeaways
The AWS Login feature provides a secure and simplified way for developers to access AWS programmatically using their console credentials.
It eliminates the need for long-term access keys, reducing the security risk of credential compromise and aligning with best practices.
The temporary credentials can be used across all AWS SDKs and for deployment to AWS services, providing a seamless experience for developers.
The technical implementation, including OAuth 2.0 and PKCE, ensures the security of the authentication process.
The feature is designed to improve developer productivity and adoption of secure access practices for AWS.