Authenticate via the AWS command line interface (CLI)
CLI access requires AWS access keys. We recommend using aws-vault for managing all aspects related to CLI authentication. To use aws-vault you will need to generate AWS Access Keys for your IAM user in the security account.
aws-vault is not the only method which can be used to authenticate on the CLI. Please refer to A Comprehensive Guide to Authenticating to AWS on the Command Line for several other options.
MFA is required for the Reference Architecture, including on the CLI. See configuring your IAM user for instructions on setting up an MFA token.
Access resources in the security account
To authenticate to the security account, you only need your AWS access keys and an MFA token. See the guide on adding credentials to
You should be able to run the following command using the AWS CLI:
aws-vault exec <YOUR_SECURITY_ACCOUNT_PROFILE_NAME> -- aws sts get-caller-identity
and expect to get an output with your user's IAM role:
Accessing all other accounts
To authenticate to all other accounts (e.g., dev, stage, prod), you will need the ARN of an IAM Role in that account to assume. To configure access to accounts using assumed roles with aws-vault, refer to these instructions.
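The profile layout described above can be checked before first use. This is an added example, not part of the original guide or of aws-vault: a Python check over a constructed ~/.aws/config that flags profiles lacking mfa_serial, holding static keys, or pointing at an undefined source_profile. Profile names, account IDs, user and role names are placeholders, and it assumes mfa_serial is set on every profile directly rather than inherited.

```python
import configparser

# Constructed sample of ~/.aws/config; profile names, account IDs and the
# user/role names are placeholders, not values from this guide.
SAMPLE_CONFIG = """
[profile security]
mfa_serial = arn:aws:iam::111111111111:mfa/jane.doe

[profile dev]
source_profile = security
role_arn = arn:aws:iam::222222222222:role/example-role
mfa_serial = arn:aws:iam::111111111111:mfa/jane.doe

[profile stage]
source_profile = security
role_arn = arn:aws:iam::333333333333:role/example-role

[profile prod]
source_profile = missing
role_arn = arn:aws:iam::444444444444:role/example-role
mfa_serial = arn:aws:iam::111111111111:mfa/jane.doe
"""


def audit_profiles(config_text):
    """Return sorted (profile, finding) tuples for profiles that break the MFA/role setup."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = parser[section]

    findings = []
    for name, opts in profiles.items():
        if "mfa_serial" not in opts:  # assumption: set per profile, not inherited
            findings.append((name, "no mfa_serial"))
        if "aws_access_key_id" in opts:  # long-lived keys do not belong in this file
            findings.append((name, "static access key in config file"))
        if "role_arn" in opts:  # assumed-role profiles need a defined source profile
            if opts.get("source_profile") not in profiles:
                findings.append((name, "source_profile missing or undefined"))
    return sorted(findings)


if __name__ == "__main__":
    for profile, finding in audit_profiles(SAMPLE_CONFIG):
        print(f"{profile}: {finding}")
```
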
Given the following command (where YOUR_ACCOUNT_PROFILE_NAME will be any account other than your security account)
aws-vault exec <YOUR_ACCOUNT_PROFILE_NAME> -- aws sts get-caller-identity
you should expect to see the following output: