When you’re working with AWS as a backend engineer — especially with Java and Spring Boot stacks — there will inevitably come a moment when you need to run commands against your AWS resources using the AWS Command Line Interface (CLI) or AWS SDKs.
And that moment comes with a crucial question: “How do I locally authenticate securely?”
In this post, I’ll break down the different ways to authenticate the AWS CLI, with a deep dive into IAM user long-term credentials. I’ll also share practical recommendations on when to use which method, where these fit in your development lifecycle, and how your organization should guide you for production-grade authentication.
👉 This post is primarily about local development and testing. When you’re ready for production or CI/CD pipelines, always defer to your company’s security standards and policies — they exist for good reason!
Why Understanding AWS CLI Authentication Matters
The AWS CLI is a powerful tool that lets you script, manage, and automate AWS resources from your terminal. But with great power comes great responsibility: misconfiguring your authentication can expose sensitive resources or cause costly security breaches.
AWS offers several authentication methods for the CLI, but they’re not all created equal — and they’re not all meant for the same use cases.
AWS SDKs uses the AWS CLI authentication as default to perform actions.
🗂️ The Main Authentication Methods for AWS CLI
AWS divides CLI authentication into four main options (based on the official AWS CLI documentation):
- IAM User Long-Term Credentials
- IAM Assume Roles
- Federated Identity (SSO)
- Instance Metadata
Let’s briefly cover each, then focus on the IAM user option.
1️⃣ IAM User Long-Term Credentials
What it is:
These are the classic Access Key ID and Secret Access Key pairs. You create them for an IAM user, store them locally (e.g., in ~/.aws/credentials), and the CLI uses them to sign requests.
✅ Use Case:
Best suited for local development and testing when you want quick, direct CLI access to your AWS account.
❌ Risks:
These keys never expire by default — so if they’re committed to Git, shared accidentally, or remain on a stolen laptop, they could lead to a security disaster.
💡 Best Practices:
- Rotate your keys regularly.
- Never hardcode them in source files.
- Use
aws configureto store them in your local credentials file. - Limit their permissions strictly via IAM policies.
📌 Example: Configuring IAM User Long-Term Credentials
Here’s a simple step-by-step for local CLI use:
aws configureYou’ll be prompted for:
AWS Access Key ID [None]: YOUR_ACCESS_KEY_ID
AWS Secret Access Key [None]: YOUR_SECRET_ACCESS_KEY
Default region name [None]: us-east-1
Default output format [None]: jsonThis stores your credentials in ~/.aws/credentials and config in ~/.aws/config.
2️⃣ IAM Assume Roles
What it is:
Roles provide temporary credentials that applications or users can assume to get permissions. In practice, you might assume a role via the CLI using sts:AssumeRole.
✅ Use Case:
Perfect for test scripts or apps that need temporary elevated access.
For local testing, you can assume a role like this:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/YourRoleName --role-session-name CLI-SessionThen export the returned temporary credentials to your shell environment:
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...🎯 Why roles are recommended:
Temporary credentials expire automatically. This is much safer than storing long-term keys on your machine indefinitely.
3️⃣ Federated Identities / SSO
What it is:
Large companies often use AWS IAM Identity Center (formerly AWS SSO) or a SAML-based IdP to grant CLI access. You authenticate using your corporate credentials — no long-term keys needed.
✅ Use Case:
Enterprise setups. You log in via aws sso login and get temporary session tokens.
🧠 Note:
If your company offers SSO, use it! It’s the safest and most compliant option for CLI work.
4️⃣ EC2 or ECS Instance Metadata
What it is:
For workloads running inside AWS, such as EC2 instances or ECS tasks, you can attach an IAM role directly. The CLI running on that instance pulls credentials from the instance metadata service.
✅ Use Case:
Production workloads, containerized apps, or automation running inside AWS. Not applicable for local dev.
✅ So, What Should You Use?
- For local development and quick tests, IAM user long-term credentials are fine — as long as you handle them responsibly.
- For automated tests and ephemeral workloads, IAM roles with temporary credentials are much safer.
- For production or company-managed environments, your company should provide the right method, typically via SSO or managed roles.
📢 A Crucial Reminder: Let Your Company Lead
Your employer’s cloud security team should define how you authenticate in production. This blog post focuses on safe local usage for your own testing.
Never roll your own approach for production — always align with your org’s standards, compliance rules, and audit requirements.
🔒 Practical Tips for Working with IAM User Long-Term Credentials
Here are some real-world tips I use when working with IAM keys for local development:
- 🔑 Encrypt your credentials: Use OS-level disk encryption. If your laptop gets stolen, your keys won’t be compromised.
- 📁 Use multiple profiles: Need to switch between accounts? Add profiles to
~/.aws/credentials:
[default]
aws_access_key_id = YOUR_DEFAULT_ACCESS_KEY
aws_secret_access_key = YOUR_DEFAULT_SECRET_KEY
[staging]
aws_access_key_id = YOUR_STAGING_ACCESS_KEY
aws_secret_access_key = YOUR_STAGING_SECRET_KEYThen run:
aws s3 ls --profile staging- 🔄 Rotate keys regularly: Delete old keys and generate new ones periodically.
- ❌ Never commit
.aws/credentialsto Git: Add it to your.gitignoreand educate your team about the risks.
⚡️ Wrapping Up
The AWS CLI is an indispensable tool for backend engineers working with Java and Spring Boot on cloud workloads. But its power depends on secure, thoughtful authentication.
👉 For local testing, IAM user long-term credentials are acceptable — if you follow best practices.
👉 For ephemeral jobs, roles are more secure.
👉 For production, trust your company’s guidelines.
👉 For enterprise, SSO is the gold standard.
Keep your keys tight, your commits clean, and your authentication secure.