AWS Authentication: IAM Identity Center (SSO) - The right way in 2026

Eduar Castaño — Fri, 13 Mar 2026 01:26:44 +0000

The right way to authenticate in AWS in 2026. Goodbye access keys, hello temporary credentials.

The problem with access keys

For years, the "normal" way to use the AWS CLI was:

aws configure
# Access Key: AKIAIOSFODNN7EXAMPLE
# Secret Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCY...

Problems:

Credentials never expire (until you delete them manually)
If you push them to Git by mistake → serious security breach
Each dev has different credentials → hard to manage
When someone leaves the company, you have to delete their keys manually

AWS no longer recommends this method for humans.

The solution: IAM Identity Center (SSO)

Previously called "AWS SSO". It's the recommended method since 2022 and the standard in 2026.

Advantages:

Temporary credentials (expire automatically every 8-12 hours)
Single login for multiple AWS accounts
Integration with identity providers (Google Workspace, Okta, Azure AD)
Built-in MFA
When someone leaves, they lose access automatically

Prerequisites

AWS CLI v2 (v1 doesn't support SSO)
An AWS account with admin permissions (for initial setup)
Browser for login

Setup: Step by step

1. Enable IAM Identity Center

In AWS Console:

Go to: IAM Identity Center
Click "Enable" (it's free, no cost)
Confirm the region (recommended: us-east-1 or your primary region)

AWS will automatically create the necessary infrastructure.

2. Choose identity source

You have 3 options:

Option A: IAM Identity Center directory (for general purposes)

AWS creates its own directory
You manage users directly in AWS

Option B: Active Directory (for companies with on-premise AD)

Connects with an existing AD
Users and groups sync automatically

Option C: External Identity Provider (most common in companies)

Google Workspace, Okta, Azure AD, etc.
True Single Sign-On
Ideal for: teams already using an IdP

For this guide, we'll use Option A (simplest).

3. Create first user

Using IAM Identity Center directory:

IAM Identity Center → Users → Add user
Fill in:

   Username: ed.developer
   Email: ed@example.com
   First name: Ed
   Last name: Dev
   Display name: Ed Developer

Click Add user
An activation link will be sent by email

Activate user:

Open the email
Click the link
Create a password
Set up MFA (recommended: authenticator app like Google Authenticator)

4. Create a group

Best practice: assign permissions to groups, not individual users.

IAM Identity Center → Groups → Create group
Name: Developers
Description: Development team with PowerUser access
Click Create group
Add users to group → select the user → Add users

5. Assign permissions

IAM Identity Center → AWS accounts
Select your AWS account
Click Assign users or groups
Tab Groups → select Developers
Click Next
Permission sets → select PowerUserAccess (allows almost everything except IAM)
- For full admin: AdministratorAccess
- For readonly: ViewOnlyAccess
Click Next → Submit

The process takes 1-2 minutes to apply.

6. Get SSO Start URL

The "SSO Start URL" is the gateway to AWS.

IAM Identity Center → Dashboard
Copy the AWS access portal URL
- It looks like: https://d-9067xxxxxx.awsapps.com/start

Configure AWS CLI with SSO

Install AWS CLI v2

aws cli

Configure SSO profile

aws configure sso

It will ask:

SSO session name (Recommended): my-sso

A name for the session
Example: work, personal, company-name

SSO start URL: https://d-9067xxxxxx.awsapps.com/start

The one generated from the Dashboard

SSO region: us-east-1

The region where IAM Identity Center was enabled

SSO registration scopes: (Enter for default)

Leave the default: sso:account:access

The browser will open → authorize access → available AWS accounts will be shown.

Select:

AWS account: account (12-digit number)
IAM role: PowerUserAccess

Back in the terminal:

CLI default client Region: us-east-1

Region for resources

CLI default output format: json

Options: json, yaml, text, table

CLI profile name: dev

Profile name
Examples: dev, work, personal, default

Done! The profile is configured.

Using SSO day to day

Login

# First time or when credentials expire
aws sso login --profile dev

The browser opens, you log in (with MFA if applicable), and you're done.

Credentials valid for ~8 hours. When they expire, run aws sso login again.

Running commands

Option 1: Specify profile in each command

aws s3 ls --profile dev
aws lambda list-functions --profile dev

Option 2: Set default profile for the session

export AWS_PROFILE=dev
aws s3 ls
aws lambda list-functions

Verify credentials

aws sts get-caller-identity --profile dev

# Output:
# {
#   "UserId": "AROAXXXXX:ed.developer",
#   "Account": "123456789012",
#   "Arn": "arn:aws:sts::123456789012:assumed-role/..."
# }

Logout

aws sso logout --profile dev

Multiple profiles (work + personal)

You can have several profiles configured:

# Configure work profile
aws configure sso
# ... follow wizard, name profile: work

# Configure personal profile
aws configure sso
# ... follow wizard, name profile: personal

# Use each one
aws s3 ls --profile work
aws s3 ls --profile personal

# Or switch between them
export AWS_PROFILE=work
aws s3 ls

export AWS_PROFILE=personal
aws s3 ls

View configuration

Profiles are stored in ~/.aws/config:

cat ~/.aws/config

It looks like this:

[profile dev]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = PowerUserAccess
region = us-east-1
output = json

[sso-session my-sso]
sso_start_url = https://d-9067xxxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

Common troubleshooting

Error: "Token has expired"

# Solution: Login again
aws sso login --profile dev

Error: "No credentials"

# Check that the profile exists
cat ~/.aws/config

# Make sure to specify the profile
aws s3 ls --profile dev

# Or set it as default
export AWS_PROFILE=dev

Browser doesn't open

# Use device code flow (manual)
aws configure sso --use-device-code

It will generate a code to enter manually in the browser.

"Profile not found"

# List profiles
aws configure list-profiles

# Reconfigure the profile
aws configure sso

Credentials expire too fast

This is normal (security). AWS rotates credentials every 8-12 hours.

Tip: Create an alias:

# In .bashrc or .zshrc
alias awsl='aws sso login --profile dev'

# Now just:
awsl

When to use access keys

Only in these cases:

1. CI/CD pipelines

GitHub Actions, GitLab CI, Jenkins, etc.

# GitHub Actions example
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-east-1

2. Serverless applications

Lambdas, ECS containers → use IAM roles, not access keys.

Best Practices

Always use SSO for humans
MFA enabled in IAM Identity Center
Least privilege: assign only the necessary permissions
Groups, not users: permissions at the group level
Audit access: review logs in CloudTrail
Don't share access keys between people
Don't use root account for daily tasks

Quick reference commands

# SSO Login
aws sso login --profile dev

# Verify identity
aws sts get-caller-identity --profile dev

# List profiles
aws configure list-profiles

# View profile configuration
aws configure list --profile dev

# Set default profile for current session
export AWS_PROFILE=dev

# Logout
aws sso logout --profile dev

# Reconfigure profile
aws configure sso

Advanced configuration

Profile with different roles

# In ~/.aws/config

[profile dev]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = PowerUserAccess
region = us-east-1

[profile dev-readonly]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = ViewOnlyAccess
region = us-east-1

[profile prod]
sso_session = my-sso
sso_account_id = 222222222222
sso_role_name = ReadOnlyAccess
region = us-east-1

Resources

TL;DR:

Enable IAM Identity Center
Create user/group
Assign permissions (PowerUserAccess)
aws configure sso
aws sso login --profile dev
Profit

Access keys only for CI/CD. For everything else: SSO.

Forem: Eduar Castaño