Accessing AWS credentials from the console
Tags: aws til cloud
When working on an AWS account it’s sometimes useful to have CLI access to run commands that automate repetitive tasks or to get to pesky resources that don’t show up on the console. If you federate into an AWS account through Identity Center, you could simply get the credentials through the portal when selecting an account. If you get console access through other means, those credentials are not always available.
Now, AWS CloudShell provides an in-browser CLI that makes this process easier, but a terminal in the browser is gross. Fortunately, you can use the same credentials CloudShell uses locally on your own machine. Searching how to do this will bring up many articles. Here’s my way, which uses Python with AWS’ boto3 library and prints the credentials in a way that is easy to copy and paste into your terminal to be used by the AWS CLI tool. This relies on environment variables, and you may want to adjust the syntax to match your platform.
From the AWS Console, open CloudShell and paste the following snippet. This creates a file called creds.py with the Python code.
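cat << 'EOF' > creds.py
import boto3
# Use the credentials CloudShell already has in its environment.
session = boto3.Session()
# Take one consistent snapshot of the key, secret and session token.
creds = session.get_credentials().get_frozen_credentials()
print(f"""export AWS_ACCESS_KEY_ID={creds.access_key}
export AWS_SECRET_ACCESS_KEY={creds.secret_key}
export AWS_SESSION_TOKEN={creds.token}""")
EOF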
Run the file you just created.
python creds.py
This will output the credentials CloudShell is using to access your account, which can now be copied and pasted into your terminal. From there you can run aws sts get-caller-identity to confirm you have access to the right account and you’re good to go.
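If you would rather keep these secrets out of your local shell's environment and history, the export lines can go into a named profile instead. The following is an added example, not part of the original post: it parses the output of creds.py from stdin and writes it to the shared credentials file with owner-only permissions. The profile name cloudshell and the function names are assumptions chosen for illustration.

```python
import configparser
import os
import re
import sys

# Maps the environment variable names printed by creds.py to the key names
# the AWS CLI reads from the shared credentials file.
ENV_TO_KEY = {
    "AWS_ACCESS_KEY_ID": "aws_access_key_id",
    "AWS_SECRET_ACCESS_KEY": "aws_secret_access_key",
    "AWS_SESSION_TOKEN": "aws_session_token",
}
EXPORT_RE = re.compile(r"^\s*export\s+([A-Z_]+)=(\S+)\s*$")


def parse_exports(text):
    """Turn the 'export NAME=value' lines into credentials-file keys."""
    found = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if m and m.group(1) in ENV_TO_KEY:
            found[ENV_TO_KEY[m.group(1)]] = m.group(2)
    missing = sorted(set(ENV_TO_KEY.values()) - set(found))
    if missing:
        # CloudShell credentials are temporary, so all three values are required.
        raise ValueError("missing: " + ", ".join(missing))
    return found


def write_profile(path, profile, creds):
    """Create or replace one profile, keeping the file owner-readable only."""
    config = configparser.RawConfigParser()
    config.read(path)
    config[profile] = creds
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    # Open with mode 0600 so a newly created file is never world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        config.write(handle)
    os.chmod(path, 0o600)  # also tighten a file that already existed


if __name__ == "__main__":
    # Usage: paste the creds.py output on stdin, then press Ctrl-D.
    target = os.path.expanduser("~/.aws/credentials")
    write_profile(target, "cloudshell", parse_exports(sys.stdin.read()))
    print("Wrote profile 'cloudshell' to", target)
```

With the profile written, aws sts get-caller-identity --profile cloudshell performs the same check without exporting anything.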
Slightly related, there’s a great write-up by Aidan Steele on CloudShell’s infrastructure.