Sign In — Get CLI/SDK Credentials
Help developers get AWS credentials for local development using aws login. This provides short-term, auto-rotating credentials that refresh every 15 minutes and remain valid for up to 12 hours.
Important:
- You MUST run and in the user's local shell — NOT via MCP/API tools.
- You MUST ask the user for confirmation before running aws login. Do not tell the user to run the command themselves — ask if YOU should run it (e.g., "Ready for me to run aws login?" or "Shall I proceed with aws login --profile staging?"). Wait for their response before proceeding.
Prerequisites
The aws login command requires AWS CLI version 2.32.0 or later.
Check the installed version:
If the CLI is not installed or is below 2.32.0, inform the user and ask if they'd like to install/update (link them to the AWS CLI installation guide), or if they'd prefer to continue without this skill's guidance. If they choose to continue without upgrading, respond to their original request as you normally would without this skill.
Flow
Lead with the recommendation
In your first response, always tell the user that aws login is the fix — explain that it provides short-term, auto-rotating credentials and that it requires AWS CLI 2.32.0 or later. Do not stop at "let me check your CLI version" — name the remediation up front so the user knows where this is going, then describe the precondition checks you'll run before invoking it.
Precondition checks (run silently before asking confirmation)
Run these via the local shell to inform your plan. Report what you find, but do not gate the recommendation on user-supplied output:
- — confirm the CLI is 2.32.0 or later. If not installed or too old, point the user to the AWS CLI installation guide and stop.
- aws sts get-caller-identity — check current credentials.
  - Succeeds: Show the user their Account and Arn. Ask whether to keep these or set up different credentials. If they want to switch, recommend aws login --profile <name> so the existing default isn't overwritten.
  - Fails (missing or expired): proceed with aws login on the default profile.
- (Only if Step 2 succeeded and the user wants different credentials) — if starts with , explain that long-term access keys are less secure (never expire, persist on disk as secrets, grant indefinite access if leaked) and that provides short-term credentials that auto-rotate every 15 minutes, expire automatically, and require no manual rotation.
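The version gate and credential check above, combined into one decision, as an added example that is not part of the original skill. The function names and the three result labels (upgrade-cli, ask-keep-or-switch, login-default) are hypothetical, and the sample version strings are constructed.

```shell
#!/bin/sh
MIN_VERSION="2.32.0"   # minimum AWS CLI version stated on this page

# Pull "X.Y.Z" out of `aws --version` output; prints nothing if it is absent.
parse_cli_version() {
  printf '%s\n' "$1" |
    sed -n 's|^aws-cli/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# Succeed if version $1 >= version $2. Fields are compared as integers,
# because a string comparison would rank 2.4.0 above 2.32.0.
version_at_least() {
  va_have=$1 va_want=$2
  for va_i in 1 2 3; do
    va_h=${va_have%%.*} va_w=${va_want%%.*}
    if [ "$va_h" -gt "$va_w" ]; then return 0; fi
    if [ "$va_h" -lt "$va_w" ]; then return 1; fi
    case $va_have in *.*) va_have=${va_have#*.} ;; *) va_have=0 ;; esac
    case $va_want in *.*) va_want=${va_want#*.} ;; *) va_want=0 ;; esac
  done
  return 0
}

# $1: output of `aws --version` (empty if the CLI is missing)
# $2: exit status of `aws sts get-caller-identity`
plan_next_step() {
  pn_ver=$(parse_cli_version "$1")
  if [ -z "$pn_ver" ] || ! version_at_least "$pn_ver" "$MIN_VERSION"; then
    echo "upgrade-cli"         # stop and point to the installation guide
  elif [ "$2" -eq 0 ]; then
    echo "ask-keep-or-switch"  # show Account and Arn; switching uses --profile
  else
    echo "login-default"       # missing or expired: default-profile login
  fi
}

# Live variant: gathers both inputs from the local shell.
run_checks() {
  rc_out=$(aws --version 2>/dev/null) || rc_out=""
  rc_status=0
  aws sts get-caller-identity >/dev/null 2>&1 || rc_status=$?
  plan_next_step "$rc_out" "$rc_status"
}

# Demo over constructed `aws --version` outputs, credentials assumed expired.
for sample in "aws-cli/2.4.29 Python/3.8.8 Linux/5.10.0 exe/x86_64" \
              "aws-cli/2.32.0 Python/3.13.7 Darwin/24.6.0 exe/arm64"; do
  printf '%s -> %s\n' "$sample" "$(plan_next_step "$sample" 1)"
done
```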
Confirm and run aws login
Once preconditions are clear, ask the user for confirmation specifically for the aws login invocation — and only there. Do not tell the user to run the command themselves; ask if you should run it (e.g., "Ready for me to run aws login?" or "Shall I proceed with aws login --profile staging?"). Wait for their response, then run aws login (or aws login --profile <name>).
Verify
After aws login completes, run aws sts get-caller-identity
(with
if used) to confirm success. If a named profile was used, remind the user to pass
or set
.
Handling Errors
"command not found" or version too old
The CLI is not installed or below 2.32.0. Direct the user to install or update: AWS CLI installation guide.
Browser doesn't open
Suggest
which provides a URL and code for cross-device authentication (e.g., when using a remote server without a browser).
Permission error after login
The IAM identity needs the SignInLocalDevelopmentAccess managed policy attached (to the user, role, or group). Root users do not need it. Tell the user to ask their administrator to add it, or attach it themselves if they have IAM permissions.
GovCloud or China regions
aws login is not available in AWS GovCloud (US) or AWS China regions. Do not mention this exception proactively; it is only relevant if the user explicitly states they are in one of these partitions.
Users With Existing Workflows
If the user mentions
or has an existing SSO configuration, do NOT redirect them to
. These are different commands for different situations:
- is for users whose organization has configured AWS IAM Identity Center (SSO). They have profiles in pointing at an SSO start URL. Respect their established workflow.
- If their is failing, help troubleshoot within their context: expired SSO session, revoked authorization, cached token issues (), or Identity Center configuration changes.
Fallback to
Do NOT mention
in your initial response or include it as a table row alongside
. Only offer it as an alternative if:
- The user explicitly declines or asks for alternatives
- The user states they are in GovCloud or China regions (where aws login is unavailable)
When offering it, explain that long-term access keys are less secure: they persist on disk as plaintext, never expire automatically, and grant indefinite access if leaked.
When NOT to Use This Skill
- User is setting up CI/CD credentials — they need IAM roles or OIDC federation, not
Key Points
- Do not front-load troubleshooting — keep the initial response simple and address errors only if they occur
- aws login works with root users, IAM users and federation with IAM