signing-in-to-aws
Sign In — Get CLI/SDK Credentials
Help developers get AWS credentials for local development using `aws login`. This provides short-term, auto-rotating credentials that refresh every 15 minutes and remain valid for up to 12 hours.
Important:
- You MUST run `aws login` and `aws --version` in the user's local shell — NOT via MCP/API tools.
- You MUST ask the user for confirmation before running `aws login`. Do not tell the user to run the command themselves — ask if YOU should run it (e.g., "Ready for me to run `aws login`?" or "Shall I proceed with `aws login`?"). Wait for their response before proceeding.
Prerequisites
The `aws login` command requires AWS CLI version 2.32.0 or later.
Check the installed version:
```bash
aws --version
```
If the CLI is not installed or is below 2.32.0, inform the user and ask if they'd like to install/update (link them to the AWS CLI installation guide), or if they'd prefer to continue without this skill's guidance. If they choose to continue without upgrading, respond to their original request as you normally would without this skill.
Flow
Lead with the recommendation
In your first response, always tell the user that `aws login` is the fix — explain that it provides short-term, auto-rotating credentials and that it requires AWS CLI 2.32.0 or later. Do not stop at "let me check your CLI version" — name the remediation up front so the user knows where this is going, then describe the precondition checks you'll run before invoking it.
Precondition checks (run silently before asking confirmation)
Run these via the local shell to inform your plan. Report what you find, but do not gate the recommendation on user-supplied output:
1. `aws --version` — confirm the CLI is 2.32.0 or later. If not installed or too old, point the user to the AWS CLI installation guide and stop.
2. `aws sts get-caller-identity` — check current credentials.
   - Succeeds: Show the user their Account and Arn. Ask whether to keep these or set up different credentials. If they want to switch, recommend `aws login --profile <name>` so the existing default isn't overwritten.
   - Fails (missing or expired): proceed with `aws login` on the default profile.
3. (Only if Step 2 succeeded and the user wants different credentials) `aws configure list` — if `access_key` starts with `AKIA`, explain that long-term access keys are less secure (never expire, persist on disk as secrets, grant indefinite access if leaked) and that `aws login` provides short-term credentials that auto-rotate every 15 minutes, expire automatically, and require no manual rotation.
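
The precondition checks above reduce to a small decision function. The sketch below is an added example, not part of the original skill: the function names and result tokens are hypothetical, and the three inputs (the `aws --version` output, the exit status of `aws sts get-caller-identity`, and the access key ID) are passed in as arguments so the logic runs offline on constructed values.

```bash
#!/bin/sh
# Added example: decision logic for the precondition checks, kept separate
# from the AWS calls so it can run offline. All names here are hypothetical.

MIN_CLI="2.32.0"   # minimum AWS CLI version stated on this page

# Pull "X.Y.Z" out of `aws --version` output, e.g.
# "aws-cli/2.32.0 Python/3.13.7 Linux/6.8.0 exe/x86_64" (constructed sample).
cli_version() {
  printf '%s\n' "$1" |
    sed -n 's#^aws-cli/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*#\1#p'
}

# Succeed when X.Y.Z version $1 >= $2. Fields are compared as numbers:
# a plain string comparison would wrongly rank 2.4.0 above 2.32.0.
version_ge() {
  _ifs=$IFS; IFS=.
  set -- $1 $2          # intentional word splitting on the dots
  IFS=$_ifs
  [ "$#" -eq 6 ] || return 2
  if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
  if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return; fi
  [ "$3" -ge "$6" ]
}

# $1: raw `aws --version` output ("" if the command was not found)
# $2: exit status of `aws sts get-caller-identity`
# $3: access key ID of the active profile ("" if none)
plan_login() {
  ver=$(cli_version "$1")
  if [ -z "$ver" ] || ! version_ge "$ver" "$MIN_CLI"; then
    echo "update-cli"; return 0            # stop: install or update first
  fi
  if [ "$2" -ne 0 ]; then
    echo "login-default"; return 0         # missing or expired credentials
  fi
  case "$3" in
    AKIA*) echo "ask-keep-or-switch:warn-long-term-key" ;;  # long-term IAM key
    *)     echo "ask-keep-or-switch" ;;
  esac
}
```
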
Confirm and run aws login
Once preconditions are clear, ask the user for confirmation specifically for the `aws login` invocation — and only there. Do not tell the user to run the command themselves; ask if you should run it (e.g., "Ready for me to run `aws login`?" or "Shall I proceed with `aws login --profile staging`?"). Wait for their response, then run `aws login` (or `aws login --profile <name>`).
Verify
After `aws login` completes, run `aws sts get-caller-identity` (with `--profile` if used) to confirm success. If a named profile was used, remind the user to pass `--profile` or set `AWS_PROFILE`.
Handling Errors
"command not found" or version too old
The CLI is not installed or below 2.32.0. Direct the user to install or update: AWS CLI installation guide.
Browser doesn't open
Suggest `aws login --remote`, which provides a URL and code for cross-device authentication (e.g., when using a remote server without a browser).
Permission error after login
The IAM identity needs the `SignInLocalDevelopmentAccess` managed policy attached (to the user, role, or group). Root users do not need it. Tell the user to ask their administrator to add it, or attach it themselves if they have IAM permissions.
GovCloud or China regions
Users With Existing aws sso login Workflows
If the user mentions `aws sso login` or has an existing SSO configuration, do NOT redirect them to `aws login`. These are different commands for different situations:
- `aws sso login` is for users whose organization has configured AWS IAM Identity Center (SSO). They have profiles in `~/.aws/config` pointing at an SSO start URL. Respect their established workflow.
- If their `aws sso login` is failing, help troubleshoot within their context: expired SSO session, revoked authorization, cached token issues (`~/.aws/sso/cache/`), or Identity Center configuration changes.
Fallback to aws configure
Do NOT mention `aws configure` in your initial response or include it as a table row alongside `aws login`. Only offer it as an alternative if:
- The user explicitly declines `aws login` or asks for alternatives
- The user states they are in GovCloud or China regions (where `aws login` is unavailable)
When offering it, explain that long-term access keys are less secure: they persist on disk as plaintext, never expire automatically, and grant indefinite access if leaked.
When NOT to Use This Skill
- User is setting up CI/CD credentials — they need IAM roles or OIDC federation, not `aws login`
Key Points
- Do not front-load troubleshooting — keep the initial response simple and address errors only if they occur
- `aws login` works with root users, IAM users and federation with IAM