signing-in-to-aws

Sign In — Get CLI/SDK Credentials

Help developers get AWS credentials for local development using `aws login`. This provides short-term, auto-rotating credentials that refresh every 15 minutes and remain valid for up to 12 hours.

Important:
  • You MUST run `aws login` and `aws --version` in the user's local shell — NOT via MCP/API tools.
  • You MUST ask the user for confirmation before running `aws login`. Do not tell the user to run the command themselves — ask if YOU should run it (e.g., "Ready for me to run `aws login`?" or "Shall I proceed with `aws login`?"). Wait for their response before proceeding.

Prerequisites

The `aws login` command requires AWS CLI version 2.32.0 or later.

Check the installed version:

```bash
aws --version
```

If the CLI is not installed or is below 2.32.0, inform the user and ask if they'd like to install/update (link them to the AWS CLI installation guide), or if they'd prefer to continue without this skill's guidance. If they choose to continue without upgrading, respond to their original request as you normally would without this skill.

Flow

Lead with the recommendation

In your first response, always tell the user that `aws login` is the fix — explain that it provides short-term, auto-rotating credentials and that it requires AWS CLI 2.32.0 or later. Do not stop at "let me check your CLI version" — name the remediation up front so the user knows where this is going, then describe the precondition checks you'll run before invoking it.

Precondition checks (run silently before asking confirmation)

Run these via the local shell to inform your plan. Report what you find, but do not gate the recommendation on user-supplied output:
  1. `aws --version` — confirm the CLI is 2.32.0 or later. If not installed or too old, point the user to the AWS CLI installation guide and stop.
  2. `aws sts get-caller-identity` — check current credentials.
    • Succeeds: Show the user their Account and Arn. Ask whether to keep these or set up different credentials. If they want to switch, recommend `aws login --profile <name>` so the existing default isn't overwritten.
    • Fails (missing or expired): proceed with `aws login` on the default profile.
  3. (Only if Step 2 succeeded and the user wants different credentials) `aws configure list` — if `access_key` starts with `AKIA`, explain that long-term access keys are less secure (never expire, persist on disk as secrets, grant indefinite access if leaked) and that `aws login` provides short-term credentials that auto-rotate every 15 minutes, expire automatically, and require no manual rotation.

Confirm and run aws login

Once preconditions are clear, ask the user for confirmation specifically for the `aws login` invocation — and only there. Do not tell the user to run the command themselves; ask if you should run it (e.g., "Ready for me to run `aws login`?" or "Shall I proceed with `aws login --profile staging`?"). Wait for their response, then run `aws login` (or `aws login --profile <name>`).

Verify

After `aws login` completes, run `aws sts get-caller-identity` (with `--profile` if used) to confirm success. If a named profile was used, remind the user to pass `--profile` or set `AWS_PROFILE`.
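The precondition checks and the verify step above as one POSIX shell script (an added example, not part of the original skill): `cli_version_ok` and `key_kind` are pure helpers that can be exercised on constructed CLI output, while `precheck` and `verify_login` wrap the real aws calls and leave the `aws login` invocation itself to the confirmed step. It reads the key id with `aws configure get aws_access_key_id` rather than `aws configure list`, because `aws configure list` masks all but the last four characters, and it treats the `ASIA` prefix as temporary STS credentials, an AWS convention the page does not mention.

```shell
#!/bin/sh
# Added example (not the skill's own code): steps 1-3 of the flow plus the Verify step.
MIN_VERSION="2.32.0"    # aws login needs AWS CLI 2.32.0 or later

# Print "major minor patch" for a dotted version string (missing parts become 0).
vparts() { printf '%s' "$1" | awk -F. '{ printf "%d %d %d", $1, $2, $3 }'; }

# cli_version_ok "<output of aws --version>": succeeds if the CLI is >= MIN_VERSION.
# Handles v1 ("aws-cli/1.x ...") and v2 output; unparseable input counts as too old.
cli_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's#^aws-cli/\([0-9][0-9.]*\).*#\1#p')
    [ -n "$ver" ] || return 1
    set -- $(vparts "$ver") $(vparts "$MIN_VERSION")   # $1.$2.$3 installed, $4.$5.$6 minimum
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# key_kind "<access key id>": AKIA... is a long-term IAM user key (never expires on its
# own); ASIA... is a temporary STS credential, the kind aws login hands out.
key_kind() {
    case "$1" in
        AKIA*) printf 'long-term' ;;
        ASIA*) printf 'temporary' ;;
        *)     printf 'unknown' ;;
    esac
}

# precheck [profile]: report findings; never run aws login here (that needs confirmation).
# Uses "aws configure get" because "aws configure list" masks the key id.
precheck() {
    prof=${1:+--profile $1}
    command -v aws >/dev/null 2>&1 || { echo "AWS CLI not installed: link the installation guide and stop"; return 1; }
    cli_version_ok "$(aws --version 2>&1)" || { echo "AWS CLI older than $MIN_VERSION: offer install/update and stop"; return 1; }
    if aws sts get-caller-identity $prof --output text >/dev/null 2>&1; then
        echo "Existing credentials work (Account, Arn):"
        aws sts get-caller-identity $prof --query '[Account,Arn]' --output text
        key=$(aws configure get aws_access_key_id $prof 2>/dev/null)
        [ "$(key_kind "$key")" = long-term ] && echo "Long-term AKIA key on disk: suggest aws login --profile <name>"
    else
        echo "No usable credentials: ask before running aws login $prof"
    fi
}

# verify_login [profile]: the Verify step, run only after aws login has completed.
verify_login() { aws sts get-caller-identity ${1:+--profile $1} --query '[Account,Arn]' --output text; }

# Run the checks when invoked directly, e.g.  PRECHECK_RUN=1 sh precheck.sh staging
if [ "${PRECHECK_RUN:-0}" = 1 ]; then precheck "${1:-}"; fi
```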

Handling Errors

"command not found" or version too old

The CLI is not installed or below 2.32.0. Direct the user to install or update: AWS CLI installation guide.

Browser doesn't open

Suggest `aws login --remote`, which provides a URL and code for cross-device authentication (e.g., when using a remote server without a browser).

Permission error after login

The IAM identity needs the `SignInLocalDevelopmentAccess` managed policy attached (to the user, role, or group). Root users do not need it. Tell the user to ask their administrator to add it, or attach it themselves if they have IAM permissions.

GovCloud or China regions

`aws login` is not available in AWS GovCloud (US) or AWS China regions. Do not mention this exception proactively — it is only relevant if the user explicitly states they are in one of these partitions.

Users With Existing `aws sso login` Workflows

If the user mentions `aws sso login` or has an existing SSO configuration, do NOT redirect them to `aws login`. These are different commands for different situations:
  • `aws sso login` is for users whose organization has configured AWS IAM Identity Center (SSO). They have profiles in `~/.aws/config` pointing at an SSO start URL. Respect their established workflow.
  • If their `aws sso login` is failing, help troubleshoot within their context: expired SSO session, revoked authorization, cached token issues (`~/.aws/sso/cache/`), or Identity Center configuration changes.

Fallback to `aws configure`

Do NOT mention `aws configure` in your initial response or include it as a table row alongside `aws login`. Only offer it as an alternative if:
  1. The user explicitly declines `aws login` or asks for alternatives
  2. The user states they are in GovCloud or China regions (where `aws login` is unavailable)

When offering it, explain that long-term access keys are less secure: they persist on disk as plaintext, never expire automatically, and grant indefinite access if leaked.

When NOT to Use This Skill

  • User is setting up CI/CD credentials — they need IAM roles or OIDC federation, not `aws login`

Key Points

  • Do not front-load troubleshooting — keep the initial response simple and address errors only if they occur
  • `aws login` works with root users, IAM users and federation with IAM

Additional Resources
