

# Use 1Password to securely authenticate the AWS CLI

export const name_0 = "AWS"

export const Gethelp = ({command, img, name}) => {
  return <>
      <h3>Inspect your configuration</h3>

      <p>To inspect your current {name} configuration:</p>

      <CodeBlock language="shell" children={`op plugin inspect ${command}`} />

      <p>
        1Password CLI will return a list of the credentials you've configured to use with {name} and their default
        scopes, as well as a list of aliases configured for {name}.
      </p>

      <>
        {img && <div style={{
    textAlign: "center"
  }}>
            <Frame>
              <img src={img} alt="A terminal window showing the results of the command op plugin inspect." width="900" />
            </Frame>
          </div>}
      </>

      <h3>Clear your credentials</h3>

      <p>To reset the credentials used with {name}:</p>

      <CodeBlock language="shell" children={`op plugin clear ${command}`} />

      <p>You can clear one configuration at a time, in this order of precedence:</p>

      <ol>
        <li>Terminal session default</li>
        <li>
          Directory default, from the current directory to <code>$HOME</code>
        </li>
        <li>Global default</li>
      </ol>

      <p>
        For example, if you're in the directory <code>$HOME/projects/awesomeProject</code> and you have a terminal
        session default, directory defaults for <code>$HOME</code> and <code>$HOME/projects/awesomeProject</code>, and a
        global default credential configured, you would need to run <code>op plugin clear {command}</code> four times to
        clear all of your defaults.
      </p>

      <p>
        To clear your global default credentials, terminal session default, and the defaults for your current directory
        at the same time, run <code>op plugin clear {command} --all</code>.
      </p>
    </>;
};

export const Step3 = ({img, name}) => {
  const fixImgSrc = src => {
    if (!src.startsWith("/")) {
      return "/" + src;
    }
    return src;
  };
  return <>
      <p>
        The next time you enter a command with {name}, you'll be prompted to authenticate with biometrics or system
        authentication.
      </p>

      <>
        {img && <div style={{
    textAlign: "center"
  }}>
            <Frame>
              <img src={img} alt="A CLI being authenticated using 1Password CLI biometric unlock." width="900" />
            </Frame>
          </div>}
      </>
    </>;
};

export const Step1 = ({command, img1, img2, img3, img4, name}) => {
  return <>
      <p>To get started with the {name} shell plugin:</p>

      <ol>
        <li>
          Sign in to the 1Password account you want to use with the {name} plugin:{" "}
          <CodeBlock language="shell" children={`op signin`} />
        </li>
        <li>If you only want to configure the plugin in a specific directory, change to that directory.</li>
        <li>
          Run the command to set up the plugin:
          <CodeBlock language="shell" children={`op plugin init ${command}`} />
        </li>
      </ol>

      <p>
        You'll be prompted to import your {name} credentials into 1Password or select an existing 1Password item where
        your credentials are saved, then configure when the credentials should be used.
      </p>

      <>
        {img1 && <div style={{
    textAlign: "center"
  }}>
            <Frame>
              <img src={img1} alt="A terminal window displaying the op plugin init command and options to import or select an item." width="900" />
            </Frame>
          </div>}
      </>

      <h3>Step 1.1: Import or select an item</h3>

      <h4>Import a new item</h4>

      <p>
        If you haven't saved your {name} credentials in 1Password yet, select <strong>Import into 1Password</strong>.
        Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save
        it.
      </p>

      <p>
        If 1Password detects your credentials in your local development environment, you'll be prompted to import them
        automatically.
      </p>

      <>
        {img2 && <div style={{
    textAlign: "center"
  }}>
            <Frame>
              <img src={img2} alt="A terminal window showing the fields available to import an item, including the token, item name, and vault." width="900" />
            </Frame>
          </div>}
      </>

      <h4>Select an existing item</h4>

      <p>
        If you've already saved your {name} credentials in 1Password, select <strong>Search in 1Password</strong>.
      </p>

      <p>
        You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select{" "}
        <strong>Expand search</strong> to browse all items in your account.
      </p>

      <>
        {img3 && <div style={{
    textAlign: "center"
  }}>
            <Frame>
              <img src={img3} alt="A terminal window showing the option to search for an existing item in your 1Password account." width="900" />
            </Frame>
          </div>}
      </>

      <h3>Step 1.2: Set default credential scope</h3>

      <p>
        After you select or import your credentials, you'll be prompted to configure when to use the item to
        authenticate {name}.
      </p>

      <>
        {img4 && <div style={{
    textAlign: "center"
  }}>
            <Frame>
              <img src={img4} alt="A terminal window showing the options for configuring when the credentials should be used." width="900" />
            </Frame>
          </div>}
      </>

      <ul>
        <li>
          <strong>"Prompt me for each new terminal session"</strong> will only configure the credentials for the
          duration of the current terminal session. Once you exit the terminal, the default will be removed.
        </li>
        <li>
          <strong>"Use automatically when in this directory or subdirectories"</strong> will make the credentials the
          default in the current directory and all of its subdirectories, as long as no other directory-specific
          defaults are set in them. A terminal-session default takes precedence over a directory-specific one.
        </li>
        <li>
          <strong>"Use as global default on my system"</strong> will set the credentials as the default in all terminal
          sessions and directories. A directory-specific default takes precedence over a global one.
        </li>
      </ul>
    </>;
};

export const Small = ({children}) => {
  return <small>{children}</small>;
};

The AWS shell plugin allows you to use 1Password to securely authenticate [the AWS CLI <Icon icon="arrow-up-right-from-square" />](https://aws.amazon.com/cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.

Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the AWS CLI with biometrics.

If you use `cdk`, you can also set up the [AWS CDK Toolkit shell plugin](/cli/shell-plugins/aws-cdk-toolkit/). If you use `eksctl`, you can set up the [eksctl shell plugin](/cli/shell-plugins/eksctl/).

<Frame>
  <video loop autoPlay muted playsInline>
    <source type="video/mp4" src="https://mintcdn.com/ab-634991b8/yUoYYIzgPdDyhkO0/static/videos/aws.mp4?fit=max&auto=format&n=yUoYYIzgPdDyhkO0&q=85&s=fbe7aa46d03ac09b169f0fa707fde0c3" data-path="static/videos/aws.mp4" />

    <source type="video/webm" src="https://mintcdn.com/ab-634991b8/yUoYYIzgPdDyhkO0/static/videos/aws.webm?fit=max&auto=format&n=yUoYYIzgPdDyhkO0&q=85&s=0e269a9c4f7a1db1209e33e903f25a31" data-path="static/videos/aws.webm" />
  </video>
</Frame>

## Requirements

1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.<br />
   <Small>If you've already installed 1Password CLI, learn how to <a href="/cli/reference/update/">update your installation</a>.</Small>
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the AWS CLI. <Icon icon="arrow-up-right-from-square" />](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)

After you install the AWS CLI, make sure you have an AWS config file at `~/.aws/config` on Mac or Linux, or `C:\Users\USERNAME\.aws\config` on Windows. If you don't have a config file:

1. Use [`aws configure` <Icon icon="arrow-up-right-from-square" />](https://docs.aws.amazon.com/cli/latest/reference/configure/) to create one.
2. When prompted, skip entering your AWS access key pair to avoid writing your credentials on disk in the `.aws/credentials` file.

The following shells are supported:

* Bash
* Zsh
* fish

## Before you begin: Create and save an AWS access key

If you've already created an AWS access key, [skip to Step 1](#step-1-configure-your-default-credentials).

If you haven't created an access key yet, you can create one and use the [1Password browser extension](https://support.1password.com/getting-started-browser/) to quickly save it in 1Password:

<CardGroup cols={2}>
  <div>
    1. Open and unlock [1Password in your browser](https://support.1password.com/getting-started-browser/).
    2. [Follow the steps](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html?icmpid=docs_iam_console#Using_CreateAccessKey) to create an access key for the AWS CLI.
    3. On the "Retrieve access keys" page, select **Show** to reveal the secret access key.
    4. Select **Save item** when 1Password asks if you want to save an item for the AWS access key.
    5. Choose the vault where you want to save the item, edit the item's name and details, then select **Save item**.
  </div>

  <div>
    <Frame>
      <img alt="The pop-up screen to save your AWS access key in 1Password." src="https://mintcdn.com/ab-634991b8/Ul-COtb5ywadNlrP/static/img/shell-plugins/aws-save.png?fit=max&auto=format&n=Ul-COtb5ywadNlrP&q=85&s=1dbff1f579b57b088ad124ff7355a53c" width="350" data-path="static/img/shell-plugins/aws-save.png" />
    </Frame>
  </div>
</CardGroup>

## Step 1: Configure your default credentials

<Tip>
  **If you use AWS in multiple environments**

  If you want to use the AWS shell plugin in multiple environments, like production and development, [learn how to set up your plugin for seamless context switching](/cli/shell-plugins/environments/).
</Tip>

<Step1 name="AWS" command="aws" img1="/static/img/shell-plugins/aws-1.png" img2="/static/img/shell-plugins/aws-2.png" img3="/static/img/shell-plugins/aws-3.png" img4="/static/img/shell-plugins/aws-4.png" />

## Step 2: Source the plugins.sh file

<p>To make the plugin available, source your <code>plugins.sh</code> file. For example:</p>

```sh theme={null}
source ~/.config/op/plugins.sh
```

<p>The file path for your <code>op</code> folder may vary depending on your <a href="/cli/config-directories/">configuration directory</a>. <code>op plugin init</code> will output a source command with the correct file path.</p>

<p>If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:</p>

<CodeGroup>
  <CodeBlock filename="Bash" language="shell" children={`echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc`} />

  <CodeBlock filename="Zsh" language="shell" children={`echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc`} />

  <CodeBlock filename="fish" language="shell" children={`echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish`} />
</CodeGroup>

## Step 3: Use the CLI

<Step3 name="AWS" command="aws" img="https://mintcdn.com/ab-634991b8/Ul-COtb5ywadNlrP/static/img/shell-plugins/aws-5.png?fit=max&auto=format&n=Ul-COtb5ywadNlrP&q=85&s=29e1785425ad21c02080c96aaad2ee55" width="2032" height="900" data-path="static/img/shell-plugins/aws-5.png" />

## Step 4: Remove imported credentials from disk

After you save your AWS credentials in 1Password, you can remove all local copies you currently have stored on disk.

Plaintext access keys are commonly stored in your AWS [shared credentials file <Icon icon="arrow-up-right-from-square" />](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-file.html) (default location: `~/.aws/credentials`). If you remove your credentials from this file, make sure to configure shell plugins for any other tools that use the file to authenticate to AWS, like [Terraform](/cli/shell-plugins/terraform/).
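
The check below is an added example, not part of 1Password's documentation or tooling. It lists any static AWS key settings still present in the shared credentials file, the AWS config file, and the Bash and Zsh RC files, without printing the values. The function names and the sample file are constructed for illustration; `AWS_SHARED_CREDENTIALS_FILE` and `AWS_CONFIG_FILE` are the AWS CLI's own overrides for the file locations.

```shell
#!/usr/bin/env bash
# Added example (not 1Password's code): find static AWS key settings left on disk.

# Matches INI-style "aws_secret_access_key = ..." and shell-style
# "export AWS_SECRET_ACCESS_KEY=..." lines that carry a non-empty value.
KEY_RE='^[[:space:]]*(export[[:space:]]+)?(aws_access_key_id|aws_secret_access_key|aws_session_token)[[:space:]]*=[[:space:]]*[^[:space:]]'

# Print "file:line:setting" for each match in the given files.
# Values are stripped so the report never contains a secret.
find_plaintext_aws_keys() {
  local f hit
  for f in "$@"; do
    [ -f "$f" ] || continue   # a missing file has nothing to report
    grep -n -i -E "$KEY_RE" "$f" |
      sed -E 's/^([0-9]+):[[:space:]]*(export[[:space:]]+)?([A-Za-z_]+).*/\1:\3/' |
      while IFS= read -r hit; do printf '%s:%s\n' "$f" "$hit"; done
  done
  return 0
}

# Number of findings across the given files (0 means clean).
count_plaintext_aws_keys() {
  find_plaintext_aws_keys "$@" | wc -l | tr -d ' '
}

# Scan the default locations: the shared credentials and config files
# (honouring the AWS CLI's location overrides) and the Bash/Zsh RC files.
audit_default_aws_files() {
  find_plaintext_aws_keys \
    "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" \
    "${AWS_CONFIG_FILE:-$HOME/.aws/config}" \
    "$HOME/.bashrc" "$HOME/.zshrc"
}

# Demo on a constructed sample file (placeholder values, not real keys).
demo_dir=$(mktemp -d)
cat > "$demo_dir/credentials" <<'EOF'
[default]
aws_access_key_id = AKIACONSTRUCTEDSAMPLE
aws_secret_access_key = constructed-placeholder-secret
# aws_session_token = commented-out settings are ignored
region = us-east-1
EOF
find_plaintext_aws_keys "$demo_dir/credentials"
rm -rf "$demo_dir"
```

Call `audit_default_aws_files` after you finish this step; no output means none of those files still holds a static key. The pattern does not cover fish's `set -x` syntax, so check `~/.config/fish/config.fish` separately if you use fish.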

## Optional: Assume multiple roles

You can use the AWS shell plugin to assume multiple roles in the same way you'd assume roles with the AWS CLI, by defining role profiles [in your AWS config file. <Icon icon="arrow-up-right-from-square" />](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-role-prepare) For example:

```ini ~/.aws/config theme={null}
[profile prod]
role_arn = arn:aws:iam::123456789012:role/prod
source_profile = wendyappleseed
```

Then include the `--profile` flag to call an AWS command using a role. For example:

```shell theme={null}
aws sts get-caller-identity --profile prod
```

If you want to always use the same profile, you can set the `AWS_PROFILE` environment variable. In that case, the `--profile` flag would only be needed to override the default set in the environment. For example:

```shell theme={null}
export AWS_PROFILE=prod
```

## Optional: Set up multi-factor authentication

If you use [multi-factor authentication <Icon icon="arrow-up-right-from-square" />](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) with AWS, you can configure the AWS shell plugin to provide your one-time password.

You can do this in two ways:

* [Add the ARN for your multi-factor authentication device to a profile in your AWS config file. <Icon icon="arrow-up-right-from-square" />](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-mfa)
* Add the one-time password code and ARN to the item in 1Password where your AWS credentials are stored. If you choose this option, your multi-factor authentication information will be treated as your `default` profile and used globally with every other profile.

<h3>Save your one-time password and ARN in 1Password</h3>

<CardGroup cols={2}>
  <div>
    <h4>Step 1: Save your QR code</h4>

    1. Open and unlock the 1Password app.
    2. Select the item where your AWS credentials are saved, then select **Edit**.
    3. Select **Add More** > **One-Time Password**.
    4. [Follow the steps to enable a virtual multi-factor authentication device](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html) for your AWS account.
    5. Select **Show secret key** in the AWS wizard, then copy the string of characters into the One-Time Password field on your item.
    6. Select **Save**.

    Your item will now show a one-time password that you can use to finish the AWS multi-factor authentication device set-up flow.
  </div>

  <div>
    Your edited item must include the `one-time password` and `mfa serial` fields:

    <Frame>
      <img alt="The AWS item in 1Password with MFA credentials added." src="https://mintcdn.com/ab-634991b8/Ul-COtb5ywadNlrP/static/img/shell-plugins/aws-mfa.png?fit=max&auto=format&n=Ul-COtb5ywadNlrP&q=85&s=bd93eb598d2546197eb749c500776ac2" width="350" data-path="static/img/shell-plugins/aws-mfa.png" />
    </Frame>
  </div>
</CardGroup>

<h4>Step 2: Save the ARN for your multi-factor authentication device</h4>

1. Find the [ARN for your multi-factor authentication device](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_checking-status.html) and copy it.
2. Open and unlock the 1Password app.
3. Select the item where you saved your AWS credentials, then select **Edit**.
4. Select **Add More** > **Text**.
5. Paste the ARN as the value of the field.
6. Title the field `mfa serial`.
7. Select **Save**.

1Password CLI will detect your multi-factor authentication credentials if they're saved in fields titled `one-time password` and `mfa serial`. If your one-time password isn't detected, make sure your fields are titled correctly.

1Password CLI will then set the `AWS_SECRET_ACCESS_KEY`, `AWS_ACCESS_KEY_ID` and `AWS_SESSION_TOKEN` provisional environment variables to specify the temporary multi-factor authentication session values.

## Next steps

<p>1Password Shell Plugins support <a href="/cli/shell-plugins/#get-started">more than 60 third-party CLIs</a>. To see a list of supported CLIs:</p>

<CodeBlock language="shell" children={`op plugin list`} />

<p>To choose another plugin to get started with:</p>

<CodeBlock language="shell" children={`op plugin init`} />

<p>To use shell plugins for seamless context switching, learn how to configure a plugin in <a href="/cli/shell-plugins/environments/">multiple environments</a> or with <a href="/cli/shell-plugins/multiple-accounts/">multiple accounts.</a></p>

## Get help

<Gethelp name="AWS" command="aws" img="https://mintcdn.com/ab-634991b8/Ul-COtb5ywadNlrP/static/img/shell-plugins/aws-6.png?fit=max&auto=format&n=Ul-COtb5ywadNlrP&q=85&s=17ae1e62d7c9c38ceefa454b549dda7d" width="2064" height="1040" data-path="static/img/shell-plugins/aws-6.png" />

## Reference

<p>1Password authenticates with {name_0} by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.</p>

<p>If you saved your {name_0} credentials in 1Password manually rather than using <code>op plugin</code> to import a new item, make sure that your field names match the table below.</p>

<p>If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.</p>

| 1Password field names     | Environment variables   |
| ------------------------- | ----------------------- |
| Access Key ID             | `AWS_ACCESS_KEY_ID`     |
| Secret Access Key         | `AWS_SECRET_ACCESS_KEY` |
| Default region (optional) | `AWS_DEFAULT_REGION`    |

<h2>Learn more</h2>

<ul>
  <li><a href="/cli/shell-plugins/environments/">Use shell plugins to switch between multiple environments</a></li>
  <li><a href="/cli/shell-plugins/multiple-accounts/">Use shell plugins with multiple accounts</a></li>
  <li><a href="/cli/shell-plugins/contribute/">Build your own shell plugins</a></li>
  <li><a href="/get-started/secure-ai-access">Workflow: Secure AI access</a></li>
</ul>
