
AWS CLI Identity Federation: Secure, Zero-Key Access


AWS CLI identity federation replaces static credentials with temporary, scoped access tied to a trusted identity provider. Instead of creating IAM users and juggling access keys, you sign in through your SSO or enterprise IdP, such as Okta, Azure AD, Google Workspace, or any OIDC/SAML provider. The AWS CLI then obtains a session from the Security Token Service (STS), giving you time-limited credentials that become useless once they expire.

This changes how teams work. Developers no longer store secrets. Engineers no longer rotate keys. Access is verified in real time against the identity provider, enforcing your org’s policies automatically. Audit logs show who connected, from where, and for how long.

The setup flow is simple but powerful. Configure your AWS IAM Identity Center or federation roles. Map those roles to groups in your IdP. Enable AWS CLI SSO profiles or OIDC-based federation. Test it. No manual credentials. No forgotten key files. From that point forward, running aws s3 ls or aws ec2 describe-instances starts a secure, federated session behind the scenes.


Identity federation for the AWS CLI eliminates one of the biggest security liabilities in cloud operations: long-lived IAM keys. Attack surface shrinks. Compliance becomes easier. Onboarding a new engineer is as fast as adding them to an IdP group.

You can verify federation with aws sts get-caller-identity to confirm which account and role the active session resolves to. You can chain it with role assumptions for cross-account work without touching sensitive keys. You can make it just-in-time, so nobody holds permanent privileges.
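As an added example (not from the original post or from hoop.dev), the setup flow above and the verification step can be expressed as an AWS CLI v2 config that binds a profile to an IAM Identity Center session, chains a cross-account role on top of it, and a small audit that reports how each profile authenticates so a static key cannot slip back in. The start URL, account ids and role names are placeholders.

```shell
#!/bin/sh
# Constructed AWS CLI config: one SSO session, a federated profile bound to
# it, and a cross-account profile that assumes a role using that session as
# its source. All ids and URLs below are placeholders.
CFG="${TMPDIR:-/tmp}/aws-config-example.$$"
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile dev]
sso_session = corp
sso_account_id = 111111111111
sso_role_name = DeveloperAccess
region = us-east-1

[profile prod-readonly]
role_arn = arn:aws:iam::222222222222:role/ReadOnly
source_profile = dev
region = us-east-1

[profile legacy]
aws_access_key_id = EXAMPLEKEYIDPLACEHOLDER
aws_secret_access_key = EXAMPLESECRETPLACEHOLDER
EOF

# Print how a profile authenticates: "static" (long-lived key present),
# "sso" (bound to an Identity Center session), "role-chain" (assumes a role
# via source_profile) or "none". Static keys win so they are never hidden.
profile_auth_source() {
    awk -v want="[profile $2]" '
        $0 == want { in_sec = 1; next }
        /^\[/      { in_sec = 0 }
        !in_sec    { next }
        /^[[:space:]]*aws_access_key_id[[:space:]]*=/ { is_static = 1 }
        /^[[:space:]]*sso_session[[:space:]]*=/       { is_sso = 1 }
        /^[[:space:]]*role_arn[[:space:]]*=/          { is_chain = 1 }
        END {
            if (is_static) print "static"
            else if (is_sso) print "sso"
            else if (is_chain) print "role-chain"
            else print "none"
        }' "$1"
}

# Succeed only when the config carries no static access keys at all.
config_has_no_static_keys() {
    ! grep -qiE '^[[:space:]]*aws_(access_key_id|secret_access_key)' "$1"
}

# With the legacy profile deleted, the session check the post describes is:
#   AWS_CONFIG_FILE="$CFG" aws sso login --profile dev
#   AWS_CONFIG_FILE="$CFG" aws sts get-caller-identity --profile prod-readonly
```

The get-caller-identity output should name account 222222222222 and the ReadOnly role, proving the chained session rather than any local key is in use.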

This isn't theory. It's production-ready, and it works for global teams across regions and accounts without breaking workflows. The trust boundary moves from local machines to your identity layer, where it belongs.

If you want to see AWS CLI identity federation live, ready in minutes, check out hoop.dev. Walk in with your IdP credentials, run commands, and watch secure, zero-key access happen in real time. Your CLI will never be the same.
