AWS CLI-Style Profiles for JWT-Based Authentication
The first time I typed aws s3 ls and got an instant, signed, scoped response, I realized something: configuration mattered as much as code. Profiles made AWS CLI feel effortless. But what if you need that same CLI-style profile power in a world moving fast toward JWT-based authentication?
JWTs are everywhere now. They’re short-lived, portable, and don’t need server-side session storage. But they’re also inconvenient to manage securely if you’re used to the permanence and simplicity of your ~/.aws/credentials file. Without a system, you end up pasting tokens into environment variables and hoping they don’t expire mid-task.
AWS CLI-style profiles solve the chaos for APIs beyond AWS. They give names to identities. They enable fast switching between roles, environments, and permission sets. Pair this with JWT-based auth and you get a clean, repeatable workflow: persistent profile entries that dynamically fetch fresh tokens when needed, without storing secrets at rest.
The pattern is simple:
- Define a named profile in a config file.
- Link it to a command that knows how to get and refresh a JWT.
- Run CLI tools or SDKs that automatically read and use that profile.
Done right, you get a frictionless local developer experience, no matter how many services, tenants, or accounts you touch. You sidestep the security debt of static keys. You stop embedding tokens in code or terminals. You gain auditable, traceable authentication without slowing execution.
This method works for REST APIs, GraphQL, gRPC—anything that takes a Bearer token. It also plays well with CI/CD pipelines, letting automation use the same named profiles developers use locally. Short-lived JWTs and CLI profiles are not just compatible—they make each other stronger.
The magic is in the handoff: profiles abstract the complexity of identity retrieval, while JWTs enforce modern security best practices. Under the hood, a profile’s command might call an OAuth 2.0 endpoint, exchange a refresh token, and write a temporary access token to an in-memory store. To the CLI user, it still looks like a single, stable identity name.
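The handoff described above, as an added example (not code from the original post or from any tool it mentions): a resolver that reads a named profile, runs its token command without a shell, and keeps the JWT in process memory until shortly before its exp claim. The "profile <name>" section layout, the token_command key, and the inline helper that prints an unsigned sample JWT are assumptions constructed for the demo.

```python
import base64, configparser, json, shlex, subprocess, sys, time

# Constructed stand-in for a real token helper: prints an unsigned sample JWT
# valid for 300 s. A real helper would call your identity provider instead.
MINT = ('import base64,json,os,time;'
        'e=lambda d:base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode();'
        'print(e({"alg":"none"})+"."+e({"sub":"dev","jti":os.urandom(4).hex(),'
        '"exp":int(time.time())+300})+".sig")')

# Constructed profile file. The "profile <name>" sections and the
# "token_command" key are assumptions of this example.
SAMPLE_CONFIG = ("[profile staging]\n"
                 f"token_command = {shlex.join([sys.executable, '-c', MINT])}\n")

_cache = {}  # profile -> (token, exp); process memory only, nothing on disk

def jwt_exp(token):
    """Read exp without verifying the signature: used only to schedule refresh."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def get_token(config_text, profile, skew=30, now=time.time):
    """Return a cached token, re-running the profile's command near expiry."""
    token, exp = _cache.get(profile, (None, 0))
    if token and exp - skew > now():
        return token
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    # argv list, no shell: metacharacters in the config are not interpreted
    argv = shlex.split(cfg[f"profile {profile}"]["token_command"])
    out = subprocess.run(argv, capture_output=True, text=True, check=True, timeout=30)
    token = out.stdout.strip()
    _cache[profile] = (token, jwt_exp(token))
    return token

def auth_header(config_text, profile):
    """Build the Bearer header a REST, GraphQL or gRPC client would send."""
    return {"Authorization": f"Bearer {get_token(config_text, profile)}"}

if __name__ == "__main__":
    # Print the header name only, so the token never lands in terminal history.
    print(sorted(auth_header(SAMPLE_CONFIG, "staging")))
```

Because the profile file names a command that gets executed, it deserves the same write protection as a script: anyone who can edit it can run code as the user.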
With the right tooling, you can set up AWS CLI-style profiles backed by JWTs in minutes. You can see this running live without building your own token retrieval scripts, hook it into your dev tools, and unify authentication across your stack.
Try it now at hoop.dev and experience JWT-based CLI profiles without friction.