---
title: Configure access
url: /docs/iac/get-started/aws/configure/
---
## Configure access to AWS

Pulumi's CLI needs access to your AWS account to manage cloud resources.

If you've already [installed](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) and [configured](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) the AWS CLI, Pulumi will respect and use your configuration settings.

You must use an IAM user account that has [programmatic access](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds-programmatic-access.html) with rights to deploy and manage S3 buckets.

### Testing access

To test that your AWS access is configured properly, run:

<!-- chooser: os -->
<!-- option: linux -->

```bash
$ aws sts get-caller-identity
```

<!-- /option -->

<!-- option: windows -->

```powershell
> aws sts get-caller-identity
```

<!-- /option -->
<!-- /chooser -->

If your AWS user ID, account, and ARN are printed, your configuration is correct. If not, read on:

```
{
    "UserId": "BXO3165...ZP36NYY5FOU:my-session",
    "Account": "9263...9123",
    "Arn": "arn:aws:sts::9263...9123:assumed-role/.../my-session"
}
```

### Alternative approaches

If you don't have the AWS CLI installed, or you plan on using Pulumi in a CI/CD pipeline, [retrieve your access key ID and secret access key](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) and then set the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables on your workstation:

<!-- chooser: os -->
<!-- option: linux -->

```bash
$ export AWS_ACCESS_KEY_ID="<YOUR_ACCESS_KEY_ID>"
$ export AWS_SECRET_ACCESS_KEY="<YOUR_SECRET_ACCESS_KEY>"
```

<!-- /option -->

<!-- option: windows -->

```powershell
> $env:AWS_ACCESS_KEY_ID = "<YOUR_ACCESS_KEY_ID>"
> $env:AWS_SECRET_ACCESS_KEY = "<YOUR_SECRET_ACCESS_KEY>"
```

<!-- /option -->
<!-- /chooser -->

> **Note:** Consider using [Pulumi ESC's AWS login support](/docs/esc/integrations/dynamic-login-credentials/aws-login) for dynamic,
short-lived AWS credentials via OpenID Connect (OIDC) instead of long-lived static credentials. This is a security best practice.

You may optionally use AWS profiles if your configuration requires them:

<!-- chooser: os -->
<!-- option: linux -->

```bash
$ export AWS_PROFILE="<YOUR_PROFILE_NAME>"
```

<!-- /option -->

<!-- option: windows -->

```powershell
> $env:AWS_PROFILE = "<YOUR_PROFILE_NAME>"
```

<!-- /option -->
<!-- /chooser -->

For detailed information on Pulumi's use of AWS credentials, see [AWS Setup](/registry/packages/aws/installation-configuration/).

---
[← Previous step](/docs/iac/get-started/aws/begin/)
[Next: Create project →](/docs/iac/get-started/aws/create-project/)