aws-federated-auth is a tool developed at UPenn by Wharton Computing and ISC to provide an easy-to-use CLI-based method to authenticate into an Amazon Web Services (AWS) session. It is written in Python and hosted in GitHub here, but on most Research-IT systems, you will find it pre-packaged and available via CLI.


General Usage

aws-federated-auth allows you to temporarily assume an identity (IAM role) in AWS using your PennKey credentials. This allows you to access authorized resources in various Research-IT and Wharton-supported AWS accounts without needing additional credentials or extra mechanisms. Successful authentication will populate an AWS credentials file in your system user profile with one or more role(s) associated with your PennKey credentials. That file is located at:

  • Linux: ~/.aws/credentials
  • Windows: %USERPROFILE%\.aws\credentials

Please note the . in the .aws directory in both file paths.

Using aws-federated-auth on Research-IT systems (including HPC3 and Windows systems)

Usage on HPC3, Windows, and most Linux systems is nearly identical. In Windows, aws-federated-auth is available in both PowerShell and Command Prompt sessions. On HPC3, it is available from any node in the cluster via bash.

From your preferred shell run:


Enter your PennKey username and password and complete the multifactor authentication (MFA) process, if applicable. Once this is done, press “Return” on the prompt. You will see a response with one or more lines like:

windows-research-contosorole 43200 935200023773 contosorole

You are now authenticated into an AWS session. The session duration (listed in the response as “MAX DURATION”) is generally 12 hours. You will need to re-authenticate using aws-federated-auth after that 12-hour window has expired.