Support AWS CLI v2.32.0+ 'aws login' credentials (console credentials for local development)

[ajd-uk]

Description

AWS recently released a new authentication method called aws login (AWS CLI v2.32.0+) that allows developers to use their AWS Management Console credentials for programmatic access. This eliminates the need for long-term access keys.

Announcement: https://aws.amazon.com/about-aws/whats-new/2025/11/console-credentials-aws-cli-sdk-authentication/
Blog: https://aws.amazon.com/blogs/security/simplified-developer-access-to-aws-with-aws-login/
Documentation: https://docs.aws.amazon.com/signin/latest/userguide/command-line-sign-in.html

Affected Resource(s)

• AWS Provider authentication

Expected Behavior

The Terraform AWS Provider should natively recognize and use credentials generated by aws login, similar to how it currently supports AWS SSO credentials after #10851 was resolved.

Current Behavior

The provider does not recognize the new login credential type. Credentials are stored in ~/.aws/login/cache/ but Terraform cannot use them directly.

Workaround

Currently, users must configure credential_process as a bridge:

[profile my-login]
login_session = arn:aws:iam::123456789012:user/username
region = us-east-1

[profile terraform-process]
credential_process = aws configure export-credentials --profile my-login --format process
region = us-east-1

Affected Resource(s) or Data Source(s)

No response

Potential Terraform Configuration

Would you like to implement the enhancement?

No

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.

[ewbankkit]

@ajd-uk Have you tried with a Terraform AWS Provider version >= 6.23.0?
Using aws login seems to work fine for me with the latest code.
I have no AWS_ environment variables set and my provider configuration is

provider "aws" {
  region = "us-west-2"
}

% terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_vpc.test will be created
  + resource "aws_vpc" "test" {
      + arn                                  = (known after apply)
      + cidr_block                           = "10.1.0.0/16"
      + default_network_acl_id               = (known after apply)
      + default_route_table_id               = (known after apply)
      + default_security_group_id            = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = (known after apply)
      + enable_dns_support                   = true
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = (known after apply)
      + instance_tenancy                     = "default"
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + ipv6_cidr_block_network_border_group = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + region                               = "us-west-2"
      + tags_all                             = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply"
now.

[ajd-uk]

The issue actually seems more related to the S3 backend @ewbankkit

I can apply a basic VPC but as soon as I add an S3 backend for the state file I get the error, actually I had two different errors on two separate init:

aws_vpc.main: Creating...
aws_vpc.main: Creation complete after 1s [id=vpc-0ad7363077fadcf47]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
% terraform init   
Initializing the backend...
╷
│ Error: No valid credential sources found
│ 
│ Please see https://developer.hashicorp.com/terraform/language/backend/s3
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata,
│ request canceled, context deadline exceeded
│ 

╷
│ Error: No valid credential sources found
│ 
│ Please see https://developer.hashicorp.com/terraform/language/backend/s3
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata,
│ exceeded maximum number of attempts, 3, request send failed, Get
│ "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: host
│ is down
│ 
╵

[G-Tarik]

Exactly the same problem here. With local state works just fine. With S3 backend not (error as above).

$ terraform init
Initializing the backend...
Initializing modules...
╷
│ Error: No valid credential sources found
│ 
│ Please see https://developer.hashicorp.com/terraform/language/backend/s3
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded
│ 

Versions:

• terraform: v1.14.1
• aws provider: 6.25.0

Side note: with SSO (aws sso login) S3 backend worked.

[ewbankkit]

This will require an update to the S3 Backend which is compiled into the terraform binary.
I have opened hashicorp/terraform#37976 to track this.
Please use that issue for additional comments.