# AWS credentials To do anything with Takomo, you need to have valid AWS credentials configured. Under the hood, Takomo uses AWS JavaScript SDK to acquire the credentials. Take a look at [the SDK's documentation](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html) to learn the ways you can configure credentials. ## Using profile The easiest way to provide credentials when running Takomo on your local computer is to configure a profile in the **\~/.aws/credentials** file and then either export the profile name in `AWS_PROFILE` environment variable or pass it on with the `--profile` command-line option. #### Example Configure a profile in the **\~/.aws/credentials** file: {% code title="\~/.aws/credentials" %} ```yaml [my-profile] aws_access_key_id= aws_secret_access_key= ``` {% endcode %} You can then provide the profile in an environment variable: ```bash AWS_PROFILE=my-profile tkm stacks deploy ``` Or, you can use the `--profile` command line option: ```bash tkm stacks deploy --profile my-profile ``` ## Assuming roles If you have an IAM user in one account that you use to assume roles from the same or other accounts, you can configure the access keys for the user in the credentials file and then create separate profiles for each of the roles. #### Example Configure a profile and roles in the credentials file. {% code title="\~/.aws/credentials" %} ```yaml [manager] aws_access_key_id= aws_secret_access_key= [account-a-admin] role_arn=arn:aws:iam::123456789012:role/admin source_profile=manager [account-b-readonly] role_arn=arn:aws:iam::210987654321:role/readonly source_profile=manager ``` {% endcode %} Now, when you run a command with **account-a-admin** profile, AWS SDK uses the access keys you have configured for the **manager** profile to assume the **arn:aws:iam::123456789012:role/admin** IAM role referenced by the **account-a-admin** profile. ```bash tkm stacks deploy --profile account-a-admin ``` ## Assuming roles that require MFA You can specify in an IAM role's trust policy that the user must provide an MFA token to assume it. Then, to assume the role, you need to configure your IAM user's MFA device with `mfa_serial` property in the role's profile like so: {% code title="\~/.aws/credentials" %} ```yaml [manager] aws_access_key_id= aws_secret_access_key= [account-a-admin] role_arn=arn:aws:iam::123456789012:role/admin source_profile=manager mfa_serial=arn:aws:iam::224466880011:mfa/username ``` {% endcode %} When you run a command, Takomo will ask you the MFA code. ```bash tkm stacks deploy --profile account-admin ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.takomo.io/configuration/aws-credentials.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.