User Management in AWS

To work with govuk-aws and govuk-aws-data, you will require an account in AWS.

GDS central users account

GDS maintains a central account for AWS access. You will need to request an account from the Technology and Operations team. To sign in, go to the gds-users account page, and use the following credentials:

  • Account ID or alias: “gds-users”
  • Username: your Cabinet Office email address
  • Password: your password

Ensure that you create both MFA and access keys once you have access to your account.

Make a note of the ARN of the “Assigned MFA device”. The format will be:


Switching roles to GOV.UK accounts

Add your ARN to GOV.UK account role

Find your “User ARN”. This is located under your user's profile within IAM in the central account.

The format will be:


You will need someone who already has access to the account you wish to get access to.

They will need to:

When this has been deployed, you should also gain access to edit this data.

Switch role

You can switch role to a GOV.UK account through either the console or the command line.

See details for GOV.UK accounts.


To switch to the role using the console, see guidance published by Amazon.


There are two methods to assume roles using the CLI.

Both methods require the following:

  • Role ARN: arn:aws:iam::<Account ID>:role/<Role Name> (Account IDs are here and Role Names are here)
  • MFA ARN: the ARN assigned to the MFA device in your account (be careful not to use your User ARN!)

Both methods allow a valid session of up to eight hours. Once the session has expired, you will need to rerun the assume-role command. If you want to switch between environments, you will need to re-authenticate with MFA.

Storing credentials on disk

Create ~/.aws/config:

[profile govuk-<environment>]
role_arn = <Role ARN>
mfa_serial = <MFA ARN>
source_profile = gds
region = eu-west-1

[profile gds]
mfa_serial = <MFA ARN>
region = eu-west-1

Create ~/.aws/credentials:

[gds]
aws_access_key_id = <access key id>
aws_secret_access_key = <secret access key>

You can get the key ID and secret by following the instructions for IAM-based access keys here.

To test the configuration, use awscli.

aws --profile govuk-<environment> s3 ls

You should be prompted for an MFA token. If successful, you should receive some output.

Exporting credentials to environment

Ensure awscli is installed. Ensure you have your MFA token ready, and run:

aws sts assume-role \
  --role-session-name "$(whoami)-$(date +%d-%m-%y_%H-%M)" \
  --role-arn <Role ARN> \
  --serial-number <MFA ARN> \
  --duration-seconds 28800 \
  --token-code <MFA token>

If successful, this will output some credentials. Store them in your environment using the following environment variables. Refresh them when they expire after eight hours with another aws sts assume-role command.
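One way to load the output into your environment without copying values by hand, as an added example that is not part of the original page. The function names are hypothetical; it uses the standard AWS CLI variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, and assumes a virtual MFA device whose ARN has the form arn:aws:iam::<Account ID>:mfa/<name>.

```shell
# Added example, not from the original page. Function names are hypothetical.

# Export the three values printed by `aws sts assume-role` when it is run with
#   --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# $1 = that single whitespace/tab-separated line.
load_sts_credentials() {
  set -f; set -- $1; set +f    # split into fields without glob expansion
  if [ "$#" -ne 3 ]; then
    echo "expected 3 credential fields, got $#" >&2
    return 1
  fi
  # Temporary STS access key IDs start with ASIA. Long-term IAM user keys
  # start with AKIA and must not end up in the session variables.
  case "$1" in
    ASIA*) ;;
    *) echo "access key ID is not a temporary STS key" >&2; return 1 ;;
  esac
  export AWS_ACCESS_KEY_ID="$1"
  export AWS_SECRET_ACCESS_KEY="$2"
  export AWS_SESSION_TOKEN="$3"
}

# $1 = Role ARN, $2 = MFA ARN, $3 = MFA token
assume_govuk_role() {
  # Catch the mistake the page warns about: passing the User ARN as the MFA ARN.
  # Assumption: a virtual MFA device, whose ARN contains ":mfa/".
  case "$2" in
    arn:aws:iam::*:mfa/*) ;;
    *) echo "second argument is not an MFA device ARN" >&2; return 1 ;;
  esac
  _creds=$(aws sts assume-role \
    --role-session-name "$(whoami)-$(date +%d-%m-%y_%H-%M)" \
    --role-arn "$1" \
    --serial-number "$2" \
    --duration-seconds 28800 \
    --token-code "$3" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || return 1
  # Credentials stay in shell variables and are never echoed to the terminal.
  load_sts_credentials "$_creds" || { unset _creds; return 1; }
  unset _creds
}
```

Source the file in your current shell so the exports persist, then run assume_govuk_role with the Role ARN, MFA ARN and MFA token as arguments.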

This page was last reviewed . It needs to be reviewed again by the page owner #govuk-2ndline.