# AWS Credentials Setup for Local Deploy

You have two options: IAM Identity Center (SSO) or an IAM user with access keys. SSO is recommended.

## Option A: AWS IAM Identity Center (SSO) — Recommended
```bash
# 1. Configure SSO profile
aws configure sso
```

It will prompt:

```text
SSO session name: mpac
SSO start URL: https://<your-org>.awsapps.com/start   # get from your AWS admin
SSO region: us-east-1                                  # SSO region, not deploy region
SSO registration scopes: sso:account:access
```

Then select your account and permission set. Give the profile a name like `mpac-dev`.
This creates `~/.aws/config`:

```ini
[profile mpac-dev]
sso_session = mpac
sso_account_id = 123456789012
sso_role_name = AdministratorAccess   # or your role name
region = ap-northeast-1

[sso-session mpac]
sso_start_url = https://<your-org>.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
```

```bash
# 2. Login (opens browser; the session is valid for ~8 hours)
aws sso login --profile mpac-dev

# 3. Verify
aws sts get-caller-identity --profile mpac-dev

# 4. Deploy
make deploy-smartpos-dev AWS_PROFILE=mpac-dev
```

## Option B: IAM User with Access Keys
```bash
# 1. Create named profile
aws configure --profile mpac-dev
```

It will prompt:

```text
AWS Access Key ID: AKIA...
AWS Secret Access Key: ****
Default region name: ap-northeast-1
Default output format: json
```

This creates `~/.aws/credentials`:

```ini
[mpac-dev]
aws_access_key_id = AKIA...
aws_secret_access_key = ****
```

And `~/.aws/config`:

```ini
[profile mpac-dev]
region = ap-northeast-1
output = json
```

```bash
# 2. Verify
aws sts get-caller-identity --profile mpac-dev

# 3. Deploy
make deploy-smartpos-dev AWS_PROFILE=mpac-dev
```

## Required IAM Permissions
The deploying user/role needs these permissions at minimum:

| Service | Why |
|---|---|
| cloudformation:* | Create/update/delete stacks |
| ec2:* | VPC, subnets, security groups, bastion |
| ecs:* | Cluster, services, task definitions |
| rds:* | PostgreSQL instance |
| elasticache:* | Redis cluster |
| ecr:* | Container registry |
| elasticloadbalancing:* | ALB, target groups, listeners |
| iam:* | Roles, policies for ECS tasks |
| s3:* | Template bucket, app buckets |
| secretsmanager:* | DB/Redis secrets |
| route53:* | DNS records |
| logs:* | CloudWatch log groups |
| servicediscovery:* | Cloud Map namespaces |

For dev, AdministratorAccess (or PowerUserAccess plus the IAM permissions) is simplest. For staging/prod, use a scoped policy such as `shared/iam-policies/ci-cd-deploy-policy.json`.
## Two ways to use the profile

```bash
# Option 1: Pass to make (per-command)
make deploy-smartpos-dev AWS_PROFILE=mpac-dev

# Option 2: Export (session-wide)
export AWS_PROFILE=mpac-dev
make deploy-smartpos-dev
make status-smartpos
# all commands in this terminal use mpac-dev
```

## Quick verification before deploying
```bash
# Check identity
aws sts get-caller-identity --profile mpac-dev
# Expected output:
# {
#     "UserId": "AROA...:your-name",
#     "Account": "123456789012",
#     "Arn": "arn:aws:sts::123456789012:assumed-role/..."
# }

# Check region
aws configure get region --profile mpac-dev
# Expected: ap-northeast-1
```

If that works, you're ready for the deployment steps from the previous guide.
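The identity and region checks above can be scripted as a preflight gate that refuses to deploy when the profile, region or account is not the one you expect. This is an added example, not code from the project: it assumes the config path, profile name, expected region and expected account id are passed in by the caller, and it parses a config file of the shape shown in Option A.

```shell
#!/usr/bin/env bash
# Preflight gate for a named AWS profile, run before `make deploy-... AWS_PROFILE=...`.
# Added example, not part of the project. Assumed inputs: the config file path,
# the profile name, the expected deploy region and the expected account id.

# Print the body of "[profile NAME]" from a config file (empty if absent).
profile_section() {                 # $1=config file, $2=profile name
  awk -v want="[profile $2]" '
    { sub(/[ \t\r]+$/, "") }        # ignore trailing whitespace on every line
    $0 == want { inside = 1; next } # the header we are looking for
    /^\[/      { inside = 0 }       # any other header ends the section
    inside     { print }' "$1"
}

# Read one key from a section body, dropping spaces and trailing "# comments".
section_value() {                   # $1=section body, $2=key
  printf '%s\n' "$1" | awk -F= -v key="$2" '
    { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
    $1 == key { sub(/#.*/, "", $2); gsub(/[ \t]/, "", $2); print $2; exit }'
}

# check_profile CONFIG PROFILE EXPECTED_REGION
# Fails if the profile is missing, its region is not the deploy region, or it
# names an sso_session with no matching [sso-session NAME] block.
check_profile() {
  local body region session
  body=$(profile_section "$1" "$2")
  [ -n "$body" ] || { echo "no [profile $2] in $1" >&2; return 1; }
  region=$(section_value "$body" region)
  [ "$region" = "$3" ] || { echo "region '$region' != '$3'" >&2; return 1; }
  session=$(section_value "$body" sso_session)
  if [ -n "$session" ]; then        # SSO profile: its session block must exist
    grep -Fxq "[sso-session $session]" "$1" ||
      { echo "missing [sso-session $session] in $1" >&2; return 1; }
  fi
}

# check_identity IDENTITY_JSON EXPECTED_ACCOUNT
# Compares the Account field of `aws sts get-caller-identity` output with the
# account the stack must land in, catching a profile pointed at the wrong account.
check_identity() {
  local account
  account=$(printf '%s\n' "$1" | sed -n 's/.*"Account": *"\([0-9]*\)".*/\1/p')
  [ "$account" = "$2" ] || { echo "account '$account' != '$2'" >&2; return 1; }
}

# Against the real CLI (needs a valid `aws sso login` session):
#   check_profile ~/.aws/config mpac-dev ap-northeast-1 &&
#     check_identity "$(aws sts get-caller-identity --profile mpac-dev)" 123456789012
```

Wire the two calls into the deploy target (or a pre-deploy script) so a stale or mis-pointed profile fails fast instead of creating stacks in the wrong account.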