

# Authentication and access for the AWS Toolkit for JetBrains
<a name="auth-access"></a>

You don't need to authenticate with AWS to start working with the AWS Toolkit for JetBrains. However, most AWS resources are managed through an AWS account. If you've already set up an AWS account and authentication method, see the [Connecting to AWS](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/account-connect.html) topic in this User Guide to get started connecting to your AWS account.

The following topics contain additional details and setup instructions for each AWS credential type and authentication method that's compatible with the AWS Toolkit for JetBrains.

**Topics**
+ [AWS IAM Identity Center](identity-center.md)
+ [IAM credentials](setup-credentials.md)
+ [AWS Builder ID](builder-id.md)
+ [Updating firewalls and gateways](endpoints.md)

# AWS IAM Identity Center
<a name="identity-center"></a>

AWS IAM Identity Center is the recommended best practice for managing your AWS account authentication.

For detailed instructions on how to set up IAM Identity Center for Software Development Kits (SDKs) and the AWS Toolkit for JetBrains, see the [IAM Identity Center authentication](https://docs.aws.amazon.com//sdkref/latest/guide/access-sso.html) section in the *AWS SDKs and Tools Reference Guide*.

For instructions on how to authenticate and connect your IAM Identity Center account with the AWS Toolkit for JetBrains, see the [Connecting to AWS](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/account-connect.html) topic in this User Guide.

# AWS IAM credentials
<a name="setup-credentials"></a>

AWS Identity and Access Management (AWS IAM) Credentials authenticate with your AWS account through locally-stored access keys.

For instructions on how to authenticate with your existing IAM Credentials in the AWS Toolkit for JetBrains, see the [Connecting to AWS](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/account-connect.html) topic in this User Guide.

The following sections describe how to set up new IAM Credentials.

**Important**  
Before setting up IAM credentials to authenticate with your AWS account, note that:  
+ If you've already set IAM credentials through another AWS service (such as the AWS CLI), then the AWS Toolkit for JetBrains automatically detects those credentials and makes them available.
+ AWS recommends using IAM Identity Center authentication. For additional information about AWS IAM best practices, see the [Security best practice in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html) section of the AWS *Identity and Access Management* User Guide.
+ To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com//singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.

## Prerequisites
<a name="prereqs"></a>

Before you can configure the AWS Toolkit for JetBrains to authenticate with IAM user credentials, the following prerequisites must be met. If you've already set up IAM user credentials through another service (such as the AWS Command Line Interface), then you can skip the prerequisite steps and proceed to the following sections.

1. **Create an IAM user**. For detailed instructions on how to create an IAM user, see [Step 1: Create your IAM user](https://docs.aws.amazon.com//sdkref/latest/guide/access-iam-users.html#step1authIamUser) in the *AWS SDKs and Tools Reference Guide*.

1. **Get your IAM user access keys**. For detailed instructions on how to get your IAM user access keys, see [Step 2: Get your access keys](https://docs.aws.amazon.com//sdkref/latest/guide/access-iam-users.html#stepGetKeys) in the *AWS SDKs and Tools Reference Guide*.

1. **Optional: Update the shared credentials file**. For detailed instructions on how to update the shared credentials file, see [Step 3: Update the shared credentials file](https://docs.aws.amazon.com//sdkref/latest/guide/access-iam-users.html#stepauthIamUser) in the *AWS SDKs and Tools Reference Guide*.
**Note**  
If the optional prerequisite **Step 3: Update the shared credentials file** has been completed, the AWS Toolkit for JetBrains automatically detects your credentials during the **Creating a shared credentials file from the AWS Toolkit for JetBrains** procedure described in the following section.

## Creating a shared credentials file from the AWS Toolkit for JetBrains
<a name="setup-credentials-first-connect"></a>

Your *shared config file* and *shared credentials file* store configuration and credential information for your AWS accounts. For more information about shared configuration and credentials, see the [Where are configuration settings stored?](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where) section in the *AWS Command Line Interface User Guide*.

**Creating a shared credentials file from the AWS Toolkit for JetBrains**

1. From the AWS Toolkit for JetBrains, open **AWS Connection Settings** by choosing the **...** (ellipsis) icon.

1. From the **AWS Connection Settings** menu, choose **Set up authentication** to open the **AWS Toolkit for JetBrains** connection UI.

1. From the **AWS Explorer** section of the **Authenticate with AWS Toolkit** connection UI, choose the **Authenticate with IAM** link to open the **AWS Toolkit: Setup Authentication** dialog.

1. From the **IAM Credentials** tab, enter your **Profile Name**, **Access Key ID**, and **Secret Access Key**, then choose the **Connect** button to add the profile to your config file and connect the Toolkit with your AWS account.

1. The Toolkit **AWS Explorer** updates to display your AWS services and resources when authentication is complete and a connection has been established.

## Configuring shared credentials
<a name="setup-credentials-first-configure"></a>

The following procedure describes how to configure your shared credentials files from the AWS Toolkit for JetBrains.

1. From the AWS Toolkit for JetBrains, choose **+ Add Connection to AWS** to open the **AWS Toolkit: Add Connection** dialog box.

1. From the **AWS Toolkit: Add Connection** dialog box, choose **Edit AWS Credential file(s)** to open your **Credential File**.

1. When your credentials file opens in the JetBrains IDE, locate the section labeled `[default]`.

1. From the `[default]` section, locate the entry `#aws_access_key_id =`, remove the `#` and enter your AWS access key. The entry should look similar to the following:

   `aws_access_key_id = AKIAIOSFODNN7EXAMPLE`

1. From the `[default]` section, locate the entry `#aws_secret_access_key =`, remove the `#` and enter your AWS secret access key. The entry should look similar to the following:

   `aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`

   The final version of your updated credentials file resembles the following:

   ```
   [default]
   # The access key and secret key pair identify your account and grant access to AWS.
   # Treat your secret key like a password. Never share your secret key with anyone. Do
   # not post it in online forums, or store it in a source control system. If your secret
   # key is ever disclosed, immediately use IAM to delete the access key and secret key
   # and create a new key pair. Then, update this file with the replacement key details.
   aws_access_key_id = AKIAIOSFODNN7EXAMPLE
   aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
   ```

1. Save your changes to the file. The AWS Toolkit for JetBrains automatically detects your updated credentials and connects to your AWS account.
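
An added example, not part of the AWS documentation or the Toolkit: a Python audit of a shared credentials file like the one edited above. It flags file permissions wider than 0600 and profiles that hold long-term IAM user keys; the `sts-session` profile and its values are constructed for illustration, and the function names are hypothetical.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample: the page's example key pair plus a made-up temporary profile.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[sts-session]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructedSecretForIllustrationOnly
aws_session_token = constructedTokenForIllustrationOnly
"""


def audit_credentials_file(path):
    """Return (profile, finding) tuples for one shared credentials file."""
    findings = []
    if os.name == "posix":
        # The file holds secrets, so group/other should have no access bits.
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(("<file>", f"mode {oct(mode)} is wider than 0o600"))
    # RawConfigParser: secrets may contain '%', which interpolation would reject.
    parser = configparser.RawConfigParser()
    parser.read(path)
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        has_token = parser.has_option(profile, "aws_session_token")
        # AKIA prefixes long-term IAM user keys; ASIA prefixes temporary STS keys.
        if key_id.startswith("AKIA"):
            findings.append((profile, "long-term IAM user key stored in plaintext"))
        elif key_id.startswith("ASIA") and not has_token:
            findings.append((profile, "temporary key without aws_session_token"))
    return findings


def demo():
    """Write SAMPLE to a temp file with loose permissions and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as fh:
        fh.write(SAMPLE)
    os.chmod(fh.name, 0o644)
    try:
        return audit_credentials_file(fh.name)
    finally:
        os.unlink(fh.name)
```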


# Authenticating with an AWS Builder ID
<a name="builder-id"></a>

This topic describes how to authenticate with your AWS Builder ID from the AWS Toolkit for JetBrains. For detailed information about the AWS Builder ID authentication method, see the [Sign in with AWS Builder ID](https://docs.aws.amazon.com/signin/latest/userguide/sign-in-aws_builder_id.html) topic in the *AWS Sign-In* User Guide.

For instructions on how to authenticate and connect your AWS Builder ID account with the AWS Toolkit for JetBrains, see the [Connecting to AWS](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/account-connect.html) topic in this User Guide.

# Updating firewalls and gateways to allow access
<a name="endpoints"></a>

If you filter access to specific AWS domains or URL endpoints by using a web-content filtering solution, the following endpoints must be allow listed in order to access all of the services and features available through the AWS Toolkit for JetBrains and Amazon Q.

## AWS Toolkit for JetBrains Endpoints
<a name="w2aac15c15b5"></a>

The following are lists of AWS Toolkit for JetBrains specific endpoints and references that need to be allow listed.

### Endpoint
<a name="w2aac15c15b5b5"></a>

```
https://idetoolkits.amazonwebservices.com/endpoints.json
```

### Hosted files
<a name="w2aac15c15b5b7"></a>

```
https://idetoolkits-hostedfiles.amazonaws.com/Notifications/Jetbrains/combined/2.x.json
```

## Amazon Q plugin endpoints
<a name="w2aac15c15b7"></a>

The following is a list of Amazon Q plugin specific endpoints and references that need to be allow listed.

```
https://idetoolkits-hostedfiles.amazonaws.com/*    (Plugin for configs)
https://idetoolkits.amazonwebservices.com/*   (Plugin for endpoints)
https://aws-toolkit-language-servers.amazonaws.com/*  (Language Server Process)
https://client-telemetry.us-east-1.amazonaws.com/ (Telemetry)                
https://cognito-identity.us-east-1.amazonaws.com    (Telemetry)
https://aws-language-servers.us-east-1.amazonaws.com (Language Server Process)
```

## Amazon Q Developer endpoints
<a name="w2aac15c15b9"></a>

The following is a list of Amazon Q Developer specific endpoints and references that need to be allow listed.

```
https://codewhisperer.us-east-1.amazonaws.com (Inline,Chat, QSDA,...)
https://q.us-east-1.amazonaws.com (Inline,Chat, QSDA....)
https://desktop-release.codewhisperer.us-east-1.amazonaws.com/ (Download url for CLI.)
https://specs.q.us-east-1.amazonaws.com (Url for autocomplete specs used by CLI)
* aws-language-servers.us-east-1.amazonaws.com (Local Workspace context)
```

## Amazon Q Code Transform Endpoints
<a name="w2aac15c15c11"></a>

The following is a list of Amazon Q Code Transform specific endpoints and references that need to be allow listed.

```
https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-policies.html
```

## Authentication endpoints
<a name="w2aac15c15c15"></a>

The following is a list of authentication endpoints and references that need to be allow listed.

```
[Directory ID or alias].awsapps.com 
* oidc.[Region].amazonaws.com
*.sso.[Region].amazonaws.com
*.sso-portal.[Region].amazonaws.com
*.aws.dev
*.awsstatic.com
*.console.aws.a2z.com
*.sso.amazonaws.com
```

## Identity Endpoints
<a name="w2aac15c15c17"></a>

The following lists contain endpoints that are specific to identity, such as AWS IAM Identity Center and AWS Builder ID.

### AWS IAM Identity Center
<a name="w2aac15c15c17b5"></a>

For details on required endpoints for IAM Identity Center, see the [Enable IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center.html) topic in the *AWS IAM Identity Center* User Guide.

### Enterprise IAM Identity Center
<a name="w2aac15c15c17b7"></a>

```
https://[Center director id].awsapps.com/start (should be permitted to initiate auth)
https://us-east-1.signin.aws (for facilitating authentication, assuming IAM Identity Center is in IAD)
https://oidc.(us-east-1).amazonaws.com
log.sso-portal.eu-west-1.amazonaws.com
portal.sso.eu-west-1.amazonaws.com
```

### AWS Builder ID
<a name="w2aac15c15c17b9"></a>

```
https://view.awsapps.com/start (must be blocked to disable individual tier) 
https://codewhisperer.us-east-1.amazonaws.com and q.us-east-1.amazonaws.com (should be permitted)
```

## Telemetry
<a name="w2aac15c15c19"></a>

The following is a Telemetry specific endpoint that needs to be allow listed.

```
https://client-telemetry.us-east-1.amazonaws.com 
```

## References
<a name="w2aac15c15c21"></a>

The following is a list of endpoint references.

```
idetoolkits-hostedfiles.amazonaws.com
cognito-identity.us-east-1.amazonaws.com
amazonwebservices.gallery.vsassets.io
eu-west-1.prod.pr.analytics.console.aws.a2z.com
prod.pa.cdn.uis.awsstatic.com
portal.sso.eu-west-1.amazonaws.com
log.sso-portal.eu-west-1.amazonaws.com
prod.assets.shortbread.aws.dev
prod.tools.shortbread.aws.dev
prod.log.shortbread.aws.dev
a.b.cdn.console.awsstatic.com
assets.sso-portal.eu-west-1.amazonaws.com
oidc.eu-west-1.amazonaws.com
aws-toolkit-language-servers.amazonaws.com
aws-language-servers.us-east-1.amazonaws.com
idetoolkits.amazonwebservices.com
```
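
An added example, not part of the AWS documentation: a Python check that compares a proxy allow-list against the hostnames in the References list, expanding the `[Region]` placeholder used in the authentication endpoints. The `CURRENT_ALLOW_RULES` list and the function names are constructed for illustration, and `*` is assumed to match across dots, which depends on the filtering product.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Hostnames from the page's References list.
REFERENCE_HOSTS = """
idetoolkits-hostedfiles.amazonaws.com cognito-identity.us-east-1.amazonaws.com
amazonwebservices.gallery.vsassets.io eu-west-1.prod.pr.analytics.console.aws.a2z.com
prod.pa.cdn.uis.awsstatic.com portal.sso.eu-west-1.amazonaws.com
log.sso-portal.eu-west-1.amazonaws.com prod.assets.shortbread.aws.dev
prod.tools.shortbread.aws.dev prod.log.shortbread.aws.dev
a.b.cdn.console.awsstatic.com assets.sso-portal.eu-west-1.amazonaws.com
oidc.eu-west-1.amazonaws.com aws-toolkit-language-servers.amazonaws.com
aws-language-servers.us-east-1.amazonaws.com idetoolkits.amazonwebservices.com
""".split()

# Constructed proxy allow-list: some of the page's entries, written as the page writes them.
CURRENT_ALLOW_RULES = [
    "https://idetoolkits-hostedfiles.amazonaws.com/*",
    "https://idetoolkits.amazonwebservices.com/*",
    "https://aws-toolkit-language-servers.amazonaws.com/*",
    "*.sso.[Region].amazonaws.com",
    "*.sso-portal.[Region].amazonaws.com",
    "*.aws.dev",
    "*.awsstatic.com",
    "*.console.aws.a2z.com",
    "*.sso.amazonaws.com",
]


def rule_to_host_pattern(rule, region):
    """Reduce one rule to a lowercase hostname glob for the given Region."""
    rule = rule.strip().replace("[Region]", region)
    if "[" in rule or "]" in rule:
        # fnmatch would read a leftover placeholder as a character class.
        raise ValueError(f"unexpanded placeholder in rule: {rule!r}")
    if "://" in rule:
        rule = urlsplit(rule).hostname or ""
    return rule.lower()


def uncovered_hosts(required_hosts, allow_rules, region):
    """Return required hosts that no rule matches ('*' is assumed to span dots)."""
    patterns = [rule_to_host_pattern(r, region) for r in allow_rules]
    return [h for h in required_hosts
            if not any(fnmatchcase(h.lower(), p) for p in patterns)]
```

Running `uncovered_hosts(REFERENCE_HOSTS, CURRENT_ALLOW_RULES, "eu-west-1")` lists the reference hosts that still need their own rule; changing the Region argument shows which SSO hosts fall out of coverage.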