Manage Credentials with ASK CLI
The Alexa Skills Kit (ASK) Command Line Interface (CLI) stores your Amazon developer credentials so that it can authenticate you when you clone an existing skill, deploy a skill, or otherwise interact with Amazon developer services. If you use the ASK CLI to manage skills that use AWS Lambda for your skill's backend code, the CLI also stores a reference to your Amazon Web Services (AWS) credentials.
Review these guidelines to set up and manage your Amazon developer and AWS credentials with ASK CLI.
Understand profiles
ASK CLI uses profiles, which you can think of as containers that store sets of credentials. With profiles, you can configure sets of different Amazon developer and AWS credentials and use any of them with ASK CLI. Profiles make it easier to manage skills that are owned by different Amazon developer organizations, and backend code in AWS Lambda that is owned by different AWS accounts. The following sections explain how you can configure different sets of credentials into profiles.
By default, ASK CLI stores Amazon developer credentials in the profile named default. Use the default profile when you have only one set of Amazon developer credentials. When you need to use more than one set of Amazon developer credentials, use the ask configure command to create a new profile. Then use the -p or --profile option with an ASK CLI command to specify which profile to use, or use an environment variable named ASK_DEFAULT_PROFILE. Set the variable's value to the name of the profile that you want ASK CLI to use, for example profile_2.
Order of precedence for profiles
ASK CLI searches for profiles in the following order:
- When an ASK CLI command uses the -p or --profile option, ASK CLI uses the profile specified with that option.
- When the command doesn't use the -p or --profile option, ASK CLI uses the profile that's specified in the value of the ASK_DEFAULT_PROFILE environment variable.
- When the command doesn't use the -p or --profile option and there's no ASK_DEFAULT_PROFILE environment variable, ASK CLI uses the profile named default in the ASK CLI configuration file, named cli_config.
For more information about the configuration file, see Manage your Amazon developer credentials directly.
Configure credentials with the 'ask configure' command
Use the ask configure command to set up your Amazon developer and AWS credentials with ASK CLI.
When you run ask configure for the first time, ASK CLI opens a web browser so you can sign in to your Amazon developer account. After you sign in to your Amazon developer account, use the web page to allow ASK CLI the access that it needs. Then ASK CLI creates a configuration file and stores your Amazon developer credentials in the file in a profile named default. For more information about the configuration file, see Manage your Amazon developer credentials directly.
When the ASK CLI has a configuration file, and then you run ask configure, ASK CLI asks whether you want to overwrite an existing ASK CLI profile or create a new one. ASK CLI also searches for existing AWS profiles, and if found, asks whether you want to use an existing AWS profile or create a new one. For more information about how AWS credentials work with ASK CLI, see Manage your AWS credentials directly.
To use ask configure in an environment without a web browser, add the --no-browser option (ask configure --no-browser).
To see the full syntax and all available options for the ask configure command, see configure command in the ASK CLI Command Reference.
Manage your Amazon developer credentials directly
You can use the ask configure command to manage the Amazon developer credentials that ASK CLI uses. With ask configure, you can perform the following tasks:
- Use ask configure to create a new profile or overwrite an existing one.
- Use ask configure -p <profile name> to create or overwrite a specific profile.
You can also manage the Amazon developer credentials that ASK CLI uses by directly editing the ASK CLI configuration file or by using the ASK CLI environment variables, as explained in the following sections.
ASK CLI configuration file
The ASK CLI configuration file is stored in your home directory, in a folder named .ask, in a file named cli_config. The following example shows the contents of the ASK CLI configuration file.
{
  "profiles": {
    "default": {
      "aws_profile": "ask_cli_default",
      "token": {
        "access_token": "Atza| ... ",
        "refresh_token": "Atzr| ... ",
        "token_type": "bearer",
        "expires_in": 3600,
        "expires_at": "2019-01-21T01:13:37.228Z"
      },
      "vendor_id": "ABCD1234 ..."
    },
    "profile2": {
      "aws_profile": "ask_cli_2",
      "token": {
        "access_token": "Atza| ... ",
        "refresh_token": "Atzr| ... ",
        "token_type": "bearer",
        "expires_in": 3600,
        "expires_at": "2019-01-21T02:02:07.833Z"
      },
      "vendor_id": "ABCD1234 ..."
    }
  }
}
You can edit this file directly to make changes to your ASK CLI profiles. For example, you can change a profile name, change the associated AWS profile, or change the Amazon developer vendor ID.
token object. ASK CLI updates those values for you when you run ask configure.
AWS profile
The value of aws_profile represents a profile in the AWS configuration file. For more information about AWS profiles, see Manage your AWS credentials directly.
Vendor ID
The value of vendor_id represents the Amazon developer vendor ID associated with the ASK CLI profile. Every Amazon developer account has a customer ID and one or more vendor IDs. To see them, go to https://developer.amazon.com/mycid.html and sign in with your Amazon developer account. When you run ask configure and sign in to an Amazon developer account with more than one vendor ID, ASK CLI asks you to choose the one to use.
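An added example, not part of the original page or the ASK CLI project: a Python script that inventories the profiles in the configuration file described above and checks its file mode, without ever returning token values. The function name audit_cli_config and the expectation that the file is accessible to its owner only are assumptions of this example.

```python
import json
import stat
from datetime import datetime, timezone
from pathlib import Path


def audit_cli_config(path, now=None):
    """Summarise an ASK CLI config file without ever returning token values."""
    path = Path(path)
    now = now or datetime.now(timezone.utc)
    mode = stat.S_IMODE(path.stat().st_mode)
    report = {
        "mode": format(mode, "03o"),
        # Assumption of this example: the file should be accessible to its owner only,
        # because it holds access and refresh tokens in plaintext.
        "group_or_other_access": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
        "profiles": [],
    }
    config = json.loads(path.read_text(encoding="utf-8"))
    for name, profile in config.get("profiles", {}).items():
        token = profile.get("token", {})
        expires_at = token.get("expires_at")
        expired = None
        if expires_at:
            # The sample file uses ISO 8601 timestamps with a trailing 'Z' (UTC).
            expiry = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
            expired = expiry <= now
        report["profiles"].append({
            "name": name,
            "aws_profile": profile.get("aws_profile"),
            "vendor_id": profile.get("vendor_id"),
            "has_access_token": bool(token.get("access_token")),
            "has_refresh_token": bool(token.get("refresh_token")),
            "access_token_expired": expired,
        })
    return report


if __name__ == "__main__":
    target = Path.home() / ".ask" / "cli_config"
    if target.exists():
        print(json.dumps(audit_cli_config(target), indent=2))
    else:
        print(f"{target} not found")
```

The report is safe to attach to a ticket when reviewing which profiles, vendor IDs and AWS profiles a workstation or build agent still holds.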
Associate a profile with the environment variables
You can store your Amazon developer credentials in environment variables instead of using the ASK CLI configuration file. In this case, you don't need the ASK CLI configuration file at all. For more information, see ASK CLI environment variables.
ASK CLI environment variables
You can use the ASK CLI environment variables in conjunction with or in addition to the ASK CLI configuration file. The following list describes the ASK CLI environment variables.
ASK_DEFAULT_PROFILE
- Use this environment variable in conjunction with the ASK CLI configuration file. When you set the value of this environment variable to one of the profiles in the configuration file, ASK CLI uses the credentials in that profile.
ASK_ACCESS_TOKEN
- Use this environment variable to store an Amazon developer access token. When this environment variable exists, ASK CLI uses it instead of the credentials in the configuration file.
ASK_REFRESH_TOKEN
- Use this environment variable to store an Amazon developer refresh token. When this environment variable exists, ASK CLI uses it instead of the credentials in the configuration file. When this environment variable and ASK_ACCESS_TOKEN both exist, ASK CLI uses this one.
ASK_VENDOR_ID
- Use this environment variable to store an Amazon developer vendor ID. When this environment variable exists, ASK CLI uses it instead of the one in the configuration file.
ASK_CLI_PROXY
- Use this environment variable to specify an HTTP proxy for requests made with the ASK CLI.
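An added example, not code from the original page or from ASK CLI: a Python function that applies the profile order of precedence and the environment-variable overrides described on this page, so you can see which credential source is in effect before running a deploy (for instance, a leftover variable in a CI job overriding the intended profile). The function name resolve_sources, treating an empty variable as unset, and requiring both AWS variables together are assumptions of this example.

```python
import os


def _set(env, name):
    # Assumption: a variable counts as present only when it is non-empty.
    return bool(env.get(name))


def resolve_sources(config, cli_profile=None, env=None):
    """Report where each credential would come from, per the documented precedence."""
    env = os.environ if env is None else env
    # Profile: -p/--profile, then ASK_DEFAULT_PROFILE, then "default".
    if cli_profile:
        name, profile_src = cli_profile, "-p/--profile"
    elif _set(env, "ASK_DEFAULT_PROFILE"):
        name, profile_src = env["ASK_DEFAULT_PROFILE"], "ASK_DEFAULT_PROFILE"
    else:
        name, profile_src = "default", "cli_config default"
    profile = config.get("profiles", {}).get(name)
    in_file = f"cli_config profile '{name}'" if profile else None
    # Token: ASK_REFRESH_TOKEN wins over ASK_ACCESS_TOKEN; both win over the file.
    if _set(env, "ASK_REFRESH_TOKEN"):
        token_src = "ASK_REFRESH_TOKEN"
    elif _set(env, "ASK_ACCESS_TOKEN"):
        token_src = "ASK_ACCESS_TOKEN"
    else:
        token_src = in_file if profile and profile.get("token") else None
    vendor_src = "ASK_VENDOR_ID" if _set(env, "ASK_VENDOR_ID") else (
        in_file if profile and profile.get("vendor_id") else None)
    # AWS: environment variables override the credentials file profile.
    if _set(env, "AWS_ACCESS_KEY_ID") and _set(env, "AWS_SECRET_ACCESS_KEY"):
        aws_src = "AWS environment variables"
    elif profile and profile.get("aws_profile"):
        aws_src = f"AWS credentials file profile '{profile['aws_profile']}'"
    else:
        aws_src = None
    return {"profile": name, "profile_source": profile_src, "token_source": token_src,
            "vendor_id_source": vendor_src, "aws_source": aws_src}


# Constructed sample: token values are placeholders, not real credentials.
SAMPLE_CONFIG = {"profiles": {
    "default": {"aws_profile": "ask_cli_default", "token": {"refresh_token": "PLACEHOLDER"},
                "vendor_id": "VENDOR_A"},
    "profile2": {"aws_profile": "ask_cli_2", "token": {"refresh_token": "PLACEHOLDER"},
                 "vendor_id": "VENDOR_B"}}}

if __name__ == "__main__":
    stale_env = {"ASK_DEFAULT_PROFILE": "profile2", "ASK_ACCESS_TOKEN": "PLACEHOLDER"}
    print(resolve_sources(SAMPLE_CONFIG, env=stale_env))
```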
Manage your AWS credentials directly
If you use ASK CLI to create and manage skills that use AWS Lambda for the skill's backend code, then you need AWS credentials. If you're an AWS developer, you might already have AWS credentials. If you don't already have AWS credentials or you're not sure, see Create AWS credentials.
You can use the ask configure command to manage the AWS credentials that ASK CLI uses. You can also manage the AWS credentials that ASK CLI uses by directly editing the AWS credentials file or by using the AWS environment variables, as explained in the following sections.
AWS credentials file
If you're an AWS developer, you might already have AWS credentials stored in the AWS credentials file. For more information about how to create AWS credentials to use with ASK CLI, see Create AWS credentials.
ASK CLI uses the AWS credentials stored in the AWS credentials file, if one exists. When you use the ask configure command to configure AWS credentials, ASK CLI adds them to the AWS credentials file, creating the file if necessary. By default, ASK CLI stores your AWS credentials in a profile named ask_cli_default in the AWS credentials file.
For more information about the AWS credentials file, see Configuration and Credential Files and Named Profiles in the AWS documentation.
AWS environment variables
You can store AWS credentials in environment variables instead of the AWS credentials file. If the AWS environment variables exist, ASK CLI uses them instead of the values in the AWS credentials file. ASK CLI searches for the following AWS environment variables:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
For more details about AWS environment variables, see Environment Variables.
Create AWS credentials
If you use ASK CLI to create and manage skills that use AWS Lambda for the skill's backend code, you need AWS credentials. The aws configure command guides you through this process. However, if you don't already have AWS credentials or would prefer to create them manually, complete the following steps to create credentials with the AWS Identity & Access Management (IAM) console.
To create AWS credentials
- Sign in to the AWS management console.
- Open the IAM dashboard.
- On the IAM dashboard, from the left menu under Access management, click Policies.
- On the Policies page, click Create Policy.
- On the IAM > Policies > Create policy page, under Specify permissions, for Policy editor, select the JSON tab.
- Delete any text, and then copy and paste the following policy definition into the text area.
- At the bottom of the page, click Next.
- On the Review policy page, do the following:
- For Policy name, enter a name for the policy. For example, ASK-CLI.
- (Optional) For Description, enter a description. For example, Allows the permissions that ASK CLI needs.
- To create the policy, at the bottom of the page, click Create policy.
- Click Users, then click Add user.
- On the Set user details page, do the following:
- In the User name field, enter a name for the user. For example, ASK-CLI.
- For Access type, select the Programmatic access check box.
- Click Next: Permissions.
- On the Set permissions page, do the following:
- Make sure Add user to group is selected.
- Click Create group. Then, in the Create group window, do the following:
- In the Group name field, enter a name for the group. For example, ASK-CLI.
- Click Filter policies, then select the Customer managed check box.
- Select the check box next to the name of the policy that you created previously (step 5). If you followed these steps exactly, the policy name is ASK-CLI.
- Click Create group.
- Click Next: Tags.
- Click Next: Review.
- Click Create user.
- On the Success page, click Download .csv to download a copy of the user's access key. Save the file in a safe location.
Important: Do not skip this step. This is your only opportunity to save the user's secret access key. If you don't save it now, you must delete this access key and then create a new one.
- The credentials file name is credentials.csv. This file contains the AWS IAM user's access key ID and secret access key. Use these values when you configure AWS credentials with the ASK CLI's ask configure command. For more details, see Manage your AWS credentials.
Last updated: Feb 06, 2024