aws · ashovlin · Mar 17, 2026 · Mar 17, 2026 · Mar 18, 2026
diff --git a/.changes/next-release/enhancement-configure-2863.json b/.changes/next-release/enhancement-configure-2863.json
@@ -0,0 +1,5 @@
+{
+  "type": "enhancement",
+  "category": "``configure``",
+  "description": "Add tip that suggests ``aws login`` during ``aws configure`` for new profiles"
+}
diff --git a/awscli/customizations/configure/configure.py b/awscli/customizations/configure/configure.py
@@ -68,6 +68,8 @@ class ConfigureCommand(BasicCommand):
         'To create a new configuration::\n'
         '\n'
         '    $ aws configure\n'
+        '    Tip: You can now deliver temporary credentials to the AWS CLI\n'
+        '    using your AWS Console session. Simply run \'aws login\'.\n\n'
         '    AWS Access Key ID [None]: accesskey\n'
         '    AWS Secret Access Key [None]: secretkey\n'
         '    Default region name [None]: us-west-2\n'
@@ -127,9 +129,11 @@ def _should_prompt_for_session_token(self, new_values, config):
         new_access_key = new_values.get('aws_access_key_id')
         if new_access_key and not self._needs_session_token(new_values):
             return False
-        
+
         # Prompt if needed for temporary credentials or if already exists
-        return self._needs_session_token(new_values) or config.get('aws_session_token')
+        return self._needs_session_token(new_values) or config.get(
+            'aws_session_token'
+        )
 
     def _run_main(self, parsed_args, parsed_globals):
         # Called when invoked with no args "aws configure"
@@ -142,10 +146,22 @@ def _run_main(self, parsed_args, parsed_globals):
         except ProfileNotFound:
             config = {}
 
+        if not config:
+            sys.stdout.write(
+                '\nTip: You can now deliver temporary credentials'
+                ' to the AWS CLI using your AWS Console session.'
+                ' Simply run \'aws login\'.\n\n'
+            )
+
         for config_name, prompt_text in self.VALUES_TO_PROMPT:
-            if config_name == 'aws_session_token' and not self._should_prompt_for_session_token(new_values, config):
+            if (
+                config_name == 'aws_session_token'
+                and not self._should_prompt_for_session_token(
+                    new_values, config
+                )
+            ):
                 continue
-                
+
             current_value = config.get(config_name)
             new_value = self._prompter.get_value(
                 current_value, config_name, prompt_text

diff --git a/awscli/customizations/login/login.py b/awscli/customizations/login/login.py
@@ -50,6 +50,7 @@ class LoginCommand(BasicCommand):
         'temporary credentials with the ``AWS_LOGIN_CACHE_DIRECTORY`` '
         'environment variable.'
     )
+    EXAMPLES = BasicCommand.FROM_FILE()
     ARG_TABLE = [
         {
             'name': 'remote',

diff --git a/awscli/examples/configure/_description.rst b/awscli/examples/configure/_description.rst
@@ -10,6 +10,10 @@ When you are prompted for information, the current value will be displayed in
 config file.  It does not use any configuration values from environment
 variables or the IAM role.
 
+Tip: You can deliver temporary credentials to the AWS CLI using your AWS
+Console session by running the command ``aws login``. For more information, see
+`Login for AWS local development using console credentials <https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sign-in.html>`__.
+
 Note: the values you provide for the AWS Access Key ID and the AWS Secret
 Access Key will be written to the shared credentials file
 (``~/.aws/credentials``).

diff --git a/awscli/examples/login/_examples.rst b/awscli/examples/login/_examples.rst
@@ -0,0 +1,35 @@
+**Example 1: To login with default parameters**
+
+The following ``login`` example authenticates the CLI using your AWS Console session. A browser window opens automatically to complete the sign-in. ::
+
+    aws login
+
+Output::
+
+    Attempting to open your default browser.
+    If the browser does not open, open the following URL:
+
+    https://signin.aws.amazon.com/...
+
+    Updated profile default to use arn:aws:sts::123456789012:assumed-role/my-role/my-session-name credentials.
+
+For more information, see `Login for AWS local development using console credentials <https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sign-in.html>`__ in the *AWS CLI User Guide*.
+
+**Example 2: To login from a remote host**
+
+The following ``login`` example uses the ``--remote`` option to authenticate from a host where a browser is not available, such as over SSH. You visit the provided URL on another device and paste the authorization code back into the CLI. ::
+
+    aws login --remote
+
+Output::
+
+    Browser will not be automatically opened.
+    Please visit the following URL:
+
+    https://signin.aws.amazon.com/...
+
+    Enter the authorization code displayed in your browser: XXXX
+
+    Updated profile default to use arn:aws:sts::123456789012:assumed-role/my-role/my-session-name credentials.
+
+For more information, see `Login for AWS local development using console credentials <https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sign-in.html>`__ in the *AWS CLI User Guide*.
diff --git a/tests/functional/docs/test_examples.py b/tests/functional/docs/test_examples.py
@@ -283,6 +283,10 @@ def _parse_service_operation(self, command, filename):
         # We know the service is good.  Parse the operation.
         cmd = self._service_command_table[parsed_args.command]
         cmd_table = cmd.create_help_command().command_table
+        if (
+            not cmd_table
+        ):  # skip top-level commands without subcommands like 'aws login'
+            return
         service_parser = ServiceArgParser(
             operations_table=cmd_table, service_name=parsed_args.command
         )