diff --git a/cli/src/account.rs b/cli/src/account.rs
index 300a3fd..8a7e7e3 100644
--- a/cli/src/account.rs
+++ b/cli/src/account.rs
@@ -6,16 +6,15 @@ use rusoto_cognito_identity::*;
 use rusoto_cognito_idp::CognitoIdentityProvider;
 use rusoto_cognito_idp::*;
 
-
 use crate::cache::FileCache;
 use crate::config::*;
 
 
-// By default, CognitoIdentityProviderClient::new will attempt to use
-// the aws credentials on the user's machine (e.g. ~/.aws/credentials
-// or environment variables). If the user doesn't have any
-// credentials, signup and setup will fail. The client returned by
-// this function uses anonymous credentials which prevents this issue.
+/// By default, CognitoIdentityProviderClient::new will attempt to use the aws
+/// credentials on the user's machine (e.g. ~/.aws/credentials or
+/// environment variables). If the user doesn't have any credentials,
+/// any calls with this client will fail. The client returned by this
+/// function uses anonymous credentials which prevents this issue.
 pub fn anonymous_identity_provider_client() -> CognitoIdentityProviderClient {
     CognitoIdentityProviderClient::new_with(
         HttpClient::new().expect("Failed to create HTTP client"),
@@ -24,6 +23,19 @@ pub fn anonymous_identity_provider_client() -> CognitoIdentityProviderClient {
     )
 }
 
+/// By default, CognitoIdentityClient::new will attempt to use the aws
+/// credentials on the user's machine (e.g. ~/.aws/credentials or
+/// environment variables). If the user doesn't have any credentials,
+/// any calls with this client will fail. The client returned by this
+/// function uses anonymous credentials which prevents this issue.
+pub fn anonymous_identity_client() -> CognitoIdentityClient {
+    CognitoIdentityClient::new_with(
+        HttpClient::new().expect("Failed to create HTTP client"),
+        StaticProvider::from(AwsCredentials::default()),
+        Region::UsWest2
+    )
+}
+
 pub async fn signup(client: &CognitoIdentityProviderClient, email: String,
                     username: String, password: String)
                     -> Result<SignUpResponse, RusotoError<SignUpError>> {
@@ -111,11 +123,10 @@ pub async fn setup(id_provider_client: &CognitoIdentityProviderClient,
         Err(error) => {
             match error {
                 RusotoError::Service(e) => Err(e),
-                _ => panic!("Unknown error")
+                _ => panic!("Login failed: {}", error)
             }
         }
     }
-    // future::ready(Ok(())).await
 }
 
 pub type AWSCredentialsResponse = Result<GetCredentialsForIdentityResponse,
diff --git a/cli/src/main.rs b/cli/src/main.rs
index 1c02a56..9c1cf2a 100644
--- a/cli/src/main.rs
+++ b/cli/src/main.rs
@@ -129,7 +129,7 @@ async fn run() -> Result<(), Error> {
                 // TODO first check if there is an existing installation
                 let values = prompt::signup();
                 let id_provider_client = account::anonymous_identity_provider_client();
-                let id_client = CognitoIdentityClient::new(Region::UsWest2);
+                let id_client = account::anonymous_identity_client();
 
                 let user_id = account::signup(&id_provider_client,
                                               values.email.clone(),
@@ -144,6 +144,7 @@ async fn run() -> Result<(), Error> {
 
                 // Prompt the user to confirm they clicked the verification link
                 let mut email_verified = false;
+
                 while !email_verified {
                     println!("Please check your inbox for an email to verify your account.");
                     if prompt::is_email_verified() {
@@ -166,6 +167,8 @@ async fn run() -> Result<(), Error> {
                                 }
                             })
                             .context("Failed to set up account")?;
+
+                        email_verified = true;
                     }
                 };
 
@@ -173,12 +176,8 @@ async fn run() -> Result<(), Error> {
             },
             Command::Setup => {
                 let values = prompt::login();
-                // TODO this must use anonymous credentials otherwise
-                // it will fail on machines that don't have any AWS
-                // credentials
                 let id_provider_client = account::anonymous_identity_provider_client();
-                // CognitoIdentityProviderClient::new_with(rusoto_credential::Anonymous ,Region::UsWest2)
-                let id_client = CognitoIdentityClient::new(Region::UsWest2);
+                let id_client = account::anonymous_identity_client();
 
                 account::setup(&id_provider_client,
                                &id_client,
diff --git a/cli/src/upload_client.rs b/cli/src/upload_client.rs
index c2e9cc8..8f06bc4 100644
--- a/cli/src/upload_client.rs
+++ b/cli/src/upload_client.rs
@@ -94,7 +94,7 @@ async fn ensure_id_token(cache: &FileCache, id_provider_client: &CognitoIdentity
 
 pub async fn authenticated_client(cache: &FileCache) -> Result<S3Client, Error> {
     let id_provider_client = CognitoIdentityProviderClient::new(Region::UsWest2);
-    let id_client = CognitoIdentityClient::new(Region::UsWest2);
+    let id_client = account::anonymous_identity_client();
 
     let refresh_token = ensure_refresh_token(&cache, &id_provider_client).await;
     let identity_id = cache.get("identity").context("Unable to retrieve user ID")?;