Configure and Log In to SSO Using an AWS CLI Profile

Configure a new SSO profile

$ aws configure sso --profile my-test-profile

This prompts for the SSO start URL and the SSO region. Enter the URL you use to reach the SSO portal.

SSO start URL [None]: https://<my-account>.awsapps.com/start
SSO Region [None]: eu-west-1

Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.eu-west-1.amazonaws.com/

Then enter the code:

XXXX-XXXX

The browser now opens the SSO login page; enter your username and password and log in. After a successful login, return to the CLI and select the account and role:

There are 7 AWS accounts available to you.
<select the account>
Using the account ID 1234567890

There are 4 roles available to you.
<select the role>
Using the role name "AWSAdministratorAccess"

CLI default client Region [None]: eu-west-1
CLI default output format [None]: json

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile my-test-profile

Now you can see the profile that was created in the ~/.aws/config file:

[profile my-test-profile]
sso_start_url = https://my-account.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 1234567890
sso_role_name = AWSAdministratorAccess
region = eu-west-1
output = json

NOTE: Do not create an entry for this profile with static credentials in the ~/.aws/credentials file. The SSO credentials are stored in a cache file instead.

The CLI caches the SSO access token in a JSON file under ~/.aws/sso/cache:

{
  "startUrl": "https://my-account.awsapps.com/start",
  "region": "eu-west-1",
  "accessToken": "eyxxxxx",
  "expiresAt": "2022-05-25T15:19:34Z"
}

Verify the profile by running the following command:

aws sts get-caller-identity --profile my-test-profile

These cached credentials expire after the configured SSO session duration (the expiresAt value above).
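As an added example (not part of the original page), the following Python script checks the cache entry shown above for a given start URL and reports whether the token is still usable or whether `aws sso login` is needed. It assumes the AWS CLI names each cache file after the SHA-1 hex digest of the SSO start URL; the sample cache entry, the fixed "now" time and the five-minute safety margin are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def sso_cache_file(cache_dir, start_url):
    # Assumption: the AWS CLI names each cache entry after the SHA-1 of the
    # SSO start URL (or the sso-session name) with a .json extension.
    digest = hashlib.sha1(start_url.encode("utf-8")).hexdigest()
    return os.path.join(cache_dir, digest + ".json")


def token_seconds_remaining(cache_file, now=None):
    """Seconds until the cached access token expires (negative if it already
    has), or None when there is no cache entry for this start URL."""
    if not os.path.exists(cache_file):
        return None
    with open(cache_file) as fh:
        entry = json.load(fh)
    expires_at = datetime.strptime(entry["expiresAt"], TIME_FMT).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return int((expires_at - now).total_seconds())


def needs_login(cache_dir, start_url, now=None, margin_seconds=300):
    """True when `aws sso login --profile ...` should be run: no cached token,
    or a token that expires within the safety margin."""
    remaining = token_seconds_remaining(sso_cache_file(cache_dir, start_url), now)
    return remaining is None or remaining < margin_seconds


def build_sample_cache(cache_dir, start_url, expires_at):
    """Write a constructed cache entry shaped like the one shown on the page."""
    entry = {
        "startUrl": start_url,
        "region": "eu-west-1",
        "accessToken": "eyxxxxx",  # placeholder, not a real token
        "expiresAt": expires_at.strftime(TIME_FMT),
    }
    os.makedirs(cache_dir, exist_ok=True)
    path = sso_cache_file(cache_dir, start_url)
    with open(path, "w") as fh:
        json.dump(entry, fh)
    return path


def demo():
    start_url = "https://my-account.awsapps.com/start"
    cache_dir = tempfile.mkdtemp()  # stands in for ~/.aws/sso/cache
    now = datetime(2022, 5, 25, 14, 0, 0, tzinfo=timezone.utc)  # constructed clock
    # Token valid until 15:19:34Z as in the page's cache entry: 4774 s left at 14:00Z.
    build_sample_cache(cache_dir, start_url, datetime(2022, 5, 25, 15, 19, 34, tzinfo=timezone.utc))
    return {
        "remaining": token_seconds_remaining(sso_cache_file(cache_dir, start_url), now),
        "needs_login_now": needs_login(cache_dir, start_url, now),
        "needs_login_later": needs_login(cache_dir, start_url, now + timedelta(hours=2)),
        "needs_login_unknown_url": needs_login(cache_dir, "https://other.awsapps.com/start", now),
    }


if __name__ == "__main__":
    print(demo())
```

To use it against a real profile, point cache_dir at ~/.aws/sso/cache and pass the sso_start_url from the profile's section in ~/.aws/config; when needs_login returns True, run `aws sso login --profile <name>` as described in the next section. Comparing against a margin rather than the exact expiry avoids a token that dies mid-command.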

Renew expired SSO session

Run the following command to renew the SSO credentials:

$ aws sso login --profile my-test-profile

The AWS CLI opens the browser, where you log in again to refresh the expired credentials.

Logout from SSO

aws sso logout

Other libraries

Your AWS SDK library may not support SSO profiles and may expect credentials in the ~/.aws/credentials file instead.

You can sync the SSO credentials into that file easily with the following library:

https://www.npmjs.com/package/aws-sso-creds-helper

Install

npm install -g aws-sso-creds-helper

Renew

ssocreds --profile my-test-profile
# or
ssocreds -p my-test-profile
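For readers who want to see what such a sync produces, here is an added Python example (not the aws-sso-creds-helper code or the page's own) that writes temporary role credentials into a ~/.aws/credentials-style file. The input dict is a constructed sample shaped like the roleCredentials block returned by `aws sso get-role-credentials` (expiration in epoch milliseconds); the key values are placeholders. It refuses to write credentials that have already expired and restricts the file to owner-only permissions.

```python
import configparser
import os
import stat
import tempfile
from datetime import datetime, timezone

# Constructed sample shaped like the roleCredentials block of
# `aws sso get-role-credentials`; none of these values are real.
SAMPLE_ROLE_CREDENTIALS = {
    "accessKeyId": "ASIAEXAMPLEEXAMPLE",
    "secretAccessKey": "EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMP",
    "sessionToken": "EXAMPLESESSIONTOKEN",
    "expiration": 1653491974000,  # epoch ms for 2022-05-25T15:19:34Z
}


def write_static_credentials(credentials_path, profile, role_creds, now=None):
    """Write temporary role credentials into a ~/.aws/credentials-style file.

    Note the section header is [profile-name], not [profile profile-name] as
    in ~/.aws/config. Returns the credentials' expiry as a datetime."""
    expires_at = datetime.fromtimestamp(role_creds["expiration"] / 1000, tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if expires_at <= now:
        raise ValueError(f"role credentials for {profile} expired at {expires_at.isoformat()}")
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)  # keep any other profiles in the file intact
    cfg[profile] = {
        "aws_access_key_id": role_creds["accessKeyId"],
        "aws_secret_access_key": role_creds["secretAccessKey"],
        "aws_session_token": role_creds["sessionToken"],
    }
    with open(credentials_path, "w") as fh:
        cfg.write(fh)
    # Secrets at rest: readable and writable by the owner only (0600).
    os.chmod(credentials_path, stat.S_IRUSR | stat.S_IWUSR)
    return expires_at


def read_profile(credentials_path, profile):
    """Return the named section as a dict, or None if it is absent."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    return dict(cfg[profile]) if cfg.has_section(profile) else None


def demo():
    path = os.path.join(tempfile.mkdtemp(), "credentials")  # stands in for ~/.aws/credentials
    now = datetime(2022, 5, 25, 14, 0, 0, tzinfo=timezone.utc)  # constructed clock
    expires = write_static_credentials(path, "my-test-profile", SAMPLE_ROLE_CREDENTIALS, now)
    section = read_profile(path, "my-test-profile")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # A day later the same credentials are stale and must not be written.
    later = datetime(2022, 5, 26, 0, 0, 0, tzinfo=timezone.utc)
    try:
        write_static_credentials(path, "my-test-profile", SAMPLE_ROLE_CREDENTIALS, later)
        refused = False
    except ValueError:
        refused = True
    return {
        "expires": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "section": section,
        "mode": mode,
        "refused_expired": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The credentials written this way are the same short-lived session credentials the SSO role issues, so the SDK that reads them stops working at the same expiry time; re-run the sync after each `aws sso login`. Keeping the write behind an expiry check stops a stale token from silently overwriting a working profile.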
