AWS CLI SSO made easy

As the pretty self-explanatory title reads, this is AWS CLI IAM Identity Center (SSO) authentication made easy. Without walking you through unneeded details that may only confuse you.

For additional context, the post describes how to authenticate users with AWS IAM Identity Center to get credentials to run AWS Command Line Interface (CLI) commands via SSO token provider configuration, as recommended by AWS, in an easy way. With the SSO token provider configuration, your AWS SDK or tool can automatically retrieve refreshed authentication tokens.

Getting started

First of all, you have to configure your SSO session, 'linking' your CLI to the AWS IAM Identity Center instance login page.

aws configure sso

The above command triggers a wizard that guides you through configuring an sso-session and a profile. The important parameters you need to fill are:

• sso-session = your_session_name

• sso_start_url = https://my-sso-portal.awsapps.com/start (taken from the IAM Identity Center login portal UI)

• profile = default NOTE: Use the default profile name so every time you login to your AWS SSO session the CLI commands are automatically run using your commonly-used (or only) profile role. (In my case, FullAccess)

• sso_role_name = leave as suggested or give it a descriptive name. (In my case, FullAccess)

The other parameters can be left as default.

Typically, an this is where I couldn't get full clarity from AWS documentation, you would only have to configure one sso-session, as there is usually a single IAM Identity Center instance or AWS Organization you need to access to. If you had to access multiple AWS Organizations or IAM Identity Center portals, configuring additional SSO sessions would be needed.

After introducing all the required information in the configuration wizard, this is how my ~/.aws/config file looks:

You can now configure different profiles for the different accounts and/or roles you have access to within the IAM Identity Center instance (AWS Organization). I am going to configure two additional profiles.

aws configure sso

Running the above command again walks you through the same wizard as before. The main difference now is that you have already configured an sso-session, so such SSO session name would be taken as the default session within which we are going to create a new profile. You could also manually type your existing sso-session name.

This is how my ~/.aws/config file looks now:

You could specify a different sso-session if you wanted to access another AWS Organization or IAM Identity Center portal.

aws configure sso-session

Alright, let’s recap!

• I now have one sso-session (to my AWS Organization or IAM Identity Center instance) and three profiles:

1. default - FullAccess to the 123456789000 account
2. read-only - ReadOnlyAccess role to the 123456789000 account
3. dev-account-admin - DevAccess role to the 123456789011 account

• A profile can be thought as an AWS account+role tuple.

We can now proceed to using the AWS CLI.

Login to the sso-session

The first time, or whenever the token expires, you can either log in to your default profile and sso-session (if you had named a default profile)

aws sso login

or specify the sso-session in case you had configured multiple SSO sessions.

aws sso login --sso-session <session-name>

Running CLI commands

Once logged in to the sso-session, you can simply run the CLI commands as usual without having to re-authenticate until the token expires. Usually after 8 hours, when the token expires, you will have to run the aws sso login command again to refresh the token.

Example:

aws s3 ls

Notice that, if you don’t specify a profile, the command will be run assuming your default profile, if you had any configured. The above command lists the S3 buckets in the 123456789000 account.

If you want to run the CLI command in the scope of a different account or particular role, you need to specify the appropriate profile:

aws s3 ls --profile dev-account-admin

The above command will list the S3 buckets in the 123456789011 account.

Logout from the sso-session

You can logout from your current sso-session before the token expires running

aws sso logout

Wait, what profile am I using?

You can also check which profile you are using running

aws sts get-caller-identity

I hope this post has helped you to easily get going with the AWS CLI using the IAM Identity Center token provider credentials. In any case, if you want to understand this in more detail (or get lost in the weeds :P), you can refer to the AWS documentation.