As the pretty self-explanatory title reads, this is AWS CLI IAM Identity Center (SSO) authentication made easy, without walking you through unneeded details that may only confuse you.
For additional context, the post describes how to authenticate users with AWS IAM Identity Center to get credentials to run AWS Command Line Interface (CLI) commands via SSO token provider configuration, as recommended by AWS, in an easy way. With the SSO token provider configuration, your AWS SDK or tool can automatically retrieve refreshed authentication tokens.
Getting started
First of all, you have to configure your SSO session, 'linking' your CLI to the AWS IAM Identity Center instance login page.
aws configure sso
The above command triggers a wizard that guides you through configuring an sso-session and a profile. The important parameters you need to fill are:
- sso-session = your_session_name
- sso_start_url = https://my-sso-portal.awsapps.com/start (taken from the IAM Identity Center login portal UI)
- profile = default. NOTE: Use the default profile name so that every time you log in to your AWS SSO session the CLI commands are automatically run using your commonly-used (or only) profile role. (In my case, FullAccess)
- sso_role_name = leave as suggested or give it a descriptive name. (In my case, FullAccess)
The other parameters can be left as default.
Typically, and this is where I couldn't get full clarity from the AWS documentation, you only have to configure one sso-session, as there is usually a single IAM Identity Center instance or AWS Organization you need to access. If you had to access multiple AWS Organizations or IAM Identity Center portals, you would need to configure additional SSO sessions.
After entering all the required information in the configuration wizard, this is how my ~/.aws/config file looks:
You can now configure different profiles for the different accounts and/or roles you have access to within the IAM Identity Center instance (AWS Organization). I am going to configure two additional profiles.
aws configure sso
Running the above command again walks you through the same wizard as before. The main difference now is that you have already configured an sso-session, so that SSO session name is taken as the default session within which the new profile is created. You could also manually type your existing sso-session name.
This is how my ~/.aws/config file looks now:
You could specify a different sso-session if you wanted to access another AWS Organization or IAM Identity Center portal:
aws configure sso-session
Alright, let’s recap!
- I now have one sso-session (to my AWS Organization or IAM Identity Center instance) and three profiles:
  - default - FullAccess to the 123456789000 account
  - read-only - ReadOnlyAccess role to the 123456789000 account
  - dev-account-admin - DevAccess role to the 123456789011 account
- A profile can be thought of as an AWS account+role tuple.
We can now proceed to using the AWS CLI.
Login to the sso-session
The first time, or whenever the token expires, you can either log in to your default profile and sso-session (if you had named a default profile)
aws sso login
or specify the sso-session in case you had configured multiple SSO sessions.
aws sso login --sso-session <session-name>
Running CLI commands
Once logged in to the sso-session, you can simply run the CLI commands as usual without having to re-authenticate until the token expires. Usually after 8 hours, when the token expires, you will have to run the aws sso login command again to refresh the token.
Example:
aws s3 ls
Notice that, if you don’t specify a profile, the command will be run assuming your default profile, if you had one configured. The above command lists the S3 buckets in the 123456789000 account.
If you want to run the CLI command in the scope of a different account or particular role, you need to specify the appropriate profile:
aws s3 ls --profile dev-account-admin
The above command will list the S3 buckets in the 123456789011 account.
Logout from the sso-session
You can log out from your current sso-session before the token expires by running
aws sso logout
Wait, what profile am I using?
You can also check which profile (account and role) you are using by running
aws sts get-caller-identity
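As an added example that is not part of the original post, here is a constructed ~/.aws/config laid out the way the post describes its single sso-session and three profiles (the sso_region values and the output format are my assumptions, since the post does not state them), together with a small POSIX sh helper, also mine rather than the post's, that reads a profile's settings back out of the file and only calls aws sso login when an aws sts get-caller-identity probe against that profile fails. The parsing functions run offline against the constructed file; the login helper assumes AWS CLI v2 is installed and on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed ~/.aws/config that
# mirrors the layout described above: one sso-session, three profiles.
# Written to a temp file (or $CONFIG_FILE if set) so the example runs offline.
# sso_region / region / output values are assumptions, not from the post.
CONFIG_FILE="${CONFIG_FILE:-$(mktemp)}"
cat > "$CONFIG_FILE" <<'EOF'
[sso-session your_session_name]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[default]
sso_session = your_session_name
sso_account_id = 123456789000
sso_role_name = FullAccess
region = us-east-1
output = json

[profile read-only]
sso_session = your_session_name
sso_account_id = 123456789000
sso_role_name = ReadOnlyAccess
region = us-east-1

[profile dev-account-admin]
sso_session = your_session_name
sso_account_id = 123456789011
sso_role_name = DevAccess
region = us-east-1
EOF

config_value() {
    # $1 config file, $2 section name exactly as written between the brackets
    # (e.g. "default", "profile read-only", "sso-session your_session_name"),
    # $3 key. Prints the value, or nothing if the section or key is absent.
    # Expects the "key = value" spacing that `aws configure` itself writes.
    awk -v want="[$2]" -v key="$3" '
        /^\[/                   { in_section = ($0 == want); next }
        in_section && $1 == key { print $3; exit }
    ' "$1"
}

profile_value() {
    # $1 config file, $2 profile name, $3 key.
    # The default profile lives in [default]; every other one in [profile NAME].
    if [ "$2" = default ]; then
        config_value "$1" default "$3"
    else
        config_value "$1" "profile $2" "$3"
    fi
}

profile_session() {
    # Which sso-session a profile belongs to (the account+role tuple's parent).
    profile_value "$1" "$2" sso_session
}

sso_login_if_needed() {
    # $1 profile name. Probe the cached token with an identity call; only open
    # the browser login for the profile's sso-session when the probe fails
    # (token expired or never obtained). Prints the caller identity on success
    # so you can confirm the account and role before running anything else.
    profile="$1"
    if aws sts get-caller-identity --profile "$profile" 2>/dev/null; then
        return 0
    fi
    session="$(profile_session "$HOME/.aws/config" "$profile")"
    [ -n "$session" ] || { echo "profile '$profile' has no sso_session" >&2; return 1; }
    aws sso login --sso-session "$session" && aws sts get-caller-identity --profile "$profile"
}
```

Usage from a shell that has sourced the file: `sso_login_if_needed dev-account-admin && aws s3 ls --profile dev-account-admin`. The probe with get-caller-identity is the same check the post recommends for "what profile am I using?"; printing the ARN before running commands guards against the common mistake of running a command under the default (FullAccess) profile when a narrower one was intended.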
I hope this post has helped you to easily get going with the AWS CLI using the IAM Identity Center token provider credentials. In any case, if you want to understand this in more detail (or get lost in the weeds :P), you can refer to the AWS documentation.