How to setup AWS CLI with AWS SSO
January 4, 2022
AWS SSO makes it easy to centrally manage SSO Access to multiple AWS accounts, moves the authentication to the IdP (Identity Provider) and removes the need for managing static, long-lived credentials.
AWS CLI added support for SSO late 2019 (opens in a new tab) so you can use it seamlessly in your developer workflow from the CLI without going to the developers portal every time and paste short-lived credentials to the console.
The first step is to have AWS SSO setup and configured. This should be done by someone with the right admin access permissions to both the IdP and AWS. Check out how to set up AWS SSO with G Suite as IDP (opens in a new tab).
On your local machine, if you don’t already have it, install AWS CLI v2 (opens in a new tab).
Similar to the
aws configure command that creates a new profile in
~/.aws/config with long-lived access keys
aws configure sso command creates a new SSO profile.
aws configure sso will prompt you for:
ep@macbook-pro-73 aws % aws configure sso # This is the URL that you defined when you setup the AWS SSO start URL [None]: [https://your-url.awsapps.com/start](https://your-url.awsapps.com/start) # This is the region that you enabled AWS SSO in SSO Region [None]: us-east-1 # This step will take you to the browser and you will have to click login and allow
# This will suggest to choose an account from which are available to you There are 6 AWS accounts available to you. Using the account ID xxxxxxxxxxxx # This will suggest a role available to you for this account The only role available to you is: AdministratorAccess Using the role name "AdministratorAccess" # Optional: you can choose a default region CLI default client Region [None]: # Optional: you can choose a default output form. You can skip this to use the default CLI default output format [None]: # Here pick a name that you will be able to use later as an alias for this account for –profile argument CLI profile name [AdministratorAccess-345990386405]: cq-dev-admin
That’s it you configured a new profile (in that case named
cq-dev-admin) and to test it run the following command:
aws s3 ls --profile cq-dev-admin ## wil output available s3 buckets
It is common to have multiple accounts available to you via SSO and the neat thing is that you only need to login once to any of those accounts and you can use any of them in the CLI. The only thing that you will need to do is to add the additional profiles either manually (which will probably be faster) or through the interactive CLI. In either your
~/.aws/config should look something like the following:
[profile profile-name-1] sso_start_url = https://xxxxxx.awsapps.com/start sso_region = us-east-1 sso_account_id = yyyyyyy sso_role_name = AdministratorAccess [profile profile-name-1] sso_start_url = https://xxxxxx.awsapps.com/start/ sso_region = us-east-1 sso_account_id = yyyyyyy sso_role_name = AdministratorAccess region = eu-central-1
Once you logged in with any of those profiles (as long as the
sso_region are the same) with the following command:
aws sso login --profile profile-name-1
you can run also without logging in specifically to other profiles!
aws s3 ls --profile profile-name-2
You can also logout and clear the temporary credentials with
aws sso logout but this will probably not be necessary most of the time as they expire every hour or so (or a maximum of 12 hours depending on what you admin defined (opens in a new tab) as session duration) so most probably you will have to re-run
aws sso login --profile profile-name-1 once a day or so.
If you are using AWS SSO (you probably should :) ) you can definitely enjoy the smooth integration and developer experience with the AWS CLI.
If you are a CloudQuery user you can also enjoy using your temporary SSO credentials in conjunction with CloudQuery seamlessly by specifying AWS_PROFILE=your-sso-profile-name.