AWS SSO makes it easy to centrally manage SSO access to multiple AWS accounts, moves authentication to the IdP (Identity Provider), and removes the need to manage static, long-lived credentials.
The AWS CLI added support for SSO in late 2019, so you can use it seamlessly in your developer workflow from the CLI without going to the developer portal every time and pasting short-lived credentials into the console.
The first step is to have AWS SSO set up and configured. This should be done by someone with the right admin permissions on both the IdP and AWS. Check out how to set up AWS SSO with G Suite as IdP.
On your local machine, if you don’t already have it, install AWS CLI v2.
Similar to the aws configure command, which creates a new profile in ~/.aws/config with long-lived access keys, the aws configure sso command creates a new SSO profile.
aws configure sso will prompt you for:
That’s it, you have configured a new profile (in this case named cq-dev-admin); to test it, run the following command:
It is common to have multiple accounts available to you via SSO, and the neat thing is that you only need to log in once to any of those accounts and you can then use any of them in the CLI. The only thing you need to do is add the additional profiles, either manually (which will probably be faster) or through the interactive CLI. In either case, your ~/.aws/config should look something like the following:
Once you have logged in with any of those profiles (as long as the sso_start_url and sso_region are the same) using the following command:
you can also run commands with the other profiles without logging in to each of them specifically!
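To make that "one login per portal" rule concrete, here is an added example (not code from the original post or from CloudQuery; the profile names, account ids and start URLs in the sample config are constructed). It parses the SSO profiles out of a config file in the ~/.aws/config format and groups them by (sso_start_url, sso_region), which tells you exactly which profiles are covered by a single aws sso login:

```python
import configparser
from collections import defaultdict

# Constructed sample of ~/.aws/config (profile names, account ids and URLs are
# illustrative): two profiles share one portal, the third uses a different one.
SAMPLE_CONFIG = """
[profile cq-dev-admin]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = AdministratorAccess

[profile cq-prod-readonly]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 222222222222
sso_role_name = ReadOnlyAccess

[profile other-org]
sso_start_url = https://other.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 333333333333
sso_role_name = ReadOnlyAccess
"""

# The four keys an SSO profile needs; a profile missing any of them is a misconfiguration.
REQUIRED = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

def sso_profiles(config_text):
    """Map profile name -> settings for every [profile X] section that has all four sso_* keys."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        if not section.startswith("profile "):
            continue  # skip [default] and any non-profile sections
        name = section[len("profile "):]
        settings = dict(parser[section])
        missing = [k for k in REQUIRED if k not in settings]
        if missing:
            raise ValueError(f"profile {name} is missing {missing}")
        profiles[name] = settings
    return profiles

def login_groups(profiles):
    """Group profile names by (sso_start_url, sso_region): one aws sso login covers a whole group."""
    groups = defaultdict(list)
    for name, s in profiles.items():
        groups[(s["sso_start_url"], s["sso_region"])].append(name)
    return dict(groups)
```

Running login_groups(sso_profiles(open("~/.aws/config").read())) on a real file shows that cq-dev-admin and cq-prod-readonly share one session while other-org needs its own login.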
You can also log out and clear the temporary credentials with aws sso logout, but this will probably not be necessary most of the time, as they expire every hour or so (or after a maximum of 12 hours, depending on the session duration your admin defined), so most probably you will have to re-run aws sso login --profile profile-name-1 once a day or so.
If you are using AWS SSO (and you probably should :) ), you can definitely enjoy the smooth integration and developer experience with the AWS CLI.
If you are a CloudQuery user, you can also use your temporary SSO credentials with CloudQuery seamlessly by specifying AWS_PROFILE=your-sso-profile-name.