How to set up AWS CLI with AWS SSO
Prerequisite
Setup AWS SSO with an IDP
Install AWS CLI (v2)
Configure an SSO Profile
The aws configure command creates a new profile in ~/.aws/config with long-lived access keys. The aws configure sso command instead creates a new SSO profile. Running aws configure sso will prompt you as follows:
ep@macbook-pro-73 aws % aws configure sso
# This is the URL that you defined when you set up AWS SSO
SSO start URL [None]: https://your-url.awsapps.com/start
# This is the region that you enabled AWS SSO in
SSO Region [None]: us-east-1
# This step will take you to the browser, where you will have to click login and allow
# This will prompt you to choose one of the accounts available to you
There are 6 AWS accounts available to you.
Using the account ID xxxxxxxxxxxx
# This will prompt you to choose one of the roles available to you in this account
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
# Optional: you can choose a default region
CLI default client Region [None]:
# Optional: you can choose a default output format. You can skip this to use the default
CLI default output format [None]:
# Here pick a name that you will later use as an alias for this account in the --profile argument
CLI profile name [AdministratorAccess-345990386405]: cq-dev-admin
You now have a profile named cq-dev-admin; to test it, run the following command:
aws s3 ls --profile cq-dev-admin
## will output the S3 buckets available in that account
Configure Multiple SSO Profiles
To configure multiple SSO profiles, ~/.aws/config should look something like the following:
[profile profile-name-1]
sso_start_url = https://xxxxxx.awsapps.com/start
sso_region = us-east-1
sso_account_id = yyyyyyy
sso_role_name = AdministratorAccess
[profile profile-name-2]
sso_start_url = https://xxxxxx.awsapps.com/start
sso_region = us-east-1
sso_account_id = yyyyyyy
sso_role_name = AdministratorAccess
region = eu-central-1
You only need to log in once for all profiles (as long as their sso_start_url and sso_region are the same) with the following command:
aws sso login --profile profile-name-1
After that, the other profiles sharing that SSO session work without another login:
aws s3 ls --profile profile-name-2
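As an added example (not the post's own code), the following script parses an AWS CLI config file in the format shown above and works out the minimal set of aws sso login commands: one per distinct (sso_start_url, sso_region) pair, because profiles that share those two values share one SSO session. The sample config, profile names, org names and account IDs are constructed placeholders, and awk is assumed to be available.

```shell
# Added example, not the post's own code: list the `aws sso login` calls needed
# to cover every SSO profile in an AWS CLI config file. Profiles sharing
# sso_start_url and sso_region share one session, so one login per pair suffices.
set -eu

# Print "start_url region profile" for each profile with an sso_start_url.
# A trailing slash on the URL is dropped so ".../start" and ".../start/" match.
list_sso_profiles() {
  awk '
    function flush() {
      if (name != "" && url != "") print url, region, name
      name = ""; url = ""; region = ""
    }
    /^\[profile / { flush(); name = $2; sub(/\]$/, "", name); next }
    /^\[/ { flush(); next }
    /^sso_start_url[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/\/$/, ""); url = $0 }
    /^sso_region[ \t]*=/    { sub(/^[^=]*=[ \t]*/, ""); region = $0 }
    END { flush() }
  ' "$1"
}

# One profile per distinct (sso_start_url, sso_region) pair, first seen wins.
login_profiles_needed() {
  list_sso_profiles "$1" | awk '!seen[$1, $2]++ { print $3 }'
}

# Constructed sample standing in for ~/.aws/config (placeholder names and IDs).
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
[profile dev-admin]
sso_start_url = https://example-org.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
[profile dev-readonly]
sso_start_url = https://example-org.awsapps.com/start/
sso_region = us-east-1
sso_account_id = 222222222222
sso_role_name = ReadOnlyAccess
region = eu-central-1
[profile other-org]
sso_start_url = https://other-org.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 333333333333
sso_role_name = ReadOnlyAccess
[profile legacy-keys]
region = us-east-1
EOF
# Prints two commands for this sample; run on ~/.aws/config and pipe into sh.
login_profiles_needed "$SAMPLE_CONFIG" | sed 's/^/aws sso login --profile /'
```

The legacy-keys profile has no sso_start_url and is skipped, so profiles still using static access keys never appear in the login plan.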
Logging out
You can log out with aws sso logout, but this will probably not be necessary most of the time, as the credentials expire every hour or so (or after a maximum of 12 hours, depending on the session duration your admin defined), so most probably you will have to re-run aws sso login --profile profile-name-1 once a day or so.
Summary
- Centralized Access Management: Easily manage SSO access to multiple AWS accounts with CloudQuery’s intuitive CLI interface.
- Seamless Integration: Connect AWS SSO with CloudQuery for smooth data querying and management without constantly handling short-lived credentials.
- Enhanced Security: Utilize temporary SSO credentials in conjunction with CloudQuery to maintain secure access to your cloud resources.
- Developer-Friendly Tools: Benefit from CloudQuery’s robust set of tools that simplify data extraction, transformation, and loading (ETL) processes directly from your AWS environment.
Written by Yevgeny Pats
Yevgeny Pats is the Co-Founder & CEO at CloudQuery. Prior to establishing CloudQuery, he successfully founded and exited other startups. He has a background in software engineering and cybersecurity.