• Recent blogs

    How to Configure the AWS CLI to use AWS Single Sign-On

     If your organization uses AWS Single Sign-On (AWS SSO), your users can sign in to Active Directory, a built-in AWS SSO directory, or another iDP connected to AWS SSO and get mapped to an AWS Identity and Access Management (IAM) role that enables you to run AWS CLI commands.

    This topic describes how to configure the AWS CLI to authenticate the user with AWS SSO to get short-term credentials to run AWS CLI commands. It includes the following sections:

    Configuring a named profile to use AWS SSO

    You can configure one or more of your AWS CLI named profiles to use a role from AWS SSO.

    You can configure the profile in the following ways:

    • Automatically, using the command aws configure sso

    • Manually, by editing the .aws/config file that stores the named profiles.

    Automatic configuration

    You can add an AWS SSO enabled profile to your AWS CLI by running the following command, providing your AWS SSO start URL and the AWS Region that hosts the AWS SSO directory.

    $ aws configure sso SSO start URL [None]: [None]: https://my-sso-portal.awsapps.com/start SSO region [None]:us-east-1

    The AWS CLI attempts to open your default browser and begin the login process for your AWS SSO account.

    SSO authorization page has automatically been opened in your default browser. Follow the instructions in the browser to complete this authorization request.
    aws sso login
    AWS SSO Login

    If the AWS CLI cannot open the browser, the following message appears with instructions on how to manually start the login process.

    Using a browser, open the following URL: https://my-sso-portal.awsapps.com/verify and enter the following code: QCFK-N451

    AWS SSO uses the code to associate the AWS SSO session with your current AWS CLI session. The AWS SSO browser page prompts you to sign in with your AWS SSO account credentials. This enables the AWS CLI (through the permissions associated with your AWS SSO account) to retrieve and display the AWS accounts and roles that you are authorized to use with AWS SSO.

    Next, the AWS CLI displays the AWS accounts available for you to use. If you are authorized to use only one account, the AWS CLI selects that account for you automatically and skips the prompt. The AWS accounts that are available for you to use are determined by your user configuration in AWS SSO.

    There are 2 AWS accounts available to you.
    > DeveloperAccount, developer-account-admin@example.com (123456789011) 
      ProductionAccount, production-account-admin@example.com (123456789022)

    Use the arrow keys to select the account you want to use with this profile. The ">" character on the left points to the current choice. Press ENTER to make your selection.

    Next, the AWS CLI confirms your account choice, and displays the IAM roles that are available to you in the selected account. If the selected account lists only one role, the AWS CLI selects that role for you automatically and skips the prompt. The roles that are available for you to use are determined by your user configuration in AWS SSO.

    Using the account ID 123456789011 There are 2 roles available to you. > ReadOnly FullAccess

    As before, use the arrow keys to select the IAM role you want to use with this profile. The ">" character on the left points to the current choice. Press <ENTER> to make your selection.

    The AWS CLI confirms your role selection.

    Using the role name "ReadOnly"

    Now you can finish the configuration of your profile, by specifying the default output format, the default AWS Region to send commands to, and providing a name for the profile so you can reference this profile from among all those defined on the local computer. In the following example, the user enters a default Region, default output format, and the name of the profile. You can alternatively press <ENTER> to select any default values that are shown between the square brackets. The suggested profile name is the account ID number followed by an underscore followed by the role name.

    CLI default client Region [None]: us-west-2<ENTER> CLI default output format [None]: json<ENTER> CLI profile name [123456789011_ReadOnly]: my-dev-profile<ENTER>
    A final message describes the completed profile configuration.

    AWS SSO Access granted
    AWS SSO Access granted

    Test the Access in CLI:

    To use this profile, specify the profile name using --profile, as shown:

    aws s3 ls --profile my-dev-profile

    The previous example entries would result in a named profile in ~/.aws/config that looks like the following example.

    [profile my-dev-profile] sso_start_url = https://my-sso-portal.awsapps.com/start sso_region = us-east-1 sso_account_id = 123456789011 sso_role_name = readOnly region = us-west-2 output = json

    Signing out of your AWS SSO sessions

    When you are done using your AWS SSO enabled profiles, you can choose to do nothing and let the AWS temporary credentials and your AWS SSO credentials expire. However, you can also choose to run the following command to immediately delete all cached credentials in the SSO credential cache folder and all AWS temporary credentials that were based on the AWS SSO credentials. This makes those credentials unavailable to be used for any future command.

    $ aws sso logout Successfully signed out of all SSO profiles.

    No comments