Hi, I am Agata.
In this article, we will discuss how to use the CLI with AWS Single Sign-On (AWS SSO).
There are two ways to obtain credentials from the SSO user portal or directly from the AWS CLI.
Both of these methods use the CLI with SSO, but I thought they were written in separate places in the AWS documentation and were inaccessible, so I summarized them here.
This one is very simple. Simply configure the settings using the values displayed.
However, an expiration date exists for SSO authentication. (Default is 1 hour and can be extended up to 12 hours by configuration.)
Since authentication is required again after the expiration date, it is recommended to use the system when the use is not frequent and the duration of use is short.
It is easiest because you can just run it straight through the CLI. The list of credentials (in macOS and Linux, export … ), simply paste it into the CLI and execute it.
Setup to write authentication information in ~/.aws/credentials. Paste the credentials into the copied credeitials file.
Set each value to the AWS service client.
This one can be accessed directly from the CLI.
This one has the following advantages over the method accessed from the User Portal, so if you use the CLI frequently, this one is probably better suited for you.
There are automatic and manual configuration methods, but only the automatic configuration method is introduced here.
Execute the following command and enter the SSO start URL and SSO region.
The SSO start URL is the URL of the SSO user portal (such as https://my-sso-portal.awsapps.com/start ).
SSO region is the region where SSO is configured. Note that this is not the region you want to access. If you make a mistake in specifying this, you will get an “Invalid grant provided” error in the step in your browser.
$ aws configure sso SSO start URL [None]: [None]: https://my-sso-portal.awsapps.com/start SSO region [None]:us-east-1
When entered, the following message will appear and the browser will open automatically.
If the browser does not open automatically, open https://device.sso.us-east-1.amazonaws.com/ in your browser and enter the code shown in the message.
Attempting to automatically open the SSO authorization page in your default browser. If the browser does not open or you wish to use a different device to authorize this request, open the following URL: https://device.sso.us-east-1.amazonaws.com/ Then enter the code: XXXX-XXXX
The authentication process proceeds in the browser, and an “Allow” button is displayed on the “Authorize request” screen.
If you click “Allow” and there are no problems, “Request approved” will be displayed. If the SSO region is specified incorrectly, an error message “Invalid grant provided” will appear.
Once the browser has successfully completed the process, return to the CLI.
The CLI will display a list of accessible AWS accounts, which you can select with the arrow keys and press Enter to confirm. If there is only one account in the list, it will be automatically selected and you can proceed.
There are 2 AWS accounts available to you. > DeveloperAccount, email@example.com (123456789011) ProductionAccount, firstname.lastname@example.org (123456789022)
Next, select the IAM role to be used. If there is only one in the list, it will be selected automatically and you can proceed.
Using the account ID 123456789011 There are 2 roles available to you. > ReadOnly FullAccess
Next, set the default client region, default output format, and profile name.
These are the same settings that are normally made when using the CLI.
Note that if the environment variable AWS_PROFILE has been set, the environment variable value is automatically used without asking for the profile name.
CLI default client Region [None]: us-west-2 CLI default output format [None]: json CLI profile name [123456789011_ReadOnly]: my-dev-profile
Finally, the following message is displayed and the configuration is complete.
Let’s execute the command with –profile as shown in the message.
To use this profile, specify the profile name using --profile, as shown: aws s3 ls --profile my-dev-profile