Hi, I am Agata.
In this article, we will discuss how to use the AWS CLI with AWS Single Sign-On (AWS SSO, now called AWS IAM Identity Center).
There are two ways to obtain credentials: from the SSO user portal, or directly from the AWS CLI.
Both methods use the CLI with SSO, but I thought they were written in separate places in the AWS documentation and were hard to find, so I have summarized them here.
Obtaining credentials from the SSO user portal is very simple: you just configure the CLI with the values the portal displays.
However, SSO credentials have an expiration time. (The default is 1 hour; it can be extended up to 12 hours by setting the session duration on the permission set.)
Since you have to authenticate again after they expire, this method is best suited to infrequent use over short periods.
Option 1 is the easiest because you can run it straight through the CLI: the portal shows the credentials as a list of environment-variable assignments (on macOS and Linux, export … ), which you simply paste into the shell and execute.
Option 2 writes the credentials to ~/.aws/credentials: paste the profile block shown on the portal into your credentials file.
Option 3 sets each value individually in the AWS service client (SDK) you are using.
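The following is an added example, not part of the original article, showing how the Option 1 export block can be turned into a named profile in a credentials file instead of living only in the current shell session. The profile name sso-dev, the helper function names and the credential values are all constructed for this example; the credentials are dummies and the file is written to a temporary path rather than the real ~/.aws/credentials.

```shell
#!/bin/sh
# Added example (not from the original article): convert the "export ..." block that
# the SSO user portal shows for Option 1 into a [profile] section of a credentials
# file, so the same temporary credentials can be used with --profile.
# All credential values below are constructed dummies.

# Constructed stand-in for the text copied from the portal (Option 1, macOS/Linux).
PORTAL_EXPORTS='export AWS_ACCESS_KEY_ID="ASIAEXAMPLEKEY000001"
export AWS_SECRET_ACCESS_KEY="exampleSecretKeyDoNotUse0000000000000000"
export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2Vj/EXAMPLE+SESSION/TOKEN"'

# Extract the value of one exported variable from the pasted block.
# Accepts both  export NAME="value"  and  export NAME=value.
sso_export_value() {
    name=$1
    printf '%s\n' "$2" | sed -n "s/^export ${name}=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | head -n 1
}

# Write (or replace) a [profile] section in a credentials-style INI file.
#   $1 = path to credentials file, $2 = profile name, $3 = pasted export block
sso_write_profile() {
    file=$1; profile=$2; block=$3
    key_id=$(sso_export_value AWS_ACCESS_KEY_ID "$block")
    secret=$(sso_export_value AWS_SECRET_ACCESS_KEY "$block")
    token=$(sso_export_value AWS_SESSION_TOKEN "$block")
    # SSO credentials are always temporary, so a missing session token means
    # the paste was incomplete; refuse rather than write a broken profile.
    if [ -z "$key_id" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "sso_write_profile: incomplete credentials block" >&2
        return 1
    fi
    umask 077                       # the file holds secrets: owner-only
    touch "$file"
    # Drop any existing section with the same name, then append the new one.
    awk -v p="[$profile]" '
        $0 == p { skip = 1; next }
        /^\[/   { skip = 0 }
        !skip   { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    {
        printf '[%s]\n' "$profile"
        printf 'aws_access_key_id = %s\n' "$key_id"
        printf 'aws_secret_access_key = %s\n' "$secret"
        printf 'aws_session_token = %s\n' "$token"
    } >> "$file"
}

# Usage: write into a scratch file rather than the real ~/.aws/credentials.
CREDS_FILE=$(mktemp)
sso_write_profile "$CREDS_FILE" sso-dev "$PORTAL_EXPORTS"
cat "$CREDS_FILE"
# Then, for example:
#   AWS_SHARED_CREDENTIALS_FILE="$CREDS_FILE" aws sts get-caller-identity --profile sso-dev
```

Because the portal only hands out temporary credentials, the profile stops working when the session expires and has to be rewritten from a fresh paste; the helper replaces the existing section rather than appending a duplicate so that repeated pastes do not leave stale copies of old secrets in the file.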
The second method obtains credentials directly from the CLI.
It has advantages over the user-portal method (in particular, the CLI refreshes the temporary credentials for you from the cached SSO session instead of making you paste new ones after every expiration), so if you use the CLI frequently, this method is probably the better fit.
There are automatic and manual configuration methods; only the automatic configuration method is introduced here.
Execute the following command and enter the SSO start URL and the SSO region.
The SSO start URL is the URL of the SSO user portal (such as https://my-sso-portal.awsapps.com/start ).
The SSO region is the region in which SSO itself is configured. Note that this is not the region of the resources you want to access. If you specify it incorrectly, you will get an “Invalid grant provided” error in the browser step.
$ aws configure sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1
When entered, the following message will appear and the browser will open automatically.
If the browser does not open automatically, open https://device.sso.us-east-1.amazonaws.com/ in your browser and enter the code shown in the message.
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-east-1.amazonaws.com/
Then enter the code:
XXXX-XXXX
The authentication process proceeds in the browser, and an “Allow” button is displayed on the “Authorize request” screen.
If you click “Allow” and there are no problems, “Request approved” will be displayed. If the SSO region is specified incorrectly, an error message “Invalid grant provided” will appear.
Once the browser has successfully completed the process, return to the CLI.
The CLI will display a list of accessible AWS accounts, which you can select with the arrow keys and press Enter to confirm. If there is only one account in the list, it will be automatically selected and you can proceed.
There are 2 AWS accounts available to you.
> DeveloperAccount, developer-account-admin@example.com (123456789011)
ProductionAccount, production-account-admin@example.com (123456789022)
Next, select the IAM role to be used. If there is only one in the list, it will be selected automatically and you can proceed.
Using the account ID 123456789011
There are 2 roles available to you.
> ReadOnly
FullAccess
Next, set the default client region, default output format, and profile name.
These are the same settings that are normally made when using the CLI.
Note that if the environment variable AWS_PROFILE has been set, the environment variable value is automatically used without asking for the profile name.
CLI default client Region [None]: us-west-2
CLI default output format [None]: json
CLI profile name [123456789011_ReadOnly]: my-dev-profile
Finally, the following message is displayed and the configuration is complete.
Let’s execute a command with --profile as shown in the message.
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile my-dev-profile
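As an added example (not from the original article), the block below shows the profile that the answers given above end up in under ~/.aws/config, and a small helper that checks whether the SSO access token cached under ~/.aws/sso/cache for that profile's start URL is still valid before running a command, calling aws sso login again when it has expired. The directory layout is reproduced in a temporary directory, the cache file name and its token are constructed, and the sso_run / sso_token_valid helper names are this example's own; the real CLI is only invoked in the final usage line.

```shell
#!/bin/sh
# Added example (not from the original article): the profile written by
# `aws configure sso`, plus a helper that re-runs `aws sso login` when the
# cached SSO token has expired. Paths, the cache file name and the sample
# cache entry are constructed for this example; nothing here contacts AWS.

AWS_DIR=$(mktemp -d)                       # stand-in for ~/.aws
mkdir -p "$AWS_DIR/sso/cache"

# What `aws configure sso` stores for the answers given in the article
# (single-profile layout; newer CLI versions also write an [sso-session] block).
cat > "$AWS_DIR/config" <<'EOF'
[profile my-dev-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = ReadOnly
region = us-west-2
output = json
EOF

# Constructed cache entry in the shape the CLI keeps under ~/.aws/sso/cache/:
# the access token plus an expiresAt timestamp in UTC. The token is fake.
cat > "$AWS_DIR/sso/cache/example.json" <<'EOF'
{"startUrl": "https://my-sso-portal.awsapps.com/start", "region": "us-east-1", "accessToken": "eyJraWQiOiJrZXktMSJ9.FAKE", "expiresAt": "2021-01-01T00:00:00Z"}
EOF

# Read one key from a [profile NAME] section of a config file.
#   $1 = config file, $2 = profile name, $3 = key
sso_config_get() {
    awk -v hdr="[profile $2]" -v key="$3" '
        $0 == hdr            { in_sec = 1; next }
        /^\[/                { in_sec = 0 }
        in_sec && $1 == key  { print $3; exit }
    ' "$1"
}

# Extract expiresAt from a single-line cache JSON file.
sso_cache_expires_at() {
    sed -n 's/.*"expiresAt": *"\([^"]*\)".*/\1/p' "$1"
}

# Return 0 (true) if some cache file holds an unexpired token for START_URL.
#   $1 = cache dir, $2 = start URL, $3 = "now" as YYYY-MM-DDTHH:MM:SSZ (UTC)
# Both timestamps use the same zero-padded ISO-8601 UTC layout, so a plain
# string comparison orders them correctly.
sso_token_valid() {
    dir=$1; url=$2; now=$3
    for f in "$dir"/*.json; do
        [ -f "$f" ] || continue
        grep -q "\"startUrl\": *\"$url\"" "$f" || continue
        exp=$(sso_cache_expires_at "$f")
        [ -n "$exp" ] || continue
        if awk -v a="$now" -v b="$exp" 'BEGIN { exit !(a < b) }'; then
            return 0
        fi
    done
    return 1
}

# Run an aws command under a profile, logging in first if the token is gone.
sso_run() {
    profile=$1; shift
    url=$(sso_config_get "$AWS_DIR/config" "$profile" sso_start_url)
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if ! sso_token_valid "$AWS_DIR/sso/cache" "$url" "$now"; then
        echo "SSO token for $profile expired or missing; logging in" >&2
        aws sso login --profile "$profile" || return 1
    fi
    aws --profile "$profile" "$@"
}

# Usage (needs the real CLI, a browser and AWS_DIR pointed at ~/.aws):
#   sso_run my-dev-profile s3 ls
```

The cached token is what the CLI uses to mint role credentials for the profile; once it passes expiresAt, aws sso login --profile my-dev-profile repeats the browser authorization without re-running aws configure sso, and aws sso logout removes the cached token when you are done on a shared machine.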