This is not a comprehensive post on setting up AWS SSO access, but for simple use cases using AWS Identity Center it will give you a rough idea of the process.

To set up AWS SSO (assuming you have root or close to it on an existing AWS account), navigate to the AWS service IAM Identity Center and:

Create an AWS Account and Organization. In my experience, if an AWS account is not associated with an AWS Organization, you won’t be able to assign permission sets or create users for that account, and the SSO setup will be very limited. I suggest creating an organization if you don’t already have one.

Assign Permission Set(s) to the account – defining what the SSO account can do.

Create a User and assign an account to that user – users who log in will be given a choice of accounts (they may have more than one choice).

Note your “SSO start URL” – it is used for both console and command line SSO access. You can always find your existing “Start URL” by going to “Identity Center” (AWS).

If you would like to configure AWS SSO for the command line after you have gone through the setup above:

Make sure you have AWS CLI V2 installed:

aws --version
aws-cli/2.15.36 Python/3.11.8...

Configure SSO

aws configure sso

Running the command above will ask you a series of questions: your Start URL (available from Identity Center), the region, the account you want to SSO to, and the AWS profile name you want to store your SSO credentials under. Naming your profile something meaningful will help you, but you can always print the contents of .aws/config to see what you have already set up if you forget.

Once this is complete, you can begin an SSO session for the command line by doing the following. Note: a token is usually provided for an hour or more, depending on how you set it up in the aws configure sso step above.

aws sso login --profile <your SSO profile>

Once a token is allocated/provided, issuing an AWS CLI command is simply:

aws <command> --profile <your SSO profile>, e.g.

aws s3 ls --profile myssoprofile

You can display how a particular profile is configured with:

aws configure list --profile <yourProfileName>
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile              lxxxxxxx_xc           manual    --profile
access_key     ****************WDOO              sso
secret_key     ****************rMAq              sso
    region                us-east-1      config-file    ~/.aws/config
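
To see which profiles in .aws/config are set up for SSO and whether their cached login token is still valid, without calling AWS, the following added example (not part of the original post) reads the config file and the CLI's token cache. It assumes the AWS CLI v2 layout: sso_* keys in ~/.aws/config and JSON files with startUrl, accessToken and expiresAt in ~/.aws/sso/cache; the URL, account ID and token inside demo() are constructed placeholders.

```python
import configparser, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sso_profiles(config_path):
    """Map each SSO profile name to its start URL (own key or its [sso-session] section)."""
    cp = configparser.RawConfigParser()
    cp.read(config_path)
    found = {}
    for section in cp.sections():
        prof = cp[section]
        if "sso_account_id" not in prof:
            continue  # plain profile, or an [sso-session ...] section itself
        sess = "sso-session " + prof.get("sso_session", "")
        src = cp[sess] if cp.has_section(sess) else prof
        found[section.removeprefix("profile ")] = src.get("sso_start_url")
    return found

def token_expiry(cache_dir, start_url):
    """Latest expiry among cached tokens for start_url, or None if none is cached."""
    latest = None
    for path in Path(cache_dir).glob("*.json"):
        try:
            doc = json.loads(path.read_text())
            if doc.get("startUrl") != start_url or "accessToken" not in doc:
                continue  # client registration file, or a token for another portal
            stamp = doc["expiresAt"].replace("UTC", "Z")  # older CLIs wrote "...UTC"
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except (OSError, ValueError, KeyError, AttributeError):
            continue  # unreadable or unexpected file: ignore it
        latest = when if latest is None or when > latest else latest
    return latest

def login_status(config_path, cache_dir, now=None):
    """Return {profile: 'valid' | 'expired' | 'no token'}; never prints the token."""
    now = now or datetime.now(timezone.utc)
    def state(exp):
        return "no token" if exp is None else "valid" if exp > now else "expired"
    return {name: state(token_expiry(cache_dir, url))
            for name, url in sso_profiles(config_path).items()}

def demo(now):
    """Run login_status over constructed files (placeholder URL, account ID, token)."""
    d, url = Path(tempfile.mkdtemp()), "https://example.awsapps.com/start"
    (d / "config").write_text("[profile myssoprofile]\nsso_session = s\n"
                              f"sso_account_id = 111122223333\n[sso-session s]\nsso_start_url = {url}\n")
    tok = {"startUrl": url, "accessToken": "constructed", "expiresAt": "2024-04-10T12:00:00Z"}
    (d / "token.json").write_text(json.dumps(tok))
    return login_status(d / "config", d, now)
```

Against a real setup, call login_status(Path.home() / ".aws" / "config", Path.home() / ".aws" / "sso" / "cache") and run aws sso login --profile <name> for any profile reported as expired or no token.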