DEV Community

drewmullen

AWS Creds in the CLI via SSO

Problem

Do you often need credentials in your AWS CLI?

Are you overly familiar with this screen (AWS SSO start page)?

If you do not have AWS SSO set up, check out the AWS documentation then come back to this post!

A better credential experience

Yesterday I learned from my colleague @danquack a fun feature built into the AWS CLI. If you already have AWS SSO configured for your Org and are using the GUI to get credentials, follow this post and you can expect an improved AWS CLI credential management experience.

My new, simpler process to get temporary creds from SSO:

Specify which profile I want and log in:

$ export AWS_PROFILE=<>
$ aws sso login

Confirm the authorization request in my browser:


Boom! Now my CLI has usable temporary credentials!

Setup

This setup is honestly extremely simple. AWS provides a guided CLI wizard, and I'll show an example run below.

$ aws configure sso
SSO session name (Recommended):
WARNING: Configuring using legacy format (e.g. without an SSO session).
Consider re-running "configure sso" command and providing a session name.
SSO start URL [https://example.awsapps.com/start#/]:
SSO region [us-east-1]:
There are 2 AWS accounts available to you.
> DeveloperAccount, developer-account-admin@example.com (123456789011) 
  ProductionAccount, production-account-admin@example.com (123456789022)
Using the account ID 123456789011
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
CLI default client Region [us-east-1]: us-east-2
CLI default output format [None]:
CLI profile name [AdministratorAccess-<>]: providerdev
  • There are 2 questions regarding region. The first is the region SSO is set up in. The second is the default region you want your CLI to use.
  • The profile name I entered, providerdev, is the value I'll now use for export AWS_PROFILE=providerdev

Once that is complete you can see the configuration:

$ cat ~/.aws/config
[profile providerdev]
sso_start_url = https://example.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = AdministratorAccess
region = us-east-2
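The wizard run above printed a warning that the profile uses the legacy format, which the AWS CLI documentation describes as non-refreshable. As an added example (not from the original post or from AWS), this Python function reads an AWS CLI config and reports SSO profiles that still use the legacy format or that point at an sso-session section that does not exist. The function name, the sample config and the prodreadonly / my-sso / ReadOnlyAccess values are assumptions made for illustration.

```python
import configparser

# Constructed sample: the post's legacy profile plus a made-up sso-session profile.
SAMPLE_CONFIG = """\
[profile providerdev]
sso_start_url = https://example.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = AdministratorAccess
region = us-east-2

[profile prodreadonly]
sso_session = my-sso
sso_account_id = 123456789022
sso_role_name = ReadOnlyAccess

[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start#/
sso_region = us-east-1
"""

def audit_sso_profiles(config_text):
    """Return {profile_name: [findings]} for each SSO-enabled profile."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(config_text)
    report = {}
    for section in cp.sections():
        if section != "default" and not section.startswith("profile "):
            continue  # [sso-session ...] and other sections are not profiles
        name = section.split(" ", 1)[-1].strip()
        prof, findings = cp[section], []
        if "sso_session" in prof:
            # Newer format: the start URL and region live in a shared section.
            target = "sso-session " + prof["sso_session"]
            if not cp.has_section(target):
                findings.append("missing section [%s]" % target)
            else:
                findings += ["[%s] lacks %s" % (target, k)
                             for k in ("sso_start_url", "sso_region")
                             if k not in cp[target]]
        elif "sso_start_url" in prof:
            findings.append("legacy format: no sso_session, token not refreshed")
        else:
            continue  # profile does not use SSO
        if prof.get("sso_role_name") == "AdministratorAccess":
            findings.append("role is AdministratorAccess")
        report[name] = findings
    return report
```

To audit a real machine, pass the contents of ~/.aws/config to audit_sso_profiles; an empty findings list means the profile uses an sso-session section that resolves.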

Summary

AWS SSO is a great service for providing temporary credentials to known identities in your organization. The new command aws sso login will help you and your engineers get credentials quickly, easily, and securely!

Top comments (1)

Darryl Ruggles

So simple but so useful! Thanks!