DEV Community

Rafael Sales

Generating ~/.aws/credentials through AWS SSO via CLI

1. Configure AWS SSO via CLI

```
$ aws configure sso
SSO start URL [None]:
SSO Region [None]: us-east-1
The only AWS account available to you is: 43294231752
Using the account ID 43294231752
The only role available to you is: DeveloperAccess
Using the role name "DeveloperAccess"
CLI default client Region [None]: us-east-1
CLI default output format [None]: json
CLI profile name [DeveloperAccess-43294231752]: mycompany
```

2. Find your role ARN

```
$ aws iam list-roles --profile mycompany
{
  "Roles": [
    {
      "Path": "/aws-reserved/",
      "RoleName": "AWSReservedSSO_DeveloperAccess_d76dgf87km13mb",
      "RoleId": "D67DSAUSNJ3491KM",
      "Arn": "arn:aws:iam::43294231752:role/aws-reserved/",
      ...
    },
    ...
  ]
}
```

To find the role in the list, look for a RoleName containing the permission set name you saw in step 1 ("DeveloperAccess" in this case). Roles created by AWS SSO are named AWSReservedSSO_<permission set>_<suffix> and live under the /aws-reserved/ path, so `aws iam list-roles --profile mycompany --path-prefix /aws-reserved/` narrows the listing to just those. The value you need in the next step is that entry's "Arn" (the listing above is abbreviated).

3. Try fetching the credentials using the Arn above

```
$ aws sts assume-role \
  --profile mycompany \
  --role-session-name YourNameHere \
  --role-arn arn:aws:iam::43294231752:role/aws-reserved/
```

You should get a response like this:

```json
{
    "Credentials": {
        "AccessKeyId": "...",
        "SecretAccessKey": "...",
        "SessionToken": "...",
        "Expiration": "2020-06-06T16:48:03+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "...",
        "Arn": "..."
    }
}
```

4. Create a script to generate ~/.aws/credentials

I like to name this script
Also make sure to adjust the two variables at the top of the script: the CLI profile you created in step 1 and the full role ARN from step 2.


```bash
#!/usr/bin/env bash
# This script generates AWS Programmatic Access credentials from a user authenticated via SSO
# Before using, make sure that the AWS SSO is configured in your CLI: `aws configure sso`
# The Role ARN can be found in the AWS Console -> IAM -> Roles or via AWS CLI -> `aws iam list-roles`
set -eu

# Adjust these: the profile created by `aws configure sso` and the full Arn of the AWSReservedSSO_* role
profile="mycompany"
role_arn="arn:aws:iam::43294231752:role/aws-reserved/..."

# RoleSessionName only allows [A-Za-z0-9_+=,.@-], so replace anything else in the git user name with '-'
user_name=$(git config user.name | sed 's/[^A-Za-z0-9_+=,.@-]/-/g')

request_credentials() {
    aws sts assume-role \
      --profile "$profile" \
      --role-arn "$role_arn" \
      --role-session-name "$user_name"
}

# First attempt; if it fails (typically an expired SSO session), log in again and retry once
if ! credentials=$(request_credentials 2>/dev/null); then
  aws sso login --profile "$profile"
  credentials=$(request_credentials) || exit 1
fi

access_key_id=$(echo "$credentials" | perl -n -e'/"AccessKeyId": "([^,]+)"/ && print $1')
secret_key_id=$(echo "$credentials" | perl -n -e'/"SecretAccessKey": "([^,]+)"/ && print $1')
session_token=$(echo "$credentials" | perl -n -e'/"SessionToken": "([^,]+)"/ && print $1')

# `aws configure set` writes these three keys into ~/.aws/credentials under [$profile]
aws configure set --profile "$profile" aws_access_key_id "$access_key_id"
aws configure set --profile "$profile" aws_secret_access_key "$secret_key_id"
aws configure set --profile "$profile" aws_session_token "$session_token"
```

5. Testing

```
$ ./

$ cat ~/.aws/credentials
[mycompany]
aws_access_key_id = ...
aws_secret_access_key = ...
aws_session_token = ...
```

These are temporary credentials: once the Expiration returned by assume-role has passed, rerun the script to refresh them. Anything that reads ~/.aws/credentials (SDKs, third-party tools) now picks them up from the [mycompany] section, so keep the file readable only by you.
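
The script above can only be exercised against a real AWS account. The following is an added example, not code from the post, that splits the same flow so that everything except the AWS call can be run offline: `sanitize_session_name` applies the RoleSessionName character rules to a git user name, `json_field` pulls one field out of the assume-role response, `write_profile` replaces (rather than duplicates) the `[profile]` section of a credentials file, and `fetch_credentials` is the one function that calls the AWS CLI, with the same login-and-retry logic as the post. It assumes bash (or a POSIX sh with `local`), sed and awk, and writes the INI section itself instead of calling `aws configure set`. The function names and the sample response are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not the post's script): the same refresh flow split so that only
# fetch_credentials talks to AWS and everything else can be run offline.
#   sanitize_session_name  apply the RoleSessionName character rules to a git user name
#   json_field             pull one string field out of the assume-role JSON response
#   write_profile          replace or append a [profile] section in a credentials file
#   refresh_profile        parse a response and write it; prints the Expiration
set -eu

# RoleSessionName must match [\w+=,.@-]{2,64}. Anything else becomes '-', the result is
# cut to 64 characters, and a name shorter than 2 characters is padded.
sanitize_session_name() {
    local cleaned
    cleaned=$(printf '%s' "$1" | LC_ALL=C sed 's/[^A-Za-z0-9_+=,.@-]/-/g' | cut -c1-64)
    [ "${#cleaned}" -ge 2 ] || cleaned="${cleaned}-sso"
    printf '%s' "$cleaned"
}

# json_field JSON KEY: print the value of "KEY": "value". STS values never contain a
# double quote, so [^"]* is exact even for session tokens, which do contain + / and =.
# Works on pretty-printed (one field per line) and single-line JSON alike.
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p"
}

# write_profile FILE NAME KEY_ID SECRET TOKEN: rewrite FILE so that [NAME] holds exactly
# these three keys. A previous [NAME] section is dropped, other sections are kept as is,
# and the file is created with mode 600 because it holds plaintext credentials.
write_profile() {
    local file="$1" name="$2" key_id="$3" secret="$4" token="$5" tmp
    tmp=$(mktemp)
    if [ -f "$file" ]; then
        awk -v s="[$name]" '
            $0 == s    { skip = 1; next }   # header of the section being replaced
            /^\[.*\]$/ { skip = 0 }         # any other header ends the skipped region
            !skip      { print }
        ' "$file" > "$tmp"
    fi
    {
        printf '[%s]\n' "$name"
        printf 'aws_access_key_id = %s\n' "$key_id"
        printf 'aws_secret_access_key = %s\n' "$secret"
        printf 'aws_session_token = %s\n' "$token"
    } >> "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$file"
}

# fetch_credentials PROFILE ROLE_ARN SESSION_NAME: the only function that calls the AWS
# CLI. As in the post, a failed assume-role triggers `aws sso login` and one retry.
fetch_credentials() {
    local profile="$1" role_arn="$2" session_name="$3" out
    if ! out=$(aws sts assume-role --profile "$profile" --role-arn "$role_arn" \
                 --role-session-name "$session_name" 2>/dev/null); then
        aws sso login --profile "$profile"
        out=$(aws sts assume-role --profile "$profile" --role-arn "$role_arn" \
                 --role-session-name "$session_name")
    fi
    printf '%s' "$out"
}

# refresh_profile FILE PROFILE JSON: parse an assume-role response into FILE's [PROFILE]
# section. Refuses to write a partial section, and prints the Expiration for logging.
refresh_profile() {
    local file="$1" profile="$2" json="$3" key_id secret token
    key_id=$(json_field "$json" AccessKeyId)
    secret=$(json_field "$json" SecretAccessKey)
    token=$(json_field "$json" SessionToken)
    if [ -z "$key_id" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "could not parse credentials from assume-role output" >&2
        return 1
    fi
    write_profile "$file" "$profile" "$key_id" "$secret" "$token"
    json_field "$json" Expiration
}

# Constructed sample response in the shape `aws sts assume-role` prints; the values are
# not real credentials.
SAMPLE_RESPONSE='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEBYaDEXAMPLE+TOKEN/WITH=CHARS==",
        "Expiration": "2020-06-06T16:48:03+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:Rafael-Sales",
        "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_DeveloperAccess_example/Rafael-Sales"
    }
}'

# Real usage (needs the AWS CLI and an SSO-configured profile; not run here):
# refresh_profile ~/.aws/credentials mycompany "$(fetch_credentials mycompany "$role_arn" \
#     "$(sanitize_session_name "$(git config user.name)")")"
```

Because `write_profile` drops the old `[profile]` section before appending the new one, the script is safe to run from cron or a shell alias every hour without the credentials file growing; the `chmod 600` matters because the session token is a bearer credential for as long as it is valid.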

Top comments (4)

Alessandro Gaggia

Hi, good solution. We did something similar because we wanted to use AWS SSO and third party tools as well as SDKs together. We generate temporary credentials starting from Accounts and Roles retrieved from AWS SSO, then we save these temporary credentials in ~/.aws/credentials. Here is the link to github if you'd like to check it out and give some feedback.


Rafael Sales

Hey Alessandro,
Man, that's a really nice tool - I'll definitely start using it!
Thanks for sharing

Lars Fronius

FYI: Any of the workarounds that continue to use the implicit trust behaviour of SSO created roles don't work anymore with new roles and will stop working by 15th of February 2023 due to

Remi Gabillet

Thank you Rafael, this works beautifully!