How to Configure the AWS CLI to use AWS Single Sign-On
If your organization uses AWS Single Sign-On (AWS SSO), your users can sign in to Active Directory, a built-in AWS SSO directory, or another IdP connected to AWS SSO and get mapped to an AWS Identity and Access Management (IAM) role that lets them run AWS CLI commands.
This topic describes how to configure the AWS CLI to authenticate the user with AWS SSO to get short-term credentials to run AWS CLI commands. It includes the following sections:
Configuring a named profile to use AWS SSO - How to create and configure profiles that use AWS SSO for authentication and mapping to an IAM role for AWS permissions.
Using an AWS SSO enabled named profile - how to log in to AWS SSO from the CLI and use the provided AWS temporary credentials to run AWS CLI commands.
Configuring a named profile to use AWS SSO
You can configure one or more of your AWS CLI named profiles to use a role from AWS SSO.
You can configure the profile in the following ways:
Automatically, using the command aws configure sso.
Manually, by editing the .aws/config file that stores the named profiles.
Automatic configuration
You can add an AWS SSO enabled profile to your AWS CLI by running the following command, providing your AWS SSO start URL and the AWS Region that hosts the AWS SSO directory.
$ aws configure sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1
The AWS CLI attempts to open your default browser and begin the login process for your AWS SSO account.
SSO authorization page has automatically been opened in your default browser. Follow the instructions in the browser to complete this authorization request.
AWS SSO Login |
If the AWS CLI cannot open the browser, the following message appears with instructions on how to manually start the login process.
Using a browser, open the following URL:
https://my-sso-portal.awsapps.com/verify
and enter the following code:
QCFK-N451
AWS SSO uses the code to associate the AWS SSO session with your current AWS CLI session. The AWS SSO browser page prompts you to sign in with your AWS SSO account credentials. This enables the AWS CLI (through the permissions associated with your AWS SSO account) to retrieve and display the AWS accounts and roles that you are authorized to use with AWS SSO.
Next, the AWS CLI displays the AWS accounts available for you to use. If you are authorized to use only one account, the AWS CLI selects that account for you automatically and skips the prompt. The AWS accounts that are available for you to use are determined by your user configuration in AWS SSO.
There are 2 AWS accounts available to you.
> DeveloperAccount, developer-account-admin@example.com (123456789011)
  ProductionAccount, production-account-admin@example.com (123456789022)
Use the arrow keys to select the account you want to use with this profile. The ">" character on the left points to the current choice. Press ENTER to make your selection.
Next, the AWS CLI confirms your account choice, and displays the IAM roles that are available to you in the selected account. If the selected account lists only one role, the AWS CLI selects that role for you automatically and skips the prompt. The roles that are available for you to use are determined by your user configuration in AWS SSO.
Using the account ID 123456789011
There are 2 roles available to you.
> ReadOnly
  FullAccess
As before, use the arrow keys to select the IAM role you want to use with this profile. The ">" character on the left points to the current choice. Press <ENTER> to make your selection.
The AWS CLI confirms your role selection.
Using the role name "ReadOnly"
Now you can finish the configuration of your profile by specifying the default output format, the default AWS Region to send commands to, and a name for the profile so you can reference it from among all those defined on the local computer. In the following example, the user enters a default Region, default output format, and the name of the profile. You can alternatively press <ENTER> to accept any default values that are shown between the square brackets. The suggested profile name is the account ID number followed by an underscore followed by the role name.
CLI default client Region [None]: us-west-2<ENTER>
CLI default output format [None]: json<ENTER>
CLI profile name [123456789011_ReadOnly]: my-dev-profile<ENTER>
AWS SSO Access granted |
Test the access in the CLI:
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile my-dev-profile
The previous example entries would result in a named profile in ~/.aws/config that looks like the following example.
[profile my-dev-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = ReadOnly
region = us-west-2
output = json
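Because the CLI only uses the profile correctly when all four sso_* keys are present and consistent, it is worth checking a config file before relying on it. The following POSIX shell script is an added example, not part of the AWS documentation or the AWS CLI: it extracts one [profile NAME] section from a config file, verifies that sso_start_url, sso_region, sso_account_id and sso_role_name are present, that the start URL is https, and that the account ID is a 12-digit number. The sample config file is constructed inline (one good profile matching the one above and one deliberately incomplete profile); the function names profile_section and check_sso_profile are hypothetical.

```shell
#!/bin/sh
# Added example (not from the AWS docs): validate that a named profile in an
# AWS CLI config file carries every key an AWS SSO profile needs.
# Usage: check_sso_profile <config-file> <profile-name>

# Print the body of one [profile NAME] section from a config file.
profile_section() {
  # $1 = config file, $2 = profile name
  awk -v want="[profile $2]" '
    /^\[/ { in_section = ($0 == want); next }
    in_section { print }
  ' "$1"
}

# Return 0 when the profile has all four sso_* keys, an https start URL and a
# 12-digit account ID; otherwise print each problem and return 1.
check_sso_profile() {
  section=$(profile_section "$1" "$2")
  if [ -z "$section" ]; then
    echo "profile '$2' not found in $1"
    return 1
  fi
  rc=0
  for key in sso_start_url sso_region sso_account_id sso_role_name; do
    if ! printf '%s\n' "$section" | grep -q "^[[:space:]]*$key[[:space:]]*="; then
      echo "profile '$2': missing $key"
      rc=1
    fi
  done
  url=$(printf '%s\n' "$section" | sed -n 's/^[[:space:]]*sso_start_url[[:space:]]*=[[:space:]]*//p')
  case "$url" in
    https://*) ;;
    "") ;;  # already reported as missing
    *) echo "profile '$2': sso_start_url is not https"; rc=1 ;;
  esac
  acct=$(printf '%s\n' "$section" | sed -n 's/^[[:space:]]*sso_account_id[[:space:]]*=[[:space:]]*//p')
  case "$acct" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    "") ;;  # already reported as missing
    *) echo "profile '$2': sso_account_id must be a 12-digit account ID"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample config (not a real environment) so the script runs stand-alone.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
[profile my-dev-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = ReadOnly
region = us-west-2
output = json

[profile broken-profile]
sso_start_url = http://my-sso-portal.awsapps.com/start
sso_region = us-east-1
region = us-west-2
EOF

check_sso_profile "$SAMPLE_CONFIG" my-dev-profile && echo "my-dev-profile: OK"
check_sso_profile "$SAMPLE_CONFIG" broken-profile || echo "broken-profile: needs attention"
```

Run it against your own file with check_sso_profile ~/.aws/config my-dev-profile after sourcing the script; a missing key or a plain-http start URL is reported per line so the profile can be corrected before the first aws sso login.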
Signing out of your AWS SSO sessions
When you are done using your AWS SSO enabled profiles, you can choose to do nothing and let the AWS temporary credentials and your AWS SSO credentials expire. However, you can also run the following command to immediately delete all cached credentials in the SSO credential cache folder and all AWS temporary credentials that were based on the AWS SSO credentials. This makes those credentials unavailable for any future command.
$ aws sso logout
Successfully signed out of all SSO profiles.