- In your browser, go to your AWS Identity Center SSO URL (https://my-sso-portal.awsapps.com) and log in.
- Open a command-line prompt in your `~/` and either
  - go through the `aws sso configure` CLI flow (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html#cli-configure-sso-configure); it will open a browser to authenticate you with SSO
  - or edit the files directly. See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html#cli-configure-sso-manual

Set up SSO, add to `~/.aws/config`:

    [sso-session my-sso]
    sso_region = us-east-1
    sso_start_url = https://my-sso-portal.awsapps.com/start

Set up account access, add to `~/.aws/config`:

    [profile some-dev]
    sso_session = my-sso
    sso_account_id = 111122223333
    sso_role_name = SampleRole

To refresh your AWS CLI credentials:

    aws sso login

This does not sign you in to a specific account; for that you need to run e.g.:

    aws sso login --profile some-dev

Or, much easier, use direnv in a project that you are working on:

    |- CoolProject
       |- envs
          |- dev
             |- .envrc
             |- main.tf
          |- prod

    # .envrc
    export AWS_PROFILE=some-dev

So if you run Terraform commands in `/CoolProject/envs/dev/`, the AWS CLI will automatically use the AWS SSO creds for that profile (Terraform uses the AWS SDK under the hood, which also picks this up).
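
Because direnv selects the profile silently per directory, a check that `AWS_PROFILE` resolves to the account you expect is worth running before Terraform does anything. The following is an added example, not part of the original page: the function names `profile_account_id`, `require_account` and `write_sample_config`, the `some-prod` profile and the account id `444455556666` are assumptions made for illustration.

```shell
# Added example (not from the original page): wrong-account guard for AWS_PROFILE.

# Print the sso_account_id of a profile in an AWS CLI config file.
# $1 = profile name, $2 = config path (default: AWS_CONFIG_FILE or ~/.aws/config).
profile_account_id() {
  local profile="$1" config="${2:-${AWS_CONFIG_FILE:-$HOME/.aws/config}}"
  local header="[profile $profile]"
  if [ "$profile" = "default" ]; then header="[default]"; fi  # no "profile " prefix
  awk -v want="$header" '
    /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); in_section = ($0 == want); next }
    in_section && /^[ \t]*sso_account_id[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }
  ' "$config"
}

# Succeed only if $AWS_PROFILE is set and maps to the expected account.
# $1 = expected 12-digit account id, $2 = optional config path.
require_account() {
  local expected="$1" actual
  if [ -z "${AWS_PROFILE:-}" ]; then
    echo "refusing to run: AWS_PROFILE is not set" >&2; return 1
  fi
  actual="$(profile_account_id "$AWS_PROFILE" "${2:-}")" || actual=""
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run: $AWS_PROFILE -> '${actual}', expected $expected" >&2
    return 1
  fi
}

# Constructed sample config: some-dev is the page's profile; some-prod and its
# account id are hypothetical, added to show a mismatch.
write_sample_config() {
  cat > "$1" <<'EOF'
[profile some-dev]
sso_session = my-sso
sso_account_id = 111122223333

[profile some-prod]
sso_session = my-sso
sso_account_id = 444455556666
EOF
}

# Demo: the dev directory expects account 111122223333.
demo_cfg="$(mktemp)" && write_sample_config "$demo_cfg"
( AWS_PROFILE=some-dev;  require_account 111122223333 "$demo_cfg" ) && echo "some-dev: ok"
( AWS_PROFILE=some-prod; require_account 111122223333 "$demo_cfg" ) || echo "some-prod: blocked"
rm -f "$demo_cfg"
```

This only checks the mapping in the config file. To confirm what the live credentials resolve to after `aws sso login`, compare against the output of `aws sts get-caller-identity --query Account --output text`.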