AWS SSO Setup¶
Set up the AWS CLI to authenticate through AWS IAM Identity Center (formerly AWS SSO), so commands run with short-lived role credentials instead of long-lived access keys.
Prerequisites¶
This guide assumes no AWS credentials are currently configured. If you already have static access keys in ~/.aws/credentials or exported as AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, remove them first so the SSO profile is the only credential source and you can tell which identity a command is actually using.
Configure SSO¶
Open your command line and start the interactive configuration wizard with `aws configure sso`. You'll be prompted for four pieces of information:

| Prompt | Value | Notes |
|---|---|---|
| SSO session name | recro | Reference name for the `[sso-session]` block in ~/.aws/config. Use something descriptive if you manage multiple sessions. |
| SSO start URL | https://recrocog.awsapps.com/start | Recro's Identity Center access portal URL |
| SSO region | us-east-1 | Region where Identity Center is configured |
| SSO registration scopes | sso:account:access | Keep the default |
Note: The CLI will attempt to open your browser for authentication. If it fails, it will display a URL you can open manually. Before approving, check that the page is served from the `oidc.us-east-1.amazonaws.com` endpoint and that the login was started by a command you ran; never approve an authorization request you did not initiate.
Sign in with your username and complete the verification sent to your email address.
Example Session¶
```console
$ aws configure sso
SSO session name (Recommended): recro
SSO start URL [None]: https://recrocog.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [sso:account:access]: sso:account:access
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://oidc.us-east-1.amazonaws.com/authorize?response_type=code&client_id=<snipped>

The only AWS account available to you is: XXXXXXXXXXXX
Using the account ID XXXXXXXXXXXX
The only role available to you is: adminAccess
Using the role name "adminAccess"
Default client Region [None]: us-east-1
CLI default output format (json if not specified) [None]: json
Profile name [adminAccess-XXXXXXXXXXXX]: recrocog-admin
To use this profile, specify the profile name using --profile, as shown:

aws sts get-caller-identity --profile recrocog-admin
```
Verify Your Identity¶
Confirm the configuration worked by running the command the wizard printed, `aws sts get-caller-identity --profile recrocog-admin`. Expected output:

```json
{
    "UserId": "XXXXXXXXXXXX:cwilson",
    "Account": "XXXXXXXXXXXX",
    "Arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/AWSReservedSSO_adminAccess_XXXXXXXXXXXX/cwilson"
}
```

Check that the `Arn` names the permission set you expect (`AWSReservedSSO_adminAccess_…`) and ends in your own username; a different account or role name here means another credential source is being picked up.
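Anyone scripting against this profile should check not only that credentials resolve but that they resolve to the intended account and permission set, because `AWS_PROFILE` and `AWS_DEFAULT_PROFILE` silently change which identity a command runs as. The following added example (not part of this page or of the AWS CLI) parses `get-caller-identity` JSON in the shape shown above and refuses anything other than the expected Identity Center role; the sample JSON, the 12-digit placeholder account ID, the hex role suffix and the script name are constructed assumptions.

```python
"""Guard script: confirm `aws sts get-caller-identity` reports the Identity Center role you expect.

Added example, not part of this page or of the AWS CLI. Usage (script name is an assumption):
    aws sts get-caller-identity --profile recrocog-admin | python3 check_identity.py
"""
import json
import re
import sys

# Identity Center materialises each permission set as a role named
# AWSReservedSSO_<permission-set>_<hex suffix> in every account it is assigned to;
# the session name after the final slash is the SSO username.
SSO_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"AWSReservedSSO_(?P<permission_set>.+)_(?P<suffix>[0-9a-f]+)/(?P<user>[^/]+)$"
)

# Constructed sample in the shape this page shows (placeholder account ID and suffix).
SAMPLE_SSO = json.dumps({
    "UserId": "AROAEXAMPLE1234567:cwilson",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_adminAccess_0123456789abcdef/cwilson",
})

# Constructed sample of what a long-lived IAM user access key reports instead.
SAMPLE_IAM_USER = json.dumps({
    "UserId": "AIDAEXAMPLE1234567",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/cwilson",
})


def parse_caller_identity(text: str):
    """Return {account, permission_set, user} for an SSO-backed session, or None otherwise."""
    identity = json.loads(text)
    match = SSO_ROLE_ARN.match(identity["Arn"])
    if not match:
        return None
    return {
        "account": match["account"],
        "permission_set": match["permission_set"],
        "user": match["user"],
    }


def check_identity(text: str, expected_account: str, expected_permission_set: str):
    """Return (ok, reason). Refuses non-SSO credentials and the wrong account or permission set."""
    parsed = parse_caller_identity(text)
    if parsed is None:
        return False, "not an IAM Identity Center session (static key or non-SSO role)"
    if parsed["account"] != expected_account:
        return False, f"account {parsed['account']} != expected {expected_account}"
    if parsed["permission_set"] != expected_permission_set:
        return False, (
            f"permission set {parsed['permission_set']} != expected {expected_permission_set}"
        )
    return True, f"{parsed['user']} via {parsed['permission_set']} in {parsed['account']}"


if __name__ == "__main__":
    # Expected account and permission set are assumptions; set them for your environment.
    ok, reason = check_identity(sys.stdin.read(), "123456789012", "adminAccess")
    print(("OK: " if ok else "REFUSED: ") + reason)
    sys.exit(0 if ok else 1)
```

Put a call like this at the top of any script that runs under an admin permission set so it aborts, rather than runs, when a stray `AWS_PROFILE` or leftover access key points it somewhere else.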
Set Default Profile¶
The SSO configuration is stored in ~/.aws/config:

```ini
[profile recrocog-admin]
sso_session = recro
sso_account_id = XXXXXXXXXXXX
sso_role_name = adminAccess
region = us-east-1
output = json

[sso-session recro]
sso_start_url = https://recrocog.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
```
To avoid passing --profile with every command, set the AWS_DEFAULT_PROFILE environment variable as shown in the next section. AWS_PROFILE does the same job and is also honoured by the AWS SDKs, so prefer it if you run SDK-based tooling alongside the CLI.
Add the export to your shell profile (~/.bashrc, ~/.zshrc, etc.) to persist it. Keep in mind that a default profile applies to every AWS command in that shell, including ones run by scripts you did not write.
Before and After¶
```console
# Without default profile set
$ aws s3 ls
Unable to locate credentials.

# After setting default profile
$ export AWS_DEFAULT_PROFILE=recrocog-admin
$ aws s3 ls
2024-09-26 15:11:02 linux-airgap-oracle
2024-12-02 07:39:39 backup-tarballs
...
```
Re-authenticate After Expiry¶
When your session expires, the CLI reports that the SSO session for the profile has expired or is invalid instead of running the command. Re-authenticate with `aws sso login --profile recrocog-admin`; this repeats the browser sign-in and refreshes the cached token for the `recro` session, so every profile that shares that session works again.
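The CLI keeps the Identity Center access token under ~/.aws/sso/cache and uses it to mint role credentials until the token's `expiresAt`; an expired or missing token is what triggers the login error, and a readable one is a bearer credential for every account the session can reach. The following added example (not part of this page or of the AWS CLI) resolves a profile to its sso-session, locates the cached token, reports whether `aws sso login` is needed, and flags a cache file that other users can read. It assumes the AWS CLI v2 cache layout (file named after the SHA-1 of the sso_session name, or of sso_start_url for profiles without one), and the config text and cache files it runs against are constructed.

```python
"""Decide whether an Identity Center profile needs `aws sso login` by inspecting the CLI token cache.

Added example, not part of this page or of the AWS CLI. Uses only the standard library.
Assumed layout: ~/.aws/config plus ~/.aws/sso/cache/<sha1>.json, where the sha1 is taken
over the sso_session name (or over sso_start_url for legacy profiles without a session).
"""
import configparser
import hashlib
import json
import stat
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed sample: the ~/.aws/config this guide produces (placeholder account ID).
SAMPLE_CONFIG = """\
[profile recrocog-admin]
sso_session = recro
sso_account_id = 123456789012
sso_role_name = adminAccess
region = us-east-1
output = json

[sso-session recro]
sso_start_url = https://recrocog.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
"""


def load_profile(config_text: str, profile_name: str) -> dict:
    """Merge a [profile ...] section with the [sso-session ...] section it references."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(config_text)
    profile = dict(cp[f"profile {profile_name}"])
    session = profile.get("sso_session")
    if session:
        profile.update(cp[f"sso-session {session}"])
    return profile


def token_cache_path(profile: dict, cache_dir) -> Path:
    """Cache file name (assumption: sha1 of the session name, else of the start URL)."""
    key = profile.get("sso_session") or profile["sso_start_url"]
    return Path(cache_dir) / f"{hashlib.sha1(key.encode('utf-8')).hexdigest()}.json"


def token_state(cache_path: Path, now: datetime, margin: timedelta = timedelta(minutes=5)) -> str:
    """Return 'missing', 'expired' or 'valid'; tokens within `margin` of expiry count as expired."""
    if not cache_path.is_file():
        return "missing"
    token = json.loads(cache_path.read_text())
    # The CLI writes expiresAt as UTC with a trailing Z, e.g. 2024-09-26T20:11:02Z.
    expires_at = datetime.fromisoformat(token["expiresAt"].replace("Z", "+00:00"))
    return "expired" if expires_at - now <= margin else "valid"


def readable_by_others(path: Path) -> bool:
    """The cached token is a bearer credential: anyone who can read it can mint AWS credentials."""
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))


def needs_login(config_text: str, profile_name: str, cache_dir, now: datetime = None) -> bool:
    now = now or datetime.now(timezone.utc)
    profile = load_profile(config_text, profile_name)
    return token_state(token_cache_path(profile, cache_dir), now) != "valid"


def demo() -> dict:
    """Write constructed cache files into a temp dir and classify them against a fixed clock."""
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    profile = load_profile(SAMPLE_CONFIG, "recrocog-admin")
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = token_cache_path(profile, tmp)
        results["missing"] = token_state(path, now)
        for label, expires in (("expired", now - timedelta(hours=1)), ("valid", now + timedelta(hours=8))):
            path.write_text(json.dumps({
                "startUrl": profile["sso_start_url"],
                "region": profile["sso_region"],
                "accessToken": "constructed-placeholder-token",
                "expiresAt": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
            }))
            results[label] = token_state(path, now)
        path.chmod(0o600)  # what the CLI itself does; anything looser should be flagged
        results["needs_login"] = needs_login(SAMPLE_CONFIG, "recrocog-admin", tmp, now)
        results["readable_by_others"] = readable_by_others(path)
    return results


if __name__ == "__main__":
    print(demo())
    home = Path.home()
    # Against the real ~/.aws layout: profile name is the one this guide creates.
    print("login needed:", needs_login((home / ".aws" / "config").read_text(), "recrocog-admin", home / ".aws" / "sso" / "cache"))
```

Run it before a long unattended job to avoid failing halfway through on an expired token, and treat a `readable_by_others` result of True as a credential exposure: fix the mode and run `aws sso logout`, which invalidates the cached token.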
See Also¶
- SSO Permissions - Available permission sets and session durations
- Infrastructure Changes - How to modify SSO users and DNS records