Introduction
This guide shows how to configure and use AWS SSO (IAM Identity Center) from your CLI using the aws configure sso
command. It includes step-by-step setup, login, validation, and cleanup.
Prerequisites
Before you begin, make sure:
- You have AWS IAM Identity Center (formerly AWS SSO) set up in your AWS Organization.
- You have permission to access an assigned AWS account and permission set.
- You've installed the AWS CLI v2.
Note: `aws configure sso` only works with AWS CLI v2 and above.
Step 1: Configure AWS SSO
Run the following command:
aws configure sso
You'll be prompted for:
- SSO Start URL: the URL of your AWS SSO portal (e.g., https://your-sso-portal.awsapps.com/start)
- SSO Region: the region where SSO is configured (e.g., ap-southeast-2)
You may see `SSO registration scopes [sso:account:access]`; this is expected and grants access to your assigned accounts.
A browser window will open with a prompt asking to allow botocore-client-... access to your data. This is expected and part of the AWS SSO login process.
Click Allow access to continue.
If you only have access to one account and role, the CLI will auto-select them:
The only AWS account available to you is: 123456789012
Using the account ID 123456789012
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
Then you'll be prompted to enter:
Default client Region [None]: ap-southeast-2
CLI default output format (json if not specified) [None]:
Profile name [AdministratorAccess-123456789012]: dev-sso
What each means:
- Region: match your SSO region.
- Output format: press Enter to accept `json`.
- Profile name: use a short name like `dev-sso`.
Step 2: Log in via AWS SSO
To authenticate:
aws sso login --profile dev-sso
This command starts the login process and caches credentials. A browser may briefly open and complete authentication without further input. Once done, you're ready to use the CLI.
Step 3: Test the Profile
Run this to confirm setup:
aws sts get-caller-identity --profile dev-sso
This returns your AWS identity and confirms the profile is working.
Optional: Set the Profile as Default
To make it default:
export AWS_PROFILE=dev-sso
Or add it to your shell config.
Re-login Before Expiry
Sessions expire after 8 to 12 hours. To re-login:
aws sso login --profile dev-sso
To check when your SSO credentials expire, read the token cache. The cache files are keyed by the SSO start URL, not by the profile name, so filter on the presence of `startUrl` (the client-registration files in the same directory have none):
jq -r 'select(.startUrl != null) | .expiresAt' ~/.aws/sso/cache/*.json
This prints a timestamp like:
2025-05-26T10:42:21UTC
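As an added example (not part of the original post), the same expiry check in Python: it walks the token cache, skips the client-registration files, parses the `expiresAt` format shown above (both the older `UTC` suffix and the newer `Z`), and reports whether the token for a given start URL is still valid. The start URL and the cache file contents are constructed placeholders.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Start URL entered at `aws configure sso`; hypothetical value for this example.
START_URL = "https://your-sso-portal.awsapps.com/start"

def parse_expires_at(value: str) -> datetime:
    """Parse expiresAt; the CLI has written both '...:21UTC' and '...:21Z'."""
    for suffix in ("UTC", "Z"):
        if value.endswith(suffix):
            naive = datetime.strptime(value[:-len(suffix)], "%Y-%m-%dT%H:%M:%S")
            return naive.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value)  # e.g. '2025-05-26T10:42:21+00:00'

def sso_token_status(cache_dir, start_url, now=None):
    """Return ('valid' | 'expired' | 'missing', expires_at) for start_url's cached token."""
    now = now or datetime.now(timezone.utc)
    for path in sorted(Path(cache_dir).glob("*.json")):
        try:
            data = json.loads(path.read_text())
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file
        # Client-registration files (botocore-client-id-*.json) have no startUrl: skip.
        if not isinstance(data, dict) or data.get("startUrl") != start_url or "expiresAt" not in data:
            continue
        expires = parse_expires_at(data["expiresAt"])
        return ("valid" if expires > now else "expired"), expires
    return "missing", None

def write_sample_cache(cache_dir, expires_at: str) -> None:
    """Write constructed files shaped like ~/.aws/sso/cache entries (no real secrets)."""
    cache = Path(cache_dir)
    (cache / "botocore-client-id-example.json").write_text(json.dumps(
        {"clientId": "EXAMPLE", "clientSecret": "EXAMPLE", "expiresAt": "2099-01-01T00:00:00Z"}))
    (cache / "0123abcd.json").write_text(json.dumps(
        {"startUrl": START_URL, "region": "ap-southeast-2",
         "accessToken": "EXAMPLE-TOKEN", "expiresAt": expires_at}))

def demo_status(expires_at: str, now: str, start_url: str = START_URL) -> str:
    """Run the check against a throwaway cache dir; 'now' is a timestamp string."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_cache(tmp, expires_at)
        return sso_token_status(tmp, start_url, parse_expires_at(now))[0]

if __name__ == "__main__":
    print(demo_status("2025-05-26T10:42:21UTC", "2025-05-26T09:00:00Z"))  # valid
    # Real check: sso_token_status(Path.home() / ".aws/sso/cache", START_URL)
```

Against a real cache, pass `Path.home() / ".aws/sso/cache"` and the start URL you configured; an `expired` or `missing` result means `aws sso login` is needed.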
To Remove a Profile
To fully delete a profile:
- Open your AWS config files:
  nano ~/.aws/config
  nano ~/.aws/credentials
- Remove the sections related to `[profile dev-sso]`.
There is no direct CLI command to delete a profile; editing the files manually is the correct way.
Summary
With `aws configure sso`, you can:
- Avoid long-lived keys
- Log in securely to AWS accounts
- Use profiles easily from the CLI