AWS
Security
Tutorials
How to set up AWS CLI with AWS SSO
AWS Single-Sign On (SSO) makes it easy to centrally manage SSO Access to multiple AWS accounts, moves the authentication to the IdP (Identity Provider), and removes the need for managing static, long-lived credentials.
AWS CLI added support for SSO late 2019 so you can use it seamlessly in your developer workflow from the CLI without going to the developers portal every time and paste short-lived credentials to the console.
Prerequisite #
Setup AWS SSO with an IDP #
The first step is to have AWS SSO set up and configured. This should be done by someone with the right admin access permissions to both the IdP and AWS. Check out how to set up AWS SSO with G Suite as IDP.
Install AWS CLI (v2) #
On your local machine, if you don’t already have it, install AWS CLI v2.
Configure an SSO Profile #
Similar to the
aws configure
command that creates a new profile in ~/.aws/config
with long-lived access keys aws configure sso
command creates a new SSO profile.aws configure sso
will prompt you to:ep@macbook-pro-73 aws % aws configure sso
# This is the URL that you defined when you setup the AWS
SSO start URL [None]: [https://your-url.awsapps.com/start](https://your-url.awsapps.com/start)
# This is the region that you enabled AWS SSO in
SSO Region [None]: us-east-1
# This step will take you to the browser and you will have to click login and allow
# This will suggest to choose an account from which are available to you
There are 6 AWS accounts available to you.
Using the account ID xxxxxxxxxxxx
# This will suggest a role available to you for this account
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
# Optional: you can choose a default region
CLI default client Region [None]:
# Optional: you can choose a default output form. You can skip this to use the default
CLI default output format [None]:
# Here pick a name that you will be able to use later as an alias for this account for –profile argument
CLI profile name [AdministratorAccess-345990386405]: cq-dev-admin
That’s it you configured a new profile (in that case named
cq-dev-admin
) and to test it run the following command:aws s3 ls --profile cq-dev-admin
## wil output available s3 buckets
Configure Multiple SSO Profiles #
It is common to have multiple accounts available to you via SSO and the neat thing is that you only need to login once to any of those accounts and you can use any of them in the CLI. The only thing that you will need to do is to add the additional profiles either manually (which will probably be faster) or through the interactive CLI. In either your
~/.aws/config
should look something like the following:[profile profile-name-1]
sso_start_url = https://xxxxxx.awsapps.com/start
sso_region = us-east-1
sso_account_id = yyyyyyy
sso_role_name = AdministratorAccess
[profile profile-name-1]
sso_start_url = https://xxxxxx.awsapps.com/start/
sso_region = us-east-1
sso_account_id = yyyyyyy
sso_role_name = AdministratorAccess
region = eu-central-1
Once you log in with any of those profiles (as long as the
sso_start_url
and sso_region
are the same) with the following command:aws sso login --profile profile-name-1
you can run also without logging in specifically to other profiles!
aws s3 ls --profile profile-name-2
Logging out #
You can also log out and clear the temporary credentials with
aws sso logout
but this will probably not be necessary most of the time as they expire every hour or so (or a maximum of 12 hours depending on what you admin defined as session duration) so most probably you will have to re-run aws sso login --profile profile-name-1
once a day or so.Summary #
If you are using AWS SSO (you probably should :) ) you can definitely enjoy the smooth integration and developer experience with the AWS CLI.
If you want to learn more about improving your Cloud Security, check out our post on how to build your own Open Source CSPM with CloudQuery. CloudQuery allows you to sync any source (Including AWS security data) to any destination (including your own infrastructure). By leveraging CloudQuery, you can take advantage of:
- Centralized Access Management: Easily manage SSO access to multiple AWS accounts with CloudQuery’s intuitive CLI interface.
- Seamless Integration: Connect AWS SSO with CloudQuery for smooth data querying and management without constantly handling short-lived credentials.
- Enhanced Security: Utilize temporary SSO credentials in conjunction with CloudQuery to maintain secure access to your cloud resources.
- Developer-Friendly Tools: Benefit from CloudQuery’s robust set of tools that simplify data extraction, transformation, and loading (ETL) processes directly from your AWS environment.
Ready to elevate your cloud data management? Sign up for a demo with our team to see CloudQuery in action or try CloudQuery today!
If you are a CloudQuery user you can also enjoy using your temporary SSO credentials in conjunction with CloudQuery seamlessly by specifying AWS_PROFILE=your-sso-profile-name.
Want help getting started? Join the CloudQuery community to connect with other users and experts, or message our team directly here if you have any questions.
Written by Yevgeny Pats
Yevgeny Pats is the Co-Founder & CEO at CloudQuery. Prior to establishing CloudQuery, he successfully founded and exited other startups. He has a background in software engineering and cybersecurity.