This topic provides instructions on how to configure the AWS CLI with AWS IAM Identity Center (IAM Identity Center) to retrieve credentials to run AWS CLI commands. There are primarily two ways to authenticate users with IAM Identity Center to get credentials to run AWS CLI commands through the config file:
(Recommended) SSO token provider configuration.
Legacy non-refreshable configuration.
For information on using bearer auth, which uses no account ID and role, see Setting up to use the AWS CLI with CodeCatalyst in the Amazon CodeCatalyst User Guide.
For a guided process of using IAM Identity Center with AWS CLI commands, see Tutorial: Using IAM Identity Center to run Amazon S3 commands in the AWS CLI.
Install the AWS CLI. For more information, see Installing or updating to the latest version of the AWS CLI.
You must first have access to SSO authentication within IAM Identity Center. Choose the scenario that matches how you get your AWS credentials.

If you do not yet have access to IAM Identity Center:
Follow the instructions in Getting started in the AWS IAM Identity Center User Guide. This process activates IAM Identity Center, creates an administrative user, and adds an appropriate least-privilege permission set.
Create a permission set that applies least-privilege permissions. We recommend using the predefined PowerUserAccess permission set, unless your employer has created a custom permission set for this purpose. Keep in mind that PowerUserAccess grants full access to AWS services apart from IAM, Organizations and account management, so prefer a narrower custom permission set for CLI use when one exists.
Exit the portal and sign in again to see your AWS accounts, programmatic access details, and options for Administrator or PowerUserAccess. Select PowerUserAccess when working with the AWS CLI.

If you sign in through your identity provider's portal:
Sign in to AWS through your identity provider's portal. If your Cloud Administrator has granted you PowerUserAccess (developer) permissions, you see the AWS accounts that you have access to and your permission set. Next to the name of your permission set, you see options to access the accounts manually or programmatically using that permission set.
Custom implementations might result in different experiences, such as different permission set names. If you're not sure which permission set to use, contact your IT team for help.

If you sign in through the AWS access portal:
Sign in to AWS through your AWS access portal. If your Cloud Administrator has granted you PowerUserAccess (developer) permissions, you see the AWS accounts that you have access to and your permission set. Next to the name of your permission set, you see options to access the accounts manually or programmatically using that permission set.
If you're not sure which permission set to use, contact your IT team for help.
After gaining access to IAM Identity Center, gather your IAM Identity Center information by performing the following:
Gather your SSO Start URL and SSO Region values, which you need to run aws configure sso.
In your AWS access portal, select the permission set you use for development, and select the Access keys link.
In the Get credentials dialog box, choose the tab that matches your operating system.
Choose the IAM Identity Center credentials method to get the SSO Start URL and SSO Region values.
Alternatively, starting with version 2.22.0, you can use the Issuer URL instead of the Start URL. The Issuer URL is located in the AWS IAM Identity Center console in one of the following locations:
On the Dashboard page, the Issuer URL is in the settings summary.
On the Settings page, the Issuer URL is in the Identity source settings.
For information on which scopes value to register, see OAuth 2.0 Access scopes in the IAM Identity Center User Guide.
Configure your profile with the aws configure sso wizard

In your preferred terminal, run the aws configure sso command.

SSO token provider configuration (recommended): create a session name, provide your IAM Identity Center start URL or the issuer URL, the AWS Region that hosts the IAM Identity Center directory, and the registration scope.

    $ aws configure sso
    SSO session name (Recommended): my-sso
    SSO start URL [None]: https://my-sso-portal.awsapps.com/start
    SSO region [None]: us-east-1
    SSO registration scopes [None]: sso:account:access

Proof Key for Code Exchange (PKCE) authorization is used by default for the AWS CLI starting with version 2.22.0 and must be used on devices with a browser. To continue to use device authorization, append the --use-device-code option.

    $ aws configure sso --use-device-code

Legacy non-refreshable configuration: skip the session name and provide your IAM Identity Center start URL and the AWS Region that hosts the Identity Center directory.

    $ aws configure sso
    SSO session name (Recommended):
    SSO start URL [None]: https://my-sso-portal.awsapps.com/start
    SSO region [None]: us-east-1

The AWS CLI attempts to open your default browser for the sign-in process of your IAM Identity Center account. This process may prompt you to allow the AWS CLI access to your data. Since the AWS CLI is built on top of the SDK for Python, permission messages may contain variations of the botocore name.

If the AWS CLI cannot open the browser, instructions to manually start the sign-in process are displayed based on the type of authorization you are using.

PKCE authorization: Proof Key for Code Exchange (PKCE) authorization is used by default for the AWS CLI starting with version 2.22.0. The URL displayed is a unique URL starting with https://oidc.us-east-1.amazonaws.com/authorize. PKCE authorization URLs must be opened on the same device you're signing in to and must be used on a device with a browser.

    Attempting to automatically open the SSO authorization page in your default browser.
    If the browser does not open or you wish to use a different device to authorize the request, open the following URL:
    https://oidc.us-east-1.amazonaws.com/authorize?<abbreviated>

Device authorization: OAuth 2.0 device authorization is used by the AWS CLI for versions older than 2.22.0. You can enable this method on newer versions by using the --use-device-code option. Device authorization URLs do not need to be opened on the same device you're signing in to and can be used on a device with or without a browser. Because the code can be entered from any device, only ever enter a code that you yourself just requested from the AWS CLI; a code sent to you by someone else should be treated as a phishing attempt.

    If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
    https://device.sso.us-east-1.amazonaws.com/
    Then enter the code:
    QCFK-N451

Select the AWS account to use from the displayed list. If you are authorized to use only one account, the AWS CLI automatically selects that account and skips the prompt.

    There are 2 AWS accounts available to you.
    > DeveloperAccount, developer-account-admin@example.com (123456789011)
      ProductionAccount, production-account-admin@example.com (123456789022)

Select the IAM role to use from the displayed list. If there is only one role available, the AWS CLI automatically selects that role and skips the prompt.

    Using the account ID 123456789011
    There are 2 roles available to you.
    > ReadOnly
      FullAccess

Specify the default output format, the default AWS Region to send commands to, and a name for the profile. If you specify default as the profile name, this profile becomes the default profile used. In the following example, the user enters a default Region, default output format, and the name of the profile.

    Default client Region [None]: us-west-2 <ENTER>
    CLI default output format (json if not specified) [None]: json <ENTER>
    Profile name [123456789011_ReadOnly]: my-dev-profile <ENTER>

A final message describes the completed profile configuration. You can now use this profile to request credentials. Use the aws sso login command to request and retrieve the credentials needed to run commands. For instructions, see Sign in to an IAM Identity Center session.
These steps create the sso-session section and named profile in the config file, which look like the following.

SSO token provider configuration (recommended):

    [profile my-dev-profile]
    sso_session = my-sso
    sso_account_id = 123456789011
    sso_role_name = ReadOnly
    region = us-west-2
    output = json

    [sso-session my-sso]
    sso_region = us-east-1
    sso_start_url = https://my-sso-portal.awsapps.com/start
    sso_registration_scopes = sso:account:access

Legacy non-refreshable configuration:

    [profile my-dev-profile]
    sso_start_url = https://my-sso-portal.awsapps.com/start
    sso_region = us-east-1
    sso_account_id = 123456789011
    sso_role_name = ReadOnly
    region = us-west-2
    output = json

Configure an sso-session section with the aws configure sso-session wizard

This configuration is not compatible with the legacy IAM Identity Center configuration.
The aws configure sso-session command updates the sso-session sections in the ~/.aws/config file. Run the aws configure sso-session command and provide your IAM Identity Center start URL or issuer URL and the AWS Region that hosts the IAM Identity Center directory.

    $ aws configure sso-session
    SSO session name: my-sso
    SSO start URL [None]: https://my-sso-portal.awsapps.com/start
    SSO region [None]: us-east-1
    SSO registration scopes [None]: sso:account:access

Configure IAM Identity Center manually in the config file

IAM Identity Center configuration information is stored in the config file and can be edited using a text editor. To manually add IAM Identity Center support to a named profile, you must add keys and values to the config file.
The sso-session section of the config file is used to group configuration variables for acquiring SSO access tokens, which can then be used to acquire AWS credentials. The following settings are used:
(Required) sso_start_url
(Required) sso_region
You define an sso-session section and associate it to a profile. The sso_region and sso_start_url settings must be set within the sso-session section. Typically, sso_account_id and sso_role_name must be set in the profile section so that the AWS CLI can request SSO credentials.
The following example configures the AWS CLI to request SSO credentials and supports automated token refresh:

    [profile dev]
    sso_session = my-sso
    sso_account_id = 111122223333
    sso_role_name = SampleRole

    [sso-session my-sso]
    sso_region = us-east-1
    sso_start_url = https://my-sso-portal.awsapps.com/start

This also allows sso-session configurations to be reused across multiple profiles:

    [profile dev]
    sso_session = my-sso
    sso_account_id = 111122223333
    sso_role_name = SampleRole

    [profile prod]
    sso_session = my-sso
    sso_account_id = 111122223333
    sso_role_name = SampleRole2

    [sso-session my-sso]
    sso_region = us-east-1
    sso_start_url = https://my-sso-portal.awsapps.com/start

However, sso_account_id and sso_role_name aren't required for all scenarios of SSO token configuration. If your application only uses AWS services that support bearer authentication, then traditional AWS credentials are not needed. Bearer authentication is an HTTP authentication scheme that uses security tokens called bearer tokens; in this scenario, sso_account_id and sso_role_name aren't required. See the individual guide for your AWS service to determine if it supports bearer token authorization.
Additionally, registration scopes can be configured as part of an sso-session. Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account. An application can request one or more scopes, and the access token issued to the application is limited to the scopes granted. These scopes define the permissions requested for the registered OIDC client and for the access tokens it retrieves. The following example sets sso_registration_scopes to provide access for listing accounts and roles:

    [sso-session my-sso]
    sso_region = us-east-1
    sso_start_url = https://my-sso-portal.awsapps.com/start
    sso_registration_scopes = sso:account:access

The authentication token is cached to disk under the ~/.aws/sso/cache directory with a filename derived from the session name.
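The following is an added example, not part of the AWS CLI documentation or of the AWS CLI itself: a POSIX sh script that lints a config file against the sso-session and profile rules stated above (every sso-session needs sso_region and sso_start_url; a profile that sets sso_session must reference a defined sso-session; a profile without sso_account_id and sso_role_name only works for bearer-token services; a profile that embeds sso_start_url directly is the legacy non-refreshable form). The config it runs on is constructed for this example, and the function and message names are this example's own.

```shell
#!/bin/sh
# Added example, not from the AWS CLI documentation: lint ~/.aws/config for the
# sso-session / profile layout described in the text. The sample config below
# is constructed for this example.

# lint_aws_config FILE: print one line per finding; exit 1 if any finding is an error
lint_aws_config() {
    awk '
        /^[ \t]*\[/ {
            # section header: [profile NAME], [sso-session NAME] or [default]
            line = $0
            sub(/^[ \t]*\[[ \t]*/, "", line)
            sub(/[ \t]*\].*$/, "", line)
            n = split(line, parts, " ")
            if (n >= 2) { kind = parts[1]; name = parts[2] }
            else        { kind = "profile"; name = parts[1] }
            section = kind "|" name
            kindof[section] = kind
            nameof[section] = name
            next
        }
        /^[ \t]*[A-Za-z_]+[ \t]*=/ && section != "" {
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*$/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            kv[section, key] = val
            next
        }
        END {
            rc = 0
            for (s in kindof) {
                name = nameof[s]
                if (kindof[s] == "sso-session") {
                    if (!((s, "sso_region") in kv))    { print "error: sso-session " name ": missing sso_region"; rc = 1 }
                    if (!((s, "sso_start_url") in kv)) { print "error: sso-session " name ": missing sso_start_url"; rc = 1 }
                } else if ((s, "sso_session") in kv) {
                    ref = "sso-session|" kv[s, "sso_session"]
                    if (!(ref in kindof)) { print "error: profile " name ": sso_session " kv[s, "sso_session"] " is not defined"; rc = 1 }
                    if (!((s, "sso_account_id") in kv) || !((s, "sso_role_name") in kv))
                        print "note: profile " name ": no sso_account_id/sso_role_name, only bearer-token services will work"
                } else if ((s, "sso_start_url") in kv) {
                    print "note: profile " name ": legacy non-refreshable configuration, consider an sso-session"
                }
            }
            exit rc
        }
    ' "$1"
}

# make_sample_config FILE: constructed config with one clean profile and several defects
make_sample_config() {
    cat > "$1" <<'EOF'
[default]
region = us-east-1

[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole
region = us-west-2

[profile prod]
sso_session = corp-sso
sso_account_id = 111122223333
sso_role_name = SampleRole2

[profile codecatalyst]
sso_session = my-sso

[profile old]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111122223333
sso_role_name = SampleRole

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access

[sso-session broken]
sso_start_url = https://my-sso-portal.awsapps.com/start
EOF
}

# Demonstration on the constructed sample; real use is: lint_aws_config ~/.aws/config
demo=$(mktemp)
make_sample_config "$demo"
if lint_aws_config "$demo"; then echo "config OK"; else echo "config has errors"; fi
rm -f "$demo"
```

Run it as lint_aws_config ~/.aws/config before a deployment script relies on a profile; a dangling sso_session reference or a session without sso_region otherwise only surfaces when aws sso login fails.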
To run commands, you must first sign in to an IAM Identity Center session to request and retrieve your temporary credentials.
For more information on the config and credentials files, see Configuration and credential file settings in the AWS CLI.

Sign in to an IAM Identity Center session

The sign-in process may prompt you to allow the AWS CLI access to your data. Since the AWS CLI is built on top of the SDK for Python, permission messages may contain variations of the botocore name.
To retrieve and cache a set of IAM Identity Center credentials, run the following command for the AWS CLI to open your default browser and verify your IAM Identity Center log in.
    $ aws sso login --profile my-dev-profile
    SSO authorization page has automatically been opened in your default browser. Follow the instructions in the browser to complete this authorization request.
    Successfully logged into Start URL: https://my-sso-portal.awsapps.com/start

Your IAM Identity Center session credentials are cached and the AWS CLI uses them to securely retrieve AWS credentials for the IAM role specified in the profile.
If the AWS CLI cannot automatically open your browser, instructions to manually start the sign in process are displayed based on the type of authorization you are using.
PKCE authorization: Proof Key for Code Exchange (PKCE) authorization is used by default for the AWS CLI starting with version 2.22.0. The URL displayed is a unique URL starting with https://oidc.us-east-1.amazonaws.com/authorize. PKCE authorization URLs must be opened on the same device you're signing in to and must be used on a device with a browser.

    Attempting to automatically open the SSO authorization page in your default browser.
    If the browser does not open or you wish to use a different device to authorize the request, open the following URL:
    https://oidc.us-east-1.amazonaws.com/authorize?<abbreviated>

Device authorization: OAuth 2.0 device authorization is used by the AWS CLI for versions older than 2.22.0. You can enable this method on newer versions by using the --use-device-code option. Device authorization URLs do not need to be opened on the same device you're signing in to and can be used on a device with or without a browser.

    If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
    https://device.sso.us-east-1.amazonaws.com/
    Then enter the code:
    QCFK-N451

You can also specify which sso-session to use when logging in with the --sso-session parameter of the aws sso login command. The --sso-session option is not available for the legacy IAM Identity Center configuration.

    $ aws sso login --sso-session my-dev-session

Starting with version 2.22.0, PKCE authorization is the default. To use device authorization for signing in, add the --use-device-code option.

    $ aws sso login --profile my-dev-profile --use-device-code

The authentication token is cached to disk under the ~/.aws/sso/cache directory. For an sso-session configuration the filename is derived from the session name; for the legacy configuration it is derived from the sso_start_url. The cache file holds the access token (and, for sso-session configurations, the OIDC client registration and refresh token) in plaintext, so protect that directory as you would any credentials file.
Once logged in, you can use your credentials to invoke AWS CLI commands with the associated named profile. The following example shows a command using a profile:
    $ aws sts get-caller-identity --profile my-dev-profile

As long as you are signed in to IAM Identity Center and the cached SSO token has not expired, the AWS CLI automatically renews expired AWS credentials when needed. However, if your IAM Identity Center session expires, you must explicitly renew it by signing in to your IAM Identity Center account again.
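The following is an added example, not part of the AWS CLI documentation: a POSIX sh helper that checks the cached IAM Identity Center token before running commands and calls aws sso login only when the token is missing or about to expire. It assumes, from botocore's current behaviour rather than from anything on this page, that cache files are named by the SHA-1 hex digest of the sso-session name (for legacy profiles, of the sso_start_url) plus .json, and that they carry an expiresAt field in YYYY-MM-DDTHH:MM:SSZ form. The cache entries it exercises are constructed samples with placeholder secrets, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the AWS CLI documentation: decide whether a cached
# IAM Identity Center token is still usable and sign in only when it is not.
# Assumption: cache files are named sha1(session name).json (legacy profiles:
# sha1(sso_start_url).json) and contain "expiresAt" as YYYY-MM-DDTHH:MM:SSZ.

AWS_SSO_CACHE_DIR="${AWS_SSO_CACHE_DIR:-$HOME/.aws/sso/cache}"

# sha1_hex STRING: hex digest, portable across GNU coreutils (sha1sum) and BSD/macOS (shasum)
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -c1-40
    else
        printf '%s' "$1" | shasum -a 1 | cut -c1-40
    fi
}

# sso_cache_file NAME: path of the cache entry for an sso-session name (or legacy start URL)
sso_cache_file() {
    printf '%s/%s.json\n' "$AWS_SSO_CACHE_DIR" "$(sha1_hex "$1")"
}

# sso_token_expires_at FILE: print the expiresAt value; fail if the file is unreadable
sso_token_expires_at() {
    [ -r "$1" ] || return 1
    sed -n 's/.*"expiresAt"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# sso_token_valid FILE [SKEW]: succeed if the token is still valid SKEW seconds (default 300) from now
sso_token_valid() {
    exp=$(sso_token_expires_at "$1") || return 1
    [ -n "$exp" ] || return 1
    deadline=$(( $(date +%s) + ${2:-300} ))
    # GNU date takes -d @EPOCH, BSD/macOS date takes -r EPOCH
    deadline_iso=$(date -u -d "@$deadline" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
        || date -u -r "$deadline" +%Y-%m-%dT%H:%M:%SZ)
    # Both values are fixed-width UTC timestamps, so their first 14 digits compare as integers
    exp_num=$(printf '%s' "$exp" | tr -cd '0-9' | cut -c1-14)
    deadline_num=$(printf '%s' "$deadline_iso" | tr -cd '0-9' | cut -c1-14)
    [ "$exp_num" -gt "$deadline_num" ]
}

# sso_ensure_login SESSION: run "aws sso login" only if the cached token is missing or expiring
sso_ensure_login() {
    if sso_token_valid "$(sso_cache_file "$1")"; then
        echo "cached token for sso-session $1 is still valid, no login needed"
    else
        aws sso login --sso-session "$1"
    fi
}

# write_sample_cache FILE EXPIRES_AT: constructed cache entry with placeholder secrets
write_sample_cache() {
    cat > "$1" <<EOF
{"startUrl": "https://my-sso-portal.awsapps.com/start", "region": "us-east-1",
 "accessToken": "PLACEHOLDER", "expiresAt": "$2",
 "clientId": "PLACEHOLDER", "clientSecret": "PLACEHOLDER", "refreshToken": "PLACEHOLDER"}
EOF
}

# Demonstration on constructed entries; real use is: sso_ensure_login my-sso
demo_dir=$(mktemp -d)
write_sample_cache "$demo_dir/fresh.json" "2099-01-01T00:00:00Z"
write_sample_cache "$demo_dir/stale.json" "2000-01-01T00:00:00Z"
for f in fresh stale; do
    if sso_token_valid "$demo_dir/$f.json"; then echo "$f: valid"; else echo "$f: expired or missing"; fi
done
rm -rf "$demo_dir"
```

The skew argument exists because a token that is valid now but expires mid-run still breaks a long command; treating anything that expires within the next few minutes as already expired avoids that. Nothing here prints or copies the token itself: the cache entry is a live bearer credential and should stay in the 0600 file the CLI wrote.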
When you are done using your IAM Identity Center profile, you can let your credentials expire or run the following command to delete your cached credentials.
    $ aws sso logout
    Successfully signed out of all SSO profiles.

If you come across issues using the AWS CLI, see Troubleshooting errors for the AWS CLI for troubleshooting steps.
Additional resources are as follows.
Tutorial: Using IAM Identity Center to run Amazon S3 commands in the AWS CLI
aws configure sso in the AWS CLI version 2 Reference
aws configure sso-session in the AWS CLI version 2 Reference
aws sso login in the AWS CLI version 2 Reference
aws sso logout in the AWS CLI version 2 Reference
Setting up to use the AWS CLI with CodeCatalyst in the Amazon CodeCatalyst User Guide
OAuth 2.0 Access scopes in the IAM Identity Center User Guide
Getting started tutorials in the IAM Identity Center User Guide