AWS Developer Tools Blog
AWS CLI v2 Preview Now Supports AWS Single Sign-On
We are excited to announce that the AWS CLI v2 preview now supports direct integration with AWS Single Sign-On (SSO). You can now create CLI profiles that are linked to SSO accounts and roles. The CLI will automatically retrieve AWS credentials from SSO and refresh them on your behalf. There are new commands to help manage the CLI SSO profiles. This eliminates the need to copy and paste temporary AWS credentials from the AWS SSO console.
To get started you need to:
- Install the AWS CLI v2 preview.
- Configure the CLI with an SSO profile.
Install AWS CLI v2 Preview
Instructions to install the AWS CLI v2 preview are available in this blog post.
Configure an SSO Profile
After installation, run the aws2 configure sso command, which is similar to the aws configure command. The new SSO profile will be saved to the AWS shared configuration file. During this command, you will be prompted to log in to your SSO directory with a web browser.
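An added example, not part of the original post or of the AWS CLI: a Python audit of the shared configuration and credentials files that reports which profiles are SSO-linked and which still hold pasted access keys. It assumes the SSO profile is stored under the keys sso_start_url, sso_region, sso_account_id and sso_role_name (taken from the CLI user guide, not this post); the function names and sample file contents are constructed for illustration.

```python
import configparser

# Keys the AWS CLI v2 stores for an SSO-linked profile (assumption taken from
# the CLI user guide; the post itself does not list them).
SSO_KEYS = {"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"}
STATIC_KEYS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}

# Constructed sample files; every value is a placeholder.
SAMPLE_CONFIG = """\
[profile dev]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111122223333
sso_role_name = ReadOnly
[profile half]
sso_start_url = https://example.awsapps.com/start
"""
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = PLACEHOLDER_KEY_ID
aws_secret_access_key = PLACEHOLDER_SECRET
[dev]
aws_session_token = PLACEHOLDER_TOKEN
"""

def _options(text, is_config):
    """Yield (profile name, option names) for each section of one file."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    for section in parser.sections():
        name = section
        if is_config and section.startswith("profile "):  # "[profile x]" -> "x"
            name = section[len("profile "):].strip()
        yield name, set(parser.options(section))

def audit_profiles(config_text, credentials_text=""):
    """Label each profile: sso, sso-incomplete, static-keys, or other."""
    seen = {}
    for text, is_config in ((config_text, True), (credentials_text, False)):
        for name, opts in _options(text, is_config):
            seen.setdefault(name, set()).update(opts)
    report = {}
    for name, opts in seen.items():
        sso = opts & SSO_KEYS
        labels = ["sso"] if sso == SSO_KEYS else ["sso-incomplete"] if sso else []
        if opts & STATIC_KEYS:
            labels.append("static-keys")
        report[name] = labels or ["other"]
    return report
```

A profile labelled both sso and static-keys is one where pasted credentials were left behind after the move to SSO and can be cleaned out of the credentials file.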
Using an SSO Profile
Using an SSO profile is the same as any other AWS CLI profile. You can specify the SSO profile name using --profile on the command line, or export the AWS_DEFAULT_PROFILE environment variable with your SSO profile name.
The CLI will automatically fetch and refresh AWS credentials for your SSO profile. You can validate your SSO profile using aws2 sts get-caller-identity with your SSO profile.
The SSO profile will eventually expire. When the profile expires you can run the aws2 sso login command to refresh the session.
At the end of the work day you can clear all temporary AWS credentials and SSO profile sessions by running aws2 sso logout.
Check the AWS CLI user guide for detailed explanations of all the new commands and configurations.
The AWS CLI v2 is still in developer preview and we’re looking for feedback to improve new features such as this one. To track development of the AWS CLI v2 or provide feedback, reach out to us on our GitHub repository.