💾 Archived View for capsule.adrianhesketh.com › 2021 › 01 › 21 › aws-cli-sso-authentication captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

➡️ Next capture (2022-06-11)

-=-=-=-=-=-=-

capsule.adrianhesketh.com

home

AWS CLI - authenticating with SSO

AWS CLI v1 didn't support AWS SSO, but the new AWS CLI does. Before this, you had to do a complicated dance of configuration, or use a tool to save yourself the trouble.

Prior to AWS CLI v2 being released, I used the SSOFresh tool: [0] which took away the complication of the various command line incantations that were required without it.

[0]

So, how do you migrate if you're using that now that it's built in to the CLI?

First, upgrade your AWS CLI. [1]

[1]

I use a relatively niche package manager call Nix [2], so the instructions don't apply to me. If you happen to use it too, then you'll find that the `awscli` package is V1, while `awscli2` is V2. You can run AWS CLI v2 without affecting your system by using `nix-shell` or you can update your system.

[2]

nix-shell -p awscli2

You can check your version in your shell:

awscli --version
aws-cli/2.1.3 Python/3.8.6 Darwin/19.6.0 source/x86_64

With the latest version installed, I needed to take my SSOFresh configuration (`ssofresh.ini`) and migrate it over to `~/.aws/config`.

My SSOFresh configuration looked like:

[company]
start_url = https://d-xxxxxxxxxx.awsapps.com/start/
region = eu-west-1
profiles = company-dev

[company-dev]
account_id = xxxxxxxxxxxx
region = eu-west-1
role = EngineerNonProduction

Then I used the guide here to configure `~/.aws/config` instead [3]

[3]

[profile company-dev]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start/
sso_region = eu-west-1
sso_account_id = xxxxxxxxxxxx
sso_role_name = EngineerNonProduction
region = eu-west-1
output = json

Next, I needed to use the CLI to login.

aws sso login --profile company-dev

A Web browser popped open and asked me to login. Easy! Then, I went back to the shell and tried it out.

aws logs describe-log-groups --profile=company-dev

Great it worked, I saw a list of all my log groups. Of course, it's annoying to have to remember to add the `--profile` parameter, so I ran `export AWS_PROFILE=company-dev` so I could skip it.

aws logs describe-log-groups

Finally, to logout...

aws sso logout

If you get this error, (or logging out) you'll need to login (`aws sso login`) again.

Error loading SSO Token: The SSO access token has either expired or is otherwise invalid.

More

Next

Google OAuth token CLI tool

Previous

Running DynamoDB Local with nix

Home

home