💾 Archived View for capsule.adrianhesketh.com › 2021 › 01 › 21 › aws-cli-sso-authentication captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content
AWS CLI v1 didn't support AWS SSO, but the new AWS CLI does. Before this, you had to do a complicated dance of configuration, or use a tool to save yourself the trouble.
Prior to AWS CLI v2 being released, I used the SSOFresh tool: [0] which took away the complication of the various command line incantations that were required without it.
So, how do you migrate away from SSOFresh now that SSO support is built into the CLI?
First, upgrade your AWS CLI. [1]
I use a relatively niche package manager called Nix [2], so the instructions don't apply to me. If you happen to use it too, then you'll find that the `awscli` package is V1, while `awscli2` is V2. You can run AWS CLI v2 without affecting your system by using `nix-shell`, or you can update your system.
```
nix-shell -p awscli2
```
You can check your version in your shell:
```
aws --version
aws-cli/2.1.3 Python/3.8.6 Darwin/19.6.0 source/x86_64
```
With the latest version installed, I needed to take my SSOFresh configuration (`ssofresh.ini`) and migrate it over to `~/.aws/config`.
My SSOFresh configuration looked like:
```
[company]
start_url = https://d-xxxxxxxxxx.awsapps.com/start/
region = eu-west-1
profiles = company-dev
[company-dev]
account_id = xxxxxxxxxxxx
region = eu-west-1
role = EngineerNonProduction
```
Then I used the guide here to configure `~/.aws/config` instead [3].
```
[profile company-dev]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start/
sso_region = eu-west-1
sso_account_id = xxxxxxxxxxxx
sso_role_name = EngineerNonProduction
region = eu-west-1
output = json
```
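The key mapping between the two files, as an added example that is not from the original post or the SSOFresh project: it converts the SSOFresh layout shown above into AWS CLI v2 SSO profile sections. The function names are hypothetical, the sample input is constructed from the placeholder values on this page, and treating `profiles` as a comma-separated list is an assumption.

```python
import configparser
import io

# Constructed sample in the SSOFresh layout shown above (placeholder values).
SSOFRESH_INI = """\
[company]
start_url = https://d-xxxxxxxxxx.awsapps.com/start/
region = eu-west-1
profiles = company-dev
[company-dev]
account_id = xxxxxxxxxxxx
region = eu-west-1
role = EngineerNonProduction
"""


def ssofresh_to_aws_config(ini_text, output="json"):
    """Translate SSOFresh sections into AWS CLI v2 SSO profile sections."""
    src = configparser.ConfigParser(interpolation=None)
    src.read_string(ini_text)
    dst = configparser.ConfigParser(interpolation=None)
    for org in src.sections():
        if "profiles" not in src[org]:
            continue  # per-account section, reached through its parent
        # Assumption: multiple profile names are comma-separated.
        for name in filter(None, (p.strip() for p in src[org]["profiles"].split(","))):
            if not src.has_section(name):
                raise ValueError(f"profile {name!r} in [{org}] has no section")
            acct = src[name]
            dst[f"profile {name}"] = {
                "sso_start_url": src[org]["start_url"],
                "sso_region": src[org]["region"],  # region hosting AWS SSO
                "sso_account_id": acct["account_id"],
                "sso_role_name": acct["role"],
                "region": acct.get("region", src[org]["region"]),  # API region
                "output": output,
            }
    return dst


def render(cfg):
    """Serialise as 'key = value' lines, the style used in ~/.aws/config."""
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print(render(ssofresh_to_aws_config(SSOFRESH_INI)))
```

Review the printed sections before appending them to `~/.aws/config`, since an existing profile with the same name would be duplicated.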
Next, I needed to use the CLI to log in.
```
aws sso login --profile company-dev
```
A web browser popped open and asked me to log in. Easy! Then, I went back to the shell and tried it out.
```
aws logs describe-log-groups --profile=company-dev
```
Great, it worked: I saw a list of all my log groups. Of course, it's annoying to have to remember to add the `--profile` parameter, so I ran `export AWS_PROFILE=company-dev` so I could skip it.
```
aws logs describe-log-groups
```
Finally, to log out...
```
aws sso logout
```
If you get this error (or after logging out), you'll need to log in (`aws sso login`) again.
```
Error loading SSO Token: The SSO access token has either expired or is otherwise invalid.
```