LinuxCommandLibrary

aws-sso

Authenticate to AWS using Single Sign-On

TLDR

Start SSO session and refresh access tokens. Requires setup using `aws configure sso`
$ aws sso login

End SSO session and clear cached access tokens
$ aws sso logout

List all AWS accounts accessible to the user
$ aws sso list-accounts --access-token [token]

List all roles accessible to the user for a given AWS account
$ aws sso list-account-roles --account-id [account] --access-token [token]

Retrieve short-term credentials for a specific account
$ aws sso get-role-credentials --account-id [account] --role-name [role] --access-token [token]

SYNOPSIS

aws sso []

PARAMETERS

login
    Initiates the SSO login process. Opens a browser window for authentication and retrieves temporary AWS credentials.

--profile profile_name
    Specifies the AWS CLI profile to use. This profile must be configured to use SSO.

--region region_name
    Specifies the AWS region for the SSO service. This is needed if the region isn't specified in the profile.

--debug
    Enables debug logging for troubleshooting.

DESCRIPTION

The `aws-sso` command is a utility provided by the AWS Command Line Interface (CLI) to simplify authentication and authorization against the AWS Single Sign-On (SSO) service. It allows users to obtain temporary AWS credentials by authenticating through their organization's SSO provider. This eliminates the need to manually manage AWS credentials or rely on long-term access keys.

By using `aws-sso`, you can interact with AWS services without requiring static credentials in the `~/.aws/credentials` file or environment variables. The command retrieves short-lived credentials based on your assigned roles and permissions within your AWS SSO environment. This approach greatly improves security and streamlines AWS CLI usage.

The authentication process usually involves opening a web browser, logging in through the SSO provider's interface, and then receiving temporary credentials that are configured within the AWS CLI configuration files.

CAVEATS

Requires a correctly configured AWS CLI profile that uses the 'sso' credential process.
The SSO provider and Identity Center need to be configured for it to work.

CONFIGURATION

To use `aws-sso`, you must configure an AWS CLI profile with the 'sso' credential process. This involves specifying the SSO start URL, region, and account ID in the `~/.aws/config` file. The SSO login will configure your credentials file afterwards.

SECURITY

The `aws-sso` command improves security by using short-lived credentials obtained through the SSO provider. This reduces the risk of credential compromise and eliminates the need to store static credentials. All credentials retrieved are only available for the period defined in your AWS SSO configuration.
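
The `--access-token [token]` value used by the commands above is a bearer secret with a limited lifetime, so its on-disk cache is worth auditing for expiry and file permissions. The following Python code is an added example, not part of the original page or of the AWS CLI; it assumes the CLI caches SSO tokens as JSON files with `accessToken` and `expiresAt` fields (normally under `~/.aws/sso/cache`), and every file name and value in `demo()` is constructed.

```python
import json, stat, tempfile
from datetime import datetime, timezone
from pathlib import Path

def parse_expiry(value):
    # Accept both the "Z" suffix and the older "UTC" suffix; treat naive times as UTC.
    dt = datetime.fromisoformat(value.replace("UTC", "Z").replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_sso_cache(cache_dir, now=None):
    """Return (findings, usable): problems found and names of unexpired token files."""
    now = now or datetime.now(timezone.utc)
    findings, usable = [], []
    for path in sorted(Path(cache_dir).glob("*.json")):
        try:
            doc = json.loads(path.read_text())
        except (OSError, ValueError):
            findings.append((path.name, "unreadable or not JSON"))
            continue
        if not isinstance(doc, dict) or "accessToken" not in doc:
            continue  # e.g. client registration files: no bearer token inside
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:  # any group/other permission bit exposes the token
            findings.append((path.name, f"mode {mode:03o} is accessible to other users"))
        try:
            expired = parse_expiry(doc["expiresAt"]) <= now
        except (KeyError, ValueError, TypeError, AttributeError):
            findings.append((path.name, "missing or malformed expiresAt"))
            continue
        if expired:
            findings.append((path.name, "token expired; run aws sso login"))
        else:
            usable.append(path.name)
    return findings, usable

def demo():
    samples = {  # constructed sample files, not real tokens
        "good.json": ({"accessToken": "CONSTRUCTED", "expiresAt": "2999-01-01T00:00:00Z"}, 0o600),
        "stale.json": ({"accessToken": "CONSTRUCTED", "expiresAt": "2020-01-01T00:00:00UTC"}, 0o600),
        "loose.json": ({"accessToken": "CONSTRUCTED", "expiresAt": "2999-01-01T00:00:00Z"}, 0o644),
        "client.json": ({"clientId": "CONSTRUCTED"}, 0o600),
    }
    with tempfile.TemporaryDirectory() as d:
        for name, (doc, mode) in samples.items():
            Path(d, name).write_text(json.dumps(doc))
            Path(d, name).chmod(mode)
        return audit_sso_cache(d)

if __name__ == "__main__":
    print(demo())
```

To check a real workstation, pass `Path.home() / ".aws/sso/cache"` to `audit_sso_cache`; it reports file names only and never prints the token itself.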

HISTORY

The `aws-sso` command was introduced as part of the AWS CLI version 2 to provide a more streamlined and secure method of authentication using AWS Single Sign-On. It was developed to address the challenges of managing static credentials and to encourage best practices for security and access control.

SEE ALSO

aws(1), aws configure(1)
