LinuxCommandLibrary

aws-sso

Authenticate to AWS using Single Sign-On

TLDR

Start SSO session and refresh access tokens. Requires setup using aws configure sso

$ aws sso login

End SSO session and clear cached access tokens
$ aws sso logout

List all AWS accounts accessible to the user
$ aws sso list-accounts --access-token [token]

List all roles accessible to the user for a given AWS account
$ aws sso list-account-roles --account-id [account] --access-token [token]

Retrieve short-term credentials for a specific account
$ aws sso get-role-credentials --account-id [account] --role-name [role] --access-token [token]

SYNOPSIS

aws-sso [options]

PARAMETERS

login
    Authenticates with AWS SSO and fetches temporary credentials.

configure
    Guides through setting up a new AWS SSO profile.

profiles
    Lists all configured AWS SSO profiles.

assume <profile-name>
    Assumes a specific role associated with an SSO profile, often setting environment variables for CLI access.

refresh
    Refreshes expired AWS SSO credentials without full re-authentication.

env <profile-name>
    Prints export commands for environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc.) for a given profile, suitable for eval.

--profile <name>
    Specifies the SSO profile to use for the command.

-h, --help
    Displays help information for the command or subcommand.

DESCRIPTION

aws-sso is commonly a community-driven or custom helper script designed to streamline authentication with AWS Single Sign-On (SSO) and to assume AWS roles directly from the command line.
It typically acts as a wrapper around the official aws configure sso and aws sso login processes, offering a more user-friendly interface.
Its primary goal is to simplify fetching temporary AWS credentials for various AWS accounts and roles configured via SSO, thereby easing the use of the AWS CLI and SDKs without manual credential handling.
It often manages multiple SSO profiles, assists with token refreshing, and automates the process of setting environment variables for CLI access, greatly improving developer experience when working with AWS SSO-enabled organizations.

CAVEATS

aws-sso is typically a third-party script or personal wrapper, not an official AWS CLI command directly from Amazon.
Its functionality can vary significantly between different implementations, so users should consult the specific script's documentation.
It generally requires aws-cli v2 to be installed and configured for SSO.
Always verify the source and contents of any aws-sso script before execution due to security implications of credential management.

SHELL INTEGRATION

For immediate credential application in the current shell session, aws-sso commands are often used with eval, e.g., eval "$(aws-sso env <profile>)". Because eval runs whatever the script prints as shell code, the output is trusted exactly as much as the script itself.
This sets the necessary environment variables (access key, secret key, session token) and expiration, allowing seamless use of the AWS CLI and SDKs until the credentials expire.
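
One way to apply the output of aws-sso env without eval, as an added example (not code from any aws-sso implementation). It assumes the script prints one export NAME=VALUE line per variable; the function names and the variable allow-list are illustrative choices.

```shell
# Added example (not from any aws-sso project). Assumed output format:
# one `export NAME=VALUE` per line; real implementations may differ.

# Parse one line into $name and $value. Fails unless it is a plain export of
# an allow-listed AWS variable whose value contains no shell metacharacters.
parse_export_line() {
    line=$1
    case $line in
        "export "*=*) line=${line#export } ;;
        *) return 1 ;;
    esac
    name=${line%%=*}
    value=${line#*=}
    case $value in   # strip one pair of matching surrounding quotes
        \"*\") value=${value#\"}; value=${value%\"} ;;
        \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    case $name in
        AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN) ;;
        AWS_CREDENTIAL_EXPIRATION|AWS_REGION|AWS_DEFAULT_REGION) ;;
        *) return 1 ;;
    esac
    case $value in   # keys, tokens, regions and timestamps need only these
        ""|*[!A-Za-z0-9+/=:._-]*) return 1 ;;
    esac
}

# Usage: apply_sso_env "$(aws-sso env <profile>)"
# Exports the variables only if every line validates; never calls eval.
apply_sso_env() {
    input=$1
    [ -n "$input" ] || return 1
    # Pass 1: validate all lines so a bad one leaves the shell untouched.
    while IFS= read -r l; do
        [ -z "$l" ] && continue
        parse_export_line "$l" || {
            echo "aws-sso env output failed validation" >&2
            return 1
        }
    done <<EOF
$input
EOF
    # Pass 2: assign directly; values are never re-parsed as shell code.
    while IFS= read -r l; do
        [ -z "$l" ] && continue
        parse_export_line "$l" && export "$name=$value"
    done <<EOF
$input
EOF
}
```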

MULTI-PROFILE MANAGEMENT

A key benefit of aws-sso is its ability to easily manage and switch between different AWS accounts and roles configured under AWS SSO.
This significantly enhances productivity for users working across multiple environments or projects, providing quick access to respective AWS resources.

HISTORY

The emergence of aws-sso scripts stems from the need to simplify AWS SSO integration with the AWS CLI.
While AWS CLI v2 provides native SSO support, the process of configuring and frequently switching roles can be cumbersome for developers.
Community developers and users created these helper scripts to abstract this complexity, offering a more fluid experience for managing temporary credentials and multiple AWS SSO profiles efficiently.

SEE ALSO

aws(1), aws configure sso(1), aws sso login(1)
