LinuxCommandLibrary

aws-sso

Authenticate to AWS using Single Sign-On

TLDR

Start SSO session and refresh access tokens. Requires prior setup using aws configure sso.

$ aws sso login

End SSO session and clear cached access tokens
$ aws sso logout

List all AWS accounts accessible to the user
$ aws sso list-accounts --access-token [token]

List all roles accessible to the user for a given AWS account
$ aws sso list-account-roles --account-id [account] --access-token [token]

Retrieve short-term credentials for a specific account
$ aws sso get-role-credentials --account-id [account] --role-name [role] --access-token [token]
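
The commands above pass a bearer token with --access-token, and aws sso login keeps that token in a local cache until aws sso logout clears it. The following Python check is an added example, not part of the original page or of the AWS CLI: it reports which cached token files are still live and whether their file mode lets other local users read them. The cache location (~/.aws/sso/cache), the JSON keys (accessToken, expiresAt, startUrl) and the timestamp suffixes are assumptions about the AWS CLI v2 cache layout; the sample files are constructed.

```python
import json, stat, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed reference time so the sample run is deterministic.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def parse_expiry(value):
    """Parse expiresAt; a trailing 'Z' or 'UTC' is an assumed cache format."""
    dt = datetime.fromisoformat(value.replace("UTC", "+00:00").replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_sso_cache(cache_dir, now=None):
    """Return one finding per cached token file; token values are never returned."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for path in sorted(Path(cache_dir).glob("*.json")):
        try:
            entry = json.loads(path.read_text())
        except (OSError, ValueError):
            continue  # unreadable or not JSON
        if not isinstance(entry, dict) or not {"accessToken", "expiresAt"} <= set(entry):
            continue  # e.g. a client registration file that holds no token
        mode = stat.S_IMODE(path.stat().st_mode)
        findings.append({
            "file": path.name,
            "start_url": entry.get("startUrl"),
            "live": parse_expiry(entry["expiresAt"]) > now,
            "group_or_other_access": bool(mode & 0o077),
        })
    return findings

def make_sample_cache():
    """Build a throwaway cache directory holding constructed entries."""
    d = Path(tempfile.mkdtemp())
    url = "https://example.invalid/start"  # constructed placeholder
    samples = [
        ("a_expired.json", {"startUrl": url, "accessToken": "CONSTRUCTED-1",
                            "expiresAt": "2024-01-01T08:00:00UTC"}, 0o600),
        ("b_live.json", {"startUrl": url, "accessToken": "CONSTRUCTED-2",
                         "expiresAt": "2024-01-01T20:00:00Z"}, 0o644),
        ("client-registration.json", {"clientId": "CONSTRUCTED"}, 0o600),
    ]
    for name, body, mode in samples:
        (d / name).write_text(json.dumps(body))
        (d / name).chmod(mode)
    return d

if __name__ == "__main__":
    # For a real check, pass Path.home() / ".aws/sso/cache" and omit the time.
    for finding in audit_sso_cache(make_sample_cache(), SAMPLE_NOW):
        print(finding)
```

A file reported as live with group_or_other_access set is the case to fix first: tighten the mode to 0600 or run aws sso logout to clear the cache.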

SYNOPSIS

aws-sso command [options]

PARAMETERS

--profile, -p PROFILE
    AWS config profile name

--sso-session SESSION
    SSO session name from ~/.aws/config

--sso-start-url URL
    Override SSO start URL

--sso-region REGION
    SSO region (e.g., us-east-1)

--duration-seconds SECONDS
    Credential duration (900-43200)

--no-browser
    Disable browser login (CLI only)

--help, -h
    Show command help

--version
    Print version info

--log-level LEVEL
    Logging level (DEBUG, INFO, etc.)

DESCRIPTION

aws-sso is an open-source command-line tool that simplifies managing AWS Single Sign-On (SSO, now IAM Identity Center) credentials with the AWS CLI. It automates profile discovery, login, and credential retrieval for multi-account environments.

Unlike native AWS CLI v2 SSO (via aws configure sso), which requires per-profile setup, aws-sso scans your ~/.aws/config for SSO sections, lists available accounts/roles, handles browser-based authentication, and caches temporary credentials with automatic renewal. It supports exporting credentials to environment variables for seamless use with aws, terraform, or other tools.

Key use cases include switching roles across accounts without manual exports, scripting deployments, and integrating with session managers like aws-vault. Install via pip install aws-sso-cli or package managers. Requires AWS CLI v2 and Python 3.6+. Works on Linux, macOS, Windows.

Popular for its simplicity: run aws-sso login once, then aws-sso exec --profile my-role aws s3 ls to run a command with temporary credentials. Expiry handling for profiles prevents stale sessions.

CAVEATS

Third-party tool (not official AWS); requires AWS CLI v2 and valid ~/.aws/config with SSO sections. Browser login needs GUI/X11 forwarding on headless Linux.

COMMON SUBCOMMANDS

configure: Interactive SSO setup.
list-profiles: List SSO profiles/accounts/roles.
login: Authenticate SSO session.
exec: Run command with temp creds (e.g., aws-sso exec aws sts get-caller-identity).
get-account-id: Fetch account ID for profile.

INSTALLATION

pip install aws-sso-cli
Or brew install aws-sso-cli on macOS.
Man page: man aws-sso after install.

HISTORY

Developed by Justin Barnhill starting 2020 on GitHub (barnhill/aws-sso-cli). Gained popularity post-AWS CLI v2 SSO intro; v2.0+ added IAM Identity Center support. Actively maintained with 1k+ stars.

SEE ALSO

aws(1), aws configure(1), aws-vault(1), saml2aws(1)
