AWS Command Line Interface (AWS CLI) is a powerful open source tool that enables AWS users to interact with AWS services from the command line. AWS CLI lets users drive the same functionality available in the AWS Management Console through automated scripts and commands.
Configuring and using AWS CLI became more streamlined for organizations that use AWS IAM Identity Center (successor to AWS SSO) together with AWS CLI v2. With AWS CLI v2, AWS CLI named profiles can be linked to AWS IAM Identity Center accounts. Using the external identity provider (IdP) integration with AWS IAM Identity Center, users can securely log in to AWS CLI with their IdP account and the IdP's Multi-Factor Authentication (MFA).
- Trigger an AWS SSO login from AWS CLI using a named profile.
- Log in with your IdP credentials and MFA in your default browser.
- Run your CLI commands using your named profile.
Considerations
- This functionality is only available with AWS CLI v2 or higher.
- ºÚÁϺ£½Ç91Èë¿Ú must be configured as the external identity provider for the AWS IAM Identity Center service.
- SAML 2.0 must be the Authentication method.
- We recommend using SCIM provisioning to provision/deprovision users and manage groups and group membership.
Configuring AWS CLI to use your IdP for SSO
Configure the IdP integration with AWS IAM Identity Center
- Configure the IdP's SSO integration with the AWS IAM Identity Center service.
- Optionally, configure the IdP's identity management (user and group provisioning) integration with AWS IAM Identity Center to create, manage, and remove users and groups, which simplifies applying roles, permissions, and policies.
- Associate user groups with the configured AWS IAM Identity Center integration in the IdP.
Assign permissions and policies within each AWS account in AWS IAM Identity Center
- Log in to the AWS Management Console as an administrator.
- Create new permission sets under an account (if applicable):
- Navigate to AWS IAM Identity Center > AWS accounts > Permission sets.
- Click Create permission set, or click an existing permission set to update it.
- These permission sets are automatically created as roles in AWS IAM and are available to all accounts in your AWS organization.
- Navigate to AWS IAM Identity Center > AWS accounts > AWS organization.
- Select the account.
- Click Assign users, or click an existing user or group to add permission sets.
- Click the Groups tab to assign permission sets (roles) at the group level, or the Users tab to assign them at the user level.
- Check the box next to the group(s) to which you want to add permission sets.
- Click Next: Permission sets.
- Select or unselect permission sets, or click Create new permission set, and save your changes.
- Repeat these steps as needed.
- Users associated with the group(s) inherit the permission set(s) assigned to the group(s) unless excluded by an Attribute-Based Access Control (ABAC) policy.
- Navigate to AWS IAM Identity Center > Settings.
- Note your User portal URL; you will need it when logging in to AWS CLI.
Create an AWS CLI named profile that uses your IdP account and IdP MFA
- Launch AWS CLI.
- Trigger an AWS IAM Identity Center login by running the following command:
$ aws configure sso
- Enter your AWS IAM Identity Center User portal URL at the SSO start URL prompt:
SSO start URL [None]: https://<subdomain>.awsapps.com/start
- Enter your AWS IAM Identity Center region:
SSO region [None]: us-east-1
- Your default browser will be launched.
Note: If AWS CLI is unable to launch a browser, instructions will appear on how to initiate the SSO login process manually.
- Enter your ºÚÁϺ£½Ç91Èë¿Ú credentials.
- Enter your ºÚÁϺ£½Ç91Èë¿Ú MFA.
- Select your account.
- Select the role you want to use for that account.
- A confirmation of your role selection will appear.
- Enter your default region:
CLI default client Region [None]: us-east-1<ENTER>
- Enter your default output format:
CLI default output format [None]: json<ENTER>
- Give your profile a name; this is the profile name you will use to sign in and get temporary credentials:
CLI profile name [123456789011_ReadOnly]: 999999_S3Admin<ENTER>
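Once the prompts are complete, `aws configure sso` writes the named profile to `~/.aws/config`. The entry below is an added illustration, not text from the original page; the account ID 123456789011 and the role name S3Admin are assumed from the prompt defaults above, and the start URL subdomain is a placeholder. Knowing what the file holds lets you audit which account and role a profile is bound to without re-running the wizard.

```ini
# ~/.aws/config (added example; values assumed from the prompts above)
[profile 999999_S3Admin]
sso_start_url = https://<subdomain>.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = S3Admin
region = us-east-1
output = json
```

No long-lived access keys are stored here: the profile only records where to authenticate (the start URL and region) and which account and role to assume, so the file is safe to keep in version-controlled dotfiles.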
Retrieve and cache temporary AWS credentials using your named profile
Note: Use the named profile you created above to retrieve and cache a set of temporary credentials.
- Run the following command:
$ aws sso login --profile 999999_S3Admin
- Your default browser will be launched.
Note: If AWS CLI is unable to launch a browser, instructions will appear on how to initiate the SSO login process manually.
- Enter your ºÚÁϺ£½Ç91Èë¿Ú credentials.
- Enter your ºÚÁϺ£½Ç91Èë¿Ú MFA.
- You will receive a sign-in confirmation message.
- AWS temporary credentials are retrieved for the IAM role specified in the named profile and are cached with an expiration timestamp.
Running AWS CLI commands using your named profile temporary credentials
- Use your cached temporary credentials and your named profile to perform CLI commands:
$ aws s3 ls --profile 999999_S3Admin
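Because the cached IAM Identity Center token carries an expiration timestamp, scripts that run CLI commands with a named profile (the two sections above) benefit from checking that timestamp before each run rather than failing mid-way. The script below is an added example, not code from the original page or from AWS: it reads the `expiresAt` field from a cache file of the shape AWS CLI v2 writes under `~/.aws/sso/cache/` and only triggers `aws sso login` when the token has expired. The cache file path is passed in as an argument (AWS CLI names the file by a hash of the start URL, which this example does not compute), and the sample cache files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original page: check whether the cached
# IAM Identity Center access token for a named profile is still valid and
# only call `aws sso login` when it is not. AWS CLI v2 caches the token as
# JSON under ~/.aws/sso/cache/ with an "expiresAt" field in UTC (ISO 8601);
# the cache path is taken as an argument here so the check stays testable.

# sso_token_valid CACHE_FILE [NOW]
# Returns 0 if CACHE_FILE holds a token that expires after NOW (default:
# current UTC time), 1 if the file is missing, unreadable or expired.
# UTC ISO 8601 timestamps compare correctly as plain strings, so no date
# arithmetic is needed.
sso_token_valid() {
  cache_file="$1"
  now="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
  [ -r "$cache_file" ] || return 1
  expires_at=$(sed -n 's/.*"expiresAt"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$cache_file")
  [ -n "$expires_at" ] || return 1
  expr "$expires_at" \> "$now" >/dev/null
}

# run_with_profile PROFILE CACHE_FILE COMMAND...
# Re-authenticates through the browser-based IdP login only when the cached
# token has expired, then runs the CLI command with the named profile.
run_with_profile() {
  profile="$1"
  cache_file="$2"
  shift 2
  if ! sso_token_valid "$cache_file"; then
    aws sso login --profile "$profile" || return 1
  fi
  aws "$@" --profile "$profile"
}

# Constructed sample cache files (shape taken from AWS CLI v2, values fake).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '{"startUrl": "https://example.awsapps.com/start", "region": "us-east-1", "accessToken": "REDACTED", "expiresAt": "2030-01-01T00:00:00Z"}' > "$SAMPLE_DIR/fresh.json"
printf '%s\n' '{"startUrl": "https://example.awsapps.com/start", "region": "us-east-1", "accessToken": "REDACTED", "expiresAt": "2020-01-01T00:00:00Z"}' > "$SAMPLE_DIR/stale.json"

# Stand-alone demonstration over the constructed files.
for f in fresh stale; do
  if sso_token_valid "$SAMPLE_DIR/$f.json"; then
    echo "$f.json: token still valid, no login needed"
  else
    echo "$f.json: token expired or missing, run: aws sso login --profile <name>"
  fi
done
```

In real use, call `run_with_profile 999999_S3Admin ~/.aws/sso/cache/<hash>.json s3 ls`; after a login, `aws sts get-caller-identity --profile 999999_S3Admin` confirms which account and role the temporary credentials actually resolve to before you run anything else.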
Sign out and delete cached and temporary credentials
- Run the following command to sign out and delete all cached SSO tokens and all AWS temporary credentials associated with your IdP-backed AWS IAM Identity Center session:
$ aws sso logout