AWS CLI - authenticating with SSO

AWS CLI v1 didn’t support AWS SSO, but the new AWS CLI does. Before this, you had to do a complicated dance of configuration, or use a tool to save yourself the trouble.

Prior to AWS CLI v2 being released, I used the SSOFresh tool: [0] which took away the complication of the various command line incantations that were required without it.

• https://github.com/awilkins/aws-sso-refresh [0]

So, how do you migrate if you’re using that now that it’s built in to the CLI?

First, upgrade your AWS CLI. [1]

• https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html [1]

I use a relatively niche package manager call Nix [2], so the instructions don’t apply to me. If you happen to use it too, then you’ll find that the awscli package is V1, while awscli2 is V2. You can run AWS CLI v2 without affecting your system by using nix-shell or you can update your system.

• https://en.wikipedia.org/wiki/Nix_package_manager [2]

nix-shell -p awscli2

You can check your version in your shell:

awscli --version
aws-cli/2.1.3 Python/3.8.6 Darwin/19.6.0 source/x86_64

With the latest version installed, I needed to take my SSOFresh configuration (ssofresh.ini) and migrate it over to ~/.aws/config.

My SSOFresh configuration looked like:

[company]
start_url = https://d-xxxxxxxxxx.awsapps.com/start/
region = eu-west-1
profiles = company-dev

[company-dev]
account_id = xxxxxxxxxxxx
region = eu-west-1
role = EngineerNonProduction

Then I used the guide here to configure ~/.aws/config instead [3]

• https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html [3]

[profile company-dev]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start/
sso_region = eu-west-1
sso_account_id = xxxxxxxxxxxx
sso_role_name = EngineerNonProduction
region = eu-west-1
output = json

Next, I needed to use the CLI to login.

aws sso login --profile company-dev

A Web browser popped open and asked me to login. Easy! Then, I went back to the shell and tried it out.

aws logs describe-log-groups --profile=company-dev

Great it worked, I saw a list of all my log groups. Of course, it’s annoying to have to remember to add the --profile parameter, so I ran export AWS_PROFILE=company-dev so I could skip it.

aws logs describe-log-groups

Finally, to logout…

aws sso logout

If you get this error, (or logging out) you’ll need to login (aws sso login) again.

Error loading SSO Token: The SSO access token has either expired or is otherwise invalid.