Sign in Subscribe
By Javier Carrera in AWS CLI

Run AWS CLI commands with IAM Identity Center federated user credentials

This article explains how to authenticate users with AWS IAM Identity Center credentials to run AWS CLI commands.

Run AWS CLI commands with IAM Identity Center federated user credentials

If you use IAM Identity Center federated users to manage AWS resources using the AWS Management Console, you might also want to manage them using the AWS CLI (Command Line Interface) using the same identities. This article explains how to authenticate users with AWS IAM Identity Center credentials to run AWS CLI commands.

You can configure the AWS CLI manually (editing the config file directly) or use the aws configure sso wizard (which indirectly edits the config file). In this post, I will only explain the wizard-based option (as it is easier, faster and safer), but I'll show you the final contents of the config file.

Prerequisites

  1. Install or update the AWS CLI on your machine. The AWS CLI is compatible with Linux, macOS, and Windows, but please check for any specific requirements for those operating systems.
  2. IAM Identity Center has been configured, and you need at least one federated user.

Configure both an IAM Identity Center profile and sso-session for AWS CLI

We first need to collect some information that the aws configure sso wizard will request. To get it​, open the IAM Identity Center portal. Once logged in, find the AWS Account and permission set you want to use:

Click on Command line or programmatic access. This will open a pop-up window:

Copy the SSO Start URL and SSO Region values.

We can now configure the AWS CLI with a new profile and sso-session. In your terminal, run the aws configure sso command and enter the requested values. In this case, I'm giving the profile the name my-sso-profile:

aws configure sso --profile my-sso-profile
SSO session name (Recommended): my-sso-session-name
SSO start URL [None]: https://d-9XXXXXXXX8.awsapps.com/start#
SSO region [None]: eu-west-1
SSO registration scopes [sso:account:access]:

After entering the last value (I typed enter to use the default), the AWS CLI will open your default browser and begin the process in your IAM Identity Center account.

Back in the terminal, as this user can log into multiple accounts, I choose the one I'm interested in.

Then, the wizard prompts for the role I want to assume (if there's only one, it will be selected automatically, otherwise you'll see a prompt similar to the one used to choose the AWS Account).

Finally, you enter the CLI commands' default region and output format.

So, the final output of the aws configure sso --profile my-sso-profile command will look similar to this:

SSO session name (Recommended): my-sso-profile-name
SSO start URL [None]: https://d-9XXXXXXXX8.awsapps.com/start#
SSO region [None]: eu-west-1
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.eu-west-1.amazonaws.com/

Then enter the code:

JMCM-TVWQ
There are 3 AWS accounts available to you.
Using the account ID 05XXXXXXXX22
The only role available to you is: AWSPowerUserAccess
Using the role name "AWSPowerUserAccess"
CLI default client Region [None]: eu-west-1
CLI default output format [None]: json

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile my-sso-profile

If we inspect the config file, available at ~/.aws/config (on Linux or macOS) or %USERPROFILE%/.aws/config (on Windows), we can see this new content:

[profile my-sso-profile]
sso_session = my-sso-profile-name
sso_account_id = 05XXXXXXXX22
sso_role_name = AWSPowerUserAccess
region = eu-west-1
output = json
[sso-session my-sso-profile-name]
sso_start_url = https://d-9XXXXXXXX8.awsapps.com/start#
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

Using an IAM Identity Center profile with AWS CLI

Before you can run an AWS CLI command using an IAM Identity Center profile, the tool has to retrieve and cache a set of credentials (unless they are already cached). To do that, run the following command:

aws sso login --profile my-sso-profile

This will open your default browser and trigger the sign in process for your IAM Identity Center account. Once done, we can check our identity:

aws sts get-caller-identity  --profile my-sso-profile
{
    "UserId": "AROAQXWJINCBI321D5Q2Z:testuser@example.com",
    "Account": "05XXXXXXXX22",
    "Arn": "arn:aws:sts::05XXXXXXXX22:assumed-role/AWSReservedSSO_AWSPowerUserAccess_66bf52dee07107d7/testuser@example.com"
}
Note: You can temporarily disable the credentials by logging out with aws sso logout --profile my-sso-profile You can also sign back in with aws sso login --profile my-sso-profile

From now on, we can use that profile to run any AWS CLI command using the permissions of the IAM Identity Center federated user, e.g.:

aws s3 ls --profile my-sso-profile

Subscribe to Javier in the Cloud

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe