Simplified Configuration of SSO Profiles in AWS CLI Using SSO Sessions

For some time now, configuring Single Sign-On (SSO) profiles in AWS CLI has been simplified thanks to the introduction of SSO sessions. Traditionally, setting up SSO profiles required specifying the SSO endpoint for each profile individually. The new approach uses the sso-session section in the configuration file to group SSO endpoint variables, which profiles can reference. This avoids redundant information and makes the configuration process easier.

Benefits of Using SSO Sessions

SSO sessions offer several advantages over previous methods:

• Simplified configuration: Defining the sso-session section and linking it to a profile is easier than manually setting all the parameters.
• Automatic token refreshing: SSO sessions automatically renew access tokens, eliminating the need to manually refresh credentials. AWS CLI manages the token renewal process in the background using a "refresh token." When the access token expires (typically after an hour), AWS CLI uses the refresh token to obtain a new access token without user intervention. This allows uninterrupted work and removes the need to repeatedly log in, which is especially useful for long-running operations or background scripts.
• Reusable configuration: SSO session configurations can be shared across multiple profiles, making it easier to manage multiple accounts and roles.

Why Choose SSO Sessions Over IAM Users?

Using SSO sessions (IAM Identity Center) in AWS CLI offers significant advantages over traditional IAM users:

• Enhanced security: Authentication via IAM Identity Center eliminates the need to manage long-term access keys, commonly used with IAM users. With SSO sessions, credentials are short-lived and automatically renewed, significantly reducing the risk of leaks or misuse.
• Centralized access management: IAM Identity Center allows centralized management of user permissions through integration with existing identity providers (IdP), such as Microsoft Azure AD, or by creating your own user directory (I chose this option). Organizations can easily control access to multiple AWS accounts from a single place, facilitating audits and compliance with security policies.
• One login, multiple accounts: SSO sessions enable users to access all accounts within an AWS Organizations structure using a single set of credentials. This means users log in once to access multiple AWS accounts without needing to create separate IAM users for each account or assign multiple roles to individual users. This simplifies identity management and enhances user convenience by eliminating the need to remember multiple passwords.

Configuring a Profile Using the aws configure sso Wizard

The easiest way to configure an SSO profile using SSO sessions is with the aws configure sso wizard. This command guides users through the setup process, including:

1. Creating a session name, e.g., myorg.
2. Providing the IAM Identity Center start URL, e.g., https://myorg.awsapps.com/start.
3. Specifying the AWS region where the IAM Identity Center directory is located.
4. Defining the registration scope (optional).
5. Selecting the target account from a dropdown menu in the terminal (as shown in the image below).

After completing the process, a new entry will appear in the ~/.aws/config file with the following structure. Notice how the profile references the session.

[profile my-new-profile]
sso-session = myorg
sso-account-id = 123456789012
sso-role-name = AdministratorAccess

[sso-session myorg]
sso-start-url = https://myorg.awsapps.com/start
sso-region = us-east-1
sso-registration-scopes = sso:account:access

In practice, the new configuration differs from the old one in that sso-session can be reused across multiple profiles. Previously, everything had to be defined together, duplicating information across profiles in the same organization.

Here’s how the old configuration looked:

; old config, don't use it
[profile my-old-profile]
sso_start_url = https://myorg.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
credential_process = aws-sso-util credential-process --profile my-old-profile

Logging In and Using an SSO Profile

After configuring an SSO profile, users can log in using the aws sso login command. This command opens the default browser to authenticate the user. Once logged in, the credentials are cached, enabling AWS CLI to securely fetch AWS credentials for the specified IAM role.

Example usage of an SSO profile:

aws s3 ls --profile my-new-profile

If you use environment variables, you can still set the profile as the default:

export AWS_PROFILE=my-new-profile

BTW: I manage this setup with the direnv tool, allowing me to use different profiles in different directories.

Configuring Additional SSO Profiles

If you noticed in the screenshot, I have access to nine AWS accounts. To configure a profile for another account, I simply run the aws configure sso command again.

Then, I type the previously created SSO session name. This allows me to select another account from the list without re-entering the SSO URL or other session details. No manual edits or copying AWS account numbers from the web console to the config file are needed.

Logging Out of an SSO Session

After finishing with an SSO profile, users can log out using the aws sso logout command. This clears cached credentials.

My Experience with IAM Identity Center

In my AWS organization, I decided to enable IAM Identity Center specifically to use SSO sessions instead of IAM users with static access keys. I must admit, for many years, out of convenience and habit, I didn’t regularly rotate my access keys 😱 (see the image below). However, security concerns pushed me to change my approach. The new authentication method via SSO sessions is significantly more secure, eliminating risks associated with long-term access keys. I now sleep easier knowing my AWS accounts are better protected.

Gradual Transition to SSO and Temporary IAM Key Deactivation

When transitioning from IAM users with static access keys to SSO sessions, you can temporarily deactivate your access keys (Access Key and Secret Access Key) associated with the IAM user. Deactivation prevents the keys from being used for AWS operations but allows later reactivation without generating new keys. This approach provides flexibility during migration—you can configure SSO sessions on your system while disabling IAM keys as a security measure. If needed, you can quickly revert to traditional keys by reactivating them with one click in the AWS console. This makes the SSO migration process safer and less risky, allowing an emergency fallback to the old setup if required.

CloudPouch Supports the New SSO Profile Configuration

CloudPouch is an application for viewing costs and automatically identifying savings on AWS accounts. I’m excited to announce that starting with version 1.36.0, I’ve added support for the new SSO profiles, making it 100% compatible with configurations created by aws configure sso.

Summary

SSO sessions simplify the configuration and management of profiles in AWS CLI. Users can leverage the aws configure sso wizard to quickly and easily set up SSO sessions. This makes managing access to AWS resources more efficient, secure, and user-friendly.