IAM Identity Center (formerly AWS Single Sign-On, or AWS SSO) enables you to centrally manage workforce access to multiple AWS accounts and applications via single sign-on.
IAM Identity Center setup
(1) Confirm your identity source
The identity source is where you administer users and groups, and it is the service that authenticates your users. By default, IAM Identity Center creates an Identity Center directory.
(2) Manage permissions for multiple AWS accounts
Give users and groups access to specific AWS accounts in your organization.
(3) Set up application user and group assignments
Give users and groups access to specific applications configured to work with IAM Identity Center.
(4) Register a delegated administrator
Delegate the ability to manage IAM Identity Center to a member account in your AWS organization.
AWS SSO Authentication
When you run aws sso login, the CLI starts an OAuth 2.0 device-authorization flow (recent CLI versions can use the authorization-code grant with PKCE instead) against the IAM Identity Center instance named by the profile's sso_start_url: it opens your browser, you authenticate with the configured identity source, and the CLI receives an access token that it caches under ~/.aws/sso/cache/. That token is not itself an AWS credential. When you later run a CLI command with the profile, the CLI presents the token to Identity Center (the GetRoleCredentials API) and receives short-lived credentials for the account and permission set the profile names, caching them under ~/.aws/cli/cache/. Despite the name of the subcommand, nothing here talks to a separate legacy service: AWS SSO was renamed IAM Identity Center in July 2022, and aws sso login talks to that.
aws sso login --profile my_profile
The profile named in aws sso login --profile my_profile must be defined in your AWS CLI configuration file: ~/.aws/config on Linux/macOS or %USERPROFILE%\.aws\config on Windows.
To define or create an SSO profile, use the interactive command:
aws configure sso --profile my_profile
This command prompts for an SSO session name, the start URL, the Identity Center region and the registration scopes, opens your browser so you can sign in, then lets you pick an account and role (permission set) from those you are authorised for, and writes the result into ~/.aws/config.
A typical SSO profile configuration in ~/.aws/config might look like:
[profile my_profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess

[sso-session my-sso]
sso_start_url = https://myorg.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
Never put an SSO profile in ~/.aws/credentials: that file holds static long-term access keys, which an SSO profile does not have. The SSO settings live only in ~/.aws/config, and the short-lived credentials the CLI derives from them are cached under ~/.aws/cli/cache/ rather than written to the credentials file.
After defining it, aws sso login --profile my_profile uses the details in ~/.aws/config to start the login. The cached access token is a bearer token valid for the whole session: anyone who can read ~/.aws/sso/cache/ can obtain credentials for every account and role you are assigned, so treat that directory like a private key and run aws sso logout when you are done; it removes the cached token and role credentials.
The simplest way to create such a profile is aws configure sso with the profile name you want, as shown above.
Once an sso-session section exists you can reuse it from any number of profiles by referencing the same sso_session name; each profile then needs only its own sso_account_id and sso_role_name, and a single login for that session covers all of them.
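As an added example (not AWS tooling, and not part of the original page), the script below checks that a profile in an AWS CLI config file is a usable SSO profile before you attempt aws sso login: it resolves the profile's sso_session to its sso-session section, verifies that the account ID is 12 digits, that a role name is set, and that the session has an https start URL and a region. The sample config it writes is constructed for the example; the function names ini_get, check_sso_profile and write_sample_config are this example's own.

```shell
#!/bin/sh
# Added example (not AWS tooling): sanity-check an SSO profile in an AWS CLI
# config file before running `aws sso login --profile <name>`.
# Assumes the [profile ...] / [sso-session ...] layout shown above; the
# sample config below is constructed for this example.

# write_sample_config FILE: write the constructed sample config to FILE.
# my_profile is complete; broken_profile has a short account ID and points
# at an sso-session that does not exist.
write_sample_config() {
  cat > "$1" <<'EOF'
[profile my_profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess

[profile broken_profile]
sso_session = missing-session
sso_account_id = 12345
sso_role_name = ReadOnlyAccess

[sso-session my-sso]
sso_start_url = https://myorg.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
EOF
}

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or
# nothing if the section or key is absent. Accepts "key = value" and
# "key=value"; the first match wins.
ini_get() {
  awk -v want="[$2]" -v key="$3" '
    index($0, "[") == 1 { insec = ($0 == want); next }
    insec {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
      if (k != key) next
      v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
      print v; exit
    }
  ' "$1"
}

# check_sso_profile FILE PROFILE: return 0 if PROFILE is a complete SSO
# profile whose sso-session exists and is well formed; otherwise report each
# problem on stderr and return 1.
check_sso_profile() {
  file=$1 prof=$2 rc=0
  session=$(ini_get "$file" "profile $prof" sso_session)
  if [ -z "$session" ]; then
    echo "$prof: no sso_session (profile missing, or not an SSO profile)" >&2
    return 1
  fi
  acct=$(ini_get "$file" "profile $prof" sso_account_id)
  echo "$acct" | grep -Eq '^[0-9]{12}$' \
    || { echo "$prof: sso_account_id '$acct' is not a 12-digit account ID" >&2; rc=1; }
  [ -n "$(ini_get "$file" "profile $prof" sso_role_name)" ] \
    || { echo "$prof: missing sso_role_name" >&2; rc=1; }
  url=$(ini_get "$file" "sso-session $session" sso_start_url)
  case $url in
    https://*) ;;
    "") echo "$prof: sso-session '$session' is missing or has no sso_start_url" >&2; rc=1 ;;
    *)  echo "$prof: sso_start_url must use https (got '$url')" >&2; rc=1 ;;
  esac
  [ -n "$(ini_get "$file" "sso-session $session" sso_region)" ] \
    || { echo "$prof: sso-session '$session' has no sso_region" >&2; rc=1; }
  return $rc
}

# Demo against the constructed sample: my_profile passes, broken_profile fails.
sample=$(mktemp)
write_sample_config "$sample"
for p in my_profile broken_profile; do
  if check_sso_profile "$sample" "$p"; then echo "$p: OK"; else echo "$p: FAIL"; fi
done
rm -f "$sample"
```

To check a real file, point check_sso_profile at ~/.aws/config and your profile name. The script only inspects the file; the real confirmation that login worked and that the profile resolves to the role you expect is aws sts get-caller-identity --profile my_profile after aws sso login.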
...