Authentication

Create new AWS SSO profile

Profiles

A profile is a set of credentials that you can use to access AWS. You can have multiple profiles on your computer, each representing a set of credentials for a different AWS account or levels of access to the same account.

Access keys

If you can't log in with SSO, you can create a new set of access keys for your AWS account instead, and configure them by following the instructions in the AWS documentation.

Creating an SSO profile through the command line allows you to set up a new login for an AWS account and role. This setup only needs to be done once for each account and role you need to access.

Because the login expires after a while, we only need to re-authenticate when it does, without re-entering the profile details each time.

We have previously installed the awscli package, which provides the aws command line tool. Its aws configure sso subcommand is what we use to create the new SSO profile.

Creating the profile

Ensure that any default AWS_PROFILE environment variables are unset:

unset AWS_PROFILE
unset AWS_DEFAULT_PROFILE

Run the following command to start the creation of a new SSO profile:

aws configure sso

You will be prompted to enter the following information:

Prompt | Description | Value
-------|-------------|------
SSO session name (Recommended) | The name of the SSO session. You can set this to something useful. | Leave blank.
SSO start URL [None] | The URL of the AWS SSO portal. | https://osloorigo.awsapps.com/start
SSO region [None] | The AWS region where the AWS SSO portal is hosted. | eu-west-1

When you have filled in the four arguments, the AWS CLI attempts to open your default browser and begin the login process for your IAM Identity Center account:

Example output
SSO authorization page has automatically been opened in your default browser.
Follow the instructions in the browser to complete this authorization request.

If the AWS CLI cannot open the browser, the following message appears with instructions on how to manually start the login process.

Invalid_grant error message

If you do not set eu-west-1 as the SSO region, you will get an invalid_grant error message. If this happens, run the command again and set the correct region.

Example output
Using a browser, open the following URL:

https://my-sso-portal.awsapps.com/verify

and enter the following code:
QCFK-N451-3J3C

Once logged in from the browser, switch back to the terminal. It should ask which AWS account you want to use. Use the arrow keys to select the account and press Enter.

Example output
There are 2 AWS accounts available to you.
> DeveloperAccount, developer-account-admin@example.com (123456789011)
  ProductionAccount, production-account-admin@example.com (123456789022)

Next it will ask which role you want to use. Use the arrow keys to select the role and press Enter.

For the sake of this guide, select AWSAdministratorAccess:

Example output
Using the account ID 123456789011
There are 2 roles available to you.
> AWSAdministratorAccess
  OrigoReadOnlyAccess

Next it will ask for the default CLI client region. You set this once so that you do not have to specify which AWS region to use each time you run a command.

Select eu-west-1 and press Enter:

CLI default client Region [None]: eu-west-1

Next it will ask for the default output format for results from the AWS CLI. This is usually either json or text.

Select json and press Enter:

CLI default output format [None]: json

Finally it will ask you to name the profile. You can name it whatever you want, but we recommend using the following naming convention:

your_team_name-environment-aws_role_name-aws_account_id
Example profile name
barnehageplass-dev-AWSAdministratorAccess-123456789011

Type in the profile name and press Enter:

CLI profile name [...]: barnehageplass-dev-AWSAdministratorAccess-123456789011

The final output will be something like this:

Example output
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile barnehageplass-dev-AWSAdministratorAccess-123456789011

You have now completed the creation of a new SSO profile! ✨

To confirm that the profile was created, run the following command with the name of the profile you created:

Example command
aws configure list --profile barnehageplass-dev-AWSAdministratorAccess-123456789011

The output should look something like this:

Example output
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile barnehageplass-dev-AWSAdministratorAccess-123456789011           manual    --profile
access_key     ****************GNEL              sso
secret_key     ****************uY7i              sso
    region                eu-west-1      config-file    ~/.aws/config

Setting the default profile

Unless we set the profile as the default profile, we have to specify it on every command. To make it the default for the current shell session, export it:

export AWS_PROFILE=barnehageplass-dev-AWSAdministratorAccess-123456789011

If you would rather specify the profile each time you run a command, add the --profile argument to each command.

Example command
aws s3 ls --profile barnehageplass-dev-AWSAdministratorAccess-123456789011

Default profile

It's not advisable to set a default profile in your shell configuration as it can impede the ability to switch between profiles and increase the risk of inadvertently running commands on the wrong account, potentially causing severe issues.

Check out aws-profile-setter to make it easier to switch between profiles.

Log in to AWS

When we create a new SSO profile we are automatically logged in to AWS. However, the login will expire after a while. When the login expires, we need to re-authenticate.

This is simply done by running the following command:

Example command
aws sso login --profile barnehageplass-dev-AWSAdministratorAccess-123456789011
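As an added example that is not part of the original guide, the shell functions below use the recommended profile naming convention (the account id is the last field of the name) to guard against the wrong-account risk described in the Default profile note, and re-run aws sso login when the session has expired. They assume the awscli package from this guide is installed; the aws_use helper name and the JSON sample are constructed for illustration.

```shell
# Added example, not from the original guide. Uses the recommended naming
# convention (team-environment-role-accountid) to verify the resolved identity
# is in the account the profile name claims, and re-logs in when expired.

# Trailing account id of a profile name such as
# barnehageplass-dev-AWSAdministratorAccess-123456789011 (must be 12 digits).
profile_account_id() {
    id="${1##*-}"
    case "$id" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s\n' "$id" ;;
        *) return 1 ;;
    esac
}

# "Account" field of "aws sts get-caller-identity" JSON output (no jq needed).
identity_account() {
    printf '%s\n' "$1" | sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]*\)".*/\1/p'
}

# Succeeds only if the caller identity is in the account the profile name claims.
identity_matches_profile() {
    expected=$(profile_account_id "$1") || return 1
    actual=$(identity_account "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample of get-caller-identity output, used for the offline checks.
SAMPLE_IDENTITY='{
    "UserId": "AROAEXAMPLEID:developer@example.com",
    "Account": "123456789011",
    "Arn": "arn:aws:sts::123456789011:assumed-role/AWSAdministratorAccess/developer@example.com"
}'

# Check the SSO session for a profile, log in again if it has expired, and only
# export AWS_PROFILE when the resolved account matches the profile name.
aws_use() {
    profile="$1"
    if ! out=$(aws sts get-caller-identity --profile "$profile" 2>/dev/null); then
        echo "Session for $profile missing or expired, logging in..." >&2
        aws sso login --profile "$profile" || return 1
        out=$(aws sts get-caller-identity --profile "$profile") || return 1
    fi
    if identity_matches_profile "$profile" "$out"; then
        export AWS_PROFILE="$profile"
    else
        echo "Refusing $profile: identity is not in the account named in the profile" >&2
        return 1
    fi
}
```

Source the file in your shell and run aws_use with a profile name; a mismatch between the name and the real account stops before AWS_PROFILE is set.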