Authentication
Create new AWS SSO profile
Profiles
A profile is a set of credentials that you can use to access AWS. You can have multiple profiles on your computer, each representing a set of credentials for a different AWS account, or for different levels of access to the same account.
Access keys
If you can't log in with SSO, you can create a new set of access keys for your AWS account and configure them by following the instructions in the AWS documentation.
Creating an SSO profile through the command line allows you to set up a new login for an AWS account and role. This setup only needs to be done once for each account and role you need to access.
The login expires after a while; when it does, we only need to re-authenticate, without having to re-enter the profile details each time.
We have previously installed the `awscli` package. This package provides the command line tool `aws`, whose `aws configure sso` subcommand we can use to create the new SSO profile.
Creating the profile
Ensure that the `AWS_PROFILE` environment variable is unset, so that no existing default profile interferes with the new setup:
Run the following command to start the creation of a new SSO profile:
You will be prompted to enter the following information:
| Prompt | Description | Value |
|---|---|---|
| SSO session name (Recommended) | The name of the SSO session. You can set this to something useful. | Leave blank. |
| SSO start URL [None] | The URL of the AWS SSO portal. | https://osloorigo.awsapps.com/start |
| SSO region [None] | The AWS region where the AWS SSO portal is hosted. | eu-west-1 |
When you have filled in the four arguments, the AWS CLI attempts to open your default browser and begin the login process for your IAM Identity Center account:
```text
SSO authorization page has automatically been opened in your default browser.
Follow the instructions in the browser to complete this authorization request.
```
If the AWS CLI cannot open the browser, the following message appears with instructions on how to manually start the login process.
Invalid_grant error message
If you fail to set `eu-west-1` as the SSO region, you will get an `invalid_grant` error message. If this happens, you will have to run the command again and set the correct region.
```text
Using a browser, open the following URL:
https://my-sso-portal.awsapps.com/verify
and enter the following code:
QCFK-N451-3J3C
```
Once logged in from the browser, switch back to the terminal. It should ask which AWS account you want to use. Use the arrow keys to select the account and press Enter.
```text
There are 2 AWS accounts available to you.
> DeveloperAccount, developer-account-admin@example.com (123456789011)
  ProductionAccount, production-account-admin@example.com (123456789022)
```
Next it will ask which role you want to use. Use the arrow keys to select the role and press Enter. For the sake of this guide, select `AWSAdministratorAccess`:
```text
Using the account ID 123456789011
There are 2 roles available to you.
> AWSAdministratorAccess
  OrigoReadOnlyAccess
```
Next it will ask for the default CLI client region. You set this once for the convenience of not having to specify which AWS region you want to use each time you run a command.
Select `eu-west-1` and press Enter:
Next it will ask for the default output format for results from the AWS CLI. This is usually either `json` or `text`.
Select `json` and press Enter:
Finally it will ask you to name the profile. You can name it whatever you want, but we recommend using the following naming convention:
Type in the profile name and press Enter:
The final output will be something like this:
```text
To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile barnehageplass-dev-AWSAdministratorAccess-123456789011
```
You have now completed the creation of a new SSO profile!
To confirm that the profile was created, run the following command with the name of the profile you created:
The output should look something like this:
```text
      Name                      Value             Type    Location
      ----                      -----             ----    --------
   profile  barnehageplass-dev-AWSAdministratorAccess-123456789011  manual  --profile
access_key     ****************GNEL               sso
secret_key     ****************uY7i               sso
    region                eu-west-1          config-file    ~/.aws/config
```
Setting the default profile
If we don't set the profile as the default profile, we will have to specify the profile each time we run a command:
If you would rather specify the profile each time you run a command, you will have to add the `--profile` argument to each command.
Default profile
It's not advisable to set a default profile in your shell configuration as it can impede the ability to switch between profiles and increase the risk of inadvertently running commands on the wrong account, potentially causing severe issues.
Check out aws-profile-setter to make it easier to switch between profiles.
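As an added example (not part of the original guide or of the AWS CLI), the POSIX shell functions below check two things the steps above depend on: before running `aws configure sso`, that no `AWS_PROFILE` is exported, and afterwards, that every SSO profile written to `~/.aws/config` uses eu-west-1 as its SSO region (the invalid_grant pitfall) and is named so that it ends in its role name and account ID, as the profile name in the output above does. It assumes the inline SSO profile format the CLI writes when the session name is left blank, and the config it audits is a constructed sample rather than a real file.

```shell
# Added example, not from the original guide. Offline sanity checks for the SSO
# profile procedure above; the config in write_sample_config is constructed.
EXPECTED_SSO_REGION="eu-west-1"
# 0 if AWS_PROFILE is not exported (safe to run `aws configure sso`), else 1.
profile_env_is_clean() { [ -z "${AWS_PROFILE:-}" ]; }

# Audit SSO profiles in an AWS config file (inline format, written when the
# session name is left blank). Flags an sso_region other than the expected one
# (those profiles fail with invalid_grant at login) and names that do not end in
# -<sso_role_name>-<sso_account_id>. Returns 1 if anything was flagged;
# profiles without sso_account_id (access-key profiles) are skipped.
audit_sso_config() {
  awk -v want="$EXPECTED_SSO_REGION" '
    function flush() {
      if (name == "" || acct == "") return
      if (region != want) { print name " sso_region=" region " (expected " want ")"; bad = 1 }
      if (name !~ ("-" role "-" acct "$")) { print name " name does not end in -" role "-" acct; bad = 1 }
    }
    /^\[profile / { flush(); name = $0; sub(/^\[profile /, "", name); sub(/]$/, "", name)
                    region = ""; role = ""; acct = ""; next }
    /^\[/         { flush(); name = ""; next }
    name != "" && /^[a-z_]+ *=/ {
      key = $0; sub(/ *=.*/, "", key); val = $0; sub(/^[^=]*= */, "", val)
      if (key == "sso_region") region = val
      else if (key == "sso_role_name") role = val
      else if (key == "sso_account_id") acct = val
    }
    END { flush(); exit (bad ? 1 : 0) }' "$1"
}

# Constructed sample config: one good profile, one with the wrong SSO region,
# one that ignores the naming convention, and one plain access-key profile.
write_sample_config() {
  cat > "$1" <<'EOF'
[profile barnehageplass-dev-AWSAdministratorAccess-123456789011]
sso_region = eu-west-1
sso_account_id = 123456789011
sso_role_name = AWSAdministratorAccess
region = eu-west-1
[profile wrong-region-dev-OrigoReadOnlyAccess-123456789022]
sso_region = us-east-1
sso_account_id = 123456789022
sso_role_name = OrigoReadOnlyAccess
[profile prod-admin]
sso_region = eu-west-1
sso_account_id = 123456789022
sso_role_name = AWSAdministratorAccess
[profile keys-only]
region = eu-west-1
EOF
}
```

Run `audit_sso_config ~/.aws/config` after `aws configure sso` finishes; a non-zero exit with the offending profile names printed means the profile should be recreated before it is used.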
Log in to AWS
When we create a new SSO profile we are automatically logged in to AWS. However, the login will expire after a while. When the login expires, we need to re-authenticate.
This is simply done by running the following command: