How to configure AWS CLI with AWS Identity Center authentication
In this tutorial, we will install the AWS CLI on a Linux virtual machine created with Multipass on our laptop.
You can also use a Multipass alternative such as VirtualBox or WSL to create the virtual machine.
Why a Linux virtual machine
You can install the AWS CLI directly on Mac or Windows, but installing it on a Linux virtual machine has these benefits:
- Access to all the Linux tools and utilities.
- You can delete the virtual machine and start from scratch if something goes wrong; the CLI configuration and its cached login tokens go with it, instead of lingering on your laptop.
- You can keep different versions of the CLI in different virtual machines.
Why install AWS CLI
You can use the AWS CLI without installing anything on your computer via the AWS CloudShell service.
But a locally installed CLI is useful for:
- Developing and running AWS CDK scripts.
- Accessing the CLI without opening a browser tab.
- Syncing files to S3 buckets from the local computer.
Prerequisites
To complete this tutorial you need:
- An IAM Identity Center user account.
- A Linux virtual machine.
- The unzip utility installed on the virtual machine.
Install AWS CLI
Log in to the virtual machine.
Download the AWS CLI binary. Replace <arch> with aarch64 for ARM CPUs or x86_64 for x86 CPUs.
curl "https://awscli.amazonaws.com/awscli-exe-linux-<arch>.zip" -o "awscliv2.zip"
The installer runs as root, so check the archive before running it. AWS publishes a detached PGP signature for every archive (the same URL with .sig appended) and the signing public key in the AWS CLI installation documentation; import the key and verify the signature with gpg, and stop here if the signature does not check out.
Unzip and install.
unzip awscliv2.zip
sudo ./aws/install
Verify the CLI is installed.
aws --version
If it is properly installed, you will get the CLI version.
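As an added example (not part of the original tutorial), the script below automates the steps above: it picks the archive for the VM's CPU, downloads the detached PGP signature AWS publishes next to it, verifies the signature, and only then runs the installer. It assumes the AWS CLI signing key from the AWS CLI installation documentation has already been imported into your gpg keyring; the architecture mapping and the curl/gpg/unzip sequence are the script's own, not something the installer provides.

```shell
#!/bin/sh
# Added example (not from the original tutorial): download the AWS CLI v2
# archive for this machine, verify AWS's detached PGP signature, then install.
# Assumption: the AWS CLI public signing key from the AWS CLI installation
# documentation has already been imported with `gpg --import`.

# awscli_arch MACHINE
# Map the kernel machine name (what `uname -m` prints) to the tag AWS uses in
# the download URL; refuse anything else instead of guessing.
awscli_arch() {
  case "$1" in
    x86_64|amd64)  echo x86_64 ;;
    aarch64|arm64) echo aarch64 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# awscli_url MACHINE
# Build the download URL for the given machine name.
awscli_url() {
  arch=$(awscli_arch "$1") || return 1
  echo "https://awscli.amazonaws.com/awscli-exe-linux-${arch}.zip"
}

# install_awscli
# Fetch the archive and its .sig, verify, unzip and run the installer. The
# --update flag lets the installer overwrite an existing installation.
install_awscli() {
  url=$(awscli_url "$(uname -m)") || return 1
  curl -fsSL "$url" -o awscliv2.zip || return 1
  curl -fsSL "${url}.sig" -o awscliv2.sig || return 1
  # gpg exits non-zero on a bad or missing signature. A "not certified with a
  # trusted signature" warning next to "Good signature" is expected for a key
  # you imported but did not sign yourself, and is not a failure.
  if ! gpg --verify awscliv2.sig awscliv2.zip; then
    echo "signature verification failed; not installing" >&2
    rm -f awscliv2.zip awscliv2.sig
    return 1
  fi
  unzip -q -o awscliv2.zip || return 1
  sudo ./aws/install --update || return 1
  aws --version
}
```

Source the file and run install_awscli on the VM. Because the signature check happens before unzip and before sudo, a tampered or truncated download never reaches the installer.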
Configure AWS CLI
There are several authentication mechanisms the CLI can use to authenticate with AWS. We will use the IAM Identity Center (SSO) method, which never stores long-lived access keys on the machine.
Run aws configure sso to configure the authentication parameters.
$ aws configure sso
SSO session name (Recommended): dev
SSO start URL [None]: https://xxxxxxx.awsapps.com/start
SSO region [None]: us-west-2
SSO registration scopes [sso:account:access]:
aws configure sso is an interactive command and prompts for four parameters.
SSO session name - Enter a name for the SSO session. I have used the name dev.
SSO start URL - Enter your IAM Identity Center login URL.
SSO region - Enter the region where your IAM Identity Center instance is configured.
SSO registration scopes - Leave as default.
The AWS CLI will try to open a browser with the URL shown below. On a headless virtual machine (no GUI) it cannot open a browser window, so copy the URL and open it in a browser on your laptop.
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-west-2.amazonaws.com/
Then enter the code:
ABCD-EFGH
The browser redirects to your IAM Identity Center login page if you are not already signed in. Log in with your IAM Identity Center user account.
When prompted, enter the code ABCD-EFGH. (You get a unique code each time you run aws configure sso.)
The browser then asks you to allow botocore-client. Click the Allow button.
Only approve a request you started yourself a moment ago, and check that the code the browser shows matches the one in your terminal: clicking Allow hands whoever ran the command an access token for your IAM Identity Center user.
Go back to the terminal and respond to the prompts as described below.
The only AWS account available to you is: xxxxxxxxxxxxx
Using the account ID xxxxxxxxxxxxx
There are 2 roles available to you.
> ViewOnlyAccess
AdministratorAccess
CLI default client Region [None]: us-west-2
CLI default output format [None]:
CLI profile name [AdministratorAccess-xxxxxxxxxxxxx]: admin
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile admin
AWS account - If multiple AWS accounts are associated with your IAM Identity Center user, the CLI prompts you to choose one. If you have only one AWS account, it is selected by default.
IAM Identity Center role - If you have more than one role, the CLI prompts you to select one. Pick the least privileged role that covers your day-to-day work; you can add a separate profile for an administrator role later.
CLI default client region - Enter the region you want as the default for running CLI commands. This can differ from the region in which your IAM Identity Center instance is configured.
CLI default output format - By default, the CLI output format is json. You can select text, table, or yaml instead.
CLI profile name - Give a name to this authentication profile.
The AWS CLI stores the configuration parameters in ~/.aws/config.
After the configure sso command completes, check the contents of the config file.
$ cat .aws/config
[profile admin]
sso_session = dev
sso_account_id = xxxxxxxxxxxxx
sso_role_name = AdministratorAccess
region = us-west-2
[sso-session dev]
sso_start_url = https://xxxxxxxx.awsapps.com/start
sso_region = us-west-2
sso_registration_scopes = sso:account:access
We have the admin profile and the dev sso-session configured. The config file holds no secrets: the access and refresh tokens obtained at login are cached separately under ~/.aws/sso/cache, so treat that directory, and the VM it lives on, as sensitive.
Log into AWS via CLI
Log into your IAM Identity Center user account from the CLI.
$ aws sso login --sso-session dev
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-west-2.amazonaws.com/
Then enter the code:
ABCD-EFGH
Open the URL in a browser window, confirm the code matches the one in your terminal, and enter it.
On the next screen click Allow to grant access to botocore-client.
If authentication is successful, you will get this output in the terminal.
Successfully logged into Start URL: https://xxxxxxxx.awsapps.com/start
Run CLI command
Run a CLI command.
aws ec2 describe-vpcs --profile admin
This command prints the VPC details in the default region, us-west-2, as configured in our profile.
Command execution may fail if the clock in the virtual machine is wrong: AWS rejects signed requests whose timestamp is more than a few minutes off from its own with a RequestTimeTooSkewed error. Adjust the time or configure NTP synchronization on the VM if you see that error.
Use the --region option to run a command in a different region.
aws ec2 describe-vpcs --profile admin --region us-east-1
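The login step above and the commands that follow are usually typed by hand, and the first sign that the SSO token has expired is a failed command. As an added example that is not part of the original tutorial, the wrapper below probes the profile with aws sts get-caller-identity, runs aws sso login for the session only when that probe fails, and then runs the requested command with --profile. It assumes the profile and session names from this page (admin and dev) and an AWS CLI v2 on PATH; the probe-then-login logic is the wrapper's own design, not CLI behaviour.

```shell
#!/bin/sh
# Added example (not from the original tutorial): a small wrapper around the
# AWS CLI for IAM Identity Center profiles. Assumes the profile "admin" and
# sso-session "dev" from the page and that `aws` (CLI v2) is on PATH.

# ensure_sso_session PROFILE SESSION
# Succeeds if PROFILE can obtain credentials right now; otherwise runs
# `aws sso login` for SESSION (the device-code flow) and probes again.
# `sts get-caller-identity` is used as the probe because it needs no IAM
# permissions beyond valid credentials.
ensure_sso_session() {
  profile=$1
  session=$2
  if aws sts get-caller-identity --profile "$profile" >/dev/null 2>&1; then
    return 0
  fi
  echo "No valid credentials for profile '$profile'; starting SSO login for session '$session'" >&2
  aws sso login --sso-session "$session" || return 1
  aws sts get-caller-identity --profile "$profile" >/dev/null 2>&1
}

# with_sso PROFILE SESSION COMMAND...
# Run an AWS CLI command with --profile PROFILE, logging in first if needed.
# Example: with_sso admin dev ec2 describe-vpcs --region us-east-1
with_sso() {
  profile=$1
  session=$2
  shift 2
  ensure_sso_session "$profile" "$session" || return 1
  aws "$@" --profile "$profile"
}
```

Source the file and call with_sso admin dev ec2 describe-vpcs; the browser prompt appears only when the cached token is missing or expired. When you are done for the day, run aws sso logout, which removes the cached tokens from ~/.aws/sso/cache so they cannot be reused from a copy of the VM.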
Create a second profile
You can create multiple profiles in ~/.aws/config by running the aws configure sso command again.
This is how I created a user profile for the same AWS account using the ViewOnlyAccess role.
$ aws configure sso
SSO session name (Recommended): dev
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-west-2.amazonaws.com/
Then enter the code:
ABCD-EFGH
The only AWS account available to you is: 152575339345
Using the account ID 152575339345
There are 2 roles available to you.
Using the role name "ViewOnlyAccess"
CLI default client Region [None]: us-west-2
CLI default output format [None]:
CLI profile name [ViewOnlyAccess-152575339345]: user
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile user
I used the same session name, dev, for the SSO session name, so both profiles share one login.
If more than one AWS account is associated with your IAM Identity Center user, you can create a profile for each account by running the aws configure sso command again.
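A [profile ...] section and its [sso-session ...] section (shown earlier in the config file listing) are linked only by name, and each run of aws configure sso appends more sections, so a config file collects profiles over time. As an added example that is not part of the original tutorial, the script below lists every profile with its session, account and role, and warns about any profile that points at an sso-session that is not defined (a mistake that otherwise surfaces only as a confusing error at login). The sample config is constructed for the demonstration with a made-up account id and a deliberately broken stale profile.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the SSO profiles in an
# AWS CLI config file. Parsing is done with awk; the file format is the one
# `aws configure sso` writes.

# list_sso_profiles CONFIG_FILE
# Prints "profile session account role" for each [profile ...] section and
# warns on stderr when a profile's sso_session has no [sso-session ...] block.
list_sso_profiles() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function flush() {
      if (name != "") {
        printf "%s %s %s %s\n", name, sess, acct, role
        if (sess != "-") wants[name] = sess
      }
      name = ""; sess = "-"; acct = "-"; role = "-"
    }
    /^\[profile /     { flush(); name = trim(substr($0, 10)); sub(/\]$/, "", name); next }
    /^\[sso-session / { flush(); s = trim(substr($0, 14)); sub(/\]$/, "", s); sessions[s] = 1; next }
    /^\[/             { flush(); next }
    name != "" && index($0, "=") > 0 {
      k = trim(substr($0, 1, index($0, "=") - 1))
      v = trim(substr($0, index($0, "=") + 1))
      if (k == "sso_session")         sess = v
      else if (k == "sso_account_id") acct = v
      else if (k == "sso_role_name")  role = v
    }
    END {
      flush()
      for (p in wants) if (!(wants[p] in sessions))
        printf "WARNING: profile %s refers to sso-session %s, which is not defined\n", p, wants[p] > "/dev/stderr"
    }
  ' "$1"
}

# sample_config
# Constructed sample in the format shown on the page; the account id is made
# up and the "stale" profile deliberately points at a session that is missing.
sample_config() {
  cat <<'EOF'
[profile admin]
sso_session = dev
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-west-2

[profile user]
sso_session = dev
sso_account_id = 111111111111
sso_role_name = ViewOnlyAccess
region = us-west-2

[profile stale]
sso_session = old
sso_account_id = 111111111111
sso_role_name = ViewOnlyAccess

[sso-session dev]
sso_start_url = https://example.awsapps.com/start
sso_region = us-west-2
sso_registration_scopes = sso:account:access
EOF
}

# Usage on a real machine: list_sso_profiles ~/.aws/config
```

On the sample, the script prints the admin, user and stale profiles and warns that stale refers to the undefined session old. Piping the output through grep AdministratorAccess is a quick way to see which profiles carry an administrator role, which is useful when deciding which profile to make the default.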
Wrapping up
In this tutorial, we installed the AWS CLI on a Linux virtual machine running on our laptop. Then, we configured IAM Identity Center authentication for the CLI, so no long-lived access keys are stored on the machine.
In an upcoming tutorial, we will use this setup to write CDK scripts that manage AWS infrastructure.