Mar 11, 2024

How to configure AWS CLI with AWS Identity Center authentication

In this tutorial, we will install the AWS CLI on a Linux virtual machine created with Multipass on our laptop.

You can also use Multipass alternatives such as VirtualBox or WSL to create the virtual machine.

Why a Linux virtual machine

You can install the AWS CLI directly on Mac or Windows, but installing it on a Linux virtual machine gives you these benefits:

  1. Access to all the Linux tools and utilities.
  2. You can delete the virtual machine and start from scratch if something goes wrong.
  3. You can keep different versions of the CLI in different virtual machines.

Why install AWS CLI

You can use the AWS CLI without installing anything on your computer via the AWS CloudShell service.

But a locally installed CLI is useful for:

  1. Developing and running AWS CDK scripts.
  2. Easily accessing the CLI without opening a browser tab.
  3. Syncing files to S3 buckets from the local computer.

Prerequisites

To complete this tutorial you need:

  1. An IAM Identity Center user account.
  2. A Linux virtual machine.
  3. The unzip utility installed on the virtual machine.

Install AWS CLI

Log in to the virtual machine.

Download the AWS CLI binary. Replace <arch> with aarch64 for ARM CPUs and with x86_64 for x86 CPUs.

curl "https://awscli.amazonaws.com/awscli-exe-linux-<arch>.zip" -o "awscliv2.zip"

Unzip and install.

unzip awscliv2.zip
sudo ./aws/install

Verify the CLI is installed.

aws --version

If it’s properly installed, you will get the CLI version.
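The install steps above as a single script, added here as an example and not part of the original tutorial: it picks the bundle for the VM's CPU from uname -m and checks the bundle's detached GPG signature before running the installer. It assumes curl, unzip and gpg are installed and that the AWS CLI public key from the AWS CLI documentation has already been imported into the local keyring; AWSCLI_VERIFY and AWSCLI_DO_INSTALL are this script's own switches.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: install AWS CLI v2 on a
# Linux VM, choosing the bundle for this CPU automatically and verifying the
# download's detached GPG signature before running the installer.
# Assumes curl, unzip and gpg are installed and that the AWS CLI public key
# from the AWS CLI documentation has been imported into the local keyring.
# AWSCLI_VERIFY and AWSCLI_DO_INSTALL are this script's own switches.
set -eu

# Map `uname -m` output to the architecture name used in the download URL.
awscli_arch() {
    case "$1" in
        x86_64|amd64)  echo x86_64 ;;
        aarch64|arm64) echo aarch64 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Download URL for a given architecture name.
awscli_url() {
    echo "https://awscli.amazonaws.com/awscli-exe-linux-$1.zip"
}

# Download, verify, install (default location /usr/local/aws-cli) and report
# the installed version.
install_awscli() {
    arch=$(awscli_arch "$(uname -m)")
    url=$(awscli_url "$arch")
    workdir=$(mktemp -d)
    cd "$workdir"
    curl -fsSL "$url" -o awscliv2.zip
    if [ "${AWSCLI_VERIFY:-1}" = 1 ]; then
        # AWS publishes a detached signature next to each bundle at <url>.sig.
        curl -fsSL "$url.sig" -o awscliv2.zip.sig
        gpg --verify awscliv2.zip.sig awscliv2.zip
    fi
    unzip -q awscliv2.zip
    sudo ./aws/install
    cd / && rm -rf "$workdir"
    aws --version
}

# The install only runs when explicitly requested, so the file can be sourced
# and read without side effects.
if [ "${AWSCLI_DO_INSTALL:-0}" = 1 ]; then
    install_awscli
fi
```

Run it as AWSCLI_DO_INSTALL=1 sh install-awscli.sh; if the signing key is not in your keyring, gpg --verify fails and the installer never runs, which is the intended behaviour.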

Configure AWS CLI

There are several authentication mechanisms that the CLI can use to authenticate with AWS. We will use the AWS Identity Center authentication method.

Run aws configure sso to configure the authentication parameters.

$ aws configure sso
SSO session name (Recommended): dev
SSO start URL [None]: https://xxxxxxx.awsapps.com/start
SSO region [None]: us-west-2
SSO registration scopes [sso:account:access]:

aws configure sso is an interactive command and will prompt for four parameters.

SSO session name - Enter a name for the SSO session. I have used the name dev.

SSO Start URL - Enter your AWS Identity Center login URL.

SSO region - Enter the region where your AWS Identity Center is configured.

SSO registration scopes - Leave as default.

The AWS CLI will try to open a browser with the URL shown below. Since we are on a headless virtual machine (no GUI), the AWS CLI cannot open a browser window.

Copy this URL and open it in a browser on your laptop.

Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-west-2.amazonaws.com/

Then enter the code:

ABCD-EFGH

The browser will redirect to your AWS Identity Center login page if you are not already signed in. Log in with your AWS Identity Center user account.

When prompted enter the code ABCD-EFGH. (You will get a unique code each time you run aws configure sso.)

Then, the browser will prompt you to allow botocore-client. Click the Allow button.

Go back to the terminal and respond to the prompts as described below.

The only AWS account available to you is: xxxxxxxxxxxxx
Using the account ID xxxxxxxxxxxxx
There are 2 roles available to you.
> ViewOnlyAccess        
  AdministratorAccess  
CLI default client Region [None]: us-west-2
CLI default output format [None]:
CLI profile name [AdministratorAccess-xxxxxxxxxxxxx]: admin

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile admin 

AWS Account - If multiple AWS accounts are associated with your AWS Identity Center user, the CLI will prompt you to choose one account. If you have only one AWS account, it will be selected by default.

IAM Identity Center role - If you have more than one role, the CLI will prompt you to select one.

CLI default client Region - Enter the region that you wish to set as the default region for running CLI commands. This can be different from the region in which your AWS Identity Center is configured.

CLI default output format - By default, the CLI output format is json. You can select text, table, or yaml as alternatives.

CLI profile name - Give a name for this authentication profile.

The AWS CLI stores the configuration parameters in ~/.aws/config.

After the aws configure sso command completes, check the contents of the config file.

$ cat .aws/config 
[profile admin]
sso_session = dev
sso_account_id = xxxxxxxxxxxxx
sso_role_name = AdministratorAccess
region = us-west-2
[sso-session dev]
sso_start_url = https://xxxxxxxx.awsapps.com/start
sso_region = us-west-2
sso_registration_scopes = sso:account:access

We now have the admin profile and the dev sso-session configured.

Log into AWS via CLI

Log into your AWS Identity Center user account from the CLI.

$ aws sso login --sso-session dev
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-west-2.amazonaws.com/

Then enter the code:

ABCD-EFGH

Open the prompted URL in a browser window and enter the code. On the next screen, click Allow to grant access to botocore-client.

If authentication is successful, you’ll get this output in the terminal.

Successfully logged into Start URL: https://xxxxxxxx.awsapps.com/start

Run CLI command

Run a CLI command.

aws ec2 describe-vpcs --profile admin

This command prints the VPC details in the default region, us-west-2, according to the configuration in our profile.

Command execution may fail if the time in the virtual machine is incorrect. Adjust the time or configure NTP synchronization if you get a RequestTimeTooSkewed error.
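An added example for the clock problem above (not from the original tutorial): it compares the VM's clock with the Date header returned by the regional STS endpoint, so you can measure the skew before the CLI reports RequestTimeTooSkewed. Signed requests are rejected when the request timestamp is more than 15 minutes from AWS's clock; the script warns at 300 seconds, a threshold chosen here. It assumes curl and GNU date (Linux) or BSD date (macOS); AWS_CLOCK_CHECK is this script's own switch.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: measure the clock skew
# between this VM and AWS before running CLI commands. SigV4-signed requests
# are rejected (RequestTimeTooSkewed) when the request timestamp is more than
# 15 minutes from AWS's clock; a VM that was suspended, or that has no NTP
# source, drifts past that without any local symptom.
# Assumes curl plus GNU date (Linux) or BSD date (macOS).
set -eu

# Convert an RFC 1123 HTTP Date value, e.g. "Mon, 11 Mar 2024 10:00:00 GMT",
# to Unix epoch seconds. Tries GNU date first, then the BSD form.
http_date_to_epoch() {
    date -u -d "$1" +%s 2>/dev/null \
        || date -u -j -f '%a, %d %b %Y %H:%M:%S %Z' "$1" +%s
}

# Absolute difference in seconds between a remote HTTP Date value and a local
# epoch time.
skew_seconds() {
    remote=$(http_date_to_epoch "$1")
    local_epoch=$2
    if [ "$remote" -gt "$local_epoch" ]; then
        echo $((remote - local_epoch))
    else
        echo $((local_epoch - remote))
    fi
}

# Fetch the Date header from the STS endpoint of the region in use and compare
# it with the VM clock. Returns non-zero when the skew exceeds the limit.
check_aws_clock() {
    region=${1:-us-west-2}
    limit=${2:-300}   # warn well inside the 15-minute signature window
    url="https://sts.$region.amazonaws.com/"
    hdr=$(curl -sI "$url" | tr -d '\r' | awk -F': ' 'tolower($1)=="date" {print $2}')
    [ -n "$hdr" ] || { echo "no Date header from $url" >&2; return 1; }
    skew=$(skew_seconds "$hdr" "$(date -u +%s)")
    echo "clock skew vs AWS ($region): ${skew}s"
    if [ "$skew" -gt "$limit" ]; then
        echo "skew exceeds ${limit}s: enable NTP (e.g. timedatectl set-ntp true) before using the CLI" >&2
        return 1
    fi
}

# Only contact AWS when explicitly requested.
if [ "${AWS_CLOCK_CHECK:-0}" = 1 ]; then
    check_aws_clock "${AWS_REGION:-us-west-2}"
fi
```

Run it as AWS_CLOCK_CHECK=1 sh check-clock.sh; the same check works from any host, so it is also a quick way to tell a clock problem apart from a credential problem when a command fails.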

We can use the --region parameter to run a command in a different region.

aws ec2 describe-vpcs --profile admin --region us-east-1

Create a second profile

You can create multiple profiles in ~/.aws/config by running the aws configure sso command for each one.

This is how I created a user profile for the same AWS account using the ViewOnlyAccess role.

$ aws configure sso
SSO session name (Recommended): dev
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-west-2.amazonaws.com/

Then enter the code:

ABCD-EFGH

The only AWS account available to you is: 152575339345
Using the account ID 152575339345
There are 2 roles available to you.
Using the role name "ViewOnlyAccess"
CLI default client Region [None]: us-west-2
CLI default output format [None]:
CLI profile name [ViewOnlyAccess-152575339345]: user

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile user

I have used the same session name dev as input to the SSO session name.

If you have more than one AWS account associated with your AWS Identity Center user, you can create a profile for each account by running the aws configure sso command.
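An added example (not the tutorial's own code) that serves both the config file shown earlier and the second profile just created: it lists every SSO profile in a config file with the session, account and role it maps to, and resolves a profile to the identity AWS actually sees via aws sts get-caller-identity. The sample config it writes is constructed from the values on this page; list_sso_profiles, whoami_profile, write_sample_config and AWS_PROFILE_CHECK are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: inventory the SSO profiles
# in an AWS CLI config file and confirm which identity a profile resolves to.
# Needs only POSIX sh and awk; the live check additionally needs the AWS CLI.
set -eu

# Print one line per profile: name, sso_session, sso_account_id, sso_role_name
# (tab-separated). Handles both "[profile name]" and the bare "[default]" section.
list_sso_profiles() {
    awk '
        function flush(   k) {
            if (inprof)
                printf "%s\t%s\t%s\t%s\n", name, v["sso_session"], v["sso_account_id"], v["sso_role_name"]
            for (k in v) delete v[k]
            inprof = 0
        }
        /^\[profile /  { flush(); name = $0; sub(/^\[profile /, "", name); sub(/][ \t]*$/, "", name); inprof = 1; next }
        /^\[default\]/ { flush(); name = "default"; inprof = 1; next }
        /^\[/          { flush(); next }
        inprof && /=/  {
            key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            v[key] = val
        }
        END { flush() }
    ' "$1"
}

# Resolve a profile to the account and role ARN AWS sees. Run it after
# `aws sso login`: a wrong or expired profile fails here rather than halfway
# through an infrastructure change.
whoami_profile() {
    aws sts get-caller-identity --profile "$1" --output text --query '[Account, Arn]'
}

# Constructed sample config with the two profiles from this tutorial (admin and
# user sharing the dev session), written to the given path for offline use.
write_sample_config() {
    cat > "$1" <<'EOF'
[profile admin]
sso_session = dev
sso_account_id = 152575339345
sso_role_name = AdministratorAccess
region = us-west-2
[profile user]
sso_session = dev
sso_account_id = 152575339345
sso_role_name = ViewOnlyAccess
region = us-west-2
[sso-session dev]
sso_start_url = https://xxxxxxxx.awsapps.com/start
sso_region = us-west-2
sso_registration_scopes = sso:account:access
EOF
}

# When requested, walk the real config file and check each profile against STS.
if [ "${AWS_PROFILE_CHECK:-0}" = 1 ]; then
    list_sso_profiles "${AWS_CONFIG_FILE:-$HOME/.aws/config}" \
    | while IFS="$(printf '\t')" read -r name session account role; do
        echo "== $name (session $session, account $account, role $role)"
        whoami_profile "$name" || echo "   not logged in: run aws sso login --sso-session $session"
    done
fi
```

Run it as AWS_PROFILE_CHECK=1 sh check-profiles.sh after aws sso login. Note that ~/.aws/config holds no long-lived secret: the short-lived tokens issued by aws sso login are cached separately under ~/.aws/sso/cache. Keeping the admin profile for occasional use and the user (ViewOnlyAccess) profile for everyday commands limits what a stolen session on the VM can do, and the inventory above makes it easy to see which role each profile grants.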

Wrapping up

In this tutorial, we installed the AWS CLI on a Linux virtual machine running on our laptop. Then, we configured AWS Identity Center credentials for authentication with AWS.

In an upcoming tutorial, we’ll use this setup for writing CDK scripts for managing AWS infrastructure.