
Add support for AWS Single Sign-On

Mar 14, 2026

Problem

AWS recently released an SSO service that integrates with Organizations and the AWS Directory Service: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html

Currently, the only way to consume this service is via a browser. Shortcuts are provided to copy and paste shell commands to export the appropriate environment variables, but this is unacceptable. Users should not need to use a web browser to authenticate with CLI tools. Other tools such as aws-adfs exist to do this for ADFS, Okta, etc., but there are not currently any for AWS SSO. Since this is a first-party AWS service, aws-cli should support it.



Implement AWS CLI Support for AWS Single Sign-On Authentication

Medium Risk

AWS Single Sign-On (SSO) requires browser-based authentication, which is not suitable for CLI users. The current AWS CLI does not support direct authentication methods for AWS SSO, forcing users to manually copy environment variables after logging in through a web browser. This limits usability and efficiency for users who rely on CLI tools for automation and scripting.


  1. Update AWS CLI to Support AWS SSO

    Modify the AWS CLI codebase to include a new authentication method for AWS SSO. This will involve creating a new command that allows users to authenticate directly from the CLI without needing a browser.

    ```bash
    aws sso login --profile <profile_name>
    ```

  2. Create Configuration for AWS SSO Profiles

    Update the AWS CLI configuration files to allow users to define profiles that include AWS SSO settings. This will enable users to specify their SSO start URL, region, and account information directly in the config file.

    ```ini
    [profile <profile_name>]
    sso_start_url = https://<your-sso-portal>
    sso_region = <region>
    sso_account_id = <account_id>
    sso_role_name = <role_name>
    ```

  3. Implement Token Caching Mechanism

    Develop a caching mechanism for the SSO tokens to avoid frequent logins. This will store the tokens securely and refresh them as needed, improving the user experience by reducing the number of times users need to authenticate.

    ```bash
    aws sso login --cache
    ```

  4. Add Documentation for AWS SSO CLI Usage

    Create comprehensive documentation that guides users on how to set up and use AWS SSO with the AWS CLI. This should include examples and troubleshooting tips to assist users in transitioning from browser-based authentication.

    ```markdown
    Refer to the AWS CLI User Guide for detailed instructions on configuring and using AWS SSO.
    ```

Validation

To confirm the fix worked, users should be able to run 'aws sso login --profile <profile_name>' and authenticate successfully without needing to open a web browser. Additionally, users should be able to execute AWS CLI commands using the authenticated profile without re-authenticating until the token expires.
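One way to store and reuse the cached token from step 3 so that other local users cannot read it and a stale token forces a new login. This is an added example, not AWS CLI code; the file layout, the JSON field names, `EXPIRY_SKEW` and the function names are assumptions.

```python
import hashlib
import json
import os
import stat
import tempfile
import time

EXPIRY_SKEW = 300  # assumption: treat tokens expiring within 5 minutes as expired


def cache_path(cache_dir, start_url):
    # Hypothetical layout: one file per SSO start URL, named by its SHA-256.
    name = hashlib.sha256(start_url.encode()).hexdigest() + ".json"
    return os.path.join(cache_dir, name)


def save_token(cache_dir, start_url, access_token, expires_at):
    """Write the token atomically into a directory only the owner can enter."""
    os.makedirs(cache_dir, mode=0o700, exist_ok=True)
    os.chmod(cache_dir, 0o700)  # makedirs obeys umask and skips existing dirs
    fd, tmp = tempfile.mkstemp(dir=cache_dir)  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as f:
            json.dump({"startUrl": start_url, "accessToken": access_token,
                       "expiresAt": expires_at}, f)
        os.replace(tmp, cache_path(cache_dir, start_url))  # atomic swap
    except BaseException:
        os.unlink(tmp)
        raise


def load_token(cache_dir, start_url, now=None):
    """Return the cached token, or None when a fresh login is required."""
    now = time.time() if now is None else now
    try:
        # O_NOFOLLOW: refuse a symlink planted at the cache path.
        fd = os.open(cache_path(cache_dir, start_url), os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return None
    with os.fdopen(fd) as f:
        st = os.fstat(f.fileno())  # check the file we opened, not the path
        if st.st_uid != os.getuid() or stat.S_IMODE(st.st_mode) & 0o077:
            return None  # not ours, or accessible to group/other
        try:
            entry = json.load(f)
            token = entry["accessToken"]
            fresh = (entry["startUrl"] == start_url
                     and float(entry["expiresAt"]) - EXPIRY_SKEW > now)
        except (ValueError, KeyError, TypeError):
            return None  # corrupt or tampered entry: force a new login
    return token if fresh else None
```
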


Submitted by Alex Chen
