Managing AWS CLI SSO Accounts: Adding, Listing, and Deleting

With AWS Single Sign-On (SSO), managing multiple AWS accounts becomes more efficient, especially in an environment where access to multiple AWS accounts or roles is required. This article provides a step-by-step guide to adding, listing, and deleting AWS CLI SSO accounts.

1. Adding an AWS CLI SSO Account

To configure an SSO account for AWS CLI, you’ll need the following from your administrator:

  • SSO Start URL: The SSO portal URL for your organization.
  • SSO Region: The region where your SSO instance is hosted.
  • Account ID: The AWS account ID you want to access.
  • Role Name: The specific role assigned to you within the account.

Steps to Add an SSO Account

  1. Install or Update the AWS CLI
    Ensure that you have AWS CLI version 2.0 or later, which supports SSO configuration:
aws --version

If you don’t have AWS CLI installed or need to update, you can download the latest version from AWS CLI Documentation.

2. Run the SSO Configuration Command

To configure a new SSO profile, use:

aws configure sso

3. Enter SSO Details

The CLI will prompt you for several details:

  • SSO Session name: Assign a name to the SSO session (e.g., sso-dev or sso-prod).
  • SSO Start URL: Enter the URL for your organization’s SSO portal.
  • SSO Region: Specify the AWS region where SSO is configured (e.g., us-east-1).
  • SSO Registration Scope: The OIDC scopes the CLI registers for. Accept the default, sso:account:access, unless your administrator tells you otherwise.

The CLI will prompt you to open a browser to authenticate through your SSO provider. Follow the link and authorize the CLI. After this step, your credentials are automatically stored, and the profile is created.

Back in the CLI, you will have to select one of the available accounts to bind to this profile, followed by a few more questions:

  • SSO Role Name: Specify the role assigned to you (provided by your admin).
  • CLI Default Region: Enter the region for AWS CLI commands using this profile.
  • CLI Profile Name: Assign a name to the profile (e.g., sso-dev or sso-prod).
  • CLI Default Output Format: The output format for commands using this profile (json if you leave it empty).

2. Listing AWS CLI SSO Accounts

Listing SSO profiles helps you see all available configurations for easy management and verification.

Steps to List AWS CLI Profiles

Older releases of the AWS CLI had no dedicated command to list profiles, but AWS CLI v2 provides one:

aws configure list-profiles

This command will output all profiles configured in your ~/.aws/config file, including SSO and standard profiles.

Alternatively, you can view profiles directly in the ~/.aws/config file:

grep '^\[profile ' ~/.aws/config | sed 's/^\[profile //;s/\]$//'

This command prints every named profile, SSO and non-SSO alike. Note that the [default] section has no profile prefix and is therefore not shown here, whereas aws configure list-profiles does include it.

3. Deleting an AWS CLI SSO Account

To delete an AWS CLI SSO account, you’ll need to remove its entry from the AWS configuration file (~/.aws/config), as SSO profiles are stored here rather than in ~/.aws/credentials.

Steps to Delete an SSO Profile

  1. Open the Configuration File
    Open ~/.aws/config in a text editor:
vim ~/.aws/config

  2. Locate the SSO Profile Section
    Find the profile section you want to delete. It will look something like this:

[profile sso-dev]
sso_start_url = https://your-sso-url.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = SSOReadOnlyRole
region = us-west-2
output = json

    If the profile was created with a session name (as in the steps above), it contains sso_session = <session_name> instead of sso_start_url and sso_region, and the shared settings live in a separate [sso-session <session_name>] section. Remove that section as well, unless another profile still references it.

  3. Delete the Profile Section
    Remove the entire section, including the [profile sso-dev] header and all settings under it.

  4. Save and Close the File
    Save the file and exit the editor.

  5. Verify Profile Deletion
    To confirm that the profile was deleted, list profiles again with:
aws configure list-profiles

The deleted profile should no longer appear. Note that removing the profile does not remove the SSO access token the CLI cached under ~/.aws/sso/cache when you logged in, nor the temporary credentials under ~/.aws/cli/cache; run aws sso logout to clear both.
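As an added example (not part of the original article, and not an AWS tool), the two manual tasks above, listing profiles and removing a profile section, can be scripted against ~/.aws/config. It runs on a constructed sample config embedded in the script; to use it on a real file, pass the path instead of the temp file and redirect delete_profile's output to a new file, then review it before replacing the original.

```shell
# Constructed sample of ~/.aws/config for this demo (not a real file).
SAMPLE_CONFIG='[default]
region = us-west-2

[profile sso-dev]
sso_session = corp
sso_account_id = 123456789012
sso_role_name = SSOReadOnlyRole

[profile sso-prod]
sso_start_url = https://your-sso-url.awsapps.com/start
sso_region = us-west-2

[profile static-keys]
region = us-east-1

[sso-session corp]
sso_start_url = https://your-sso-url.awsapps.com/start
sso_region = us-west-2
sso_registration_scopes = sso:account:access
'
# list_profiles FILE: print "<name> <kind>" per profile. kind is sso-session
# (profile points at an [sso-session]), sso-legacy (sso_start_url inline) or
# non-sso. [default] is included, which a grep for '[profile' would miss.
list_profiles() {
  awk '
    function flush() {
      if (name != "") print name, (session ? "sso-session" : (legacy ? "sso-legacy" : "non-sso"))
    }
    /^\[profile / { flush(); name = $0; sub(/^\[profile /, "", name); sub(/\]$/, "", name); session = legacy = 0; next }
    /^\[default\]$/ { flush(); name = "default"; session = legacy = 0; next }
    /^\[/ { flush(); name = ""; next }
    /^sso_session[ \t]*=/ { session = 1 }
    /^sso_start_url[ \t]*=/ { legacy = 1 }
    END { flush() }
  ' "$1"
}

# delete_profile FILE NAME: write FILE to stdout minus the [profile NAME]
# section (its header and every line up to the next section header).
delete_profile() {
  awk -v target="[profile $2]" '
    /^\[/ { skip = ($0 == target) }
    !skip
  ' "$1"
}

# Demo on the constructed sample: list, then show the config without sso-dev.
tmp=$(mktemp); printf '%s' "$SAMPLE_CONFIG" > "$tmp"
list_profiles "$tmp"; delete_profile "$tmp" sso-dev; rm -f "$tmp"
```

The listing also tells you which kind of profile you are deleting, so you know whether an [sso-session] section may be left orphaned.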

Additional Tips

  • Set a Default Profile: If you use one profile most frequently, you can set it as the default in ~/.aws/config under [default].
[default]
sso_start_url = https://your-sso-url.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = SSOReadOnlyRole
region = us-west-2
output = json
  • Re-authenticate for Expired SSO Profiles: If you see “expired token” errors, re-authenticate by running aws sso login --profile <profile_name>.
  • Switch Between Profiles: You can set the AWS_PROFILE environment variable to use different profiles temporarily:
export AWS_PROFILE=<profile_name>

Summary

Managing AWS CLI SSO profiles makes it easier to handle multiple AWS accounts and roles. With the steps outlined above, you can add, list, and delete SSO profiles as needed, enabling smoother access and maintenance across your AWS environments.
