Configuring AWS SSO 🔐

In this section, we'll guide you through configuring AWS Single Sign-On (SSO) so you can securely access your AWS accounts using the AWS CLI with your SSO credentials.

In simple terms, with the User account we created earlier (i.e., jimmy.carter), we can access both the Production and Staging accounts because the account was granted AdministratorAccess.

1. Configure SSO for Production.

Run the following command to start the SSO configuration process:

aws configure sso

You'll be prompted to provide information about your AWS SSO configuration.

  1. SSO session name (Recommended): Enter the session name for prod, e.g. awslaunchgoat-prod
  2. SSO start URL: Enter the URL of your AWS SSO user portal, which you can find in the IAM Identity Center. It should look something like https://d-XXXXXXXXXX.awsapps.com/start. Copy and paste it.

  1. SSO region: Enter the AWS region where your AWS SSO is configured, e.g. us-east-1

  2. SSO registration scopes: Hit enter and skip.

  3. The AWS CLI will launch your default web browser for authorization. Click Confirm and continue.

  1. Sign in to your User account. i.e. jimmy.carter

  1. Allow access to Applications and AWS accounts.

  1. Close the window and go back to the terminal.
  2. Select Production in the prompt and hit enter.

  1. CLI default client Region [None]: Enter your region again, e.g. us-east-1
  2. CLI default output format [None]: Enter json
  3. CLI profile name [AdministratorAccess-account#]: Enter the profile name for prod, e.g. awslaunchgoat-prod

Congrats! Your AWS SSO profile is now configured. You can verify it by listing your configured profiles:

aws configure list-profiles

You should see awslaunchgoat-prod (or the name you provided) in the list. You can now use your SSO profile to run AWS CLI commands!

2. Configure SSO for Staging.

Repeat the steps above to create a new profile and sso-session for staging, e.g. awslaunchgoat-staging

Make sure to choose Staging in the prompt, not Production! (Refer to #8)

⚠️ FYI..

Once you have configured SSO for both Production and Staging, a new config file will have been created in the hidden .aws folder.

When you open this file, you will find that profiles and sso-sessions for prod & staging are created.
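
As an added example (not part of the original guide), this Python check parses a config of the shape `aws configure sso` writes and flags two profiles that resolve to the same account and role, which is what happens if Production is picked again while configuring staging, as well as a profile whose sso-session section is missing. The sample config and its account ID are constructed, and `audit_sso_config` is a hypothetical helper name.

```python
import configparser
from collections import defaultdict

# Constructed sample of the config file after both runs; the account ID is made up.
# The staging profile deliberately repeats the prod account ID (wrong pick at the prompt).
SAMPLE_BAD = """
[profile awslaunchgoat-prod]
sso_session = awslaunchgoat-prod
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-east-1
output = json
[sso-session awslaunchgoat-prod]
sso_start_url = https://d-XXXXXXXXXX.awsapps.com/start
sso_region = us-east-1
[profile awslaunchgoat-staging]
sso_session = awslaunchgoat-staging
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-east-1
output = json
[sso-session awslaunchgoat-staging]
sso_start_url = https://d-XXXXXXXXXX.awsapps.com/start
sso_region = us-east-1
"""

def audit_sso_config(text):
    """Return a list of findings for the SSO profiles in an AWS CLI config file."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    sessions = {s.split(None, 1)[1] for s in cfg.sections() if s.startswith("sso-session ")}
    findings, targets = [], defaultdict(list)
    for section in cfg.sections():
        if not section.startswith("profile ") or "sso_account_id" not in cfg[section]:
            continue  # not an SSO profile
        name = section.split(None, 1)[1]
        session = cfg[section].get("sso_session")
        if session not in sessions:
            findings.append(f"{name}: sso_session '{session}' has no [sso-session] section")
        targets[(cfg[section]["sso_account_id"], cfg[section].get("sso_role_name"))].append(name)
    for (account, role), names in sorted(targets.items()):
        if len(names) > 1:  # e.g. staging configured against the Production account
            findings.append(f"{', '.join(sorted(names))}: same target {account}/{role}")
    return findings

if __name__ == "__main__":
    for finding in audit_sso_config(SAMPLE_BAD):
        print(finding)
```

To check your own file, pass its contents to `audit_sso_config`; an empty list means every SSO profile has its session defined and no two profiles share an account and role.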

  • By configuring AWS SSO with the AWS CLI, you enhance the security of your AWS operations and simplify credential management across multiple AWS accounts and environments. 🎉

Now we are ready to bootstrap and deploy our cdk backend!