The AWS CLI and most AWS SDKs support Identity Center configuration in ~/.aws/config
; each profile specifies the Identity Center account and role (the Identity Center role, also known as a Permission Set, which is distinct from the corresponding IAM role within the given account) to use.
A profile configured for Identity Center looks like this:
[profile my-sso-profile]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1 # the region Identity Center is configured in
sso_account_id = 123456789012
sso_role_name = MyRoleName
region = us-east-2 # the region to use for AWS API calls
You can view the roles you have available to you with aws-sso-util roles
, which you can use to configure your profiles in ~/.aws/config
, but aws-sso-util
also provides functionality to directly configure profiles for you.
aws-sso-util configure
has two subcommands, aws-sso-util configure profile
for configuring a single profile, and aws-sso-util configure populate
to add all your permissions as profiles, in whatever region(s) you want (with highly configurable profile names).
You probably want to set the environment variables AWS_DEFAULT_SSO_START_URL
and AWS_DEFAULT_SSO_REGION
, which will inform these commands of your Identity Center start url and region (that is, the region that you've configured Identity Center in), so that you don't have to pass them in as parameters every time.
aws-sso-util configure profile
takes a profile name and prompts you with the accounts and roles you have access to, to configure that profile.
aws-sso-util configure populate
takes one or more regions, and generates a profile for each account+role+region combination.
The profile names are completely customizable.
aws-sso-util roles
prints out a table of the accounts and roles you have access to.
This table contains the following columns: account ID, account name, role name.
An Identity Center instance must be specified when using aws-sso-util roles
.
If you're working with a single Identity Center instance, and you've already got a profile configured for it, it should just work.
You should consider setting the environment variables AWS_DEFAULT_SSO_START_URL
and AWS_DEFAULT_SSO_REGION
in your environment (e.g., your .bashrc
or .profile
), which will make it explicit.
Otherwise, see below for the full resolution algorithm.
aws-sso-util roles
has the following options:
--account-id
/-a
: either an explicit 12-digit account ID (which will speed up the process) or a patterns to match, either the account ID prefix or suffix, or a regex to match against the account name.- This option can be provided multiple times.
- If explicit account IDs are provided, the account name will always be
UNKNOWN
.
--role-name
/-r
: a regex to match against the role name--separator
/--sep
: the field separator.- If
--separator
is provided and not--sort-by
(see below), the rows will be printed as they are received, rather than all at once at the end. This can be useful if you have access to a large number of accounts and roles.
- If
--header
/--no-header
: print a header row (default) or suppress it.--sort-by
: sort the output (and order the columns) according to the specification. The input must be two comma-separated values:id
is the account ID.name
is the account name.role
is the role name.- The default used if
--separator
is not provided isname,role
, that is, sort first by account name, then by role name.
--force-refresh
: log in again.
For both commands, an Identity Center instance must be specified.
This consists of a start URL and the region the Identity Center instance is in (which is separate from whatever region you might be accessing).
However, aws-sso-util configure
tries to be smart about finding this value.
If you're working with a single Identity Center instance, and you've already got a profile configured for it, it should just work.
You should consider setting the environment variables AWS_DEFAULT_SSO_START_URL
and AWS_DEFAULT_SSO_REGION
in your environment (e.g., your .bashrc
or .profile
), which will make it explicit.
aws-sso-util configure
uses the following algorithm to determine these values:
- The start URL and regions are looked for in the following CLI parameters and environment variables, stopping if either are found:
--sso-start-url
/-u
and--sso-region
AWS_CONFIGURE_SSO_DEFAULT_SSO_START_URL
andAWS_CONFIGURE_DEFAULT_SSO_REGION
AWS_DEFAULT_SSO_START_URL
andAWS_DEFAULT_SSO_REGION
- If both the start URL and region are found, and the start URL is a full URL beginning wth
http
, these values are used. - If not, all the profiles containing Identity Center config are loaded. All Identity Center instances found in the config are then filtered:
- If a start URL was found in step 1 and it begins with
http
, it will ignore all other instances. - If a start URL was found in step 1 and it does not begin with
http
, it is treated as a regex pattern that instance start URLs must match. - If a region was found in step 1, instances must match this region.
- If a start URL was found in step 1 and it begins with
- The resulting filtered list of instances must contain exactly one entry.
In general: if you've got multiple Identity Center instances you're using, you should set the environment variables listed above with your most-used instance, and then use a substring with --sso-start-url
/-u
to select among them.
For example, if you're using https://foo.awsapps.com/start
(region us-east-2
) and https://bar.awsapps.com/start
(ap-northeast-1
), and the first is your more used one, you'd set:
AWS_DEFAULT_SSO_START_URL=https://foo.awsapps.com/start
AWS_DEFAULT_SSO_REGION=us-east-2
and you'd configure profiles for that with aws-sso-util configure profile my-foo-profile
and for the other with aws-sso-util configure profile my-bar-profile --sso-start-url https://bar.awsapps.com/start --sso-region ap-northeast-1
the first time, and then aws-sso-util configure profile my-other-bar-profile --sso-start-url bar
afterwards, as the region would get found from the my-bar-profile
profile.
If you're finding that it's not correctly selecting the right instance, you can see the details with --verbose
.
You can provide additional entries to include in profiles with the --config-default
/-c
parameter.
You can provide multiple entries, each of the form --config-default key=value
, e.g. -c output=yaml
These defaults will not overwrite any existing values you have put in your config file.
To change this, use the --existing-config-action
parameter.
There are three options:
keep
(the default): for each profile, don't add provided default entries when they conflict with a defaultoverwrite
: for each profile, provided default entries will overwrite existing entriesdiscard
: for each profile, all existing entries will be discarded
By default, a credential_process
entry is created in profiles, see the docs for aws-sso-util credential-process
for details.
To disable this, set --no-credential-process
or the environment variable AWS_CONFIGURE_SSO_DISABLE_CREDENTIAL_PROCESS=true
.
aws-sso-util configure profile
allows you to configure a single profile for use with Identity Center.
You can set all the options for a profile, or let it prompt you interactively to select from available accounts and roles.
A complete profile has the following required information, and you can set them with the listed parameters/environment variables:
- Identity Center start URL
- See above for how to set this
--sso-start-url
AWS_CONFIGURE_DEFAULT_SSO_START_URL
AWS_DEFAULT_SSO_START_URL
- Identity Center region
--sso-region
AWS_CONFIGURE_DEFAULT_SSO_REGION
AWS_DEFAULT_SSO_REGION
- Account
--account-id
/-a
- Role name
--role-name
/-r
- Region
--region
AWS_CONFIGURE_DEFAULT_REGION
environment variableAWS_DEFAULT_REGION
You can additionally set the output
field with --output
/-o
, and as mentioned above, you can provide additional fields with --config-default
/-c
.
If not all of the required fields are provided, the interactive prompts appear, unless the --non-interactive
flag is set.
The interactive prompts come from the AWS CLI v2's aws configure sso
command.
If you do not have the AWS CLI v2, you'll receive a message about installing it.
Get ahead of the game with these installation instructions.
It will look something like this:
$ aws-sso-util configure profile my-sso-profile
SSO start URL [https://something.awsapps.com/start]:
SSO Region [us-east-2]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.us-east-2.amazonaws.com/
Then enter the code:
ABCD-WXYZ
There are N AWS accounts available to you.
Using the account ID 123456789012
The only role available to you is: MyLeastPrivilegeRole
Using the role name "MyLeastPrivilegeRole"
CLI default client Region [None]: us-east-2
CLI default output format [None]: yaml
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile my-sso-profile
aws-sso-util configure populate
allows you to configure profiles for all the access you have through Identity Center.
You specify one or more regions, and a profile is created for every account, role, and region you have access to through Identity Center (note that if access to a region is prohibited by an IAM policy, this does not suppress creation of the profile).
You can provide regions through the --region
/-r
flag (multiple regions like -r REGION1 -r REGION2
), or by setting the AWS_CONFIGURE_DEFAULT_REGION
environment variable (this is ignored if any regions are specified on the command line).
You can view the profiles without writing them using the --dry-run
flag.
The generated profile names are highly configurable.
By default, the profile name is {account_name}.{role_name}
for the first region given, and {account_name}.{role_name}.{short_region}
for additional regions.
The account name has any sequences of whitespace replaced by single -
characters.
The "short region" is a five-character abbreviation of the region: the country code followed by either the first two letters of the location or the abbreviation for locations like "northwest" ("nw") followed by the number.
For example, this results in "usea1" for "us-east-1", "apne1" for "ap-northeast-1", and "cace1" for "ca-central-1".
The default profile name is generated based a list of components. The components are:
account_name
account_id
account_number
(an alias foraccount_id
)role_name
region
short_region
(as defined above)default_style_region
(use the region style from--region-style
, which isshort_region
by default)
By default, any sequences of whitespace in account names are replaced by single -
characters.
This is because AWS SDKs are inconsistent in the way they parse profile names in .aws/config
, and there isn't a format for profile names with whitespace that works for all of them.
You can opt out of this behavior with --raw-account-names
.
You can provide a comma separated list of components to the --components
parameter.
Any value that doesn't match the list above is included as a literal.
The values are joined with .
by default, which can be changed with --separator
.
Whether a region component (any of the three in the list) is included in the profile name is controlled by the --include-region
parameter.
--include-region default
(the default, obviously) only includes the region component if it is not the first region listed, on the basis that it is your most-used region and therefore you shouldn't have to explicitly specify it.
--include-region always
will always include the region component.
The default region component is default_style_region
, which uses the value of --region-style
, which is short
by default.
If you only want to change the profile names to use the long region, you can set --region-style long
instead of having to set --components
yourself.
There are often boilerplate parts of account and role names.
To trim this out of your profile names, you can provide Python regular expressions to --trim-account-name
and --trim-role-name
; matched substrings will be removed.
You can provide these parameters multiple times.
A useful piece of syntax for this is lookahead/lookbehind assertions.
(?<=Admin)Role
would turn"AdminRole"
into"Admin"
but leave"UserRole"
and"MyRole"
as is.(?<!My)Role
would turn"AdminRole"
into"Admin"
and"UserRole"
into"User"
but leave"MyRole"
as is.RoleFor(?=Admin)
andRoleFor(?!My)
work similarly for suffixes.
You can alter the case of your profile names with --account-name-case
and
--role-name-case
. Use these to change the generated profile names after
assembly and trimming.
The values for these options are as follows, and correspond to the Python string methods of the same names:
For example, to lowercase both the account name and role name, add these options:
--account-name-case lower --role-name-case lower
Finally, if you want total control over the generated profile names, you can provide a shell command with --profile-name-process
and it will be executed with the following positional arguments:
- Account name
- Account id
- Role name
- Region name
- Short region name (see above)
- Region index (zero-based index of what position the region is in the provided list of regions)
- Number of regions
This must output a profile name to stdout and return an exit code of 0.
If the output is the string SKIP
, no profile will be created for that configuration.
The default formatting is roughly equivalent to the following code:
import sys
sep = "."
(
account_name,
account_id,
role_name,
region_name,
short_region_name,
region_index_str
) = sys.argv[1:7]
region_index = int(region_index_str)
region_str = "" if region_index == 0 else sep + short_region_name
print(account_name + sep + role_name + region_str)
If this was stored as profile_formatter.py
, it could be used as --profile-name-process "python profile_formatter.py"