Configuring the Amazon CLI to use Amazon IAM Identity Center (successor to Amazon Single Sign-On)

This section describes how to configure the Amazon CLI to authenticate users with Amazon IAM Identity Center (successor to Amazon Single Sign-On) (IAM Identity Center) to get credentials to run Amazon CLI commands. There are primarily two ways to configure SSO through the config file:

(Recommended) SSO token provider configuration. The SSO token provider configuration, your Amazon SDK or tool can automatically retrieve refreshed authentication tokens
Legacy non-refreshable configuration. When using the legacy non-refreshable configuration, you need to manually refresh the token as it periodically expires.

When using IAM Identity Center, you can login to Active Directory, a built-in IAM Identity Center directory, or another IdP connected to IAM Identity Center. You can map these credentials to an Amazon Identity and Access Management (IAM) role that enables you to run Amazon CLI commands.

Regardless of which IdP you use, IAM Identity Center abstracts those distinctions away. For example, you can connect Microsoft Azure AD as described in the blog article The Next Evolution in IAM Identity Center.

Note

For information on using bearer auth, which uses no account ID and role, see Setting up to use the Amazon CLI with CodeCatalyst in the Amazon CodeCatalyst User Guide.

Topics

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Named profiles

Configure automatic token refresh