Configuring the Amazon CLI to use Amazon IAM Identity Center (successor to Amazon Single Sign-On)
This section describes how to configure the Amazon CLI to authenticate users with Amazon IAM Identity Center (successor to Amazon Single Sign-On) (IAM Identity Center) so they can get credentials to run Amazon CLI commands. There are primarily two ways to configure SSO through the config file:
- (Recommended) SSO token provider configuration. With the SSO token provider configuration, your Amazon SDK or tool can automatically retrieve refreshed authentication tokens.
- Legacy non-refreshable configuration. When using the legacy non-refreshable configuration, you need to manually refresh the token as it periodically expires.
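The two forms differ in where the `sso_start_url` lives: in a shared `[sso-session]` section (token provider form) or directly in the profile (legacy form). The following added Python example, which is not part of the original page, reads a constructed sample config file and reports which form each profile uses, flagging profiles whose `sso_session` points at a section that does not exist; the profile names, account IDs and start URL are placeholders.

```python
import configparser

# Constructed sample ~/.aws/config (placeholder values, not from the page):
# "dev" uses the recommended sso-session form, "legacy" the non-refreshable
# form, "broken" references a missing sso-session, "plain" is not SSO at all.
SAMPLE_CONFIG = """
[profile dev]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = ReadOnly
region = us-east-1

[sso-session my-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile legacy]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 222222222222
sso_role_name = Admin
region = us-west-2

[profile broken]
sso_session = missing
sso_account_id = 333333333333
sso_role_name = ReadOnly

[profile plain]
region = eu-west-1
"""


def classify_sso_profiles(config_text):
    """Map profile name -> 'sso-session', 'legacy', 'dangling-session' or 'not-sso'."""
    # interpolation=None so '%' in values (e.g. URLs) is not treated specially
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    sessions = {s[len("sso-session "):] for s in cp.sections() if s.startswith("sso-session ")}
    result = {}
    for section in cp.sections():
        # The default profile is written as [default], others as [profile <name>]
        if section == "default":
            name = "default"
        elif section.startswith("profile "):
            name = section[len("profile "):]
        else:
            continue
        keys = cp[section]
        if "sso_session" in keys:
            result[name] = "sso-session" if keys["sso_session"] in sessions else "dangling-session"
        elif "sso_start_url" in keys:
            result[name] = "legacy"  # start URL inside the profile: non-refreshable form
        else:
            result[name] = "not-sso"
    return result


if __name__ == "__main__":
    for profile, kind in classify_sso_profiles(SAMPLE_CONFIG).items():
        print(f"{profile}: {kind}")
```

To audit a real file, pass the contents of `~/.aws/config` to `classify_sso_profiles` and migrate any profile reported as `legacy`.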
When using IAM Identity Center, you can log in to Active Directory, a built-in IAM Identity Center directory, or another IdP connected to IAM Identity Center. You can map these credentials to an Amazon Identity and Access Management (IAM) role that enables you to run Amazon CLI commands.
Regardless of which IdP you use, IAM Identity Center abstracts those distinctions away. For example, you can connect Microsoft Azure AD as described in the blog article The Next Evolution in IAM Identity Center.
For information on using bearer auth, which uses no account ID and role, see Setting up to use the Amazon CLI with CodeCatalyst in the Amazon CodeCatalyst User Guide.