Configuring the AWS CLI to use AWS IAM Identity Center (successor to AWS Single Sign-On)
This section describes how to configure the AWS CLI to authenticate users with AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center) to get credentials to run AWS CLI commands. There are primarily two ways to configure SSO through the config file:
- (Recommended) SSO token provider configuration. With the SSO token provider configuration, your AWS SDK or tool can automatically retrieve refreshed authentication tokens.
- Legacy non-refreshable configuration. When using the legacy non-refreshable configuration, you need to manually refresh the token as it periodically expires.
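As an added illustration (not part of the original page), the two configuration styles look like this in the shared config file (`~/.aws/config` on Linux and macOS). The profile and session names, start URL, account ID, and role name are placeholders you replace with your own values.

```ini
; Recommended: SSO token provider configuration.
; The [sso-session] section holds the IdP-facing settings and is shared
; by every profile that references it; the CLI can refresh its token
; automatically.
[sso-session my-sso]
sso_start_url = https://my-sso-portal.awsapps.com/start   ; placeholder
sso_region = us-east-1                                      ; region where IAM Identity Center is enabled
sso_registration_scopes = sso:account:access

[profile my-dev-profile]
sso_session = my-sso            ; reuse the session above
sso_account_id = 111122223333   ; placeholder account ID
sso_role_name = ReadOnlyAccess  ; placeholder permission set / role name
region = us-west-2              ; region used for AWS API calls
output = json

; Legacy non-refreshable configuration.
; All SSO settings live directly on the profile; the token must be
; refreshed manually when it expires.
[profile my-legacy-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start   ; placeholder
sso_region = us-east-1
sso_account_id = 111122223333   ; placeholder account ID
sso_role_name = ReadOnlyAccess  ; placeholder permission set / role name
region = us-west-2
output = json
```

With the recommended form, a single `aws sso login --sso-session my-sso` signs in once for every profile that references that session; with the legacy form you run `aws sso login --profile my-legacy-profile` again each time the cached token expires. In both cases the short-lived role credentials, not long-term access keys, are what the CLI uses for API calls.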
When using IAM Identity Center, you can log in to Active Directory, a built-in IAM Identity Center directory, or another IdP connected to IAM Identity Center. You can map these credentials to an AWS Identity and Access Management (IAM) role for you to run AWS CLI commands.
Regardless of which IdP you use, IAM Identity Center abstracts those distinctions away. For example, you can connect Microsoft Azure AD as described in the blog article The Next Evolution in IAM Identity Center.
Note
For information on using bearer auth, which uses no account ID and role, see Setting up to use the AWS CLI with CodeCatalyst in the Amazon CodeCatalyst User Guide.