We announced the upcoming end-of-support for AWS SDK for JavaScript v2.
We recommend that you migrate to AWS SDK for JavaScript v3. For dates, additional details, and information on how to migrate, please refer to the linked announcement.

Class: AWS.SsoCredentials

AWS.Credentials show all
Defined in:



This feature is not supported in the browser environment of the SDK.

Represents credentials from sso.getRoleCredentials API for sso_* values defined in shared credentials file.

Using SSO credentials

The credentials file must specify the information below to use sso:

[profile sso-profile]
sso_account_id = 012345678901
sso_region = **-****-*
sso_role_name = SampleRole
sso_start_url = https://d-******.awsapps.com/start

or using the session format:

[profile sso-token]
sso_session = prod
sso_account_id = 012345678901
sso_role_name = SampleRole

[sso-session prod]
sso_region = **-****-*
sso_start_url = https://d-******.awsapps.com/start

This information will be automatically added to your shared credentials file by running aws configure sso.

Using custom profiles

The SDK supports loading credentials for separate profiles. This can be done in two ways:

  1. Set the AWS_PROFILE environment variable in your process prior to loading the SDK.
  2. Directly load the AWS.SsoCredentials provider:
var creds = new AWS.SsoCredentials({profile: 'myprofile'});
AWS.config.credentials = creds;

Constructor Summary collapse

Property Summary

Properties inherited from AWS.Credentials

expired, expireTime, accessKeyId, secretAccessKey, sessionToken, expiryWindow

Method Summary collapse

Methods inherited from AWS.Credentials

needsRefresh, get, getPromise, refreshPromise

Constructor Details

new AWS.SsoCredentials(options) ⇒ void

Creates a new SsoCredentials object.


  • options (map)

    a set of options

Options Hash (options):

  • profile (String) — default: AWS_PROFILE env var or 'default'

    the name of the profile to load.

  • filename (String) — default: '~/.aws/credentials' or defined by AWS_SHARED_CREDENTIALS_FILE process env var

    the filename to use when loading credentials.

  • callback (Function) — default: err

    Credentials are eagerly loaded by the constructor. When the callback is called with no error, the credentials have been loaded successfully.

Method Details

getToken(profileName, profile, callback) ⇒ void

Uses legacy file system retrieval or if sso-session is set, use the SSOTokenProvider.


  • profileName (string)
    • name of the profile.
  • profile (object)
    • profile data containing sso_session or sso_start_url etc.
  • callback (function)
    • called with (err, (string) token).

refresh(callback) ⇒ void

Loads the credentials from the AWS SSO process

Callback (callback):

  • function(err) { ... }

    Called after the AWS SSO process has been executed. When this callback is called with no error, it means that the credentials information has been loaded into the object (as the accessKeyId, secretAccessKey, and sessionToken properties).


    • err (Error)

      if an error occurred, this value will be filled

See Also:

  • AWS.SsoCredentials.get