Using IAM Identity Center credentials - AWS Toolkit for VS Code

To connect with AWS IAM Identity Center (successor to AWS Single Sign-On), you must complete the following prerequisites:

  1. Enable IAM Identity Center – This includes choosing your identity source and setting up IAM Identity Center access to your AWS accounts. For more information, see Getting started in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.

  2. Add an IAM Identity Center profile – With IAM Identity Center, you define a named profile in the credentials file or config that you use to retrieve temporary credentials for your AWS account. The profile definition specifies the AWS access portal as well as the AWS account and IAM role associated with the user requesting access.

To add an IAM Identity Center profile

The following procedure outlines how to add an IAM Identity Center profile to your credentials or config file.

Adding an IAM Identity Center profile to your credentials file in VS Code
  1. Open VS Code.

  2. To open the Command Palette, on the menu bar, choose View, Command Palette. Or use the following shortcut keys:

    • Windows and Linux – Press Ctrl+Shift+P.

    • macOS – Press Shift+Command+P.

  3. Search for AWS and choose AWS Toolkit Create Credentials Profile. This will open the credentials file.

  4. In either the credentials or config file, under [default], add a template for a named IAM Identity Center profile. An example profile follows:

    Named profile in credentials file

        [profile sso-user-1]
        sso_start_url =
        sso_region = us-east-2
        sso_account_id = 123456789011
        sso_role_name = readOnly
        region = us-west-2

    Do not use the word profile when creating an entry in the credentials file. This is because the credentials file uses a different naming format than the config file. Include the prefix word profile only when configuring a named profile in the config file.

When assigning values for your profile, keep the following in mind:

  • sso_start_url – The URL that points to your organization's AWS access portal.

  • sso_region – The AWS Region that contains your AWS access portal host. This can be different from the AWS Region specified later in the default region parameter.

  • sso_account_id – The AWS account ID that contains the IAM role with the permission that you want to grant to this IAM Identity Center user.

  • sso_role_name – The name of the IAM role that defines the user's permissions when using this profile to get credentials through IAM Identity Center.

  • region – The default AWS Region that this IAM Identity Center user will sign into.
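The rules in the list above (the four required sso_ keys, an https access-portal URL, Region codes, a 12-digit account ID) and the section-naming difference between the credentials and config files can be checked mechanically before you hand the profile to the Toolkit. The script below is an added example, not code from this page or from the AWS Toolkit: the two sample files are constructed, the start URL in them is a placeholder, and the check_sso_profiles function and REGION_RE pattern are the example's own, not an AWS API. It reads only profile metadata, never credentials, so it is safe to point at a real ~/.aws/config.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample config file (hypothetical data, not a real account):
# the account id, role name and Regions mirror the page's example; the start
# URL is a placeholder. [profile broken] is deliberately wrong.
SAMPLE_CONFIG = """
[profile sso-user-1]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-2
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2

[profile broken]
sso_start_url = http://example.awsapps.com/start
sso_region = us-east-2
sso_role_name = readOnly
"""

# The same profile pasted into the credentials file with the config-file
# section header, which is the mistake the page warns about.
SAMPLE_CREDENTIALS = """
[profile sso-user-1]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-2
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
"""

REQUIRED_SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
# Loose shape check for Region codes such as us-east-2 or ap-southeast-1.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")


def check_sso_profiles(text: str, kind: str) -> Dict[str, List[str]]:
    """Return {section: [problems]} for each profile in an INI-style AWS file.

    kind selects the section-naming rule: "config" expects [profile NAME]
    (only [default] is bare), "credentials" expects bare [NAME].
    """
    if kind not in ("config", "credentials"):
        raise ValueError("kind must be 'config' or 'credentials'")
    # interpolation=None so a '%' in a URL is not treated as a format marker
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings: Dict[str, List[str]] = {}
    for section in parser.sections():
        problems: List[str] = []
        has_prefix = section.startswith("profile ")
        if kind == "config" and not has_prefix and section != "default":
            problems.append("config file sections must be written as [profile NAME]")
        if kind == "credentials" and has_prefix:
            problems.append("credentials file sections must not carry the 'profile' prefix")
        values = dict(parser[section])
        # Only sections that look like Identity Center profiles get the sso_ checks.
        if any(k.startswith("sso_") for k in values):
            for key in REQUIRED_SSO_KEYS:
                if not values.get(key):
                    problems.append(f"missing or empty {key}")
            url = values.get("sso_start_url", "")
            if url and not url.startswith("https://"):
                problems.append("sso_start_url must be an https:// URL")
            for key in ("sso_region", "region"):
                if values.get(key) and not REGION_RE.match(values[key]):
                    problems.append(f"{key} does not look like an AWS Region code")
            account = values.get("sso_account_id", "")
            if account and not (account.isdigit() and len(account) == 12):
                problems.append("sso_account_id must be a 12-digit account ID")
        findings[section] = problems
    return findings


if __name__ == "__main__":
    for kind, text in (("config", SAMPLE_CONFIG), ("credentials", SAMPLE_CREDENTIALS)):
        for section, problems in check_sso_profiles(text, kind).items():
            status = "ok" if not problems else "; ".join(problems)
            print(f"{kind}: [{section}] -> {status}")
```

Run against the samples, sso-user-1 in the config file passes, the broken profile is flagged for its plain-http portal URL and missing sso_account_id, and the credentials-file copy is flagged only for the profile prefix. To check your own files, replace the sample strings with the contents of ~/.aws/config (kind "config") and ~/.aws/credentials (kind "credentials").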

Signing in with IAM Identity Center

When signing in with an IAM Identity Center profile, the default browser is launched to the specified portal. You must verify your IAM Identity Center login before you can access your AWS resources in VS Code. Note that if your credentials expire, you'll have to repeat the connection process to obtain new temporary credentials.