Using AWS SSO credentials - AWS Toolkit for VS Code

Using AWS SSO credentials

To connect with AWS Single Sign-On (AWS SSO), you must complete the following prerequisites:

  1. Enable AWS SSO – This includes choosing your identity source and setting up AWS SSO access to your AWS accounts. For more information, see Getting started in the AWS Single Sign-On User Guide.

  2. Add an AWS SSO profile – With AWS SSO, you define a named profile in the credentials or config file and use it to retrieve temporary credentials for your AWS account. The profile definition specifies the AWS SSO user portal as well as the AWS account and IAM role associated with the user requesting access.

To add an AWS SSO profile

The following procedure outlines how to add an AWS SSO profile to your credentials or config file.

Adding an AWS SSO profile to your credentials file in VS Code

  1. Open VS Code.

  2. To open the Command Palette, on the menu bar, choose View, Command Palette. Or use the following shortcut keys:

    • Windows and Linux – Press Ctrl+Shift+P.

    • macOS – Press Shift+Command+P.

  3. Search for AWS and choose AWS: Create Credentials Profile. This will open the credentials file.

  4. In either the credentials or config file, under [default], add a template for a named AWS SSO profile. An example profile follows:

    ... Named profile in config file ...

    [profile sso-user-1]
    sso_start_url =
    sso_region = us-east-2
    sso_account_id = 123456789011
    sso_role_name = readOnly
    region = us-west-2

    Do not use the word profile when creating an entry in the credentials file. This is because the credentials file uses a different naming format than the config file. Include the prefix word profile only when configuring a named profile in the config file.

When assigning values for your profile, keep the following in mind:

  • sso_start_url – The URL that points to your organization's AWS SSO user portal.

  • sso_region – The AWS Region that contains your AWS SSO portal host. This can be different from the AWS Region specified later in the default region parameter.

  • sso_account_id – The AWS account ID that contains the IAM role with the permission that you want to grant to this AWS SSO user.

  • sso_role_name – The name of the IAM role that defines the user's permissions when using this profile to get credentials through AWS SSO.

  • region – The default AWS Region that this AWS SSO user will sign into.
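
The following is an added example, not code from the AWS Toolkit or this guide: a small check that an SSO profile has all four sso_* values set and uses the section-header format that matches the file it lives in. The function name, the sample text, the 12-digit account ID check and the HTTPS check on sso_start_url are assumptions of this example.

```python
import configparser
import re

REQUIRED_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

# Constructed sample: the profile from this page, with sso_start_url left empty.
SAMPLE = """\
[default]
region = us-west-2

[profile sso-user-1]
sso_start_url =
sso_region = us-east-2
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
"""

def lint_sso_profiles(text, file_kind):
    """Return findings for SSO profiles; file_kind is 'config' or 'credentials'."""
    parser = configparser.RawConfigParser()  # Raw: no % interpolation in URLs
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        keys = dict(parser.items(section))
        if not any(k.startswith("sso_") for k in keys):
            continue  # not an SSO profile
        has_prefix = section.startswith("profile ")
        if file_kind == "credentials" and has_prefix:
            findings.append(f"[{section}]: remove the 'profile' prefix in the credentials file")
        if file_kind == "config" and not has_prefix and section != "default":
            findings.append(f"[{section}]: add the 'profile' prefix in the config file")
        for key in REQUIRED_KEYS:
            if not keys.get(key, "").strip():
                findings.append(f"[{section}]: {key} is missing or empty")
        account = keys.get("sso_account_id", "").strip()
        if account and not re.fullmatch(r"\d{12}", account):
            findings.append(f"[{section}]: sso_account_id must be a 12-digit account ID")
        url = keys.get("sso_start_url", "").strip()
        if url and not url.startswith("https://"):  # assumption: portal is HTTPS
            findings.append(f"[{section}]: sso_start_url should be an https:// URL")
    return findings

if __name__ == "__main__":
    for kind in ("config", "credentials"):
        for finding in lint_sso_profiles(SAMPLE, kind):
            print(f"{kind}: {finding}")
```

An empty result means the profile passed these checks; it does not confirm that the account ID and role name are the ones you intended to grant.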

Signing in with AWS SSO

When signing in with an AWS SSO profile, the default browser is launched to the specified portal. You must verify your AWS SSO login before you can access your AWS resources in VS Code. Note that if your credentials expire, you'll have to repeat the connection process to obtain new temporary credentials.