# aws-sso-auth-guide

AWS SSO discovery, configuration, and terminal usage

Installer (run this command in your terminal to install the skill):

```shell
git clone https://github.com/stakpak/community-paks /tmp/community-paks && cp -r /tmp/community-paks/aws-sso-auth-guide ~/.claude/skills/community-paks/
```

## SKILL.md
```yaml
---
name: aws-sso-auth-guide
description: AWS SSO discovery, configuration, and terminal usage
license: MIT
tags:
  - aws
  - sso
  - authentication
  - iam-identity-center
metadata:
  author: Stakpak team@stakpak.dev
  version: "1.0.2"
---
```
# AWS SSO Terminal Guide

## Discovery: Finding SSO Configuration

### Get SSO Instance & Portal URL

```shell
# From management account
aws sso-admin list-instances --profile <mgmt-profile>
# Returns: InstanceArn, IdentityStoreId (d-xxxxxxxxxx), OwnerAccountId
# Portal URL format: https://d-xxxxxxxxxx.awsapps.com/start
```
### List Accounts & Permission Sets

```shell
# List organization accounts
aws organizations list-accounts --profile <mgmt-profile>

# List permission sets
aws sso-admin list-permission-sets \
  --instance-arn <instance-arn> \
  --profile <mgmt-profile>

# Get permission set name
aws sso-admin describe-permission-set \
  --instance-arn <instance-arn> \
  --permission-set-arn <ps-arn> \
  --profile <mgmt-profile>

# Check account assignments
aws sso-admin list-account-assignments \
  --instance-arn <instance-arn> \
  --account-id <account-id> \
  --permission-set-arn <ps-arn> \
  --profile <mgmt-profile>
```
## Configuration

### Profile Structure (Recommended)

```ini
# ~/.aws/config
[profile my-profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1

[sso-session my-sso]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
```

Benefits: token reuse across profiles, automatic refresh (CLI v2.22.0+)
### Interactive Configuration

```shell
aws configure sso
```
## Authentication

### Login Flow

```shell
# Login (PKCE auth - default in CLI v2.22.0+)
aws sso login --profile my-profile

# Login with device code (for headless/remote)
aws sso login --profile my-profile --use-device-code

# Verify
aws sts get-caller-identity --profile my-profile
```
Token cache: `~/.aws/sso/cache/`. The cached files hold the SSO access token, so treat them as credentials and keep the directory readable only by the owning user.
### Key Endpoints & Flow

- `oidc.{region}.amazonaws.com`: OIDC authentication
- `portal.sso.{region}.amazonaws.com`: SSO portal
- Auth flow: RegisterClient → StartDeviceAuthorization → CreateToken
## Troubleshooting

Missing SSO Configuration:

```shell
# Error: Missing sso_start_url, sso_region
# Fix: aws configure sso
```
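As an added example that is not part of this guide, a small Python checker for the recommended profile structure in the Configuration section: it resolves each profile through its `[sso-session]` block and reports the missing-field condition behind the "Missing sso_start_url, sso_region" error, a dangling `sso_session` reference, and a malformed account id. The sample config and the portal URL pattern are constructed assumptions; custom `awsapps.com` subdomains would need a looser pattern.

```python
import configparser
import re

# Constructed ~/.aws/config: the recommended layout, a profile missing fields, a dangling session.
SAMPLE_CONFIG = """\
[profile my-profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess

[profile ops]
sso_session = my-sso
sso_account_id = 12345

[profile dangling]
sso_session = no-such-session

[sso-session my-sso]
sso_start_url = https://d-abcdef1234.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
"""

# Default portal URL shape from the discovery section (assumption: custom subdomains not accepted).
PORTAL_RE = re.compile(r"^https://d-[0-9a-z]{10}\.awsapps\.com/start$")


def check_sso_config(text: str) -> list[tuple[str, str]]:
    """Return (profile, problem) findings for the body of an ~/.aws/config file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sessions = {s.split(" ", 1)[1]: cp[s] for s in cp.sections() if s.startswith("sso-session ")}
    findings = []
    for section in (s for s in cp.sections() if s.startswith("profile ")):
        name, prof = section.split(" ", 1)[1], cp[section]
        # Recommended layout: start URL and SSO region are resolved through the
        # named [sso-session] block; without sso_session they must be inline.
        src = sessions.get(prof["sso_session"]) if "sso_session" in prof else prof
        if src is None:
            findings.append((name, f"no [sso-session {prof['sso_session']}] block"))
            continue
        missing = [k for k in ("sso_start_url", "sso_region") if k not in src]
        missing += [k for k in ("sso_account_id", "sso_role_name") if k not in prof]
        if missing:
            findings.append((name, "missing " + ", ".join(missing)))
        if "sso_account_id" in prof and not re.fullmatch(r"\d{12}", prof["sso_account_id"]):
            findings.append((name, "sso_account_id must be a 12-digit account id"))
        if "sso_start_url" in src and not PORTAL_RE.match(src["sso_start_url"]):
            findings.append((name, f"unexpected start URL {src['sso_start_url']}"))
    return findings
```

Run it against the contents of your own `~/.aws/config` with `check_sso_config(open(path).read())`; an empty list means every profile resolves to a complete session.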
Expired Token:

```shell
# Error: Token is expired
# Fix: aws sso login --profile my-profile
```

Proxy SSL Issues:

```shell
# Error: SSL certificate verification failed
# Fix: Set AWS_CA_BUNDLE to proxy CA certificate
export AWS_CA_BUNDLE=/path/to/proxy-ca.crt
```

Access Denied:

```shell
# Check permission set assignments
aws sso-admin list-account-assignments \
  --instance-arn <arn> \
  --account-id <id> \
  --permission-set-arn <ps-arn>
```
## Quick Reference

CLI Versions:

- v2.22.0+: PKCE auth (default), auto-refresh
- < v2.22.0: Device code auth

Authorization Types:

- PKCE: Same-device, browser required
- Device Code: Cross-device, browser optional
Repository: stakpak/community-paks/aws-sso-auth-guide (author: stakpak)