aws-sso-auth-guide

📁 stakpak/community-paks 📅 Jan 27, 2026
Total installs: 3
Weekly installs: 3
Site-wide rank: #59137
Install command
npx skills add https://github.com/stakpak/community-paks --skill aws-sso-auth-guide

Install distribution by agent

opencode 3
claude-code 3
github-copilot 3
codex 3
gemini-cli 3
cursor 3

Skill documentation

AWS SSO Terminal Guide

Discovery: Finding SSO Configuration

Get SSO Instance & Portal URL

# From management account
aws sso-admin list-instances --profile <mgmt-profile>
# Returns: InstanceArn, IdentityStoreId (d-xxxxxxxxxx), OwnerAccountId

# Portal URL format: https://d-xxxxxxxxxx.awsapps.com/start

List Accounts & Permission Sets

# List organization accounts
aws organizations list-accounts --profile <mgmt-profile>

# List permission sets
aws sso-admin list-permission-sets \
  --instance-arn <instance-arn> \
  --profile <mgmt-profile>

# Get permission set name
aws sso-admin describe-permission-set \
  --instance-arn <instance-arn> \
  --permission-set-arn <ps-arn> \
  --profile <mgmt-profile>

# Check account assignments
aws sso-admin list-account-assignments \
  --instance-arn <instance-arn> \
  --account-id <account-id> \
  --permission-set-arn <ps-arn> \
  --profile <mgmt-profile>

Configuration

Profile Structure (Recommended)

# ~/.aws/config

[profile my-profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1

[sso-session my-sso]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

Benefits: token reuse across profiles that share the sso-session, and automatic token refresh (CLI v2.22.0+)

Interactive Configuration

aws configure sso

Authentication

Login Flow

# Login (PKCE auth - default in CLI v2.22.0+)
aws sso login --profile my-profile

# Login with device code (for headless/remote)
aws sso login --profile my-profile --use-device-code

# Verify
aws sts get-caller-identity --profile my-profile

Token Cache: ~/.aws/sso/cache/

Key Endpoints & Flow

  • oidc.{region}.amazonaws.com – OIDC authentication
  • portal.sso.{region}.amazonaws.com – SSO portal
  • Auth flow: RegisterClient → StartDeviceAuthorization → CreateToken

Troubleshooting

Missing SSO Configuration:

# Error: Missing sso_start_url, sso_region
# Fix: aws configure sso

Expired Token:

# Error: Token is expired
# Fix: aws sso login --profile my-profile
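
As an added example (not part of this skill or of the AWS CLI), the following Python resolves a profile's sso-session to its file under the token cache from the Login Flow section and reports whether the cached token is still valid, which is the condition behind the "Token is expired" error above. The config text and timestamps are constructed samples; the cache-file naming (SHA-1 of the sso-session name) and the "expiresAt" field layout are assumptions about CLI v2 behaviour.

```python
# Added example, not part of the aws-sso-auth-guide skill. Assumes the AWS CLI v2
# cache layout: ~/.aws/sso/cache/<sha1 of the sso-session name>.json, holding
# "accessToken" and an "expiresAt" UTC timestamp ("2026-01-27T10:00:00Z").
import configparser
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample mirroring the recommended ~/.aws/config layout above.
SAMPLE_CONFIG = """
[profile my-profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
[sso-session my-sso]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = us-east-1
"""

def sso_session_for_profile(config_text, profile):
    """Return the sso_session a profile points at (KeyError if it has none)."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return cp["profile " + profile]["sso_session"]

def sso_cache_path(session_name, cache_dir=None):
    """The CLI names the cache file after the SHA-1 of the sso-session name."""
    base = Path(cache_dir) if cache_dir else Path.home() / ".aws" / "sso" / "cache"
    return base / (hashlib.sha1(session_name.encode()).hexdigest() + ".json")

def parse_utc(ts):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' timestamps (a trailing 'UTC' is tolerated too)."""
    ts = ts[:-3] if ts.endswith("UTC") else ts[:-1] if ts.endswith("Z") else ts
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def token_status(cache_json, now_iso=None):
    """'valid', 'expired', or 'no-token' when the file holds no access token."""
    data = json.loads(cache_json)
    if "accessToken" not in data or "expiresAt" not in data:
        return "no-token"
    now = parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    return "valid" if parse_utc(data["expiresAt"]) > now else "expired"

if __name__ == "__main__":
    session = sso_session_for_profile(SAMPLE_CONFIG, "my-profile")
    path = sso_cache_path(session)  # holds a bearer token: keep it mode 0600
    print(session, path)
    if path.exists():
        print(token_status(path.read_text()))
```

Point the script at your real ~/.aws/config contents to check a live profile; an "expired" result means `aws sso login --profile <name>` is needed, a "no-token" result means the login never completed.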

Proxy SSL Issues:

# Error: SSL certificate verification failed
# Fix: Set AWS_CA_BUNDLE to proxy CA certificate
export AWS_CA_BUNDLE=/path/to/proxy-ca.crt

Access Denied:

# Check permission set assignments
aws sso-admin list-account-assignments \
  --instance-arn <arn> \
  --account-id <id> \
  --permission-set-arn <ps-arn>

Quick Reference

CLI Versions:

  • v2.22.0+: PKCE auth (default), auto-refresh
  • < v2.22.0: Device code auth

Authorization Types:

  • PKCE: Same-device, browser required
  • Device Code: Cross-device, browser optional