Differences

This shows you the differences between two versions of the page.

--- aws:sso [23/05/2025 13:32] – created andrew
+++ aws:sso [18/09/2025 15:27] (current) – [Automating SSO] andrew
@@ Line 1: / Line 1: @@
 ====== Automating SSO ======
+AWS sso has changed, so if you are running this on a headless system over ssh for example, use ''aws configure sso –-use-device-code''. This will produce an option to open a browser and approve access there.
+<code>
+SSO session name (Recommended): test123
+SSO start URL [None]: https://d-1a2345ab23.awsapps.com/start/#
+SSO region [None]: eu-west-1
+SSO registration scopes [sso:account:access]:
+Attempting to automatically open the SSO authorization page in your default browser.
+If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
+https://d-1a2345ab23.awsapps.com/start/#/device
+Then enter the code:
+ABCD-EFGH
+</code>
+{{:aws:use-device-code.png?200}}
+Click Allow Access, you can then close your tab / browser session.
+<code>
+There are 8 AWS accounts available to you.
+Using the account ID 123412341234
+There are 3 roles available to you.
+Using the role name "AdministratorAccess"
+Default client Region [None]: eu-west-1
+CLI default output format (json if not specified) [None]: json
+Profile name [AdministratorAccess-123412341234]: MyDeploymentRole
+To use this profile, specify the profile name using --profile, as shown:
+aws sts get-caller-identity --profile MyDeploymentRole
+</code>
+===== Deriving SSO URL =====
+The URL for the SSO sign in can be derived programatically:-
 <code>
 SSO uses the URL:-
-https://d-1a2345da26.awsapps.com/start/#
+https://d-1a2345ab23.awsapps.com/start/#
 The d-xxxx is the Identity Store Directory id
 $ aws sso-admin list-instances | jq -r .Instances[]."IdentityStoreId"
-a2345da26
+d-1a2345da26
 </code>