aws:sso
Automating SSO
AWS SSO has changed, so if you are running this on a headless system (over SSH, for example), use aws configure sso --use-device-code. This prints a URL and a code, giving you the option to open a browser on another device and approve access there.
<code>
SSO session name (Recommended): test123
SSO start URL [None]: https://d-1a2345ab23.awsapps.com/start/#
SSO region [None]: eu-west-1
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://d-1a2345ab23.awsapps.com/start/#/device

Then enter the code:

ABCD-EFGH
There are 8 AWS accounts available to you.
Using the account ID 123412341234
There are 3 roles available to you.
Using the role name "AdministratorAccess"
Default client Region [None]: eu-west-1
CLI default output format (json if not specified) [None]: json
Profile name [AdministratorAccess-123412341234]: MyDeploymentRole
To use this profile, specify the profile name using --profile, as shown:

aws sts get-caller-identity --profile MyDeploymentRole
</code>
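The answers given to the prompts above end up as an sso-session section and a profile section in ~/.aws/config, so on a headless host they can be written directly and followed by a device-code login. This is an added example, not part of the original wiki page: the function name write_sso_profile and its argument order are made up here, and it assumes the same region is used for SSO and for the client, as in the session above.

```shell
# Added example: non-interactive equivalent of the prompts shown above.
# write_sso_profile and its argument order are this example's own names.
write_sso_profile() (
  # args: profile session start_url region account_id role_name
  profile=$1 session=$2 start_url=$3 region=$4 account=$5 role=$6
  cfg=${AWS_CONFIG_FILE:-$HOME/.aws/config}

  # Validate before touching the file.
  case $account in ''|*[!0-9]*) echo "bad account id" >&2; exit 1 ;; esac
  [ "${#account}" -eq 12 ] || { echo "bad account id" >&2; exit 1; }
  case $start_url in https://*) ;; *) echo "start URL must be https" >&2; exit 1 ;; esac

  umask 077   # a newly created config is readable by its owner only
  mkdir -p "$(dirname "$cfg")" && touch "$cfg" || exit 1

  # Never append a section name twice: duplicate sections can make the
  # config file fail to parse.
  if grep -qxF "[profile $profile]" "$cfg"; then
    echo "profile $profile already in $cfg" >&2; exit 1
  fi
  if ! grep -qxF "[sso-session $session]" "$cfg"; then
    cat >>"$cfg" <<EOF
[sso-session $session]
sso_start_url = $start_url
sso_region = $region
sso_registration_scopes = sso:account:access

EOF
  fi
  cat >>"$cfg" <<EOF
[profile $profile]
sso_session = $session
sso_account_id = $account
sso_role_name = $role
region = $region
output = json

EOF
)

# With the values from the session above, then sign in on the headless host:
#   write_sso_profile MyDeploymentRole test123 \
#     'https://d-1a2345ab23.awsapps.com/start/#' eu-west-1 123412341234 AdministratorAccess
#   aws sso login --profile MyDeploymentRole --use-device-code
#   aws sts get-caller-identity --profile MyDeploymentRole
```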
SSO uses the URL https://d-1a2345ab23.awsapps.com/start/#. The d-xxxx part is the Identity Store directory ID, which you can look up with:
<code>
$ aws sso-admin list-instances | jq -r '.Instances[].IdentityStoreId'
d-1a2345da26
</code>
aws/sso.1754998526.txt.gz · Last modified: by andrew