How can I get temporary credentials for an IAM Identity Center user using the AWS CLI?

Short description

Configuring a named profile to use IAM Identity Center creates a JSON file in the $ cd ~/.aws/sso/cache directory. The JSON file contains a JSON Web Token (JWT) used to get the temporary security credentials with the get-role-credentials API call. The access token is valid for 8 hours as noted in the expiresAt timestamp in the JSON file. Expired tokens must re-authenticate using the get-role-credentials API call.

Resolution

You can use the AWS Command Line Interface (AWS CLI) to get the temporary credentials for an IAM Identity Center user.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

Open the JSON file and copy the access token:

$ cat 535a8450b05870c9045c8a7b95870.json

{"startUrl": "https://my-sso-portal.awsapps.com/start", "region": "us-east-1", "accessToken": "eyJlbmMiOiJBM….”, "expiresAt": "2020-06-17T10:02:08UTC"}

Run the AWS CLI command get-role-credentials to get the credentials for the IAM Identity Center user similar to the following:

$ aws sso get-role-credentials --account-id 123456789012 --role-name <permission-set-name> --access-token eyJlbmMiOiJBM…. --region <enter_the_same_sso_region_same_in_the_JSON_file>

Example output:

{
    "roleCredentials": {
        "accessKeyId": "ASIA*************”,
        "secretAccessKey": “**********************************”,
        "sessionToken": “****************************************”,
        "expiration": 1592362463000
    }
}

Then, follow the instructions to configure the credentials as environment variables.

Related information

How do I use IAM Identity Center permission sets?