Access External AWS Account via CLI SSO

Question

We have set up an External AWS Account as an application in AWS IAM Identity Center, and can access the Console via the SSO start page fine. 
However we can't see how to set up CLI access to the external AWS account via SSO (as we can with accounts under our Organization).

We are trying to move an account that is currently under our Organization to its own Organization, as we need to pay the account via a different payment method. However we still want SSO access (via the Console and CLI). 
We have followed these instructions for setting up an External AWS Account for SSO: https://static.global.sso.amazonaws.com/app-4a24b6fe5e450fa2/instructions/index.htm

Answer

Based on what you have written, you are able to successfully setup an External aws account to be accessed via SSO setup for your organization. If you have finished the process, setting up CLI should not be any different.

For example you can add an IAM Identity Center enabled profile to your AWS CLI by running the following command, providing your IAM Identity Center start URL and the AWS Region that hosts the Identity Center directory.

```
$ aws configure sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]:us-east-1
```

The IAM Identity Center browser page prompts you to sign in with your IAM Identity Center credentials. This enables the AWS CLI (through the permissions associated with your IAM Identity Center) to retrieve and display the AWS accounts and roles that you are authorized to use with IAM Identity Center.

This will report the accounts as shown below which you can pick to enable access to the account. 
```
There are 2 AWS accounts available to you.
> DeveloperAccount, developer-account-admin@example.com (123456789011) 
  ExternalAccount, external-account-admin@example.com (123456789022)
```
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html#sso-configure-profile

Access External AWS Account via CLI SSO

関連するコンテンツ