Access External AWS GovCloud and AWS China accounts via SSO CLI

0

I have set up 2 external AWS accounts to be accessed via SSO. One is GovCloud and the other one is AWS-CN China. They are not showing up when I log in using the CLI. If I log in using the SSO Dashboard, I can get to them via the Management Console but I'm not presented with the temporary STS credentials. Is there a way to make this work for China and GovCloud AWS accounts?

1 Answer
0

In regard to your use-case of external accounts, it is an expected behaviour. One can access AWS accounts outside their organization by configuring an application to access the 'External Account' (through IAM federation to the external account AWS console).

Although there are options to configure AWS SSO-authenticated CLI sessions and retrieve programmatic credentials for accounts within the organization, there is no option to programmatically access the 'External Account' provided by the SSO user portal as Applications.

As an alternative, you can utilize the Chrome extension "SAML to AWS STS Keys Conversion" to obtain the temporary credentials via the AWS STS service.

Alternatively, you can use the "assume-role-with-saml" AWS CLI command to obtain the temporary credentials.

Further, the obtained credentials can either be fed to the credentials file or be set as environment variables.

Hope the information shared above was useful. Thank you.

AWS
Support Engineer
Varun
answered 2 years ago
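
An added example (not part of the answer above and not AWS's code) of the assume-role-with-saml route: it reads the role and SAML-provider ARN pairs from a base64 SAML response, builds the CLI call against a regional STS endpoint in the GovCloud or China partition, and turns the CLI's JSON output into environment variable exports. The sample assertion, account IDs, the `assertion.b64` file name and the default regions are constructed assumptions.

```python
import base64
import json
import shlex
import xml.etree.ElementTree as ET

# Assumed default STS region per partition; use the region your account runs in.
PARTITION_REGION = {"aws-us-gov": "us-gov-west-1", "aws-cn": "cn-north-1"}
NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Constructed SAML response with placeholder account IDs, for illustration only.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">'
    '<saml:AttributeValue>arn:aws-us-gov:iam::111122223333:role/ExampleRole,'
    'arn:aws-us-gov:iam::111122223333:saml-provider/ExampleIdP</saml:AttributeValue>'
    '<saml:AttributeValue>arn:aws-cn:iam::444455556666:saml-provider/ExampleIdP,'
    'arn:aws-cn:iam::444455556666:role/ExampleRole</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def roles_in_assertion(assertion_b64):
    """Return (role_arn, principal_arn) pairs offered by a base64 SAML response."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    pairs = []
    for attr in root.iter(NS + "Attribute"):
        if attr.get("Name", "").endswith("/SAML/Attributes/Role"):
            for value in attr.iter(NS + "AttributeValue"):
                arns = [a.strip() for a in (value.text or "").split(",")]
                # The two ARNs can appear in either order; tell them apart by type.
                role = next((a for a in arns if ":role/" in a), None)
                idp = next((a for a in arns if ":saml-provider/" in a), None)
                if role and idp:
                    pairs.append((role, idp))
    return pairs

def cli_command(role_arn, principal_arn, assertion_file):
    """Build the argv for `aws sts assume-role-with-saml` in the role's partition."""
    region = PARTITION_REGION[role_arn.split(":")[1]]
    # The assertion is a bearer credential: pass it by file://, not on the command line.
    return ["aws", "sts", "assume-role-with-saml", "--role-arn", role_arn,
            "--principal-arn", principal_arn, "--region", region,
            "--saml-assertion", "file://" + assertion_file, "--output", "json"]

def env_exports(sts_json):
    """Turn the command's JSON output into shell export lines."""
    c = json.loads(sts_json)["Credentials"]
    names = (("AWS_ACCESS_KEY_ID", "AccessKeyId"),
             ("AWS_SECRET_ACCESS_KEY", "SecretAccessKey"),
             ("AWS_SESSION_TOKEN", "SessionToken"))
    return "\n".join(f"export {n}={shlex.quote(c[k])}" for n, k in names)
```

The partition in the role ARN (`aws-us-gov` or `aws-cn`) selects the STS region, because these partitions are served by their own regional endpoints rather than the commercial one.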
