Access External AWS GovCloud and AWS China accounts via SSO CLI

1

I have setup 2 external AWS accounts to be accessed via SSO. One is GovCloud and the other one is AWS-CN China. They are not showing up when I log in using the CLI. If I log in using the SSO Dashboard, I can get to them via the Management Console but I'm not presented with the temporary STS credentials. Is there a way to make this work for China and GovCloud AWS accounts?

1 Answer
0

In regard to your use-case of external accounts, it is an expected behaviour. One can access AWS accounts outside their organization by configuring an application to access the 'External Account' (through IAM federation to the external account AWS console).

Although there are options to configure AWS SSO-authenticated CLI sessions and retrieve programmatic credentials for accounts within the organization, there is no option to programmatically access the 'External Account' provided by the SSO user portal as Applications.

As an alternative, you can either utilize the Chrome extension "SAML to AWS STS Keys Conversion" to obtain the temporary credentials via AWS STS service.

Alternatively, you can use "assume-role-with-saml" AWS CLI command to obtain the temporary credentials.

Further, obtained credentials can either be fed to the credentials file or could be set as environment variables.

Hope above shared information was useful. Thank you.

profile pictureAWS
SUPPORT ENGINEER
Varun
answered 2 years ago
  • Is still the case?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions