
How do I use the AWS CLI to get temporary credentials for an IAM Identity Center user?


I want to get temporary credentials for an AWS IAM Identity Center user.

Short description

To generate temporary credentials, run the get-role-credentials command. When you configure a named profile to use IAM Identity Center and sign in with aws sso login, the AWS Command Line Interface (AWS CLI) creates a JSON file in the ~/.aws/sso/cache directory. The JSON file contains an access token (a JSON web token, JWT) that's used to get the temporary security credentials with the get-role-credentials command. The access token is valid for 8 hours by default; the actual lifetime is set by your IAM Identity Center session duration. The expiresAt timestamp in the JSON file shows the expiration time.

Note: The access token is a bearer credential. Anyone who can read the cache file can call get-role-credentials for every account and permission set that your user is assigned to, until the token expires. Protect the ~/.aws/sso/cache directory as you would long-term access keys, and don't paste the token into shared terminals, scripts, or support tickets.

Resolution

Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Get the temporary credentials

Complete the following steps:

  1. In the ~/.aws/sso/cache directory, open the JSON file that contains an accessToken key, and then locate the access token. The file name is a hash and differs from machine to machine. The directory usually also holds a second JSON file that contains only the client registration (clientId and clientSecret); that isn't the file you need:

    cat 535a8450b05870c9045c8a7b95870.json
    {"startUrl": "https://my-sso-portal.awsapps.com/start", "region": "us-east-1", "accessToken": "eyJlbmMiOiJBM….", "expiresAt": "2020-06-17T10:02:08UTC"}

  2. Copy the accessToken value. If the expiresAt timestamp is in the past, run aws sso login first to get a new token.

  3. Run the following get-role-credentials command to get credentials for the Identity Center user:

    aws sso get-role-credentials --account-id 123456789012 --role-name permission-set-name --access-token eyJlbmMiOiJBM…. --region enter_the_same_sso_region_same_in_the_JSON_file

    Note: Replace 123456789012 with the 12-digit ID of the target AWS account, permission-set-name with the name of the permission set that you're assigned in that account, and enter_the_same_sso_region_same_in_the_JSON_file with the region value from your JSON file. That value is the Region where IAM Identity Center is enabled, not the Region of the resources that you want to use. If you use an incorrect role name, or your user isn't assigned that permission set in that account, then you receive the error "An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access." If the access token or the Region doesn't match the JSON file, or the token has expired, then you receive the error "An error occurred (UnauthorizedException) when calling the GetRoleCredentials operation: Session token not found or invalid."

    Example output:

    {
        "roleCredentials": {
            "accessKeyId": "ASIA*************",
            "secretAccessKey": "**********************************",
            "sessionToken": "****************************************",
            "expiration": 1592362463000
        }
    }
  4. Configure the credentials as environment variables: set AWS_ACCESS_KEY_ID to the accessKeyId value, AWS_SECRET_ACCESS_KEY to the secretAccessKey value, and AWS_SESSION_TOKEN to the sessionToken value. The expiration value is a Unix epoch timestamp in milliseconds. After that time, the credentials stop working and you must run get-role-credentials again, or aws sso login first if the access token has also expired.
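The four steps above combined into one script. This is an added example, not AWS code or part of the original article. It assumes that the AWS CLI is on PATH and that the token cache is in ~/.aws/sso/cache; the SAMPLE_CACHE_ENTRIES and SAMPLE_RESPONSE values are constructed placeholders that mirror the article's cache file and output, not real credentials. The script skips the client-registration file, refuses an expired token, and converts the millisecond expiration into a readable time.

```python
"""Steps 1-4 as one script: find the cached IAM Identity Center access token, refuse it
if expired, exchange it via `aws sso get-role-credentials`, print `export` lines.
Added example, not AWS code; assumes the AWS CLI is on PATH."""
import json
import shlex
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

CACHE_DIR = Path.home() / ".aws" / "sso" / "cache"

# Constructed sample data mirroring the article's cache file and output. Placeholders only.
SAMPLE_CACHE_ENTRIES = [
    # client-registration file: clientId/clientSecret, no accessToken
    {"clientId": "EXAMPLE-CLIENT-ID", "clientSecret": "EXAMPLE-CLIENT-SECRET",
     "expiresAt": "2020-09-15T10:02:08UTC"},
    # token file: the one step 1 tells you to read
    {"startUrl": "https://my-sso-portal.awsapps.com/start", "region": "us-east-1",
     "accessToken": "eyJlbmMiOiJBM....", "expiresAt": "2020-06-17T10:02:08UTC"},
]
SAMPLE_RESPONSE = {"roleCredentials": {
    "accessKeyId": "ASIAEXAMPLE", "secretAccessKey": "EXAMPLESECRET",
    "sessionToken": "EXAMPLETOKEN", "expiration": 1592362463000}}


def parse_expires_at(value):
    """expiresAt has appeared as '2020-06-17T10:02:08UTC' and as ISO-8601 '...Z';
    normalise both to an aware UTC datetime."""
    v = value.strip()
    if v.endswith("UTC"):
        v = v[:-3] + "+00:00"
    elif v.endswith("Z"):
        v = v[:-1] + "+00:00"
    return datetime.fromisoformat(v)

def token_is_valid(entry, now=None):
    """True while expiresAt lies in the future. `now` is injectable for tests."""
    now = now or datetime.now(timezone.utc)
    return parse_expires_at(entry["expiresAt"]) > now

def select_token(entries, now=None):
    """Step 1: the unexpired entry that carries an accessToken (skips the registration
    file). If several token files exist, the latest-expiring one wins."""
    usable = [e for e in entries
              if "accessToken" in e and "expiresAt" in e and token_is_valid(e, now)]
    return max(usable, key=lambda e: parse_expires_at(e["expiresAt"])) if usable else None

def load_cache_entries(cache_dir=CACHE_DIR):
    """Parse every *.json file in the cache directory; skip unreadable ones."""
    entries = []
    for path in sorted(Path(cache_dir).glob("*.json")):
        try:
            entries.append(json.loads(path.read_text()))
        except (OSError, ValueError):
            continue
    return entries

def get_role_credentials(token, account_id, role_name):
    """Step 3. --region is the Identity Center Region stored in the cache file and
    --role-name is the permission set name. As with the manual command, the token is
    passed on the command line and so is visible in `ps` output on the host."""
    cmd = ["aws", "sso", "get-role-credentials", "--account-id", account_id,
           "--role-name", role_name, "--access-token", token["accessToken"],
           "--region", token["region"], "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

def role_credentials_to_env(response):
    """Step 4. Map roleCredentials to the variables the CLI and SDKs read.
    `expiration` is Unix epoch milliseconds, not seconds."""
    rc = response["roleCredentials"]
    env = {"AWS_ACCESS_KEY_ID": rc["accessKeyId"],
           "AWS_SECRET_ACCESS_KEY": rc["secretAccessKey"],
           "AWS_SESSION_TOKEN": rc["sessionToken"]}
    return env, datetime.fromtimestamp(rc["expiration"] / 1000, tz=timezone.utc)

def export_lines(env):
    """Shell `export` statements, quoted so they are safe to eval."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in env.items())

def main(argv):
    if len(argv) != 3:
        sys.stderr.write(f"usage: {argv[0]} ACCOUNT_ID PERMISSION_SET_NAME\n")
        return 2
    token = select_token(load_cache_entries())
    if token is None:
        sys.stderr.write("no valid access token in cache; run `aws sso login` first\n")
        return 1
    env, expires = role_credentials_to_env(get_role_credentials(token, argv[1], argv[2]))
    sys.stderr.write(f"credentials expire at {expires.isoformat()}\n")
    print(export_lines(env))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as eval "$(python3 sso_creds.py 123456789012 permission-set-name)" (the script name is an assumption) so the export lines land in the current shell. Like the manual command in step 3, it places the access token in a process argument list, where other users on a shared host can read it with ps; letting the AWS CLI read the token itself through a named profile avoids that exposure.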

Related information

How do I use IAM Identity Center permission sets?

3 Comments

The bit that is missing here is how to tie the files in the ~/.aws/sso/cache to the profiles that were authenticated.

I cleared out the cache folder and once I authenticate it creates two files for the profile in that folder. One appears to have a clientId and clientSecret, while the other also includes the startUrl, region, etc - they both have the same clientId, so probably will work for the command mentioned.

After some testing, it appears that the first file gets created on login, the other gets updated/recreated each time a new login request is done.

The second file is the only one with the accessToken in it (the file name is different than in this article for me):

    Robs-Mac-Studio:cache robweaver$ ls -la
    total 16
    drwxr-xr-x  4 robweaver  staff   128 Dec 31 10:13 .
    drwxr-xr-x  3 robweaver  staff    96 Jan 16  2023 ..
    -rw-------  1 robweaver  staff  1591 Dec 31 10:13 0985762d83913a2168995f8d4708edd8576ac6fa.json
    -rw-------  1 robweaver  staff  1966 Dec 31 10:13 b457e1ad9779b6f14b1438fe4d9fb53c97acd78d.json
replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 years ago

All you need is:

    aws configure export-credentials --profile profile-name

If you want them as environment variables and make them available in your terminal:

    eval "$(aws configure export-credentials --profile profile-name --format env)"

replied 2 years ago