How do I use the AWS CLI to get temporary credentials for an IAM Identity Center user?

2 minute read
0

I want to get temporary credentials for an AWS IAM Identity Center user.

Short description

When you configure a named profile to use IAM Identity Center, a JSON file in the $ cd ~/.aws/sso/cache directory is created. The JSON file contains a JSON Web Token (JWT) that's used to get the temporary security credentials with the get-role-credentials API-equivalent command. The access token is valid for 8 hours. You can see the expiration time in the expiresAt timestamp in the JSON file. You must use the get-role-credentials command to reauthenticate expired tokens.

Resolution

Use the AWS Command Line Interface (AWS CLI) to get the temporary credentials for an IAM Identity Center user.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Get the temporary credentials

In the AWS CLI, complete the following steps:

  1. Open the JSON file, and then copy the access token:

    $ cat 535a8450b05870c9045c8a7b95870.json
    {"startUrl": "https://my-sso-portal.awsapps.com/start", "region": "us-east-1", "accessToken": "eyJlbmMiOiJBM….", "expiresAt": "2020-06-17T10:02:08UTC"}
  2. Run the get-role-credentials AWS CLI command to get the credentials for the IAM Identity Center user:

    $ aws sso get-role-credentials --account-id 123456789012 --role-name permission-set-name --access-token eyJlbmMiOiJBM…. --region enter_the_same_sso_region_same_in_the_JSON_file

    Example output:

    {    "roleCredentials": {
            "accessKeyId": "ASIA*************",
            "secretAccessKey": "**********************************",
            "sessionToken": "****************************************",
            "expiration": 1592362463000
        }
    }
  3. Configure the credentials as environment variables.

Troubleshoot error messages

"An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access."

This error might occur because of an incorrect role name in the AWS CLI. Check the role name to confirm that it's correct.

"An error occurred (UnauthorizedException) when calling the GetRoleCredentials operation: Session token not found or invalid."

This error occurs because the session token or AWS Region is incorrect. Make sure that the Region in the AWS CLI command is the same as the Region in the JSON file output.

Related information

How do I use IAM Identity Center permission sets?

AWS OFFICIAL
AWS OFFICIALUpdated 10 months ago
3 Comments

The bit that is missing here is how to tie the files in the ~/.aws/sso/cache to the profiles that were authenticated.

I cleared out the cache folder and once I authenticate it creates two files for the profile in that folder. One appears to have a clientId and clientSecret, while the other also includes the startUrl, region, etc - they both have the same clientId, so probably will work for the command mentioned.

After some testing, it appears that the first file gets created on login, the other gets updated/recreated each time a new login request is done.

The second file is the only one with the accessToken in it (the file name is different than in this article for me:

Robs-Mac-Studio:cache robweaver$ ls -la
total 16
drwxr-xr-x  4 robweaver  staff   128 Dec 31 10:13 .
drwxr-xr-x  3 robweaver  staff    96 Jan 16  2023 ..
-rw-------  1 robweaver  staff  1591 Dec 31 10:13 0985762d83913a2168995f8d4708edd8576ac6fa.json
-rw-------  1 robweaver  staff  1966 Dec 31 10:13 b457e1ad9779b6f14b1438fe4d9fb53c97acd78d.json
replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 9 months ago

All you need is:

aws configure export-credentials --profile profile-name

If you want them as environment variables and make them available in your terminal:

eval "$(aws configure export-credentials --profile profile-name --format env)"

Khalid
replied 7 months ago