AWS SSO integrated programattic access


Programmatic access allows to invoke actions on your AWS resources either through an application  or through a third-party tool. Following lab shows how to integrate it with AWS SSO, Azure SSO using AWS CLI version 2.

Lab Schema


Another configuration must be prepared before you will continue. Click button on the right to jump into AWS SSO and Azure SSO integration


1. Install AWS CLI version 2

Use following link to download awscliv2 package: Installing the AWS CLI v2.

Check installing version using aws2 –version command

2. AWS CLI v2 SSO config (1)

To configure SSO, execute following command: aws2 configure sso

Then enter SSO Start URL ans SSO Region.

If browser will not open automaticaly, open browser and copy displayed URL, manually

3. AWS CLI v2  SSO config (2)

Go to previoulsy open page and copy Verification code from the terminal. Click Next to continue

4. SSO Sign in (1)

You will be redirected into MIcrosoft page. Enter your user name/email and password

5. SSO Sign in (2)

To proceed, click Sign in to AWS CLI

6. SSO Sign in (3)

Once process will be finished, yo can close browser and come back to terminal

7. Account selection

Use arrows to select AWS account you want to sign in. Once ready, confirm using Enter

8. Role selection

CLI will list all roles assigned to your user for previously selected AWS account. Confirm/enter CLI client Region, output format and profile name

Test Area

9. Check access (1)

To check, if configuration is working as expected, we will try to list all active EC2 instances.

Using terminal, execute following command:

aws2 ec2 describe-instances --output table --profile <profile name>

10. Check access (2)

To logout, execute following command

aws2 sso logout

Please bear in mind, that if you now try to repeat aws2 ec2 describe-instances (…) command, you wil get an error: SSO token has either expired or is otherwise invalid.

11. Check access (3)

To login, use login command with proper profile switch

aws2 sso login --profile <profile_name>

You should now repeat procedure described in steps #3-#6. After that you should get information: Succesfully logged into start URL