How to Access AWS Accounts with SSO via Console and Local CLI

Disclaimer: Please use CloudShell as a first option for CLI access. You can find that KB article here: https://helpcenter.mines.edu/TDClient/1946/Portal/KB/ArticleDet?ID=146299

Login Instructions

  1. Sign into https://portal.office.com.
  2. Click on the App Launcher Waffle icon on the top left.
  3. Click on All apps.
  4. Scroll to the bottom of the list and click on AWS SSO.
  5. Click on AWS Account to expand the accounts you are allowed to access.
  6. Click on the account you wish to access to expand the connection options. Choose either Management Console or Command line or programmatic access.
  7. An alternative, faster way to reach your AWS account list is to use this URL: https://d-9a67206884.awsapps.com/start#/.
  8. A third, quicker way to reach My Apps is to install the Azure My Apps extension, called My Apps Secure Sign-in Extension. It can be installed on Edge, Safari, and Chrome. Follow the instructions at this link to download it: https://support.microsoft.com/en-us/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510

Configuring the AWS CLI profile

  • install AWS CLI version 2 or greater
  • run "aws configure sso"
    • SSO session name (Recommended): [Name the profile]
    • start URL: https://d-9a67206884.awsapps.com/start#/
    • region: us-east-2 (Ohio)
      • Note: East is where SSO is set up, not where you should be putting resources.
    • SSO registration scopes [sso:account:access]: Default, hit enter.
    • it will open a browser window for authentication
    • if successful, a prompt should show up in the shell window asking which account and role to assume
    • Back in the command prompt, it will show a list of AWS accounts you have access to. Choose the account.
    • CLI default client Region [None]: us-west-2 (This is the closest region to Mines.)
    • CLI default output format [None]: [defaults to json]
    • CLI profile name [AdministratorAccess-242796985320]: Hit enter for default.
    • this will modify the default AWS config file at ~user\.aws\config
      • edit this to modify the profile name or add additional profiles
    • for future sessions, start with:

aws sso login --profile [profile name]

  • Note that every command must also reference the profile name or set the AWS_PROFILE variable appropriately
    • PS: $env:AWS_PROFILE = "profilename"
    • bash: export AWS_PROFILE=user2
  • When you inevitably forget what you named the profiles: 
    • aws configure list-profiles
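
For reference when editing the config file by hand, this is the layout that "aws configure sso" writes when the prompts above are answered as shown. It is an added illustration, not a copy of any Mines file: the session name my-sso, the second profile, its role name ReadOnlyAccess and the account ID 111122223333 are made-up placeholders.

```ini
# ~/.aws/config (on Windows: C:\Users\username\.aws\config)

# One shared SSO session. sso_region is where SSO itself lives (us-east-2),
# not where resources are deployed.
[sso-session my-sso]
sso_start_url = https://d-9a67206884.awsapps.com/start#/
sso_region = us-east-2
sso_registration_scopes = sso:account:access

# Profile created by accepting the default profile name at the last prompt.
[profile AdministratorAccess-242796985320]
sso_session = my-sso
sso_account_id = 242796985320
sso_role_name = AdministratorAccess
region = us-west-2
output = json

# Hand-added second profile (placeholder account and role). It reuses the same
# sso-session, so one "aws sso login" covers both profiles.
[profile example-readonly]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = ReadOnlyAccess
region = us-west-2
output = json
```

SSO profiles like these keep no access key or secret in the config file; the short-lived tokens from "aws sso login" are cached separately under the .aws directory.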

Configure multiple AWS CLI profiles

  1. Type the following command, replacing profile_name with your desired profile name. You will be prompted for the following fields.

aws configure --profile profile_name

    • Access Key ID
    • Secret Access Key
    • Default region name (us-west-2 recommended). See https://awsregion.info/ for a list of regions.
    • Default output format (json recommended). See https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html for output formats.
  2. List the profiles you have configured.

aws configure list-profiles

  3. Profiles are stored in plain text under C:\Users\username\.aws\config. Access keys and secrets are also stored as plain text under C:\Users\username\.aws\credentials.
  4. Verify you are using the correct credentials by running a simple list-users command.

aws iam list-users --profile "profile_name"

  5. Confirm the account number matches the account you want to make changes to.
  6. (Optional) Set the default profile environment variable for Windows. This will switch your default AWS profile to the one you specify.

setx AWS_DEFAULT_PROFILE profile_name

  7. Close PowerShell. This is required as the open PowerShell window retains the old environment variable until it is closed and reopened.

Note: AWS SSO currently has a session duration of 8 hours. When this time is reached, you will need to sign back in to the console or CLI.
