How does it work

• AWS SSO is a service provided by AWS that simplifies the management of user access to multiple AWS accounts and applications.

• By providing a single set of credentials for accessing multiple AWS accounts and services, users can log in once using their organization's identity provider (IdP) credentials and then access multiple AWS accounts without the need to enter separate credentials each time.

• The SDK uses the profile's SSO token provider configuration to acquire credentials before sending requests to AWS. The sso_role_name value, which is an IAM role connected to an IAM Identity Center permission set, allows access to the AWS services used in your application.

• A session is linked to a start URL and the region where the start URL is hosted. Then for one session, you can have multiple profiles i.e., you can have a single session for your project start URL, and different profiles linked to this session (only have to configure the session details once). The credentials are now stored at the session level, instead of having one set of credentials per profile.

Example

[profile dev-profile]
sso_session = dev-account
sso_account_id = 987654321
sso_role_name = FullAccess
region = eu-west-1
output = json

[sso-session dev-profile]
sso_region = eu-west-1
sso_start_url = https://sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access