From 1ce6f7f515c8cd6f4d37d10cb1e1fd9cbe595c6a Mon Sep 17 00:00:00 2001 From: Sam Weaver Date: Wed, 28 Feb 2024 14:34:38 -0500 Subject: [PATCH] Add documentation on assuming a role with SSO This was non-obvious, until I found aws/aws-cli#5933. --- USAGE.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/USAGE.md b/USAGE.md index 298cf0cc6..593da5231 100644 --- a/USAGE.md +++ b/USAGE.md @@ -34,6 +34,7 @@ - [MFA](#mfa) - [Gotchas with MFA config](#gotchas-with-mfa-config) - [Single Sign On (SSO)](#single-sign-on-sso) + - [Assuming a role with SSO](#assuming-a-role-with-sso) - [Assuming roles with web identities](#assuming-roles-with-web-identities) - [Using `credential_process`](#using-credential_process) - [Invoking `aws-vault` via `credential_process`](#invoking-aws-vault-via-credential_process) @@ -584,6 +585,22 @@ sso_account_id=123456789012 sso_role_name=Administrator ``` +### Assuming a role with SSO + +If your SSO permission set permits you to assume another IAM role, (other than the IAM role autogenerated by your permission set,) you can do that by using the `source_profile` option. Here's an example: + +```ini +[profile Administrator-123456789012] +sso_start_url=https://aws-sso-portal.awsapps.com/start +sso_region=eu-west-1 +sso_account_id=123456789012 +sso_role_name=Administrator + +[profile Role-abc] +role_arn=arn:aws:iam::123456789012:role/Role-abc +source_profile=Administrator-123456789012] +``` + ## Assuming roles with web identities AWS supports assuming roles using [web identity federation and OpenID Connect](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-oidc), including login using Amazon, Google, Facebook or any other OpenID Connect server. The configuration options are as follows:
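Review bot: In the USAGE.md body hunk, the example config has a stray closing bracket on the last line of the `[profile Role-abc]` block: `source_profile=Administrator-123456789012]`. As written, aws-vault would look for a profile literally named `Administrator-123456789012]`, which does not exist, so anyone copy-pasting the example gets a confusing "profile not found" style failure. It should read `source_profile=Administrator-123456789012` to match the `[profile Administrator-123456789012]` header above it. Two smaller points on the same hunk: the intro sentence "If your SSO permission set permits you to assume another IAM role, (other than the IAM role autogenerated by your permission set,) you can do that by using ..." has the comma inside the closing parenthesis; suggest "If your SSO permission set permits you to assume another IAM role (other than the IAM role autogenerated by your permission set), you can do so with the `source_profile` option." And since the sentence only describes the permission-set side, consider adding that the target role's trust policy must also allow the permission-set role to assume it, otherwise readers may set up the profiles exactly as shown and still get an AssumeRole access-denied error.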