If your team uses AWS SSO with the AWS CLI across multiple AWS accounts, you already know the pain: profile sprawl, role confusion, and repetitive setup.
aws-sso-util solves that by automating profile generation and making daily login simpler for everyone—from non-technical users to platform engineers.
The Problem It Solves
Most teams running multi-account AWS environments (dev, QA, staging, production, shared services) run into these issues:
- Manual profile setup repeated for every account-role combination.
- Inconsistent profile naming across users and environments.
- Repeated login friction when SSO tokens expire.
- Confusing profile selection when the same role exists in many accounts.
As organizations grow, this becomes expensive in engineering time and error-prone for day-to-day operations.
Why It’s Needed
aws-sso-util is needed because it turns multi-account AWS SSO setup from a manual process into a repeatable standard.
Instead of managing dozens (or hundreds) of account/role profile blocks by hand, one command can discover and configure what a user is allowed to access.
That gives teams three big wins:
- Speed: New users can be productive faster.
- Consistency: Standard profile naming across machines and teams.
- Reliability: Fewer login and profile mistakes during real work.
Key Use Cases
1) Onboarding New Team Members
A new developer or analyst can install the tool, run one populate command, and immediately get all authorized accounts/roles configured.
Outcome: Less support overhead, faster onboarding.
2) Multi-Account Environments (Primary Use Case)
In organizations with separate dev, QA, staging, prod, and shared service accounts, manual profile management becomes hard to maintain.
aws-sso-util automatically creates profiles for all permitted accounts.
Outcome: No more hunting for missing profile entries.
3) Standardized Naming for Automation
With naming options (lowercase, trimming role suffixes, separators), teams can enforce predictable profile names such as dev-platform.admin.
Outcome: Cleaner scripts, fewer broken CI or local runbooks.
4) Daily Re-Authentication
SSO sessions expire regularly. Instead of logging in profile by profile, users run:
aws-sso-util login
Outcome: One command refreshes access across configured profiles.
5) Reducing Human Error Across Accounts
Clear naming and centralized setup reduce mistakes like selecting the wrong account-role pair during sensitive operations.
Outcome: Safer operational workflows.
Who Benefits Most in Multi-Account Setups?
- Non-technical users who need CLI access without understanding profile internals.
- Developers working across multiple AWS accounts.
- DevOps/SRE teams maintaining repeatable environment standards.
- Platform teams trying to scale access patterns without ticket noise.
Quick Path (Non-Technical)
If you only want a working setup, do these steps in order.
1) Install pipx
Linux:
python3 -m pip install --user pipx
python3 -m pipx ensurepath
macOS (Homebrew):
brew install pipx
pipx ensurepath
2) Install aws-sso-util
pipx install aws-sso-util
3) Configure your AWS profiles
aws-sso-util configure populate \
  --sso-start-url https://<company-control-tower>.awsapps.com/start/# \
  --sso-region us-east-1 \
  --region us-east-1
4) Login
aws-sso-util login
5) Verify
aws configure list-profiles
aws s3 ls --profile dev-platform.admin
If the second command lists buckets, or returns without an authentication error, setup is complete.
Full Path (Technical / Power Users)
Use this if you want clean, predictable profile names.
Recommended command (Unix/Linux/macOS)
aws-sso-util configure populate \
  --sso-start-url https://<company-control-tower>.awsapps.com/start/# \
  --sso-region us-east-1 \
  --account-name-case lower \
  --role-name-case lower \
  --trim-role-name "(?<=admin)istratoraccess" \
  --trim-role-name "^aws" \
  --trim-role-name "(?<=readonly)access" \
  --trim-role-name "(?<=poweruser)access" \
  --region us-east-1
Recommended command (PowerShell)
aws-sso-util configure populate `
  --sso-start-url https://<company-control-tower>.awsapps.com/start/# `
  --sso-region us-east-1 `
  --account-name-case lower `
  --role-name-case lower `
  --trim-role-name "(?<=admin)istratoraccess" `
  --trim-role-name "^aws" `
  --trim-role-name "(?<=readonly)access" `
  --trim-role-name "(?<=poweruser)access" `
  --region us-east-1
What this naming config does
- Forces account and role names to lowercase.
- Trims common role suffixes/prefixes:
  - administratoraccess → admin
  - awsreadonlyaccess → readonly
  - poweruseraccess → poweruser
Example profile result:
dev-platform.admin
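The naming rules above can be dry-run before they are rolled out to a team. The following is an added example, not aws-sso-util's own code: it assumes names are lowercased first and each trim pattern is then removed from the role name in order, joined with the "." separator seen in the example profile, and it flags account/role pairs that would collapse into the same profile name. The sample assignments are constructed.

```python
import re
from collections import defaultdict

# Trim patterns copied from the recommended populate command above.
TRIM_ROLE_PATTERNS = [
    r"(?<=admin)istratoraccess",
    r"^aws",
    r"(?<=readonly)access",
    r"(?<=poweruser)access",
]

def profile_name(account_name, role_name, patterns=TRIM_ROLE_PATTERNS, separator="."):
    """Lowercase both parts, strip each trim pattern from the role, then join.
    Assumed order of operations (case first, then trims); not taken from the tool."""
    account = account_name.lower()
    role = role_name.lower()
    for pattern in patterns:
        role = re.sub(pattern, "", role)
    return f"{account}{separator}{role}"

def find_collisions(assignments, patterns=TRIM_ROLE_PATTERNS):
    """Return {profile_name: [(account, role), ...]} for names shared by several pairs."""
    by_name = defaultdict(list)
    for account, role in assignments:
        by_name[profile_name(account, role, patterns)].append((account, role))
    return {name: pairs for name, pairs in by_name.items() if len(pairs) > 1}

# Constructed sample of account/role assignments (not real accounts).
SAMPLE_ASSIGNMENTS = [
    ("Dev-Platform", "AdministratorAccess"),
    ("Dev-Platform", "AWSAdministratorAccess"),
    ("Dev-Platform", "AWSReadOnlyAccess"),
    ("Prod-Platform", "PowerUserAccess"),
]

if __name__ == "__main__":
    for account, role in SAMPLE_ASSIGNMENTS:
        print(f"{account}/{role} -> {profile_name(account, role)}")
    for name, pairs in find_collisions(SAMPLE_ASSIGNMENTS).items():
        print(f"COLLISION {name}: {pairs}")
```

In the sample, two distinct roles in the same account both reduce to admin, which is the kind of ambiguity the trim patterns should be reviewed for.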
AWS CLI profile config looks like
After you run aws-sso-util configure populate, AWS CLI profile config is written to your AWS config file.
- Linux/macOS: ~/.aws/config
- Windows: C:\Users\<your-user>\.aws\config
During login, SSO token cache files are stored here:
- Linux/macOS: ~/.aws/sso/cache/
- Windows: C:\Users\<your-user>\.aws\sso\cache\
In most SSO-only setups, ~/.aws/credentials is not the main file you manage; the important profile definitions live in config.
Example of what a generated profile can look like:
[profile dev-platform.admin]
sso_start_url = https://<company-control-tower>.awsapps.com/start/#
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1
output = json
Tip: You can open your config file and search for [profile dev-platform.admin] to confirm the profile was created correctly.
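Checking profiles by eye stops scaling once there are dozens of them. The following added example (not part of aws-sso-util) parses a config in the shape shown above and reports SSO profiles that point at an unexpected start URL, carry a malformed account ID, or whose name suggests a different role than the one they assume. The sample config, the portal hostnames and the name-versus-role heuristic are constructed assumptions.

```python
import configparser
import re

# Constructed config in the shape of the generated profile shown above.
# Portal hostnames, account IDs and the last two profiles are made up.
SAMPLE_CONFIG = """\
[profile dev-platform.admin]
sso_start_url = https://sso.corp.example/start/#
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = AdministratorAccess

[profile prod-platform.readonly]
sso_start_url = https://sso.corp.example/start/#
sso_region = us-east-1
sso_account_id = 210987654321
sso_role_name = AdministratorAccess

[profile legacy.poweruser]
sso_start_url = https://old-sso.corp.example/start
sso_region = us-east-1
sso_account_id = 12345
sso_role_name = PowerUserAccess
"""

def audit_profiles(config_text, expected_start_url):
    """Return sorted (profile, finding) pairs for SSO profiles that look wrong."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        keys = parser[section]
        if not section.startswith("profile ") or "sso_start_url" not in keys:
            continue  # skip [default] and non-SSO profiles
        name = section[len("profile "):]
        if keys["sso_start_url"] != expected_start_url:
            findings.append((name, "unexpected sso_start_url"))
        if not re.fullmatch(r"\d{12}", keys.get("sso_account_id", "")):
            findings.append((name, "sso_account_id is not 12 digits"))
        # Heuristic: the role part of the name should appear in the real role.
        role_hint = name.rsplit(".", 1)[-1]
        if role_hint not in keys.get("sso_role_name", "").lower():
            findings.append((name, "name does not match sso_role_name"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_profiles(SAMPLE_CONFIG, "https://sso.corp.example/start/#"):
        print(f"{name}: {finding}")
```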
Daily Usage
AWS SSO sessions expire (typically every day). Re-login with:
aws-sso-util login
Common day-to-day checks:
aws configure list-profiles
aws sts get-caller-identity --profile dev-platform.admin
Conclusion
Managing AWS CLI access in one account is manageable. Managing it across many accounts is where teams lose time and confidence.
aws-sso-util gives non-technical users a straightforward path, gives technical teams consistent account-role profile naming, and removes repetitive login overhead from daily work. If your organization operates in a multi-account AWS model, this is one of the simplest improvements you can make to reduce friction and improve operational safety.