This guide shows you how to configure CLI access for AWS SSO (now called AWS IAM Identity Center) on Ubuntu so you can authenticate and run AWS commands from the terminal. If your organization uses SSO for AWS, this replaces the old access-key-and-secret-key approach with temporary, rotating credentials.
The examples in this guide are run on WSL2 Ubuntu in Windows, but they work the same on any Ubuntu system.
Prerequisites
- Ubuntu 20.04, 22.04, or 24.04 LTS
- AWS CLI v2 installed — see How to Install AWS CLI v2 on Ubuntu 22.04 if you need it
- Your organization’s SSO start URL (something like https://your-org.awsapps.com/start)
- The SSO region (usually us-east-1)
Configure an SSO Profile
There are two ways to set up a profile: interactive or manual. The interactive method is easier for a first-time setup.
Option A: Interactive setup
aws configure sso
The CLI will prompt you for:
- SSO session name — a label for this session (e.g., my-org)
- SSO start URL — your organization’s SSO portal URL
- SSO region — the region where IAM Identity Center is configured
- Account ID — the AWS account you want to access
- Role name — the permission set/role assigned to you in that account
It will open a browser for you to authorize the CLI. Once you approve, the profile is saved to ~/.aws/config.
Option B: Manual configuration
Edit ~/.aws/config directly:
[profile dev-account]
sso_start_url = https://your-org.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1
output = json
- sso_start_url — your SSO portal URL.
- sso_region — the region where Identity Center is set up (not necessarily where your resources are).
- sso_account_id — the AWS account ID to authenticate against.
- sso_role_name — the permission set assigned to you in this account.
- region — the default region for AWS commands using this profile.
Log In and Verify Access
aws sso login --profile dev-account
This opens a browser where you confirm the login. Once approved, the CLI caches temporary credentials locally.
Verify it worked:
aws sts get-caller-identity --profile dev-account
You should see your account ID, user ARN, and assumed role. If you get a credentials error, run aws sso login again — SSO tokens expire after 8-12 hours depending on your org’s configuration.
Set a Default Profile
If you don’t want to pass --profile on every command, set the AWS_PROFILE environment variable:
export AWS_PROFILE="dev-account"
To make it permanent, add that line to your ~/.bashrc or ~/.zshrc.
A handy shell function for switching profiles quickly:
awsp() {
  export AWS_PROFILE="$1"
  echo "Switched to: $AWS_PROFILE"
  aws sts get-caller-identity
}
Add this to your ~/.bashrc, then switch profiles with awsp dev-account or awsp production-admin.
Managing Multiple Accounts with aws-sso-util
If your organization has lots of AWS accounts, setting up profiles one by one gets tedious. aws-sso-util, created by Ben Kehoe, can auto-discover all accounts and roles you have access to and generate profiles for all of them.
Install it with pipx:
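# Ubuntu 24.04: pip refuses installs into the system Python (PEP 668); run "sudo apt install pipx" instead of the next line
python3 -m pip install --user pipx
python3 -m pipx ensurepath  # puts ~/.local/bin on PATH for new shells
python3 -m pipx install aws-sso-util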
Then auto-populate your ~/.aws/config with profiles for every account and role you have access to:
aws-sso-util configure populate \
--sso-start-url https://your-org.awsapps.com/start \
--sso-region us-east-1 \
--region us-east-1
- configure populate — discovers all accounts/roles and writes profile entries to your config.
- --sso-start-url — your organization’s SSO portal URL.
- --region — the default region to set for each generated profile.
Log in to all profiles at once:
aws-sso-util login
List all available profiles:
aws configure list-profiles
Customize Profile Naming (Recommended)
These options populate all of your AWS accounts with cleaner profile names:
aws-sso-util configure populate \
--sso-start-url https://my-company.awsapps.com/start \
--sso-region us-east-1 \
--account-name-case lower \
--role-name-case lower \
--trim-role-name "(?<=admin)istratoraccess" \
--trim-role-name "^aws" \
--trim-role-name "(?<=readonly)access" \
--trim-role-name "(?<=poweruser)access" \
--region us-east-1
This creates profiles like dev-account.admin instead of Dev-Account.AdministratorAccess.
Common Use Cases
S3 Bucket List
aws s3 ls --profile dev-account
Terraform
Set the profile before running Terraform. If you’re setting up Terraform on WSL Ubuntu for AWS, this is how you authenticate.
export AWS_PROFILE="infrastructure-admin"
terraform plan
Python boto3
import boto3
session = boto3.Session(profile_name="dev-account")
s3 = session.client("s3")
Session Management
SSO tokens are cached in ~/.aws/sso/cache/ and expire after 8-12 hours. When they expire, re-authenticate:
aws sso login --profile dev-account
To log out and clear cached tokens:
aws sso logout
Security Tips
- Add .aws/ to your .gitignore so credentials and config don’t get committed.
- Set proper permissions on your config: chmod 600 ~/.aws/config
- Run aws sso logout on shared or public machines.
- Avoid creating long-term access keys if SSO is available — temporary credentials are safer.
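As an added example (not part of the original guide), the shell function below checks an AWS CLI directory against three of the tips above: owner-only file permissions, no long-term secret keys on disk, and no unignored copy inside a Git work tree. The function name audit_aws_dir and its output labels are made up for this example.

```shell
# Added example: audit an AWS CLI directory (default ~/.aws).
# Prints one line per finding; exit status is 0 only when nothing was found.
audit_aws_dir() (   # body runs in a subshell, so its variables stay local
  dir="${1:-$HOME/.aws}"
  findings=0
  report() { echo "$1"; findings=$((findings + 1)); }

  # Permissions: config, credentials and cached SSO tokens are owner-only.
  for f in "$dir/config" "$dir/credentials" "$dir"/sso/cache/*.json; do
    [ -f "$f" ] || continue
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
      report "PERMS   $f is accessible to group/other (chmod 600 it)"
  done

  # Long-term keys: static secrets stored next to the SSO profiles.
  for f in "$dir/credentials" "$dir/config"; do
    [ -f "$f" ] || continue
    n=$(grep -Ec '^[[:space:]]*aws_secret_access_key[[:space:]]*=' "$f" || true)
    [ "$n" -eq 0 ] || report "STATIC  $f holds $n long-term secret access key(s)"
  done

  # Git: a directory inside a work tree must be covered by an ignore rule.
  if command -v git >/dev/null 2>&1 && [ -f "$dir/config" ] &&
     git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
     ! git -C "$dir" check-ignore -q config; then
    report "GIT     $dir is inside a Git work tree and not ignored"
  fi

  [ "$findings" -eq 0 ]
)
```

Add it to your ~/.bashrc and run audit_aws_dir with no arguments to check ~/.aws, or pass another directory as the first argument.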
Headless / Remote Servers
On servers without a browser, the CLI displays a URL and a code. Open the URL on any device, enter the code, and the server-side CLI picks up the authentication. This works fine for SSH sessions and remote dev environments.
Conclusion
Once SSO is configured, you authenticate with aws sso login instead of managing static access keys. For organizations with many accounts, aws-sso-util saves a lot of manual profile setup.
If you also need SSO access from Windows, see the companion guide: How to Configure AWS SSO CLI Access for Windows PowerShell.


