AWS SSO (now officially called AWS IAM Identity Center) lets you log into multiple AWS accounts from the CLI without managing static access keys. This guide walks you through configuring AWS SSO CLI access on Windows PowerShell — from installing the CLI to switching between accounts.
Prerequisites
- Windows 10 or 11 with PowerShell 5.1 or later
- Your organization’s SSO start URL (format: https://your-company.awsapps.com/start)
- The SSO region your organization uses (check with your admin — typically us-east-1)
Install AWS CLI v2
Install the AWS CLI using Windows Package Manager:
winget install -e --id Amazon.AWSCLI2
After the install finishes, reload your PATH so the current session picks it up:
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")
Verify it’s installed:
aws --version
You should see output like aws-cli/2.x.x Python/3.x.x Windows/11 exe/AMD64. If you also work in WSL Ubuntu, see How to Install AWS CLI v2 on Ubuntu 22.04 for the Linux installation steps.
Configure an SSO Profile
Option A: Interactive Setup (Recommended)
Run the interactive wizard:
aws configure sso
The CLI walks you through the setup. Enter your SSO details when prompted:
SSO session name (Recommended): my-sso
SSO start URL [None]: https://your-company.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [sso:account:access]:
A browser window opens for you to authorize the CLI. After approving, the CLI lists your available accounts and roles:
There are 2 AWS accounts available to you.
> DeveloperAccount, dev-admin@example.com (111122223333)
ProductionAccount, prod-admin@example.com (444455556666)
Using the account ID 111122223333
There are 2 roles available to you.
> ReadOnly
AdministratorAccess
Using the role name "AdministratorAccess"
CLI default client Region [None]: us-east-1
CLI default output format [None]: json
CLI profile name [AdministratorAccess-111122223333]: my-dev-account
Pick a short, memorable profile name — you’ll type it often.
Option B: Manual Configuration
You can also create the profile by editing the config file directly:
notepad $env:USERPROFILE\.aws\config
Add a profile block and an SSO session block:
[profile my-dev-account]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1
output = json
[sso-session my-sso]
sso_start_url = https://your-company.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
This uses the SSO session format (introduced in AWS CLI v2.10). Multiple profiles can reference the same [sso-session] block, so you only need to log in once and all profiles sharing that session are authenticated.
To add another account, add another [profile] block pointing to the same sso_session:
[profile my-prod-account]
sso_session = my-sso
sso_account_id = 444455556666
sso_role_name = ReadOnly
region = us-east-1
output = json
Log In and Verify
Authenticate against your SSO portal:
aws sso login --profile my-dev-account
The browser opens for you to approve. Once done, verify you’re authenticated:
aws sts get-caller-identity --profile my-dev-account
Expected output:
{
"UserId": "AROA...:you@example.com",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_.../you@example.com"
}
Set a Default Profile
To avoid typing --profile on every command, set a default.
For the current PowerShell session only:
$env:AWS_PROFILE = "my-dev-account"
To make it permanent, add the line to your PowerShell profile:
notepad $PROFILE
Add this line to the file and save:
$env:AWS_PROFILE = "my-dev-account"
Or set it as a persistent environment variable (applies to all new sessions without editing your profile):
[System.Environment]::SetEnvironmentVariable("AWS_PROFILE", "my-dev-account", "User")
Working with Multiple Profiles
If you have access to several AWS accounts, repeat the profile configuration for each one (all pointing to the same sso-session). List all configured profiles with:
aws configure list-profiles
Switch between profiles by changing the environment variable:
$env:AWS_PROFILE = "my-prod-account"
Or pass --profile on individual commands:
aws s3 ls --profile my-prod-account
If your organization has dozens of accounts and you want to auto-generate profiles for all of them, check out the aws-sso-util snippet below, created by Ben Kehoe. It can populate your config file, with custom profile naming, for every account and role you have access to.
Customize Profile Naming
Use these options for cleaner profile names:
aws-sso-util configure populate `
--sso-start-url https://my-company.awsapps.com/start `
--sso-region us-east-1 `
--account-name-case lower `
--role-name-case lower `
--trim-role-name "(?<=admin)istratoraccess" `
--trim-role-name "^aws" `
--trim-role-name "(?<=readonly)access" `
--trim-role-name "(?<=poweruser)access" `
--region us-east-1
This creates profiles like dev-account.admin instead of Dev-Account.AdministratorAccess.
Session Management
SSO tokens typically expire after 8-12 hours depending on your organization’s settings. When a token expires, you’ll see:
The SSO session associated with this profile has expired or is otherwise invalid.
Re-authenticate with:
aws sso login --profile my-dev-account
If you used the SSO session format (recommended), logging in once refreshes the token for all profiles that share the same session.
To log out explicitly:
aws sso logout
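The following PowerShell function is an added example, not part of the original guide, that ties the profile-switching and session-refresh steps above together: it verifies the profile exists, probes STS, runs aws sso login only when the CLI reports the SSO session is expired or invalid, and only then points $env:AWS_PROFILE at that profile. The function name Use-AwsSsoProfile and the error-text regex (extended beyond the single message quoted above with variants the AWS CLI prints when no token has been cached yet) are the author's own choices.

```powershell
# Added example (not from the original guide): switch the current PowerShell session
# to a named SSO profile and make sure its SSO token is valid before relying on it.
function Use-AwsSsoProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProfileName
    )

    # Refuse unknown profiles up front; this catches typos in ~\.aws\config.
    $known = aws configure list-profiles
    if ($known -notcontains $ProfileName) {
        throw "Profile '$ProfileName' is not defined in $env:USERPROFILE\.aws\config"
    }

    # Probe the credentials. 2>&1 merges the CLI's error text into $probe so it can be inspected.
    $probe = aws sts get-caller-identity --profile $ProfileName --output json 2>&1
    if ($LASTEXITCODE -ne 0) {
        $text = $probe | Out-String
        # The guide's message is "...has expired or is otherwise invalid"; the CLI also prints
        # "Error loading SSO Token" when you have never logged in to this session (assumed variants).
        if ($text -match 'expired|otherwise invalid|Error loading SSO Token') {
            Write-Host "SSO session for '$ProfileName' is not valid; opening the browser to log in..."
            aws sso login --profile $ProfileName
            if ($LASTEXITCODE -ne 0) { throw "aws sso login failed for '$ProfileName'" }
            $probe = aws sts get-caller-identity --profile $ProfileName --output json 2>&1
            if ($LASTEXITCODE -ne 0) { throw "Still unable to call STS after login: $($probe | Out-String)" }
        } else {
            throw "Unexpected error from the AWS CLI: $text"
        }
    }

    $identity = $probe | Out-String | ConvertFrom-Json

    # Only now point the session at this profile, so a failed switch leaves the old default untouched.
    $env:AWS_PROFILE = $ProfileName
    Write-Host ("Using profile {0}: account {1}, {2}" -f $ProfileName, $identity.Account, $identity.Arn)
    return $identity
}

# Usage: switch to the dev profile for this session and show who you are.
Use-AwsSsoProfile my-dev-account
```

Because the switch happens only after STS confirms the identity, you see the account ID and role ARN before any command runs under the new default; keep the session default on a low-privilege profile and pass --profile explicitly for the production one.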
Troubleshooting
- “The SSO session has expired or is invalid” — run aws sso login --profile your-profile to re-authenticate
- “Unable to locate credentials” — make sure the profile exists in ~\.aws\config and that you’ve run aws sso login
- Browser doesn’t open automatically — the CLI prints a URL and a verification code in the terminal. Open the URL manually and enter the code
- aws command not found after install — reload your PATH with the $env:Path command from the install step, or restart PowerShell
- Profile not found — verify your profile name with aws configure list-profiles and check for typos in the config file
Conclusion
You now have AWS SSO configured on Windows PowerShell. No more static access keys — just run aws sso login when your session expires and you’re back in.
If you also work in Linux or WSL, check out the companion guide: How to Configure AWS SSO CLI Access for Linux Ubuntu. For managing resources across multiple AWS accounts, see How to Set Up Cross-Account Access in AWS with AssumeRole.