AWS IAM Identity Center Made Easy: Automating Credential Management with aws-sso-creds

AWS IAM Identity Center Made Easy: Automating Credential Management with aws-sso-creds

As more organizations adopt cloud-based services and multi-account strategies, managing access to these resources becomes a complex task. AWS IAM Identity Center simplifies this by enabling administrators to manage SSO access to multiple AWS accounts and business applications. With AWS IAM Identity Center users sign in to a central portal to access all their authorized AWS accounts and applications. However, even with SSO, it is essential to have necessary credentials populated in the AWS credentials file for seamless integration with AWS services and applications.

Today, most organizations work with AWS IAM Identity Center and prefer centralized access to accounts. However, despite having SSO, some applications and services still require access to the AWS account using the access key ID, secret access key, and session token. While SSO provides temporary credentials to users, they have a limited lifespan and must be renewed periodically. It becomes crucial to manage these credentials and ensure continued access to resources.

In this article, I will guide you through setting up the aws-sso-creds utility to retrieve temporary credentials and update the AWS credentials file.

Set up AWS IAM Identity Center and configure it to use the command-line utility to retrieve temporary credentials.

  1. Install the AWS CLI version 2, which is required for AWS SSO.

  2. Run the aws configure sso command, which will prompt you for the SSO start URL and region and follow the prompts along with granting access to the client device.

Install aws-sso-creds utility

aws-sso-creds is a helper utility to retrieve temporary credentials when using AWS SSO. This project is licensed under MIT.

You can read through the README in the referenced github link. However, below are the steps that you would be more interested in.

wget https://github.com/jaxxstorm/aws-sso-creds/releases/download/v1.4.1/aws-sso-creds-v1.4.1-linux-amd64.tar.gz
tar -xvf aws-sso-creds-v1.4.1-linux-amd64.tar.gz
chmod +x aws-sso-creds

Note: (Recommended) You can move the aws-sso-creds binary to your PATH so that it’s accessible from anywhere.

Retrieve Temporary Credentials using aws-sso-creds

aws-sso-creds get [ — profile <profileName>]

Get command will return the temporary credentials on the console.

[ec2-user@ip-172-31-32-71 ~]$ ./aws-sso-creds get
Your temporary credentials for account xxxxx are:

AWS_ACCESS_KEY_ID        ASIAQPBWJUF6TBxxxx
AWS_SECRET_ACCESS_KEY    Co/HY9xxqEfRDIfZgdAnB34BoCQxxxxx
AWS_SESSION_TOKEN        IQoJb3JpZ2luX2VxxxMEUCIQC7tLyUegu8ZEqSo16QxxCub92/dBiH8FzDVZ26rwIgXh4PDXjM8SkuE+ks832/65wJYQzY+NT/xMPwVhcn47Iq+wIIGBAAGgwwMzIzMjYxMzIwOTMiDGMI+iq0hOdbm0q7fyrYAteCSkWs+dTK6hl1PFPCCz7XMANTF0Y7x6BhlagAw4WsmsZWGpH3n2Y2IH783Al49VmFJV4/NN0P3oVm3EhiVzsg0ocLgHDEa8kaFFF1rhBDWib9WMoRcbyo+b2bAtXjlSdI3YCxFHFYp4EPLad9MuaOVoOjo9/62ZX13Edz5NRqHj1uNleJROS39CoiXYk14A9LyXTzfdnonTA+wJPBBgWdF5xeyPIn53At1grwFh1DKYM//oDrIKpYQL9VAwm2ycWEeVqcer6WVqEiu34Al7nmEshpmG0eGeUR5YGAmF4UOHpKe1BvCcO8eiF78+01BzWIk0i/MvJQREcHwMRGglhXOAI6nDQJUGvxoKa/QMz6QPq2/AAEa8leowxlj6S8gWcZzghW5qEouuVrEzJDREPNgkjkY+sRnVp4uoS9LPTxgohIRbjOrDEA/BuJEXRrHzJIyIPvInyNMMW41KIGOqcBaryJn1TkeWlflokeHzVK7i4NDL8WC6FUtMOP03hZ1599jHq/cK4rDw2ZUaHO4231+PGbmuYlE//exagVwqwsQqD+U/0BXTp5OTTxpp9yP/aeSCGfXRdXkJCVuKlQngPVxKXwWtJpXzABvm7F/KBy/WUGeeT7/zeZ5AYGbmsFJIjWX+JDFXVnBpWAa6g6tPSPNLOV1H54FwAe7H59HLOTsNaGqHalWWQ=

These credentials will expire at: 2023-05-05 16:09:56 +0000 UTC

The returned credentials can be exported using the aws-sso-creds export command.

At this point, you can use the temporary credentials to access AWS resources, but it’s not a permanent solution. The next step is to update the AWS credentials file with these temporary credentials so that they are readily available for future use. Most of the clients, applications work with above credentials being present in .aws/credentials file.

Let’s build a script that would get the temporary credentials from the utility and then write it to the .aws/credentials file.

Let’s create generateCredentials.sh with the below content.

The above script ensures that even if you have other profiles within your credentials file, it will only update the section for whom the profile matches the input.

Ensure you provide execute permission to the above script using chmod +x generateCredentials.sh

You can run the script using ./generateCredentials <profileName>

[ec2-user@ip-172-31-32-71 ~]$ ./generateCredentials.sh aws-cb
AWS credentials file updated with credentials for profile 'aws-cb'

Setup Cron

Finally, we can set up a cron job to renew the credentials periodically.

  1. Run the following command to open the crontab file in edit mode:
crontab -e

2. Add the following line to the crontab file to run the script every 30 mins:

*/30 * * * * /home/ec2-user/generateCredentials.sh aws-cb

3. Save the changes to the crontab file and exit the editor.

That’s it! The cron job is now set up to renew the credentials periodically and will run your script at the specified interval.


If you liked this article, please consider following, liking, and sharing it with your friends and colleagues. Your support helps me create more valuable content for you.

Did you find this article valuable?

Support Durgadas Kamath by becoming a sponsor. Any amount is appreciated!