Setup AWS SSO CLI & API Access

In my last article, I discussed the steps to setup AWS SSO  through Azure AD. By using Azure AD app roles, we are able to use our Azure AD accounts to access AWS Console. But with this measure, you will find there is no option in AWS IAM to generate Access Key and Secrete for CLI and API access.

Fortunately, we are not the only ones out there have this problem. David T Johnson faced the same issue and he is kind and smart enough (unlike me) to create a tool to address this issue. The tool source code can be found on Github

The tool is written in Node.Js. So if you don’t have Node, the first thing will be to install Node from After that simply follow the installation instructions to get the tool going. 

The example show here is tested from Windows 10. 

Before start, log into Azure portal to get Azure Tenant ID and the AWS SSO App ID.

The tenant ID can be found in Properties section of Azure AD. The Directory ID is basically your Tenant ID.

In Azure AD, go to App Registrations and select the AWS SSO app, if you don’t see the AWS SSO app, change the scope to “All Apps”.

Click Settings -> Properties, copy the App ID URI.

In the Properties section, copy the App ID URI.

Open Node.js command prompt

Setup the authentication profile


 Sign in with the profile, select the role in each accounts. It will be a lot easier to tell which account the roles belong to, if you named your roles with the AWS Account name. E.g. ContosoDev-Admins-SAML -AzureAD.

The session duration needs to be changed in your AWS role definition first. By default it is set to 1 hour only. So if you keep getting errors when setting duration longer than 1 hour, please follow this article to change the API duration.

After finish the sign-in process, go to .aws subfolder and you should see a credentials file there. The file contains all the existing profiles and the STS keys and tokens. 

You can then use the keys to access AWS resources via CLI and API calls. Below is an example from AWS Toolkit for Visual Studio.

AWS Toolkit for Visual Studio can be downloaded from

Create a new AWS template project in Visual Studio, and open AWS Explorer. Choose “contosoaws” as the profile.

With the STS credential, you should see all the instances in the region.