I'm trying to log in using awscli in the console with an IAM user I created. Steps I followed:

1. Created the IAM user using the root user with AdministratorAccess; let's call the user james.
2. Created access keys for james and downloaded/copied them.
3. Configured awscli on my local machine with:

[default]
aws_access_key_id = XXX
aws_secret_access_key = YYY
sso_start_url = https://zzz.awsapps.com/start
sso_account_id = 999888
sso_region = eu-north-1

4. Logged in as james at https://999888.signin.aws.amazon.com/console, then went to https://console.aws.amazon.com/singlesignon/ and enabled SSO login.
5. Finally, tried to connect from my local machine using aws sso login.

It successfully opens the browser and redirects with the code; it shows a login page where it asks for a username (and then a password). I'm using the username james and trying with its password, but it fails with "We couldn't verify your sign-in credentials. Please try again."

Could you help me figure out what I'm missing? Thanks for the help in advance. Hope it's clear enough.
If you want users to authenticate via an external service such as Active Directory, do not create an IAM User. Instead, users will authenticate themselves against the external identity store.
Instead, configure AWS IAM Identity Center.
From What is IAM Identity Center? (successor to AWS Single Sign-On):
With AWS IAM Identity Center (successor to AWS Single Sign-On), you can manage sign-in security for your workforce identities, also known as workforce users. IAM Identity Center provides one place where you can create or connect workforce users and centrally manage their access across all their AWS accounts and applications. You can use multi-account permissions to assign your workforce users access to AWS accounts. You can use application assignments to assign your users access to IAM Identity Center enabled applications, cloud applications, and customer Security Assertion Markup Language (SAML 2.0) applications.
The basic configuration steps are:
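The profile in the question mixes a static IAM access key with IAM Identity Center (SSO) settings in one section, and has no sso_role_name, so the CLI cannot tell which mechanism the profile is supposed to use. The following shell snippet is an added example (not code from the question, the answer, or AWS): it lints an AWS CLI config for exactly that mix and shows the two identities kept apart in separate profiles. The profile names james-iam and james-sso, the sso-session name zzz, and the permission set name AdministratorAccess are assumptions for illustration; the XXX/YYY key values are the question's placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: lint an AWS CLI config for
# profiles that mix static IAM access keys with IAM Identity Center (SSO)
# settings, and show the corrected split layout.

# Constructed sample 1: the question's [default] profile (placeholder values).
MIXED_CONFIG=$(cat <<'EOF'
[default]
aws_access_key_id = XXX
aws_secret_access_key = YYY
sso_start_url = https://zzz.awsapps.com/start
sso_account_id = 999888
sso_region = eu-north-1
EOF
)

# Constructed sample 2: the same two identities kept apart. The static keys
# live in their own profile; the SSO profile points at an [sso-session] and
# names the permission set via sso_role_name (AdministratorAccess is assumed).
# Use it with: aws sso login --profile james-sso
SPLIT_CONFIG=$(cat <<'EOF'
[profile james-iam]
aws_access_key_id = XXX
aws_secret_access_key = YYY
region = eu-north-1

[sso-session zzz]
sso_start_url = https://zzz.awsapps.com/start
sso_region = eu-north-1
sso_registration_scopes = sso:account:access

[profile james-sso]
sso_session = zzz
sso_account_id = 999888
sso_role_name = AdministratorAccess
region = eu-north-1
EOF
)

# lint_aws_config: read config text on stdin and print one line per section,
#   "<section> static|sso|mixed|none"
# Exit status is 1 if any section is "mixed" (access keys next to sso_*
# settings) or if an SSO profile (not an sso-session) lacks sso_role_name.
lint_aws_config() {
  awk '
    BEGIN { bad = 0 }
    function flush() {
      if (sec == "") return
      if (haskey && hassso)  kind = "mixed"
      else if (hassso)       kind = "sso"
      else if (haskey)       kind = "static"
      else                   kind = "none"
      printf "%s %s\n", sec, kind
      if (kind == "mixed") bad = 1
      # an SSO profile must say which permission set (role) to assume
      if (kind == "sso" && sec !~ /^sso-session/ && !hasrole) bad = 1
    }
    /^\[.*\]$/ {
      flush()
      sec = substr($0, 2, length($0) - 2)
      haskey = hassso = hasrole = 0
      next
    }
    /^[ \t]*aws_access_key_id[ \t]*=/ { haskey = 1 }
    /^[ \t]*sso_/                     { hassso = 1 }
    /^[ \t]*sso_role_name[ \t]*=/     { hasrole = 1 }
    END { flush(); exit bad }
  '
}

# Demo: the mixed profile fails the lint, the split layout passes.
echo "== question's config =="
printf '%s\n' "$MIXED_CONFIG" | lint_aws_config || echo "lint: FAIL (mixed credentials)"
echo "== split config =="
printf '%s\n' "$SPLIT_CONFIG" | lint_aws_config && echo "lint: OK"
```

Even with the split layout, aws sso login only succeeds if a workforce user for james exists in (or is connected to) IAM Identity Center; the IAM user's console password is not accepted at the Identity Center sign-in page, which is the failure the question describes.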