I set up a user in AWS IAM Identity Center. When I run aws configure sso, I enter the session name, start url, region, and registration scope (it defaulted to sso:account:access so I just use that) and then I log in the browser with my user login, and after login success, I get No AWS accounts are available to you.
I notice after login, a file is created at /Users/[user]/.aws/sso/cache
I am trying to authenticate so that I can use aws ecr get-login-password to push a docker file to aws container registry.
UPDATE: Watching this video cleared up how to manage accounts in IAM Identity Center: https://www.youtube.com/watch?v=_KhrGFV_Npw
Now I can successfully log in using aws configure sso from the command line.
However, after logging in, when I try to run this command to push a container to the AWS container registry:
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin [id].dkr.ecr.us-east-1.amazonaws.com
I am getting this error:
Unable to locate credentials. You can configure credentials by running aws configure.
When you setup your aws cli sso profile aws configure sso, it will ask you the following details:
▶ aws configure sso
SSO session name (Recommended): mysso
SSO start URL [None]: <start_url>
SSO region [None]: <aws_region>
SSO registration scopes [sso:account:access]: <>
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.eu-central-1.amazonaws.com/
Then enter the code: xxxxxxxx
Once you login, it will ask the the account and role to use:
There are # AWS accounts available to you.
<Select account>
Using the account ID 1234567890
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
CLI default client Region [<aws_region>]:
CLI default output format [json]:
CLI profile name [AdministratorAccess-123456789]:
And it will tell you how to use the profile created:
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile AdministratorAccess-123456789
So in your case:
# .aws/config
[sso-session my-sso]
sso_start_url = xxxxxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
[profile AdministratorAccess-xxxxxxxxx]
sso_session = my-sso
sso_account_id = xxxxxxxxx
sso_role_name = AdministratorAccess
You need to run your aws command with --profile AdministratorAccess-xxxxxxxxx
aws ecr get-login-password --region us-east-1 --profile AdministratorAccess-xxxxxxxxx | docker login --username AWS --password-stdin [id].dkr.ecr.us-east-1.amazonaws.com