AWS Single Sign-On (SSO) Credentials

The SSO credential provider (`fromSSO`) exchanges a cached AWS IAM Identity Center (formerly AWS SSO) access token for temporary role credentials. It requires an SSO profile in the AWS CLI configuration files and an active login session created with `aws sso login`; the provider never opens a browser or prompts for login itself.

Capabilities

SSO Provider

Creates credentials from AWS SSO token cache.

/**
 * Creates a credential provider function that reads from resolved SSO access token cache
 * @param init - SSO configuration parameters
 * @returns SSO credential provider function
 */
function fromSSO(init?: FromSSOInit): AwsCredentialIdentityProvider;

interface FromSSOInit {
  /** Configuration profile name (defaults to AWS_PROFILE or 'default') */
  profile?: string;
  /** Path to shared credentials file (defaults to ~/.aws/credentials) */
  filepath?: string;
  /** Path to shared config file (defaults to ~/.aws/config) */
  configFilepath?: string;
  /** SSO start URL (required if using inline parameters) */
  ssoStartUrl?: string;
  /** SSO account ID (required if using inline parameters) */
  ssoAccountId?: string;
  /** SSO region (required if using inline parameters) */
  ssoRegion?: string;
  /** SSO role name (required if using inline parameters) */
  ssoRoleName?: string;
  /** Optional custom SSO client configuration */
  clientConfig?: SSOClientConfig;
}

Usage Examples:

import { S3Client } from "@aws-sdk/client-s3";
import { fromSSO } from "@aws-sdk/credential-providers";

// Using profile from configuration files
const client = new S3Client({
  region: "us-east-1",
  credentials: fromSSO({
    profile: "sso-profile"
  })
});

// Using inline SSO parameters (a token for this start URL must still have been cached by `aws sso login`)
const inlineClient = new S3Client({
  region: "us-east-1",
  credentials: fromSSO({
    ssoStartUrl: "https://d-1234567890.awsapps.com/start",
    ssoAccountId: "123456789012",
    ssoRegion: "us-east-1", 
    ssoRoleName: "DeveloperAccess"
  })
});

Profile Configuration

Configure SSO profiles in the AWS configuration files. Profiles that share a start URL share one cached access token, so a single `aws sso login` covers both profiles below:

~/.aws/config:

[profile sso-dev]
sso_start_url = https://d-1234567890.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = us-east-1

[profile sso-prod]
sso_start_url = https://d-1234567890.awsapps.com/start
sso_region = us-east-1
sso_account_id = 987654321098
sso_role_name = ProductionReadOnly
region = us-west-2
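The same two profiles in the `sso-session` form that current AWS CLI versions write from `aws configure sso`, as an added example that is not part of the original page. The session name `my-sso` and the `sso_registration_scopes` value are assumptions; the start URL, account IDs and role names are the ones above. A session-based profile holds a refresh token, so its access token can be renewed without a new browser login, and `fromSSO` resolves this form as well as the legacy one.

```ini
# Added example: sso-session form of the sso-dev / sso-prod profiles above.
# "my-sso" and the scope value are assumptions, not values from the page.
[sso-session my-sso]
sso_start_url = https://d-1234567890.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile sso-dev]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = us-east-1

[profile sso-prod]
sso_session = my-sso
sso_account_id = 987654321098
sso_role_name = ProductionReadOnly
region = us-west-2
```

Log in once with `aws sso login --sso-session my-sso` (or with either profile) and both profiles use the cached session token.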

AWS CLI SSO Setup

Initial SSO Configuration

# Configure SSO profile
aws configure sso

# Example prompts and responses:
# SSO start URL [None]: https://d-1234567890.awsapps.com/start
# SSO Region [None]: us-east-1
# The only AWS account available to you is: 123456789012
# Using the account ID 123456789012
# The only role available to you is: DeveloperAccess
# Using the role name "DeveloperAccess"
# CLI default client Region [None]: us-east-1
# CLI default output format [None]: json
# CLI profile name [DeveloperAccess-123456789012]: my-sso-profile

# Log in to SSO (opens a browser; required before any credentials can be resolved)
aws sso login --profile my-sso-profile

SSO Session Management

# Log in to the SSO session
aws sso login --profile my-sso-profile

# Confirm the session works (fails if the cached token is missing or expired)
aws sts get-caller-identity --profile my-sso-profile

# Log out: deletes the locally cached tokens and invalidates the server-side session
aws sso logout

Credential Resolution Process

  1. Profile Resolution: Load SSO configuration from profile
  2. Token Cache: Check for valid cached SSO token
  3. Token Validation: Verify token hasn't expired
  4. Credential Request: Request temporary credentials using SSO token
  5. Credential Return: Return temporary AWS credentials

import { fromSSO } from "@aws-sdk/credential-providers";

// All five steps run inside the provider; invoking it returns the resolved credentials
const credentials = await fromSSO({
  profile: "sso-profile"
})();

// Log only the non-secret parts. secretAccessKey and sessionToken are both secrets:
// together with accessKeyId they form a complete, usable credential set
console.log({
  accessKeyId: credentials.accessKeyId,
  expiration: credentials.expiration
});

Token Cache Location

SSO access tokens are cached as JSON files in the user's home directory:

  • Linux/macOS: ~/.aws/sso/cache/
  • Windows: %USERPROFILE%\.aws\sso\cache\

For legacy profiles the file is named after the SHA-1 hash of the SSO start URL; for `sso-session` profiles it is named after the SHA-1 hash of the session name. Each file holds the bearer access token in plaintext, so it is as sensitive as a credential: keep the directory readable only by its owner, and never copy it into container images, CI artifacts or shared volumes.
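The resolution steps listed above and the cache naming just described, as an added worked example that is not code from the page or from the AWS SDK. It parses a `~/.aws/config` fragment, derives the legacy cache file name from the start URL, rejects an expired or near-expiry token, and only then hands the access token to an injected stand-in for the SSO `GetRoleCredentials` call, so the whole flow runs offline. The sample config, the cache entry, the five-minute expiry skew and the fake credentials are constructed for this example; the real provider behind `fromSSO` reads the files from disk and sends `GetRoleCredentialsCommand` with an `SSOClient`.

```typescript
import { createHash } from "crypto";

// Legacy cache entry as written by `aws sso login` to ~/.aws/sso/cache/<sha1(start_url)>.json.
export type SsoCachedToken = { startUrl: string; region: string; accessToken: string; expiresAt: string };
// Inputs to the GetRoleCredentials call (step 4) and the credentials it returns (step 5).
export type RoleCredentialsRequest = { accessToken: string; accountId: string; roleName: string; region: string };
export type RoleCredentials = { accessKeyId: string; secretAccessKey: string; sessionToken: string; expiration: Date };
export type Profiles = Record<string, Record<string, string>>;

// Step 1: profile resolution. Minimal parser for the ~/.aws/config dialect:
// "[profile name]" or "[default]" sections holding "key = value" lines; # and ; start comments.
export function parseAwsConfig(text: string): Profiles {
  const profiles: Profiles = {};
  let current: Record<string, string> | undefined;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const section = /^\[(?:profile\s+)?([^\]]+)\]$/.exec(line);
    if (section) {
      const name = section[1].trim();
      current = profiles[name] ?? (profiles[name] = {});
      continue;
    }
    const eq = line.indexOf("=");
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Step 2: token cache lookup. Legacy profiles key the cache file on the SHA-1 of the start URL.
export function ssoCacheFileName(startUrl: string): string {
  return createHash("sha1").update(startUrl, "utf8").digest("hex") + ".json";
}

// Step 3: token validation. A token within `skewMs` of expiry is treated as unusable so a
// request cannot fail mid-flight; the five-minute skew is this example's choice, not the SDK's.
export function tokenIsValid(token: SsoCachedToken, now: Date, skewMs = 5 * 60_000): boolean {
  const exp = Date.parse(token.expiresAt);
  return Number.isFinite(exp) && exp - now.getTime() > skewMs;
}

// Steps 1-3 together: everything that can be checked locally before any network call.
// `cache` maps file name -> parsed file and stands in for the ~/.aws/sso/cache directory.
export function prepareSsoRequest(
  configText: string, profileName: string, cache: Record<string, SsoCachedToken>, now: Date,
): RoleCredentialsRequest {
  const profile = parseAwsConfig(configText)[profileName];
  if (!profile) throw new Error(`Profile ${profileName} not found in config`);
  for (const key of ["sso_start_url", "sso_region", "sso_account_id", "sso_role_name"]) {
    if (!profile[key]) throw new Error(`Profile ${profileName} is missing ${key}`);
  }
  const token = cache[ssoCacheFileName(profile.sso_start_url)];
  if (!token || !tokenIsValid(token, now)) {
    throw new Error(`SSO token missing or expired; run: aws sso login --profile ${profileName}`);
  }
  return { accessToken: token.accessToken, accountId: profile.sso_account_id,
           roleName: profile.sso_role_name, region: profile.sso_region };
}

// Steps 4-5: exchange the access token for role credentials. The SSO call is injected so the
// flow runs offline; the real provider sends GetRoleCredentialsCommand with an SSOClient.
export async function resolveSsoCredentials(
  configText: string, profileName: string, cache: Record<string, SsoCachedToken>,
  getRoleCredentials: (req: RoleCredentialsRequest) => Promise<RoleCredentials>,
  now: Date = new Date(),
): Promise<RoleCredentials> {
  return getRoleCredentials(prepareSsoRequest(configText, profileName, cache, now));
}

// Constructed sample input (no real credentials): one profile plus a cache file for its start URL.
export const START_URL = "https://d-1234567890.awsapps.com/start";
export const SAMPLE_CONFIG = `[profile sso-dev]
sso_start_url = ${START_URL}
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = us-east-1`;
export const SAMPLE_CACHE: Record<string, SsoCachedToken> = {
  [ssoCacheFileName(START_URL)]: { startUrl: START_URL, region: "us-east-1",
    accessToken: "constructed-access-token", expiresAt: "2030-01-01T08:00:00Z" },
};
// Fake GetRoleCredentials returning placeholder values that expire in one hour.
export const fakeGetRoleCredentials = async (req: RoleCredentialsRequest): Promise<RoleCredentials> => ({
  accessKeyId: `ASIAEXAMPLE${req.accountId}`, secretAccessKey: "not-a-real-secret",
  sessionToken: `token-for-${req.roleName}`, expiration: new Date(Date.now() + 3_600_000),
});

resolveSsoCredentials(SAMPLE_CONFIG, "sso-dev", SAMPLE_CACHE, fakeGetRoleCredentials)
  .then((c) => console.log("resolved", c.accessKeyId, "expires", c.expiration.toISOString()))
  .catch((e) => console.error(String(e)));
```

Everything before the injected call is local and cheap, which is why a missing or expired token is reported before any network traffic; the real provider behaves the same way, and that is the failure you see as "run aws sso login" errors.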

Error Handling

Common SSO credential errors. The provider throws a `CredentialsProviderError` (error name `"CredentialsProviderError"`); the message substrings matched below are illustrative rather than a stable contract, so use them only to print a hint to the user:

import { fromSSO } from "@aws-sdk/credential-providers";

try {
  const credentials = await fromSSO({
    profile: "sso-profile"
  })();
} catch (error) {
  // `error` is `unknown` under strict TypeScript; narrow before reading .message
  const message = error instanceof Error ? error.message : String(error);
  if (message.includes('SSO token is missing or expired')) {
    console.error('Run: aws sso login --profile sso-profile');
  } else if (message.includes('Profile not found')) {
    console.error('SSO profile does not exist in configuration files');
  } else if (message.includes('Invalid SSO configuration')) {
    console.error('SSO profile missing required parameters');
  } else {
    console.error('SSO credentials failed:', message);
  }
}

Multiple SSO Profiles

Manage multiple SSO configurations:

import { S3Client } from "@aws-sdk/client-s3";
import { fromSSO } from "@aws-sdk/credential-providers";

const devClient = new S3Client({
  region: "us-east-1",
  credentials: fromSSO({ profile: "sso-dev" })
});

const prodClient = new S3Client({
  region: "us-west-2", 
  credentials: fromSSO({ profile: "sso-prod" })
});

SSO with Role Assumption

Combine SSO with additional role assumption:

~/.aws/config:

[profile sso-base]
sso_start_url = https://d-1234567890.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = DeveloperAccess

[profile sso-assume-role]
source_profile = sso-base
role_arn = arn:aws:iam::123456789012:role/AssumedRole
region = us-east-1

import { S3Client } from "@aws-sdk/client-s3";
import { fromIni } from "@aws-sdk/credential-providers";

// fromIni follows source_profile: it resolves the SSO base profile first, then
// calls STS AssumeRole on role_arn with those temporary credentials
const assumedRoleClient = new S3Client({
  region: "us-east-1",
  credentials: fromIni({ profile: "sso-assume-role" })
});

Custom Client Configuration

Configure the underlying SSO client (the one that calls GetRoleCredentials). A request timeout is a request-handler option rather than a top-level client option:

import { S3Client } from "@aws-sdk/client-s3";
import { fromSSO } from "@aws-sdk/credential-providers";
import { NodeHttpHandler } from "@smithy/node-http-handler";

const customClient = new S3Client({
  region: "us-east-1",
  credentials: fromSSO({
    profile: "sso-profile",
    clientConfig: {
      region: "us-east-1",
      maxAttempts: 3,
      requestHandler: new NodeHttpHandler({ requestTimeout: 10000 })
    }
  })
});

Integration with CI/CD

SSO credentials are not suitable for automated environments: the token cache is only populated by an interactive browser login and the token expires within hours. Choose the provider by environment instead of hard-coding SSO:

import { S3Client } from "@aws-sdk/client-s3";
import { fromEnv, fromSSO } from "@aws-sdk/credential-providers";

// SSO for local development; environment variables (or the CI platform's
// web-identity/OIDC integration) in CI/CD
const credentials = process.env.NODE_ENV === 'development'
  ? fromSSO({ profile: "sso-dev" })
  : fromEnv();

const client = new S3Client({
  region: "us-east-1",
  credentials
});

SSO Token Refresh

The provider requests new role credentials from GetRoleCredentials when the ones it holds are about to expire, and SDK clients refresh credentials automatically ahead of their `expiration`. The SSO access token itself is renewed only for `sso-session` profiles, which carry a refresh token. A legacy profile (`sso_start_url` set directly on the profile) holds an access token that expires after a fixed period, typically about eight hours, after which the provider throws and `aws sso login` must be run again:

import { fromSSO } from "@aws-sdk/credential-providers";

const provider = fromSSO({ profile: "sso-profile" });

// Succeeds while the cached access token is valid
const credentials1 = await provider();

// Later calls keep working while the SSO session is active; once the access token
// has expired and cannot be refreshed, the call throws and a re-login is required
const credentials2 = await provider();

Troubleshooting SSO Issues

Check SSO Configuration

# View SSO configuration
aws configure list-profiles
aws configure get sso_start_url --profile sso-profile

Verify SSO Login Status

# Test SSO credentials
aws sts get-caller-identity --profile sso-profile

Clear SSO Cache

# Prefer `aws sso logout`: it removes the cached tokens and invalidates the
# server-side session. Deleting the directory only removes the local files
aws sso logout
# or, if the CLI is unavailable:
rm -rf ~/.aws/sso/cache/
aws sso login --profile sso-profile

Availability

  • Node.js: ✅ Available
  • Browser: ❌ Not available (requires filesystem access and AWS CLI)
  • React Native: ❌ Not available