AWS SSO Login
A skill to authenticate to AWS using Single Sign-On (SSO) for a specified profile.
Purpose
Perform SSO authentication before executing AWS CLI operations. SSO sessions typically expire after 8-12 hours, requiring re-authentication.
Input Parameters
- `profile`: AWS CLI profile name configured for SSO (default: defined by project, e.g., `web-hosting`)
  - If the profile name is not known/available from project docs or prior context, ask the user which AWS CLI profile to use before running this skill.
Execution Steps
- Execute the `aws sso login` command with the specified profile
- Open browser automatically (or provide a URL to open manually)
- Complete authentication in the browser
- Confirm successful authentication
Command Example
```bash
# Login with SSO using specified profile
aws sso login --profile <profile-name>
```
Project Configuration
- Document the default profile name (e.g., `web-hosting`) in a separate project guide such as `.github/skills/README.md` or a skill configuration file.
- Refer to that document when invoking this Skill so the same definition can be reused across repositories without editing the Skill itself.
Output
After successful authentication:
- SSO session is established and cached locally
- AWS CLI commands can be executed using the specified profile
- Session remains valid for the configured duration (typically 8-12 hours)
Usage Examples
After executing this skill, AWS CLI commands with the profile become available:
```bash
# Verify authentication
aws sts get-caller-identity --profile <profile-name>

# Assume a role (often used after SSO login)
aws sts assume-role --role-arn <role-arn> --role-session-name <session-name> --profile <profile-name>
```
Prerequisites
- AWS CLI v2 installed (SSO support requires v2 or later)
- SSO configuration set up in `~/.aws/config` for the specified profile
- Web browser available for authentication
- Network access to the SSO authentication endpoint
Notes
- SSO sessions expire after a configured duration (typically 8-12 hours)
- When the session expires, re-execute this skill to re-authenticate
- Browser-based authentication is required; this cannot be fully automated
- For headless environments, consider using the `--no-browser` flag and manually opening the provided URL
- This skill should be executed before the `assume-cloudformation-role` skill if role assumption requires SSO authentication
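
One way to script the login and verification steps above so that re-authentication runs only when the cached session is missing or expired. This is an added example, not part of the original skill; the function names and the `SSO_NO_BROWSER` switch are hypothetical, and the allowed profile-name character set is an assumption.

```shell
#!/usr/bin/env sh
# Added example: log in with SSO only when needed, then confirm the session.

# Accept only conservative profile names (assumption: letters, digits, '.', '_', '-').
# A name taken from project docs or user input then cannot inject an option
# (leading '-') or shell syntax into the aws command line.
valid_profile() {
  case "$1" in
    ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# True when the profile's cached credentials are still accepted by STS.
sso_session_active() {
  aws sts get-caller-identity --profile "$1" >/dev/null 2>&1
}

# Returns 0 when a working session exists, 2 for a rejected profile name,
# 1 when login or the follow-up verification fails.
ensure_sso_session() {
  _profile="$1"
  valid_profile "$_profile" || { echo "invalid profile name" >&2; return 2; }
  if sso_session_active "$_profile"; then
    return 0    # session still valid, no browser round trip needed
  fi
  # SSO_NO_BROWSER=1 is a hypothetical switch for headless hosts: the CLI
  # prints the URL to open manually instead of launching a browser.
  if [ "${SSO_NO_BROWSER:-0}" = "1" ]; then
    aws sso login --profile "$_profile" --no-browser || return 1
  else
    aws sso login --profile "$_profile" || return 1
  fi
  # Confirm the new session works before any later AWS CLI step relies on it.
  sso_session_active "$_profile" || return 1
}
```

Source the file and call `ensure_sso_session <profile-name>` before other AWS CLI commands; a non-zero return means later steps should not run.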