Add user guide for SSO provider usage
joguSD committed Aug 17, 2021
1 parent 1b1065c commit 85b975a
Showing 1 changed file with 32 additions and 0 deletions.
32 changes: 32 additions & 0 deletions docs/source/guide/credentials.rst
Expand Up @@ -232,6 +232,38 @@ This provider can also be configured via environment variables:

These environment variables currently only apply to the assume role with web identity provider and do not apply to the general assume role provider configuration.

AWS Single Sign-On Provider (SSO)
-----------------------------------

Support for the AWS Single Sign-On (SSO) credential provider was added in 1.14.0.

To begin using the SSO credential provider, start by using the AWS CLI V2 to configure and manage your SSO profiles and login sessions.
For detailed instructions on the configuration and login process see the `AWS CLI User Guide for SSO <https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html>`_.
Once completed you will have one or many profiles in the shared configuration file with the following settings:

.. code-block:: ini
# In ~/.aws/config
[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = readOnly
* ``sso_start_url`` - The URL that points to the organization's AWS SSO user portal.
* ``sso_region`` - The AWS Region that contains the AWS SSO portal host. This is separate from, and can be a different region than the default CLI region parameter.
* ``sso_account_id`` - The AWS account ID that contains the IAM role that you want to use with this profile.
* ``sso_role_name`` - The name of the IAM role that defines the user's permissions when using this profile.

You can then specify the profile name via the ``AWS_PROFILE`` environment variable or the ``profile_name`` argument when creating a ``Session``.
For example, we can create a Session using the ``my-sso-profile`` profile and any clients created from this session will use the ``my-sso-profile`` credentials:

.. code-block:: python
import boto3
session = boto3.Session(profile_name='my-sso-profile')
s3_client = session.client('s3')
Boto 2 config
---------------
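
Review bot: The paragraph starting "To begin using the SSO credential provider" tells readers to manage login sessions with the AWS CLI V2, but nothing in the section says what happens on the boto3 side when no login session exists or the session has expired, so the closing Python example reads as if ``boto3.Session(profile_name='my-sso-profile')`` always yields usable credentials. Suggest adding a sentence after the example stating that the CLI login must be completed before clients are created from the session, and pointing to how the login is renewed once it expires. A smaller point on the first sentence: "was added in 1.14.0" would be clearer if it named the package the version number refers to.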

0 comments on commit 85b975a
