
Login Workflow

There will be a single URL to access all Science Cloud AWS accounts via SSO (Single Sign-On). NASA users automatically use PIV authentication via Launchpad to log in. Non-NASA users instead use a combination of their native login workflow and a Science Cloud specific Microsoft Authenticator.

Activating the AWS access portal for first-time IAM Identity Center users

You should receive an email with the subject "Invitation to join AWS IAM Identity Center". Open it and choose Accept invitation. On the New user sign up page, enter and confirm a password, then choose Set new password. You will use that password each time you sign in to the portal. After you activate your user by setting the new password, the AWS access portal signs you in automatically.

AWS Access Portal

Logging in through the AWS access portal gives you access to all of your assigned Science Cloud AWS accounts. For each account you can choose the permission set you need for the session and, if required, generate short-term access keys via the portal.


AWS SSO login directly via the AWS CLI

Configure your sso-session section with the aws configure sso-session wizard.

Important: Delete or comment out any existing aws_access_key_id and aws_secret_access_key in ~/.aws/credentials for the profile you are converting (or in [default], if you rely on the default profile). The AWS CLI looks for static keys before it tries SSO, so leftover long-term keys would be used instead of your SSO credentials.

Example SSO session & named profile usage

1. Configure the SSO Session:

$ aws configure sso-session

Enter the details:

SSO session name: my-sciencecloud-sso 

SSO start URL [None]: https://my-sciencecloud-sso-portal-exampleURL.awsapps.com/start

SSO region [None]: us-east-1

SSO registration scopes [None]: sso:account:access

2. Set Up a Named Profile:

$ aws configure sso

Provide the information:

SSO session name: my-sciencecloud-sso

SSO start URL [None]: https://my-sciencecloud-sso-portal-exampleURL.awsapps.com/start

SSO region [None]: us-east-1

SSO account ID [None]: 123456789012

SSO role name [None]: ReadOnlyAccess

CLI default client Region [None]: us-east-1

CLI default output format [None]: json

CLI profile name [123456789012_ReadOnlyAccess]: ScienceCloudProject-devAccount

If you enter the name of a session you already configured in step 1, the wizard reuses its start URL and region. It then opens your browser to complete the Identity Center sign-in and lets you pick the account and role you are entitled to (the values shown above). The last prompt is the CLI profile name: the default is built from the account ID and role name, but you can enter a descriptive one such as ScienceCloudProject-devAccount and use it with --profile from then on.

3. Use the profile:

$ aws s3 ls --profile ScienceCloudProject-devAccount

The CLI uses the SSO token cached by the wizard to obtain temporary credentials for the profile's account and role, then lists the S3 buckets visible to that role (example use case). Once the token expires, the command fails until you run aws sso login --profile ScienceCloudProject-devAccount again.




Manually configure the config file to create additional profiles

If you access multiple AWS accounts or roles through AWS IAM Identity Center (SSO), you do not want to repeat the same sso_start_url and sso_region in every profile. Instead, define the SSO session once and reference it from each profile. This lets several profiles share one session (and one browser sign-in) while each profile specifies its own account, role, region and output settings. The sso-session section of ~/.aws/config groups the settings used to acquire an SSO access token, which the CLI then exchanges for temporary AWS credentials. The settings are:

In the sso-session section:
sso_start_url (required)
sso_region (required)
sso_registration_scopes

In each profile section:
sso_session (the name of the sso-session section to use)
sso_account_id
sso_role_name

You define an sso-session section and associate it with a profile through sso_session. The sso_region and sso_start_url settings must be set within the sso-session section. sso_account_id and sso_role_name must be set in the profile section so that the CLI can request credentials for that specific account and role.

The following example configures the CLI to request SSO credentials and supports automated token refresh. The sso_session value in the profile must match the name of the sso-session section exactly:

[profile ScienceCloudProject-devAccount]
sso_session = my-sciencecloud-sso
sso_account_id = 111122223333
sso_role_name = PowerUser

[sso-session my-sciencecloud-sso]
sso_region = us-east-1
sso_start_url = https://my-sciencecloud-sso-portal-exampleURL.awsapps.com/start
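To catch the kind of mistake a hand-edited config can introduce (a profile whose sso_session names a section that does not exist, a missing required key, or a leftover static key in ~/.aws/credentials that silently wins over SSO), here is an added shell script that checks a config file before you run aws sso login. It is an example written for this page, not part of the Science Cloud tooling or the AWS CLI; the function name, file layout, account IDs and key values are assumptions, and the sample files it writes under a temporary directory are constructed.

```shell
#!/bin/sh
# Added example (not from the Science Cloud page or the AWS CLI): sanity-check an
# ~/.aws/config for IAM Identity Center profiles. It reports profiles whose
# sso_session names a missing [sso-session ...] section, sessions or profiles
# missing required keys, and profiles that still carry a static aws_access_key_id
# in the credentials file, which the CLI would use instead of SSO.
# The sample files below are constructed; account IDs and keys are dummies.

# check_aws_sso_config CONFIG [CREDENTIALS]
# Prints one line per problem; exit status 0 when clean, 1 otherwise.
check_aws_sso_config() {
    awk -v creds="${2:-/dev/null}" '
    function flush(    k) {
        if (section != "") {
            if (kind == "sso-session") {
                sessions[section] = 1
                if (!("sso_start_url" in vals)) { print "sso-session " section ": missing sso_start_url"; bad = 1 }
                if (!("sso_region" in vals))    { print "sso-session " section ": missing sso_region"; bad = 1 }
            } else if ("sso_session" in vals) {
                ref[section] = vals["sso_session"]
                if (!("sso_account_id" in vals)) { print "profile " section ": missing sso_account_id"; bad = 1 }
                if (!("sso_role_name" in vals))  { print "profile " section ": missing sso_role_name"; bad = 1 }
            }
        }
        for (k in vals) delete vals[k]
    }
    BEGIN { bad = 0 }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                  # [sso-session NAME], [profile NAME] or [default]
        flush()
        line = $0; sub(/^[ \t]*\[/, "", line); sub(/].*$/, "", line)
        kind = "profile"
        if (line ~ /^sso-session[ \t]+/) { kind = "sso-session"; sub(/^sso-session[ \t]+/, "", line) }
        else if (line ~ /^profile[ \t]+/) { sub(/^profile[ \t]+/, "", line) }
        section = line
        next
    }
    /=/ {                                          # key = value
        key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
        vals[key] = val
    }
    END {
        flush()
        for (p in ref) if (!(ref[p] in sessions)) {
            print "profile " p ": sso_session \"" ref[p] "\" has no [sso-session " ref[p] "] section"; bad = 1
        }
        # ~/.aws/credentials uses bare [NAME] headers; a static key there shadows the SSO profile
        while ((getline l < creds) > 0) {
            if (l ~ /^[ \t]*\[/) { c = l; sub(/^[ \t]*\[/, "", c); sub(/].*$/, "", c) }
            else if (l ~ /^[ \t]*aws_access_key_id[ \t]*=/ && (c in ref)) {
                print "profile " c ": static aws_access_key_id in credentials file overrides SSO"; bad = 1
            }
        }
        exit bad
    }' "$1"
}

# --- constructed sample files ---
tmp=$(mktemp -d)

# The page's original example with the session-name mismatch left in
cat > "$tmp/config.broken" <<'EOF'
[profile ScienceCloudProject-devAccount]
sso_session = my-sciencecloud-sso
sso_account_id = 111122223333
sso_role_name = PowerUser

[sso-session ScienceCloudProject-AdminAccount]
sso_region = us-east-1
sso_start_url = https://my-sciencecloud-sso-portal-exampleURL.awsapps.com/start
EOF

# Corrected: one session shared by two profiles
cat > "$tmp/config.ok" <<'EOF'
[sso-session my-sciencecloud-sso]
sso_region = us-east-1
sso_start_url = https://my-sciencecloud-sso-portal-exampleURL.awsapps.com/start
sso_registration_scopes = sso:account:access

[profile ScienceCloudProject-devAccount]
sso_session = my-sciencecloud-sso
sso_account_id = 111122223333
sso_role_name = PowerUser

[profile ScienceCloudProject-AdminAccount]
sso_session = my-sciencecloud-sso
sso_account_id = 444455556666
sso_role_name = AdministratorAccess
EOF

# A leftover long-term key for a profile that should be using SSO (dummy values)
cat > "$tmp/credentials" <<'EOF'
[ScienceCloudProject-devAccount]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF

for cfg in config.ok config.broken; do
    echo "== $cfg"
    check_aws_sso_config "$tmp/$cfg" "$tmp/credentials" || echo "   -> problems found"
done
```

Run it against your own files with check_aws_sso_config ~/.aws/config ~/.aws/credentials; a clean run prints nothing and exits 0, which is a reasonable gate to put in front of aws sso login in a setup script.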

Sign in to an IAM Identity Center session

Once your profiles are set up, before you can run commands you first need to sign in to an IAM Identity Center session so the CLI can request and cache your temporary credentials.

To retrieve and cache a set of IAM Identity Center credentials, run the following command; the AWS CLI opens your default browser so you can complete the Identity Center sign-in:

$ aws sso login --profile ScienceCloudProject-devAccount

SSO authorization page has automatically been opened in your default browser.

Follow the instructions in the browser to complete this authorization request.

Successfully logged into Start URL: https://my-sciencecloud-sso-portal-exampleURL.awsapps.com/start 

Your IAM Identity Center session credentials are cached and the AWS CLI uses them to securely retrieve AWS credentials for the IAM role specified in the profile.

Sign out of your IAM Identity Center sessions

When you are done using your IAM Identity Center profile, you can let your credentials expire or run the following command to delete the cached tokens and credentials for all SSO profiles:

$ aws sso logout

Successfully signed out of all SSO profiles.
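After signing out it is worth confirming that no usable token is left behind, and before signing in it helps to know which cached sign-in the CLI will reuse. The following added shell script (an example for this page, not Science Cloud or AWS CLI code) reads the startUrl and expiresAt fields that the CLI stores in ~/.aws/sso/cache/*.json and reports which entries are still valid. It assumes expiresAt is an ISO 8601 UTC timestamp with a Z suffix, as the CLI writes it; the function names are its own, and the cache directory and token files it builds are constructed stand-ins, so point sso_cache_report at your real ~/.aws/sso/cache to use it.

```shell
#!/bin/sh
# Added example, not from the Science Cloud page or the AWS CLI: list the IAM
# Identity Center token cache and flag entries that are already expired, so you
# can see which sign-in the CLI will reuse and confirm that `aws sso logout`
# left nothing usable behind. It reads the "startUrl" and "expiresAt" fields the
# CLI writes to ~/.aws/sso/cache/*.json (expiresAt is ISO 8601 UTC, e.g.
# 2030-01-01T00:00:00Z). The cache directory and files built below are
# constructed stand-ins with dummy token values.

# json_field FILE KEY -> prints the string value of "KEY" from a flat JSON file
json_field() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# sso_cache_report DIR [NOW]
# One line per cache file: STATUS EXPIRES_AT START_URL FILE, STATUS being
# VALID, EXPIRED or NOEXPIRY. Exit status 1 if at least one token is still
# valid, 0 if nothing usable remains. NOW defaults to the current UTC time.
sso_cache_report() {
    dir="$1"
    now="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    live=0
    for f in "$dir"/*.json; do
        [ -e "$f" ] || continue
        exp=$(json_field "$f" expiresAt)
        url=$(json_field "$f" startUrl)
        if [ -z "$exp" ]; then
            status=NOEXPIRY
        elif awk -v e="$exp" -v n="$now" 'BEGIN { exit !(e > n) }'; then
            status=VALID; live=1       # ISO 8601 UTC timestamps sort lexically
        else
            status=EXPIRED
        fi
        printf '%s %s %s %s\n' "$status" "${exp:--}" "${url:--}" "$f"
    done
    return $live
}

# --- constructed sample cache (dummy tokens, not real credentials) ---
cache=$(mktemp -d)
portal=https://my-sciencecloud-sso-portal-exampleURL.awsapps.com/start
printf '{"startUrl": "%s", "region": "us-east-1", "accessToken": "dummy-1", "expiresAt": "2030-01-01T00:00:00Z"}\n' \
    "$portal" > "$cache/current.json"
printf '{"startUrl": "%s", "region": "us-east-1", "accessToken": "dummy-2", "expiresAt": "2020-01-01T00:00:00Z"}\n' \
    "$portal" > "$cache/stale.json"

if sso_cache_report "$cache"; then
    echo "no usable SSO token cached"
else
    echo "a valid SSO token is still cached; run aws sso logout to clear it"
fi
```

A VALID line tells you which start URL the CLI will sign you into without a browser round trip; only EXPIRED or no lines at all should remain after aws sso logout.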


External Resources

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html#cli-configure-sso-configure


Contact us!

Please provide feedback on these instructions, questions, concerns, or issues via email to support@sciencecloud.nasa.gov

Any feedback is deeply appreciated. It helps the Science Cloud Team continuously improve this process.

