Agent skill
aws-sso-auth-guide
AWS SSO discovery, configuration, and terminal usage
Install this agent skill to your Project
npx add-skill https://github.com/stakpak/community-paks/tree/main/aws-sso-auth-guide
Metadata
Additional technical details for this skill
- author: Stakpak <team@stakpak.dev>
- version: 1.0.2
SKILL.md
AWS SSO Terminal Guide
Discovery: Finding SSO Configuration
Get SSO Instance & Portal URL
# From management account
aws sso-admin list-instances --profile <mgmt-profile>
# Returns: InstanceArn, IdentityStoreId (d-xxxxxxxxxx), OwnerAccountId
# Portal URL format: https://d-xxxxxxxxxx.awsapps.com/start
List Accounts & Permission Sets
# List organization accounts
aws organizations list-accounts --profile <mgmt-profile>
# List permission sets
aws sso-admin list-permission-sets \
  --instance-arn <instance-arn> \
  --profile <mgmt-profile>
# Get permission set name
aws sso-admin describe-permission-set \
  --instance-arn <instance-arn> \
  --permission-set-arn <ps-arn> \
  --profile <mgmt-profile>
# Check account assignments
aws sso-admin list-account-assignments \
  --instance-arn <instance-arn> \
  --account-id <account-id> \
  --permission-set-arn <ps-arn> \
  --profile <mgmt-profile>
Configuration
Profile Structure (Recommended)
# ~/.aws/config
[profile my-profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1
[sso-session my-sso]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
Benefits: Token reuse across profiles, automatic refresh (CLI v2.22.0+)
Interactive Configuration
aws configure sso
Authentication
Login Flow
# Login (PKCE auth - default in CLI v2.22.0+)
aws sso login --profile my-profile
# Login with device code (for headless/remote)
aws sso login --profile my-profile --use-device-code
# Verify
aws sts get-caller-identity --profile my-profile
Token Cache: ~/.aws/sso/cache/
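An added example (not part of the original skill) that audits the token cache directory named above: for each cached token it reports whether the token has expired and whether the file is accessible to other local users, without ever returning the token value. It assumes cache files are JSON carrying `startUrl`, `accessToken`, `expiresAt` and optionally `refreshToken`, as AWS CLI v2 writes them; the function names and the sample entries in `demo()` are constructed.

```python
import json
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def parse_expiry(value):
    """Parse expiresAt; a trailing 'Z' or 'UTC' is treated as UTC."""
    parsed = datetime.fromisoformat(value.replace("UTC", "+00:00").replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def audit_sso_cache(cache_dir, now=None):
    """Return one finding per cached SSO token; token values are never included."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for path in sorted(Path(cache_dir).glob("*.json")):
        try:
            entry = json.loads(path.read_text())
        except (OSError, ValueError):
            continue  # unreadable or not JSON
        if not isinstance(entry, dict) or not {"accessToken", "expiresAt"} <= entry.keys():
            continue  # some other cache file that holds no access token
        mode = stat.S_IMODE(path.stat().st_mode)
        findings.append({
            "file": path.name,
            "start_url": entry.get("startUrl"),
            "expired": parse_expiry(entry["expiresAt"]) <= now,  # fix: aws sso login
            "has_refresh_token": "refreshToken" in entry,
            "group_or_world_access": bool(mode & 0o077),  # expect 0600
        })
    return findings

def demo():
    """Audit a constructed cache directory (sample data, not real tokens)."""
    url = "https://d-xxxxxxxxxx.awsapps.com/start"
    samples = {"fresh.json": ("2999-01-01T00:00:00Z", 0o600),
               "stale.json": ("2020-01-01T00:00:00Z", 0o644)}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (expires, mode) in samples.items():
            p = Path(tmp, name)
            p.write_text(json.dumps(
                {"startUrl": url, "accessToken": "CONSTRUCTED", "expiresAt": expires}))
            p.chmod(mode)
        return audit_sso_cache(tmp)

if __name__ == "__main__":
    for finding in audit_sso_cache(Path.home() / ".aws/sso/cache"):
        print(finding)
```
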
Key Endpoints & Flow
- oidc.{region}.amazonaws.com - OIDC authentication
- portal.sso.{region}.amazonaws.com - SSO portal
- Auth flow: RegisterClient → StartDeviceAuthorization → CreateToken
Troubleshooting
Missing SSO Configuration:
# Error: Missing sso_start_url, sso_region
# Fix: aws configure sso
Expired Token:
# Error: Token is expired
# Fix: aws sso login --profile my-profile
Proxy SSL Issues:
# Error: SSL certificate verification failed
# Fix: Set AWS_CA_BUNDLE to proxy CA certificate
export AWS_CA_BUNDLE=/path/to/proxy-ca.crt
Access Denied:
# Check permission set assignments
aws sso-admin list-account-assignments \
  --instance-arn <arn> \
  --account-id <id> \
  --permission-set-arn <ps-arn>
Quick Reference
CLI Versions:
- v2.22.0+: PKCE auth (default), auto-refresh
- < v2.22.0: Device code auth
Authorization Types:
- PKCE: Same-device, browser required
- Device Code: Cross-device, browser optional