I Was Logging Into AWS Twice a Day Like a Caveman. Here’s What Fixed It.

For the longest time my morning had a very specific routine. I would make coffee, sit down, open my terminal, run something, and then get hit with an error message that said my token had expired. I would sigh, open my browser, click through the AWS access portal, pick the account, click on “Access keys”, copy three values, paste them into my AWS credentials file, save it, and then re-run the command.

I had to do this all over again around 8 PM. If you have used AWS with an access page, you know exactly what I am talking about. The keys expire every 12 hours. You copy them, you paste them, you save them. You swear under your breath. It is not hard, it is just stupid. And it adds up. Two times a day, maybe a minute or two each time. Plus the time it takes to leave your terminal and click around a browser.

It is the kind of annoyance that quietly drains your attention all day. I assumed for a time that this was just how it worked. That this was the price of doing business with short-lived credentials. It is not. The AWS CLI can do all of this for you. I just did not know.

Here is the thing that finally made it click for me, and the steps to set it up so you never have to paste another key.

What's Actually Going On

The page you log into, the one called “AWS access portal” with a list of accounts, is AWS IAM Identity Center. When you click an account and grab the keys, AWS is generating credentials for you on the spot. They expire fast on purpose, because short-lived credentials are way safer than long-lived ones.

The part nobody tells you clearly is that the AWS CLI knows how to do that key-fetching itself. You log in once through the browser, and from then on the CLI quietly refreshes credentials in the background as you work. You stop touching the credentials file entirely.

The magic command is aws configure sso. That is it.

Let me walk through it properly because the prompts can be a little confusing the first time.

Step 1: Run the Setup Command

Open a terminal and run:


aws configure sso

It is going to ask you a series of questions. Do not panic. Most of the answers are obvious once you know where to look.

Step 2: Pick a Session Name

The prompt:


SSO session name (Recommended):

This is just a label for your own use. It does not matter to AWS. Type something like mycompany or your team name. I used stepsecurity because that is where I work. Anything works. Press Enter.

Step 3: Paste the Start URL


SSO start URL:

Go to your browser, open the AWS access page you usually log into, and look at the address bar. It will look something like https://yourcompany.awsapps.com/start. Copy that URL, paste it here, and press Enter.

Step 4: Pick the Region


SSO region:

This is the region where your company set up Identity Center. If you do not know it, try us-east-1 first. If that fails, try us-west-2. One of them is certainly right. If you are really stuck, ask whoever set up AWS at your company.

Step 5: Skip the Scopes


SSO registration scopes:

Press Enter. The default is fine.

Step 6: Approve in the Browser

A browser window pops open asking you to approve the device. Click yes. Confirm the code matches what your terminal showed you. Done. Go back to the terminal.

Step 7: Pick an Account and Role

The CLI will now show you the accounts you have access to. Pick one. Then pick the role you want to use in that account.

Step 8: Set Defaults and Name the Profile

It will ask:


Default client Region:

CLI default output format:

Profile name:

For region, pick whatever region you actually work in for that account. For output format, I would type json because it is more useful for scripts. Text is fine too. For profile name, pick something. This is what you will type after --profile whenever you run AWS commands.

Step 9: Test It


aws sts get-caller-identity --profile yourprofilename

If you see your account ID and role ARN printed out, congratulations. You are done. No keys were copied. No files were edited. The CLI did everything.

Step 10: Add Profiles (Optional)

If you have more AWS accounts, just run aws configure sso again for each one. When it asks for the session name, type the one you used the first time. It will reuse the login. Skip straight to picking the next account.

What Daily Life Looks Like Now

When my AWS credentials expire here is the ritual:


aws sso login --sso-session stepsecurity

Browser pops up. I click approve. Back to work. The CLI handles AWS credentials for individual commands silently from that point on.

No more copying keys. No more editing the credentials file. No more cursing at the terminal at 8 PM because the token expired right as I was about to deploy something.

A Few Honest Notes

The old entries in your AWS credentials file? You can leave them there. They get ignored because the profiles in your AWS config file take priority. If you want to clean up, back up the file first. Then delete the stale entries.
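An added example, not part of the original post: a small Python audit to run before that cleanup, using constructed sample files (the account ID, the role name `ExampleRole` and the `old-deploy` profile are placeholders). It labels each credentials-file entry by its access key prefix and flags any profile name that exists in both files, so you can confirm which entry the CLI actually resolves for that name before deleting anything.

```python
import configparser

# Constructed sample shaped like what `aws configure sso` writes (placeholder IDs).
SAMPLE_CONFIG = """\
[sso-session stepsecurity]
sso_start_url = https://yourcompany.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
[profile yourprofilename]
sso_session = stepsecurity
sso_account_id = 111122223333
sso_role_name = ExampleRole
region = us-east-1
output = json
"""
# Constructed ~/.aws/credentials left over from copy-pasting (secrets omitted).
SAMPLE_CREDENTIALS = """\
[yourprofilename]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
[old-deploy]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
"""
# Access key ID prefixes: AKIA = IAM user key, ASIA = temporary (STS) key.
PREFIXES = {"AKIA": "long-lived IAM user key", "ASIA": "pasted temporary key"}

def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def sso_profiles(config_text):
    """Profile names in the config file that resolve through Identity Center."""
    cfg = _parse(config_text)
    return {s.split(" ", 1)[-1] for s in cfg.sections()
            if not s.startswith("sso-session ") and "sso_account_id" in cfg[s]}

def audit(config_text, credentials_text):
    """Map each credentials-file profile to a list of findings."""
    sso, creds, report = sso_profiles(config_text), _parse(credentials_text), {}
    for name in creds.sections():
        key_id = creds[name].get("aws_access_key_id", "")
        findings = [label for p, label in PREFIXES.items() if key_id.startswith(p)]
        if name in sso:
            findings.append("same name as an SSO profile")
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_CREDENTIALS))
```

To audit real files, pass the text of ~/.aws/config and ~/.aws/credentials to `audit()` instead of the samples.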

Some older tools do not speak SSO natively. Most modern tools handle it fine. If you hit a tool that complains, you can run aws configure export-credentials --profile yourprofilename --format env to dump temporary keys as environment variables.

If you are someone who hops between five AWS accounts in browser tabs all day, tools like granted and aws-vault build on top of this with extra features. Honestly, plain aws configure sso covers 90 percent of people.

The Real Lesson

The fix took me ten minutes to set up. I had been doing the dance for months. Maybe years if I am being honest with myself.

The takeaway, I think, is that whenever you find yourself doing something slightly annoying as part of your job, especially something with computers, it is worth spending fifteen minutes searching whether someone already solved it. Usually they have. Usually the solution ships with the tool you are already using. Usually you just did not know it existed.

Anyway. Go run aws configure sso. Future you will thank you.