An AWS CLI profile that uses IAM Identity Center needs a fresh browser-approved sign-in before account-sensitive commands run. aws sso login refreshes the cached session for a saved profile so deployments, support checks, and data commands do not fall back to an expired token or a different AWS account.
The login command does not create the profile. The named profile must already point to an IAM Identity Center account and permission set in ~/.aws/config, either through a shared [sso-session …] block or older inline SSO settings. After sign-in, the AWS CLI stores an access token under ~/.aws/sso/cache and uses it to request temporary role credentials when later service commands need them.
AWS CLI v2.22.0 and newer uses the authorization-code flow with Proof Key for Code Exchange (PKCE) by default, which requires the authorization URL to be opened in a browser on the same device that ran the command. Use the device-code flow only for a shell with no local browser (an SSH session or a container, for example) or when approval must happen on another device. The token is cached per sso_session, so every profile that references the same shared session shares one sign-in and one cached token; signing in again for one of those profiles replaces the token for all of them.
Steps to log in to AWS CLI with IAM Identity Center:
- List the saved profile names.
$ aws configure list-profiles
default
my-dev-profile
production-admin
The target profile must already exist before aws sso login can refresh its IAM Identity Center token. Create or repair the profile first if it is missing.
Related: How to configure an IAM Identity Center session in AWS CLI
- Confirm that the target profile references the expected shared IAM Identity Center session.
$ aws configure get sso_session --profile my-dev-profile
my-sso
No output means the profile has no sso_session key: either the profile is missing SSO settings entirely or it still uses the older inline layout, where sso_start_url and sso_region sit directly in the [profile …] section. Check ~/.aws/config before logging in if the profile name is not familiar.
- Confirm the target AWS account configured for the profile.
$ aws configure get sso_account_id --profile my-dev-profile
111122223333
The account ID should match the environment you intend to access before the browser sign-in starts.
- Confirm the permission set role configured for the profile.
$ aws configure get sso_role_name --profile my-dev-profile
DeveloperAccess
The permission set controls the role credentials the AWS CLI requests after the browser sign-in succeeds.
- Start the local browser login flow for the profile.
$ aws sso login --profile my-dev-profile
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize the request, open the following URL:

https://oidc.us-east-1.amazonaws.com/authorize?<abbreviated>

Successfully logged into Start URL: https://my-sso-portal.awsapps.com/start
For the default PKCE flow, open the authorization URL on the same device that ran the command.
- Use the device-code flow when the terminal cannot use a local browser.
$ aws sso login --profile my-dev-profile --use-device-code --no-browser
Open the following URL in another browser:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

QCFK-N451
--use-device-code selects the device authorization flow, and --no-browser prevents the AWS CLI from trying to launch a browser from the shell.
- Verify the AWS identity resolved through the refreshed profile.
$ aws sts get-caller-identity --profile my-dev-profile --output json
{
    "UserId": "AROAEXAMPLEID:my-dev-profile",
    "Account": "111122223333",
    "Arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_DeveloperAccess_1234567890abcdef/my-dev-profile"
}
The Account field should match the account chosen for the IAM Identity Center profile, and the Arn should name the expected permission set: Identity Center provisions the role as AWSReservedSSO_<permission set>_<suffix> in the target account, so a different permission set or account shows up here before any deployment or data command runs.
Related: How to check the current caller identity in AWS CLI
- Clear cached IAM Identity Center tokens only when retrying with a different sign-in.
$ aws sso logout
Successfully signed out of all SSO profiles.
aws sso logout removes every cached IAM Identity Center token, and the temporary role credentials derived from them, for the current user on the workstation, not only those for my-dev-profile. Any other profile that shares the same sso_session needs a fresh aws sso login afterwards.
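The checks from the steps above combined into one pre-flight script, as an added example that is not part of the original article. It reads the profile's sso_session, sso_account_id and sso_role_name straight out of an AWS config file (the same values aws configure get returns) so the sanity checks run even where the CLI is not installed, refuses to start the browser flow when the profile is missing, uses the legacy inline layout or points at another account, and after sign-in compares the caller identity's Account and Arn against the expected account and permission set. The profile name, expected account ID, permission set, session name, the constructed config file and the DO_LOGIN switch are all assumptions for the example, not values from the article.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks around
# `aws sso login`. Assumed values (hypothetical): the profile, the account
# the profile must target, and the permission set it must resolve to.
PROFILE=my-dev-profile
EXPECTED_ACCOUNT=111122223333
EXPECTED_ROLE=DeveloperAccess

# Constructed sample config in the shared [sso-session] layout, written to a
# temp file so the example runs offline; point CONFIG_FILE at ~/.aws/config
# for real use.
CONFIG_FILE="${TMPDIR:-/tmp}/sso-preflight-config.$$"
cat > "$CONFIG_FILE" <<'EOF'
[profile my-dev-profile]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = DeveloperAccess
region = us-east-1

[sso-session my-sso]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
EOF

# config_get FILE SECTION KEY: print KEY from "[SECTION]", where SECTION is
# "profile NAME" or "sso-session NAME". Prints nothing when the section or
# key is absent, mirroring `aws configure get`.
config_get() {
  awk -v sect="[$2]" -v key="$3" '
    /^\[/ { in_sect = ($0 == sect); next }
    in_sect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
    }' "$1"
}

# preflight FILE PROFILE ACCOUNT ROLE: fail before any browser opens if the
# profile has no shared session or is pointed at the wrong account or role.
preflight() {
  file=$1; profile=$2; want_account=$3; want_role=$4
  session=$(config_get "$file" "profile $profile" sso_session)
  if [ -z "$session" ]; then
    echo "preflight: $profile has no sso_session (missing profile or legacy inline SSO layout)" >&2
    return 1
  fi
  account=$(config_get "$file" "profile $profile" sso_account_id)
  role=$(config_get "$file" "profile $profile" sso_role_name)
  start_url=$(config_get "$file" "sso-session $session" sso_start_url)
  [ "$account" = "$want_account" ] || { echo "preflight: account $account != $want_account" >&2; return 1; }
  [ "$role" = "$want_role" ] || { echo "preflight: role $role != $want_role" >&2; return 1; }
  echo "preflight ok: $profile -> $account/$role via session $session ($start_url)"
}

# identity_matches JSON ACCOUNT ROLE: check `aws sts get-caller-identity`
# output. An Identity Center role Arn has the form
# arn:aws:sts::ACCOUNT:assumed-role/AWSReservedSSO_ROLE_<suffix>/<user>,
# so both the Account field and the role segment of the Arn are compared.
identity_matches() {
  json=$1; want_account=$2; want_role=$3
  got_account=$(printf '%s\n' "$json" | sed -n 's/.*"Account"[ \t]*:[ \t]*"\([0-9]*\)".*/\1/p')
  got_arn=$(printf '%s\n' "$json" | sed -n 's/.*"Arn"[ \t]*:[ \t]*"\([^"]*\)".*/\1/p')
  [ "$got_account" = "$want_account" ] || return 1
  case $got_arn in
    "arn:aws:sts::$want_account:assumed-role/AWSReservedSSO_${want_role}_"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed caller-identity output in the shape the CLI prints.
SAMPLE_IDENTITY='{ "UserId": "AROAEXAMPLEID:my-dev-profile", "Account": "111122223333",
  "Arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_DeveloperAccess_1234567890abcdef/my-dev-profile" }'

preflight "$CONFIG_FILE" "$PROFILE" "$EXPECTED_ACCOUNT" "$EXPECTED_ROLE" || exit 1

# Real sign-in only when DO_LOGIN=1 (an assumed switch) and the CLI exists;
# otherwise the constructed sample identity is verified so the run stays offline.
if [ "${DO_LOGIN:-0}" = 1 ] && command -v aws >/dev/null 2>&1; then
  aws sso login --profile "$PROFILE" || exit 1
  identity=$(aws sts get-caller-identity --profile "$PROFILE" --output json)
else
  identity=$SAMPLE_IDENTITY
fi
if identity_matches "$identity" "$EXPECTED_ACCOUNT" "$EXPECTED_ROLE"; then
  echo "identity ok: $EXPECTED_ROLE in $EXPECTED_ACCOUNT"
else
  echo "identity MISMATCH: run aws sso logout, then sign in again" >&2; exit 1
fi
```

Run it as is to exercise the checks against the constructed config; set CONFIG_FILE to ~/.aws/config and DO_LOGIN=1 to run the real aws sso login and verify the live caller identity. A mismatch after sign-in usually means the cached token belongs to a different session or account, which is exactly the case where aws sso logout followed by a fresh login is the right recovery.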
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.