The AWS.Tools.* family of PowerShell modules make for a convinient way to integrate scripts with AWS without the need to install the AWS cli onto your machine.

At the time of writing however there is no commandlet alternative for aws sso login, a command that should be familiar to anyone restricted to AWS Single Sign on accounts in their organisation.

Additonaly there seems to be very few people using the PowerShell modules in combination with SSO and the AWS docs reflect that given their lack of guidance.

The solution then was to borrow from others facing similar issues with the python library boto3:

How to use the AWS Python SDK while connecting via SSO credentials

I am attempting to create a python script to connect to and interact with my AWS account. I was reading up on it here https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html…

Stack Overflowuser1015214

With a little bit of effort and lots of scouring the AWS command docs, I was able to translate the Python script into PowerShell:

# This script is used to authenticate with AWS SSO for use with the AWS.Tools.* PowerShell modules

$AccountId = ""
$StartURL = ""
$RoleName = "PermissionSetNameHere"
$ProfileName = "SomeNameHere"

$SSOOIDCClient = $(Register-SSOOIDCClient -ClientName 'powershell' -ClientType 'public')
$DevAuth = $(Start-SSOOIDCDeviceAuthorization -ClientId $SSOOIDCClient.ClientId -ClientSecret $SSOOIDCClient.ClientSecret -StartUrl $StartURL)
$CodeExpiry = (Get-Date) + (New-TimeSpan -Seconds $DevAuth.ExpiresIn)
Set-Clipboard $DevAuth.VerificationUriComplete
Write-Host "Copied auth link to clipboard: $($DevAuth.VerificationUriComplete)"

while ((Get-Date) -le $CodeExpiry) {
    Start-Sleep $DevAuth.Interval
    try {
        $Token = $(New-SSOOIDCToken -ClientId $SSOOIDCClient.ClientId -ClientSecret $SSOOIDCClient.ClientSecret -DeviceCode $DevAuth.DeviceCode -GrantType 'urn:ietf:params:oauth:grant-type:device_code')
        break
    }
    catch [Amazon.SSOOIDC.Model.AuthorizationPendingException] {
        continue #Awaiting auth to be given
    }
}

$Credential = Get-SSORoleCredential -AccessToken $Token.AccessToken -AccountId $AccountId -RoleName $RoleName
Set-AWSCredential -AccessKey $Credential.AccessKeyId -SecretKey $Credential.SecretAccessKey -SessionToken $Credential.SessionToken -StoreAs $ProfileName
Get-AWSCredential -ListProfileDetail

The script above will take in a few required parameters (you'll need to fill in) and spit out temporary credentials to the specified profile name using the same method as the script in the StackOverflow post.

In the middle of the auth flow, you'll be directed to open the URL copied to the clipboard to authorise the device.

For it to work you'll need the AWS.Tools.SSO and AWS.Tools.SSOOIDC modules installed and loaded.

With that the script should have saved your crediantials to the profile name provided. Running any AWS commandlet with the -ProfileName parameter and the profile should use the new session.