---
name: aws-sso-login
description: Authenticate to AWS using Single Sign-On (SSO). Use when AWS CLI operations require SSO authentication or when SSO session has expired.
---
# AWS SSO Login
A skill to authenticate to AWS using Single Sign-On (SSO) for a specified profile.
## Purpose
Perform SSO authentication before executing AWS CLI operations. SSO sessions typically expire after 8-12 hours, requiring re-authentication.
## Input Parameters
- `profile`: AWS CLI profile name configured for SSO (default: defined by project, e.g., `web-hosting`)
- If the profile name is not known/available from project docs or prior context, ask the user which AWS CLI profile to use before running this skill.
## Execution Steps
1. Execute `aws sso login` command with the specified profile
2. Open browser automatically (or provide a URL to open manually)
3. Complete authentication in the browser
4. Confirm successful authentication
## Command Example
```bash
# Login with SSO using specified profile
aws sso login --profile <profile-name>
```
## Project Configuration
- Document the default profile name (e.g., `web-hosting`) in a separate project guide such as `.github/skills/README.md` or a skill configuration file.
- Refer to that document when invoking this Skill so the same definition can be reused across repositories without editing the Skill itself.
## Output
After successful authentication:
- SSO session is established and cached locally
- AWS CLI commands can be executed using the specified profile
- Session remains valid for the configured duration (typically 8-12 hours)
## Usage Examples
After executing this skill, AWS CLI commands with the profile become available:
```bash
# Verify authentication
aws sts get-caller-identity --profile web-hosting
# Assume a role (often used after SSO login)
aws sts assume-role --role-arn <role-arn> --role-session-name <session-name> --profile web-hosting
```
## Prerequisites
- AWS CLI v2 installed (SSO support requires v2 or later)
- SSO configuration set up in `~/.aws/config` for the specified profile
- Web browser available for authentication
- Network access to the SSO authentication endpoint
## Notes
- SSO sessions expire after a configured duration (typically 8-12 hours)
- When the session expires, re-execute this skill to re-authenticate
- Browser-based authentication is required; this cannot be fully automated
- For headless environments, consider using `--no-browser` flag and manually opening the provided URL
- This skill should be executed before the `assume-cloudformation-role` skill if role assumption requires SSO authentication
