aws-sso-cli
AWS SSO CLI is a Go-based command-line tool that simplifies managing AWS Identity Center credentials for organizations with multiple AWS accounts and roles. It encrypts credentials locally using secure storage, replacing the standard AWS CLI SSO configuration with a focus on security and user experience.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | synfinatic/aws-sso-cli |
| Owner | synfinatic |
| Primary language | Go |
| License | GPL-3.0 — OSI-approved |
| Stars | 654 |
| Forks | 78 |
| Open issues | 25 |
| Latest release | v2.3.1 (2026-06-20) |
| Last updated | 2026-07-08 |
| Source | https://github.com/synfinatic/aws-sso-cli |
What aws-sso-cli is
Written in Go, the tool auto-discovers AWS SSO roles, manages ~/.aws/config, and exports STS credentials via encrypted keyring storage (99designs/keyring). It supports interactive role selection, tagging, ECS Task IAM Role sharing, and multiple web console sessions without external dependencies.
Get the aws-sso-cli source
Clone the repository and explore it locally.
git clone https://github.com/synfinatic/aws-sso-cli.gitcd aws-sso-cli# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires AWS IAM Identity Center already configured in your AWS organization; this tool does not set it up.
- End users must trust the local keyring/secure storage on their machines (macOS Keychain, Linux Secret Service, Windows Credential Manager, or pass).
- Initial setup guided but teams should plan for distribution, versioning, and documentation of the tool across developers.
- Encrypts credentials on disk but does not prevent exfiltration if terminal session or shell history is compromised; user discipline required.
- Single binary with no runtime dependencies simplifies deployment but version updates require redistribution.
When to avoid it — and what to weigh
- Legacy SAML-Based SSO — Explicitly requires AWS IAM Identity Center. Does not support older SAML integrations (OneLogin/Okta tile-based authentication).
- Static API Credential Workflows — Designed exclusively for temporary STS credentials via AWS IAM Identity Center. Not suitable if your organization relies on long-lived API keys or non-SSO authentication.
- Proprietary/Closed-Source Requirement — Released under GPL-3.0, which requires source code disclosure for derivative works. Organizations requiring proprietary tools should avoid or conduct legal review.
- Windows-First Environments — While Windows amd64/386 binaries are provided, primary development focus appears to be Linux/macOS; edge cases or platform-specific issues may have longer resolution times.
License & commercial use
GPL-3.0 (GNU General Public License v3.0). This is a copyleft open-source license requiring source code disclosure and same-license distribution for derivative works.
GPL-3.0 permits commercial use, but any modifications or derivative works must be open-sourced under GPL-3.0. Using unmodified binaries as a tool carries minimal license risk; embedding or modifying the code requires legal review and potential source disclosure obligations.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Tool encrypts credentials on disk using OS-level keyrings, addressing plaintext exposure in standard AWS CLI. However: (1) keyring backend strength varies by OS; (2) in-memory credentials during active use are not obfuscated; (3) shell history and process listing can leak credentials if user is not careful; (4) no mention of credential rotation frequency enforcement; (5) local machine compromise (malware, physical access) will bypass encryption. Suitable for reducing casual credential leakage but not a substitute for defense-in-depth.
Alternatives to consider
aws-vault
Similar credential encryption approach using keyring, broader credential backend support (Vault, static keys), but designed for static AWS API keys more than IAM Identity Center workflows.
Official AWS CLI v2 with aws configure sso
No external tool, credentials managed by AWS; however, stores plaintext SSO tokens and temporary credentials on disk—less secure but requires no third-party binary.
HashiCorp Vault with AWS Auth Method
Centralized credential management, audit logging, and encryption at rest; requires Vault infrastructure and learning curve but suitable for large enterprises with strict compliance.
Build on aws-sso-cli with DEV.co software developers
AWS SSO CLI encrypts credentials on disk and simplifies multi-account IAM Identity Center workflows. Evaluate it for your organization or contact our team to discuss secure credential management strategies.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
aws-sso-cli FAQ
Does this work with AWS organizations without IAM Identity Center?
Are credentials stored in plaintext?
Can I use this in CI/CD pipelines?
What if I modify the source code? Do I have to release it?
Work with a software development agency
DEV.co helps companies turn open-source tools like aws-sso-cli into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Ready to Secure Your AWS Credentials?
AWS SSO CLI encrypts credentials on disk and simplifies multi-account IAM Identity Center workflows. Evaluate it for your organization or contact our team to discuss secure credential management strategies.