DEV.co
Open-Source Security · synfinatic

aws-sso-cli

AWS SSO CLI is a Go-based command-line tool that simplifies managing AWS Identity Center credentials for organizations with multiple AWS accounts and roles. It encrypts credentials locally using secure storage, replacing the standard AWS CLI SSO configuration with a focus on security and user experience.

Source: GitHub — github.com/synfinatic/aws-sso-cli
654
GitHub stars
78
Forks
Go
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorysynfinatic/aws-sso-cli
Ownersynfinatic
Primary languageGo
LicenseGPL-3.0 — OSI-approved
Stars654
Forks78
Open issues25
Latest releasev2.3.1 (2026-06-20)
Last updated2026-07-08
Sourcehttps://github.com/synfinatic/aws-sso-cli

What aws-sso-cli is

Written in Go, the tool auto-discovers AWS SSO roles, manages ~/.aws/config, and exports STS credentials via encrypted keyring storage (99designs/keyring). It supports interactive role selection, tagging, ECS Task IAM Role sharing, and multiple web console sessions without external dependencies.

Quickstart

Get the aws-sso-cli source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/synfinatic/aws-sso-cli.gitcd aws-sso-cli# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Multi-Account AWS Organizations

Ideal for enterprises managing many AWS accounts where users need to assume multiple IAM roles. Auto-discovery and tagging eliminate manual configuration and streamline role selection.

Security-Conscious Teams

Organizations requiring encrypted credential storage and rejecting plaintext AWS config. Encrypts SSO tokens, client secrets, and temporary credentials that standard AWS CLI leaves exposed.

Containerized Workloads with Temporary Credentials

Supports ECS Task IAM Role credential sharing for services needing temporary, rotated credentials without managing static API keys.

Implementation considerations

  • Requires AWS IAM Identity Center already configured in your AWS organization; this tool does not set it up.
  • End users must trust the local keyring/secure storage on their machines (macOS Keychain, Linux Secret Service, Windows Credential Manager, or pass).
  • Initial setup guided but teams should plan for distribution, versioning, and documentation of the tool across developers.
  • Encrypts credentials on disk but does not prevent exfiltration if terminal session or shell history is compromised; user discipline required.
  • Single binary with no runtime dependencies simplifies deployment but version updates require redistribution.

When to avoid it — and what to weigh

  • Legacy SAML-Based SSO — Explicitly requires AWS IAM Identity Center. Does not support older SAML integrations (OneLogin/Okta tile-based authentication).
  • Static API Credential Workflows — Designed exclusively for temporary STS credentials via AWS IAM Identity Center. Not suitable if your organization relies on long-lived API keys or non-SSO authentication.
  • Proprietary/Closed-Source Requirement — Released under GPL-3.0, which requires source code disclosure for derivative works. Organizations requiring proprietary tools should avoid or conduct legal review.
  • Windows-First Environments — While Windows amd64/386 binaries are provided, primary development focus appears to be Linux/macOS; edge cases or platform-specific issues may have longer resolution times.

License & commercial use

GPL-3.0 (GNU General Public License v3.0). This is a copyleft open-source license requiring source code disclosure and same-license distribution for derivative works.

GPL-3.0 permits commercial use, but any modifications or derivative works must be open-sourced under GPL-3.0. Using unmodified binaries as a tool carries minimal license risk; embedding or modifying the code requires legal review and potential source disclosure obligations.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool encrypts credentials on disk using OS-level keyrings, addressing plaintext exposure in standard AWS CLI. However: (1) keyring backend strength varies by OS; (2) in-memory credentials during active use are not obfuscated; (3) shell history and process listing can leak credentials if user is not careful; (4) no mention of credential rotation frequency enforcement; (5) local machine compromise (malware, physical access) will bypass encryption. Suitable for reducing casual credential leakage but not a substitute for defense-in-depth.

Alternatives to consider

aws-vault

Similar credential encryption approach using keyring, broader credential backend support (Vault, static keys), but designed for static AWS API keys more than IAM Identity Center workflows.

Official AWS CLI v2 with aws configure sso

No external tool, credentials managed by AWS; however, stores plaintext SSO tokens and temporary credentials on disk—less secure but requires no third-party binary.

HashiCorp Vault with AWS Auth Method

Centralized credential management, audit logging, and encryption at rest; requires Vault infrastructure and learning curve but suitable for large enterprises with strict compliance.

Software development agency

Build on aws-sso-cli with DEV.co software developers

AWS SSO CLI encrypts credentials on disk and simplifies multi-account IAM Identity Center workflows. Evaluate it for your organization or contact our team to discuss secure credential management strategies.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

aws-sso-cli FAQ

Does this work with AWS organizations without IAM Identity Center?
No. AWS SSO CLI explicitly requires AWS IAM Identity Center (formerly AWS Single Sign-On). Organizations using SAML-based SSO or static IAM user credentials need alternatives.
Are credentials stored in plaintext?
No. Credentials (SSO ClientID/Secret, AccessToken, and profile credentials) are encrypted using the OS-level keyring (Keychain on macOS, Secret Service on Linux, etc.) via the 99designs/keyring library, unlike the standard AWS CLI.
Can I use this in CI/CD pipelines?
Partially. Interactive role selection works for local development. For unattended CI/CD, you would need to pre-configure a specific profile and ensure the keyring is accessible in the pipeline environment—not all CI/CD platforms support this easily.
What if I modify the source code? Do I have to release it?
Yes. GPL-3.0 requires any derivative work to be released under the same license with source code available. Using the unmodified binary has no such obligation.

Work with a software development agency

DEV.co helps companies turn open-source tools like aws-sso-cli into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Ready to Secure Your AWS Credentials?

AWS SSO CLI encrypts credentials on disk and simplifies multi-account IAM Identity Center workflows. Evaluate it for your organization or contact our team to discuss secure credential management strategies.