AWS CLI Access

This guide explains how to obtain temporary command-line credentials from the AWS SSO portal so you can use the AWS CLI on your local machine.

Before You Begin

You will need:

• The AWS CLI installed on your machine (version 2 or later)
• Your Synderys username, password, and MFA device
• Membership in at least one AWS access group

Getting Temporary Credentials

Option 1: Copy Credentials from the SSO Portal

This method gives you short-lived credentials you can paste into your terminal or credentials file.

1. Open your web browser and navigate to https://aws.synderys.com.

2. Sign in with your Synderys credentials and complete the MFA challenge.

3. Click on the account name to expand it.

4. Click Command line or programmatic access next to the role you want to use.

5. A panel will appear with temporary credentials. Choose one of the displayed options:

   Environment VariablesCredentials File

   Copy the block of environment variable exports and paste them into your terminal. This sets the credentials for your current terminal session only.

   Copy the profile block and paste it into your ~/.aws/credentials file. This persists until the credentials expire.

6. Your credentials are now active. Run any AWS CLI command as usual.

What to expect

Temporary credentials expire after 4 hours. When they expire, repeat the steps above to obtain fresh credentials. You will see an "ExpiredToken" error when your credentials have expired.

Option 2: Configure SSO Login (Recommended)

This method configures your AWS CLI to authenticate through the SSO portal directly, so you do not need to copy and paste credentials.

1. Open your terminal and run:

   aws configure sso
   

2. When prompted, enter the following values:

   • SSO session name: synderys
   • SSO start URL: https://aws.synderys.com
   • SSO region: us-east-1
   • SSO registration scopes: press Enter to accept the default

3. A browser window will open. Sign in with your Synderys credentials and authorize the CLI.

4. Back in the terminal, select your account and role from the list.

5. Enter a profile name when prompted (for example, synderys-readonly or synderys-dns).

6. Your profile is now configured. You only need to do this once per role.

Daily Use After Setup

Once your profile is configured, sign in each day with:

aws sso login --profile your-profile-name

A browser window will open for authentication. After signing in, your CLI session is active for 4 hours. Use the --profile flag with every command:

aws s3 ls --profile your-profile-name

Multiple Profiles

If you have access to multiple roles, run aws configure sso once for each role. Use descriptive profile names to keep them organized — for example, synderys-readonly, synderys-dns, or synderys-security.

Troubleshooting FAQ

Q: I see "ExpiredToken" or "The SSO session has expired" errors. : Your credentials have expired after 4 hours. Run aws sso login --profile your-profile-name again to refresh them.

Q: The browser does not open when I run aws sso login. : Copy the URL displayed in the terminal and open it manually in your browser. Complete the sign-in process there, then return to the terminal.

Q: I get "Error when retrieving token from SSO" after signing in. : Your SSO session configuration may be outdated. Run aws configure sso again to reconfigure the profile.

Q: Which profile should I use? : Use the profile that matches the account and role you need. If you are unsure, check Available Roles to understand what each role grants.

Q: Can I use these credentials in scripts or automation? : Temporary SSO credentials work in scripts, but they expire after 4 hours. For long-running automation, contact IT to discuss service account options.