# Generating Temporary Credentials from SSO Credentials File

## Overview

This is a [really neat post](https://redcanary.com/blog/threat-detection/aws-sso-access-tokens/) detailing how threat actors can gain credentials from an AWS SSO credentials file.

***

### AWS SSO files

To authenticate via SSO (AWS Identity Center) on the command line, a few steps are required:

* Run `aws configure sso`; this will redirect you to the AWS Console to authenticate

{% code overflow="wrap" %}

```bash
aws configure sso

SSO session name (Recommended): my-sso-connection
SSO start URL [None]: <AWS access portal URL>
SSO region [None]: <region-of-aws-identity-center>
SSO registration scopes [sso:account:access]: <hit-enter>

Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open, open the following URL:

https://oidc.us-east-1.amazonaws.com/authorize?response_type=code&client_id=IgPwONL[SNIP]
```

{% endcode %}

* Then you'll be prompted to choose the account to access (assuming you can access more than one)

```bash
There are 2 AWS accounts available to you.
> Account A, email@domain.com (111111111111)
  Account B, email@domain.com (222222222222)
```

* Then you'll choose the permission set (assuming you have access to more than one); if you only have one, it is selected automatically

{% code overflow="wrap" %}

```bash
Using the account ID 111111111111
The only role available to you is: Billing
Using the role name "Billing"
Default client Region [us-east-1]:
CLI default output format (json if not specified) [json]:
Profile name [Billing-111111111111]:
To use this profile, specify the profile name using --profile, as shown:

aws sts get-caller-identity --profile Billing-111111111111
```

{% endcode %}

* Then this info will be added to `~/.aws/config`

{% code overflow="wrap" %}

```bash
[profile Billing-111111111111]
sso_session = my-sso-connection
sso_account_id = 111111111111
sso_role_name = Billing
region = us-east-1
output = json
[sso-session my-sso-connection]
sso_start_url = https://d-[REDACTED].awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
```

{% endcode %}

* Two files will also be added to `~/.aws/sso/cache`
* The one of interest contains this info

{% code overflow="wrap" %}

```bash
{
    "startUrl": "https://d-[REDACTED].awsapps.com/start",
    "region": "us-east-1",
    "accessToken": "aoaAA[REDACTED]",
    "expiresAt": "2025-11-10T00:03:54Z",
    "clientId": "t7o[REDACTED]",
    "clientSecret": "eyJra[REDACTED]",
    "registrationExpiresAt": "2026-02-07T23:02:29Z",
    "refreshToken": "aorAA[REDACTED]"
}
```

{% endcode %}
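As an added example (not from the Red Canary post or the original page), the following audit script walks the cache directory, parses the fields shown above, and reports which cached tokens are still usable and whether the files are readable by other users, so stale sessions can be cleaned up with `aws sso logout`. The cache directory path and the constructed sample data in the test are assumptions.

```python
#!/usr/bin/env python3
"""Audit ~/.aws/sso/cache for cached Identity Center tokens that are still usable.

Each JSON file in the cache directory is parsed; for every file holding an
accessToken we report whether the token (expiresAt) and the client registration
(registrationExpiresAt) are still valid and whether the file is group/world readable.
"""
import json
import os
from datetime import datetime, timezone
from pathlib import Path


def parse_aws_ts(value):
    """Parse the ISO-8601 'Z' timestamps the CLI writes, e.g. 2025-11-10T00:03:54Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_cache_file(path, now=None):
    """Return a finding dict for one cache file, or None if it holds no access token."""
    now = now or datetime.now(timezone.utc)
    data = json.loads(Path(path).read_text())
    if "accessToken" not in data:
        return None  # the other cache file only holds the client registration
    token_exp = parse_aws_ts(data["expiresAt"])
    reg_exp = parse_aws_ts(data["registrationExpiresAt"]) if "registrationExpiresAt" in data else None
    # Any group/other permission bits mean another local user could read the token
    loose_bits = Path(path).stat().st_mode & 0o077
    return {
        "file": str(path),
        "start_url": data.get("startUrl"),
        "token_valid": token_exp > now,
        "token_seconds_left": max(0, int((token_exp - now).total_seconds())),
        "has_refresh_token": "refreshToken" in data,
        "registration_valid": bool(reg_exp and reg_exp > now),
        "group_or_world_readable": loose_bits != 0,
    }


def audit_cache_dir(cache_dir=Path.home() / ".aws" / "sso" / "cache", now=None):
    """Audit every *.json file in the cache directory; returns a list of findings."""
    findings = [audit_cache_file(p, now) for p in sorted(Path(cache_dir).glob("*.json"))]
    return [f for f in findings if f]


if __name__ == "__main__":
    for finding in audit_cache_dir():
        print(json.dumps(finding, indent=2))
```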

***

### Getting STS Credentials

We can't use the values in the file above as AWS credentials directly, but the cached `accessToken` can be passed to `aws sso get-role-credentials` to obtain temporary STS credentials for any permission set it grants, as long as the token has not expired (`expiresAt`).

* Grab the account ID and role name from `~/.aws/config` and the `accessToken` from `~/.aws/sso/cache/<file>.json`, and plug them into the command below:

{% code overflow="wrap" %}

```bash
aws sso get-role-credentials \
--account-id 111111111111 \
--role-name Billing \
--access-token aoaAA[REDACTED]

{
    "roleCredentials": {
        "accessKeyId": "ASIA[REDACTED]",
        "secretAccessKey": "TPif[REDACTED]",
        "sessionToken": "IQoJ[REDACTED]",
        "expiration": 1762735200000
    }
}
```

{% endcode %}

* We can set up those new credentials as a profile with `aws --profile billing-sso configure`
* The credentials will last as long as is configured in AWS Identity Center under "User interactive sessions" (e.g., 15 minutes to 90 days).

```bash
aws --profile billing-sso sts get-caller-identity

{
    "UserId": "AROA[REDACTED]:hpotter",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_Billing_[REDACTED]/hpotter"
}
```
