Generating Temporary Credentials from SSO Credentials File

AWS persistence technique

Overview

This is a really neat post detailing how threat actors can gain credentials from an AWS SSO credentials file.

AWS SSO files

To authenticate via SSO (AWS Identity Center) on the command line, a few steps are required:

This will redirect you to the AWS Console to authenticate

aws configure sso

SSO session name (Recommended): my-sso-connection
SSO start URL [None]: <AWS access portal URL>
SSO region [None]: <region-of-aws-identity-center>
SSO registration scopes [sso:account:access]: <hit-enter>

Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open, open the following URL:

https://oidc.us-east-1.amazonaws.com/authorize?response_type=code&client_id=IgPwONL[SNIP]

Then you'll be prompted to choose the account to access (assuming you can access more than one)

There are 2 AWS accounts available to you.
> Account A, [email protected] (111111111111)         
  Account B, [email protected] (222222222222)

Then you'll choose the permission set (assuming you have access to more than one) or if not, it'll default you to the only permission set you have access to

Using the account ID 111111111111
The only role available to you is: Billing
Using the role name "Billing"
Default client Region [us-east-1]:
CLI default output format (json if not specified) [json]:
Profile name [Billing-111111111111]:
To use this profile, specify the profile name using --profile, as shown:

aws sts get-caller-identity --profile Billing-111111111111

Then this info will be added to ~/.aws/config

[profile Billing-111111111111]
sso_session = my-sso-connection
sso_account_id = 111111111111
sso_role_name = Billing
region = us-east-1
output = json
[sso-session my-sso-connection]
sso_start_url = https://d-[REDACTED].awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

And two files will be added to ~/.aws/sso/cache
The one we want contains this info

{
    "startUrl": "https://d-[REDACTED].awsapps.com/start",
    "region": "us-east-1",
    "accessToken": "aoaAA[REDACTED]",
    "expiresAt": "2025-11-10T00:03:54Z",
    "clientId": "t7o[REDACTED]",
    "clientSecret": "eyJra[REDACTED]",
    "registrationExpiresAt": "2026-02-07T23:02:29Z",
    "refreshToken": "aorAA[REDACTED]"
}

Getting STS Credentials

We can't directly use the credentials found in the file above but we can leverage the refresh token to generate some new ones from the AWS STS service as long as the token is still valid.

Grab the info from ~/.aws/config and ~/.aws/sso/cache/<file>.json and add to the command below:

aws sso get-role-credentials \
--account-id 111111111111 \
--role-name Billing \
--access-token aoaAA[REDACTED]

{
    "roleCredentials": {
        "accessKeyId": "ASIA[REDACTED]",
        "secretAccessKey": "TPif[REDACTED]",
        "sessionToken": "IQoJ[REDACTED]",
        "expiration": 1762735200000
    }
}

We can setup those new credentials with aws --profile billing-sso configure
The credentials will last as long as is configured in AWS Identity Center under "User interactive sessions" e.g., (15 min - 90 days).

aws --profile billing-sso sts get-caller-identity 

{
    "UserId": "AROA[REDACTED]:hpotter",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_Billing_[REDACTED]/hpotter"
}

PreviousGenerating Temporary AWS Credentials from IAM User NextAWS Privilege Escalation

Last updated 1 month ago

Was this helpful?