AWS SSO

Refresh AWS SSO from VS Code so the CLI and your tools keep working. One click updates your credentials when the session expires.

Easiest way to use

1. Install the extension (from VSIX or Marketplace).
2. Set your profile once: Settings (⌘,) → search AWS SSO → set AWS SSO: Profile to your SSO profile (e.g. default).
3. Refresh when needed: Click the AWS SSO icon in the activity bar (left) → click Refresh SSO.
   Or: Command Palette (⌘⇧P) → AWS: Refresh Credentials.

Requirement: An SSO profile in ~/.aws/config and at least one successful aws sso login for that profile.

Sidebar: how SSO is configured (every step)

Open the AWS SSO view from the activity bar (left). The sidebar shows a Configured / Not configured badge and either Configure SSO or Refresh SSO.

First-time setup (sidebar shows “Not configured”)

1. Set profile: Settings (⌘,) → search AWS SSO → set AWS SSO: Profile to your profile name (e.g. default).
2. Open sidebar: Click the AWS SSO icon in the activity bar.
3. Start setup: Click Configure SSO.
4. SSO Start URL: When prompted, enter your SSO Start URL (e.g. https://my-sso-portal.awsapps.com/start).
5. SSO Region: When prompted, enter the region (e.g. us-east-1).
6. Browser login: A terminal opens and runs aws sso login. Complete the browser login when it opens.
7. Pick account: In VS Code, choose your AWS account from the list.
8. Pick role: Choose the role to use.
9. Done: The profile is saved to ~/.aws/config. The sidebar switches to Configured and shows Refresh SSO and your identity (account, role).

Refreshing credentials (sidebar shows “Configured”)

1. Open sidebar: Click the AWS SSO icon in the activity bar.
2. Refresh: Click Refresh SSO (or run AWS: Refresh Credentials from the Command Palette).
3. Login if asked: If the session expired, a terminal opens; complete the browser login.
4. Result: Credentials are written to ~/.aws/credentials. CLI, CDK, and other tools use them until they expire.

Other

• Identity: When configured, the sidebar shows Account and Role under “Identity”.
• Delete ~/.aws: The trash icon in the sidebar header opens a confirmation to delete your ~/.aws folder (config and credentials). Use only if you want to remove all local AWS config.

Commands & settings

• AWS: Refresh Credentials — refreshes SSO and writes credentials to your credentials file.
• AWS SSO: Profile — the profile name used for SSO (must exist in ~/.aws/config).

Credentials & privacy

• Credentials — The extension runs aws sso login and aws configure export-credentials locally. Short-term credentials are written only to your standard AWS credentials file (~/.aws/credentials or the path set by AWS_SHARED_CREDENTIALS_FILE). No credentials are stored inside the extension or sent anywhere.
• Config — Only the profile name you set in Settings is read. AWS config and credentials are read/written on your machine by the AWS CLI; the extension does not upload or transmit them.
• Privacy — No telemetry, no external calls, no data sent to any server. Everything runs locally (AWS CLI in a terminal, file writes to your AWS paths).