Any way to get CLI credentials when using AWS SSO with a 3rd party SSO account?

For our internal AWS accounts we use the aws cli with the aws sso command to login and get session credentials. We also have a few other 3rd party AWS accounts configured in AWS SSO (or whatever it's been called this week).

Getting cli credentials for this 3rd party AWS account without creating an IAM user is a bit of an issue. Is this possible at all?

Tried:

• Using aws sso cli commands to get third party account credentials
• Using AWS CloudShell to call STS to get session credentials. This doesn't work because we're assuming a role to get to CloudShell, and you can't use session credentials to get another session credential.

After a lot of digging, I found it was possible to do this by using the aws sts assume-role-with-saml command.

1. First, you need to use a web browser to capture the SAML response from your IDP to the SP (AWS console in this case). You can do this with the developer tab. Make a note of the base64 encoded SAML response.

2. Make a note of the ARN for the role your SAML user assumes, and the identity provider ARN that the IDP references

3. Put it all together in the command line (Command below is for PowerShell)

aws sts assume-role-with-saml `
--role-arn # Paste the role ARN here `
--principal-arn # Paste the identity provider ARN here `
--saml-assertion # Paste your SAML response here

4. Extract the access key, secret access key and token from the response
5. To use the credentials:

$Env:AWS_ACCESS_KEY_ID="$AccessKeyHere"
$Env:AWS_SECRET_ACCESS_KEY="$SecretAccessKeyHere"
$Env:AWS_SESSION_TOKEN="$SessionTokenHere"

Hope that helps someone!