Skip to content

AWS credentials and SSO profiles

CloudPouch reads the same local configuration files the AWS CLI uses — ~/.aws/credentials and ~/.aws/config — so profiles built on static credentials, IAM Identity Center (SSO), or source_profile role chaining work with CloudPouch unchanged. Connecting to an AWS account usually means selecting a profile you already have, not creating anything new.

  • Static IAM credentials in ~/.aws/credentials (access key and secret key).
  • AWS IAM Identity Center (SSO) profiles in ~/.aws/config, including the shared sso-session format where several profiles reference one session block.
  • Role-chaining profiles that assume a role via source_profile in ~/.aws/config.

The shared sso-session format is the practical choice when you analyze multiple AWS accounts behind one Identity Center start URL — one browser login covers every profile that references the session:

[sso-session my-company]
sso_start_url = https://my-company.awsapps.com/start
sso_region = eu-west-1
[profile prod]
sso_session = my-company
sso_account_id = 111111111111
sso_role_name = ReadOnlyAccess
[profile dev]
sso_session = my-company
sso_account_id = 222222222222
sso_role_name = ReadOnlyAccess

When you select an SSO profile whose session has expired or was never started, CloudPouch launches the browser-based AWS SSO sign-in flow automatically. If the browser authentication is not completed or the session is invalid, CloudPouch shows an error rather than silently continuing to display cost data from the previously active profile — so what you see always belongs to the profile you selected.

Cost work usually spans accounts, so profile switching is a first-class action:

  • Press Cmd/Ctrl + K to open the quick AWS profile switcher (Search AWS profiles…).
  • Type to filter by profile name, move with Up/Down, select with Enter, close with Esc.
  • The switcher covers named profiles, SSO profiles, and role-chaining profiles alike.
  • Edited ~/.aws/config while CloudPouch was open? Use the profile reload option to pick up new profiles without restarting.

If ~/.aws/credentials has no default profile, CloudPouch shows a welcome screen instead of failing on startup.

  1. Configure the profile with the AWS CLI (aws configure or aws configure sso).
  2. Verify it can read the account you want to analyze — for example, aws sts get-caller-identity --profile prod.
  3. Open CloudPouch and select the profile.

The permissions attached to that profile are all CloudPouch gets — it needs read access only. See AWS read-only access for the model and AWS permissions for a ready-made policy.