[ aws . sso-oidc ]



Creates and returns an access token for the authorized client. The access token issued will be used to fetch short-term credentials for the assigned roles in the AWS account.

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.


--client-id <value>
--client-secret <value>
--grant-type <value>
--device-code <value>
[--code <value>]
[--refresh-token <value>]
[--scope <value>]
[--redirect-uri <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]


--client-id (string)

The unique identifier string for each client. This value should come from the persisted result of the RegisterClient API.

--client-secret (string)

A secret string generated for the client. This value should come from the persisted result of the RegisterClient API.

--grant-type (string)

Supports grant types for authorization code, refresh token, and device code request.

--device-code (string)

Used only when calling this API for the device code grant type. This short-term code is used to identify this authentication attempt. This should come from an in-memory reference to the result of the StartDeviceAuthorization API.

--code (string)

The authorization code received from the authorization service. This parameter is required to perform an authorization grant request to get access to a token.

--refresh-token (string)

The token used to obtain an access token in the event that the access token is invalid or expired. This token is not issued by the service.

--scope (list)

The list of scopes that is defined by the client. Upon authorization, this list is used to restrict permissions when granting an access token.



"string" "string" ...

--redirect-uri (string)

The location of the application that will receive the authorization code. Users authorize the service to send the request to this location.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.


accessToken -> (string)

An opaque token to access AWS SSO resources assigned to a user.

tokenType -> (string)

Used to notify the client that the returned token is an access token. The supported type is BearerToken .

expiresIn -> (integer)

Indicates the time in seconds when an access token will expire.

refreshToken -> (string)

A token that, if present, can be used to refresh a previously issued access token that might have expired.

idToken -> (string)

The identifier of the user that associated with the access token, if present.