Easy!
Is this even a thing? There are a gazillion docs on the internet for how to do this. If you have a Mac (don't you?), you just brew install awscli and boom, the latest AWS CLI 2 is there. Then you run aws configure, drop in the access key and secret key for your IAM user, and you're done. This writes ~/.aws/credentials and you're off to the races. If you name the profile [default], you can just type aws s3 ls and it will work, nothing to it.
Without Identity Center
Identity Center (née SSO) is relatively new (but already renamed...go figure, especially since countless other services should be renamed but aren't), so it stands to reason that many (many) orgs have not yet migrated to it. But they will, once they realize how much easier it makes everything about managing AWS access. Anyway, say the org doesn't have it. So how do they do it?
- A Single SSO Role - Sometimes an org creates a jump account: you authenticate only to that one account, and from there your role can jump to any other account via AWS's native cross-account role assumption ("Switch Role" in the Management Console, with the little color-coding thing). In this case, they have probably created an IAM user (with an access key pair) or an IAM role (with a trust policy) so that the IdP can scan the account, find roles, and generate a session for the roles it finds. There may even be an External ID on the trust policy for further security. Once you have authenticated, you can just switch role. People will quickly hate this, because the roles you switch to are hard-coded to last only one hour (60 minutes). You can configure the CLI here fairly easily with any number of tools (aws-vault, saml2aws, whatever). This writes the credentials into ~/.aws/credentials as [default], and then you can use ~/.aws/config to define more roles to bounce over to, using that [default] as the starting point.
- Many Roles - Now we are cooking. The IdP knows all the roles you can have, scans all of them, and you choose which role you want to use. This works fairly well. You authenticate once, and then you can bounce between roles by maintaining a bunch of profiles or by resetting what [default] means as you move between accounts. I find it terribly annoying to keep adding --profile to every call, although many people think this is safer and smarter. I have historically used saml2aws, defined all the account-role-region combos I have access to, and then written aliases to jump between them. So jtest would log me into the Administrator role in the test account in us-east-1, and jprodw is for Administrator in the prod account in us-west-2 (we did not use us-west-1, so it was unambiguous).
New Hotness
Now that you have Identity Center, all of that stuff doesn't work (or doesn't work well). So how do you do it? First, you need V2 of the AWS CLI. It's been 3 or 4 years now, so it's time to grow up and move on. The only thing you have to fix is your docker logins; the rest is probably working just fine. Next, you'll need Identity Center configured and bound to your IdP. For me, I followed the JumpCloud steps to create the AWS Identity Center integration and the AWS directions to set up Identity Center in my AWS organization. This leaves you with two pieces of data that you'll need - the AWS SSO start URL, which for me is something like https://d-123abc123.awsapps.com/start, and the JumpCloud SSO app URL, which for most of you will be https://sso.jumpcloud.com/saml2/aws-sso.
Now run aws configure sso and fill in the session name (anything, I just write awscli), the AWS SSO start URL, the region, and the default scope sso:account:access. This triggers a login (it pops a browser, or gives you a URL and a code): you log in to JumpCloud, which logs in to Identity Center, which authorizes the CLI. When your session expires, run aws sso login again to get a new token; typically that is the only time you need to. Some organizations might want you to MFA when you move between roles, whenever a role assumption occurs, so that might require a call to aws sso login once per role.
Next, make sure you have Python configured (when you ran brew install awscli you got Python for free), then pip install pipx and use it to install aws-sso-util by Ben Kehoe, available here. Now run aws-sso-util configure populate, then edit your ~/.aws/config to adjust the profile names to your liking (be careful not to clobber the sso_role_name parameter if you do a find and replace). My accounts are well-named, but my role is AdministratorAccess and I wanted to replace that with just A (in case I have RO later or something), and I did not pay close enough attention to that sso_role_name parameter. Make sure to name one [profile default]; for the rest you will add --profile Acct.A, or whatever you picked, to use the CLI.
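The find-and-replace trap above, as an added example (not from the original post or from aws-sso-util): a naive replace of AdministratorAccess rewrites the sso_role_name lines too and every profile stops working, while restricting the replace to the [profile ...] headers leaves them intact. The config below is a constructed sample of the populate output, with made-up account ids.

```sh
#!/bin/sh
# Constructed sample of what `aws-sso-util configure populate` writes to ~/.aws/config.
SAMPLE_CONFIG='[sso-session awscli]
sso_start_url = https://d-123abc123.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile test.AdministratorAccess]
sso_session = awscli
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-east-1

[profile prod.AdministratorAccess]
sso_session = awscli
sso_account_id = 222222222222
sso_role_name = AdministratorAccess
region = us-west-2
'

# naive_rename OLD NEW: global find-and-replace on stdin. This is the mistake:
# it also rewrites "sso_role_name = OLD", so the role no longer exists.
naive_rename() {
    sed -e "s/$1/$2/"
}

# rename_profiles OLD NEW: replace only inside "[profile ...]" header lines,
# so sso_role_name (and everything else) is left exactly as generated.
rename_profiles() {
    sed -e "/^\[profile /s/$1/$2/"
}

# list_profiles: print the profile names found in the config on stdin.
list_profiles() {
    sed -n 's/^\[profile \(.*\)\]$/\1/p'
}

# count_role_lines ROLE: how many profiles still point at ROLE (0 means broken).
count_role_lines() {
    grep -c "^sso_role_name = $1\$"
}

# Demonstration: the safe rename keeps both role lines, the naive one keeps none.
safe=$(printf '%s' "$SAMPLE_CONFIG" | rename_profiles AdministratorAccess A)
printf '%s\n' "$safe" | list_profiles
printf 'role lines left after safe rename: %s\n' "$(printf '%s\n' "$safe" | count_role_lines AdministratorAccess)"
broken=$(printf '%s' "$SAMPLE_CONFIG" | naive_rename AdministratorAccess A)
printf 'role lines left after naive rename: %s\n' "$(printf '%s\n' "$broken" | count_role_lines AdministratorAccess || true)"
```

After the safe rename you use the profiles as --profile test.A and --profile prod.A, and a quick `grep -c sso_role_name` against your real config should return the same count before and after any edit.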