Add --use-device-code as an option in config #9098

Open
2 tasks
anthonyma94 opened this issue Nov 22, 2024 · 6 comments
Labels
feature-request A feature should be added or improved. p2 This is a standard priority issue sso

Comments

@anthonyma94

anthonyma94 commented Nov 22, 2024

Describe the feature

In order to use aws sso login on non-local computers, you have to pass in --use-device-code. This should be an option as users who need to use the option will presumably always need to. Adding an option in the config as a convenience will be helpful.

Use Case

Having to always add the flag when logging in is annoying.

Proposed Solution

Add a login type in config:

[sso-session default]
...
login_type = device | pkce

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

2.22.2

Environment details (OS name and version, etc.)

Ubuntu 24.04

@anthonyma94 anthonyma94 added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 22, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this Nov 22, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK added sso p2 This is a standard priority issue needs-review This issue or pull request needs review from a core team member. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 22, 2024
@ashovlin
Member

We intentionally started with just --use-device-code. Our thinking was to shift usage to the newly recommended authorization code flow by requiring a more explicit intent to fall back rather than setting once.

But I understand that can be frequent on non-local computers. We'll gather interest via this issue for a profile option.

@RyanFitzSimmonsAK RyanFitzSimmonsAK removed the needs-review This issue or pull request needs review from a core team member. label Nov 25, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK removed their assignment Nov 26, 2024
@Dalzhim

Dalzhim commented Dec 5, 2024

I have just run into this issue. I have a workflow where aws-cli is part of a Docker container. The new PKCE-based Authorization flow doesn't work at all in that context. First: it can't open a browser from within the container. Second: when I copy the URL into my local browser, I then authorize the connection and I get redirected to an error page because whoever is listening for that redirect is not on the local machine. I need to start a new remote-shell, execute an additional bash process within the same container and curl the redirect URL so that the login flow can resume correctly. So overall, --use-device-code is unavoidable in this flow, and having it as part of the saved profile would help a lot.

@michaelbutleridt

michaelbutleridt commented Dec 11, 2024

In a related issue, it seems we cannot use --use-device-code when running aws configure sso which I was going to instruct users to run for the first time to set up their config. However, when running aws configure sso it assumes it will run in a same-device context, and has to use the 127.0.0.1 callback URL which will result in an error screen.

Please also support --use-device-code with aws configure sso wizard.

EDIT: fixed in later package version!

@Dalzhim

Dalzhim commented Dec 12, 2024

@michaelbutleridt: aws configure sso --use-device-code is working fine on my end, it might be an unrelated issue (using aws-cli/2.22.10 Python/3.12.6 Linux/6.8.0-47-generic exe/aarch64.ubuntu.22).

@ashovlin
Member

@Dalzhim - the Docker anecdote is helpful for prioritization, thanks for writing that up.

@michaelbutleridt - --use-device-code for aws configure sso wasn't working at launch (2.22.0), but should be working in 2.22.2 or greater now. Let us know your --version value if you're still seeing issues.

@michaelbutleridt

michaelbutleridt commented Dec 12, 2024

I have aws-cli/2.22.14 Python/3.12.6 Linux/6.8.0-1018-aws exe/x86_64.ubuntu.22 (Ubuntu 22.04 with awscli Snap package) and indeed it is working now. Thanks again!
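
A workaround for the container and remote-shell cases described in this thread, as an added example that is not part of the issue or of the AWS CLI: a shell wrapper that appends --use-device-code to aws sso login and aws configure sso only when an opt-in environment variable is set. The variable name AWS_SSO_USE_DEVICE_CODE and the function names are assumptions made for this example.

```shell
# Added example, not AWS CLI code. AWS_SSO_USE_DEVICE_CODE and the function
# names are hypothetical; only --use-device-code comes from the thread.

# Succeeds when the arguments contain "sso login" or "configure sso" as
# consecutive words, the two commands the thread reports as affected.
_is_sso_login() {
    _prev=""
    for _arg in "$@"; do
        case "$_prev $_arg" in
            "sso login" | "configure sso") return 0 ;;
        esac
        _prev=$_arg
    done
    return 1
}

# Prints --use-device-code when it should be appended, otherwise nothing.
sso_extra_flag() {
    # Opt-in per environment, so local machines keep the default flow.
    if [ "${AWS_SSO_USE_DEVICE_CODE:-0}" != "1" ]; then return 0; fi
    if ! _is_sso_login "$@"; then return 0; fi
    for _arg in "$@"; do
        # Respect a flag the caller already typed.
        if [ "$_arg" = "--use-device-code" ]; then return 0; fi
    done
    echo "--use-device-code"
}

# Wrapper: shadows the aws binary in this shell and forwards everything.
aws() {
    _extra=$(sso_extra_flag "$@")
    if [ -n "$_extra" ]; then
        command aws "$@" "$_extra"
    else
        command aws "$@"
    fi
}
```

Source it from the shell profile or the image's entrypoint, and set the variable only in environments that cannot receive the 127.0.0.1 redirect, so that local machines keep the authorization code flow.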
