IAM Identity Center (AWS SSO) allows users to sign in once and access AWS resources, such as Amazon S3, across multiple AWS accounts.
With S3 Browser, you can connect to Amazon S3 with IAM Identity Center credentials without entering long-term access keys. The account stores the SSO connection details and uses browser authorization when a new SSO token is required.
This page describes S3 Browser's built-in SSO authorization flow. If you use AWS CLI session-based IAM Identity Center profiles with sso_session in %USERPROFILE%\.aws\config, configure the account as Amazon S3 (Credentials from AWS Config or Credential file).
SSO Token Cache
After successful browser authorization, S3 Browser stores the SSO token in the AWS CLI-compatible cache directory: %USERPROFILE%\.aws\sso\cache.
When the same Start URL and SSO Region are used again, S3 Browser reuses the cached token and opens the account without another browser authorization prompt. If the cached token is close to expiration and can be refreshed, S3 Browser refreshes it in the background.
The browser authorization prompt is shown again only when the cache is missing, expired, or cannot be refreshed. S3 Browser writes the legacy Start URL cache file and does not modify AWS CLI sso_session cache files.
How to Add the Account
1. Start S3 Browser and click Accounts -> Add New Account.
Click Accounts -> Add New Account
The Add New Account dialog will open:
New Amazon S3 via AWS SSO account dialog.
2. Choose Amazon S3 via SSO as the account type.
3. Enter the SSO account details:
Start URL - the URL that points to your organization's IAM Identity Center user portal.
SSO Region - the AWS Region that contains the IAM Identity Center portal host.
Account ID - the AWS account ID that contains the IAM role you want to use.
Role name - the name of the IAM role that defines the user's permissions.
4. Click Add new account.
You can now choose the newly added account from the Accounts menu:
Click Accounts -> Account Name to switch between accounts.
Advanced Account Settings
You may also configure additional settings when adding a new account or editing an existing account.
To open advanced account settings, click the advanced settings link located at the bottom-left corner of the dialog.
The Advanced Account Settings dialog will open:
Advanced account settings
You may configure the following settings here:
Enable Dual-Stack Endpoints (IPv4/IPv6) - When checked, S3 Browser will use dual-stack endpoints to access storage, allowing connections over both IPv4 and IPv6. This improves compatibility with networks that support IPv6.
List All My Buckets When Account Assigned - When checked, S3 Browser will perform the s3:ListAllMyBuckets call when the account is assigned. If the account does not have permission to list all buckets, you can uncheck this option to avoid failed tasks and warnings in the log.
Check CloudFront Distributions When Account Assigned - When checked, S3 Browser will perform the cloudfront:ListDistributions call when the account is assigned, allowing it to set a special icon for buckets used as origins for CloudFront distributions. If the account does not have permission to list CloudFront distributions, you can uncheck this option to avoid failed tasks and warnings in the log.
External Buckets - You can edit the external buckets associated with the account. Each bucket should be listed on a new line. Optional paths are also supported, with a slash used as the delimiter (e.g., my-bucket/and/optional/path).
"Amazon Web Services", "AWS", "Amazon S3", "Amazon Simple Storage Service", "Amazon CloudFront", "CloudFront", the "Powered by Amazon Web Services" logo are trademarks of Amazon.com, Inc. or its affiliates in the US and/or other countries.
