Skip to main content

ck-prism CLI

ck-prism is a command-line tool that authenticates you with CloudKeeper Prism and writes temporary AWS credentials to ~/.aws/credentials. It replaces long-lived IAM access keys with short-lived, SSO-authenticated credentials — so you can run aws, Terraform, Boto3, or any other AWS tool against accounts you have access to in Prism, without managing static keys.

When to Use It

  • You need to run AWS CLI commands, SDKs, or infrastructure tools against AWS accounts federated through Prism.
  • You have access to one or more AWS roles via Prism and want them available as named AWS CLI profiles on your workstation.
  • You want credentials that expire automatically and refresh via SSO, instead of static access keys.

How It Works

  1. You run ck-prism configure once per AWS role you care about. Each run creates a profile stored in ~/.ck-prism/config.json and opens a browser for SSO login.
  2. Later, ck-prism login --profile <name> (or just ck-prism login) exchanges your SSO token for temporary AWS credentials and writes them to ~/.aws/credentials under the same profile name.
  3. You use aws, terraform, or any AWS SDK with --profile <name> (or AWS_PROFILE=<name>) as usual.

Tokens are cached on disk and refreshed silently, so most logins don't open a browser.

In This Section

  • Installation — Install ck-prism and verify it's on your PATH.
  • Configuration — Create and manage profiles with ck-prism configure, and enable automatic credential refresh.
  • Usage — Daily commands: login, profiles, credential-process, and shell tab-completion.
  • Troubleshooting — Common issues and how to fix them.

Prerequisites

  • A Prism account with at least one AWS role assigned to you.
  • Python 3.7 or later.
  • A desktop web browser for the SSO login step.
  • Optional but recommended: AWS CLI v2, so you can use the credentials ck-prism writes.