Usage
Once at least one profile is configured, you use ck-prism primarily through ck-prism login and the regular AWS CLI.
Log In
ck-prism login --profile production
On success, ck-prism:
- Reuses the cached SSO token if it's still valid, otherwise refreshes it silently, or — as a last resort — opens your browser for a fresh SSO login.
- Exchanges the token for temporary AWS credentials for the profile's role.
- Writes the credentials to ~/.aws/credentials under the profile name, and the region/output to ~/.aws/config.
- Prints how long the credentials are valid for.
Example output:
Using production profile
Exchanging token for AWS credentials...
AWS credentials written to ~/.aws/credentials
Credentials expire in 11 hours 59 minutes
Log In Without --profile
ck-prism login
ck-prism picks a profile for you based on this order:
- If you have only one profile configured, it's used automatically.
- Otherwise, you are shown a fuzzy-search picker with your profiles. The profile you used last time is pre-selected so you can just press Enter.
Every successful login records the profile used as the new "last profile", so repeated ck-prism login calls with Enter stay on the same profile until you pick a different one.
Use the AWS CLI
Once credentials are written, use aws as normal:
aws s3 ls --profile production
aws ec2 describe-instances --profile production
Or set it once for the shell:
export AWS_PROFILE=production
aws s3 ls
SDKs (Boto3, the AWS SDK for Go, Terraform's AWS provider, etc.) pick up the same profile from ~/.aws/credentials.
When Credentials Expire
AWS credentials issued by ck-prism are short-lived (typically around 12 hours). When they expire, just run ck-prism login again:
ck-prism login --profile production
If your SSO token is still valid, no browser opens. If it isn't, ck-prism will refresh it silently when possible, or open the browser for a fresh SSO login.
Token Caching
ck-prism caches SSO tokens on disk so you rarely need to open the browser. Tokens are stored per Prism tenant, not per profile — which means profiles sharing the same Prism domain and tenant also share a single SSO session. Logging into one profile satisfies the others on the same tenant until the SSO session itself expires.
In practice:
- First ck-prism login on a given Prism tenant opens the browser.
- Subsequent ck-prism login calls for any profile on the same tenant reuse that session, even across different AWS accounts and roles.
- Profiles on a different Prism tenant have their own independent session.
List Configured Profiles
ck-prism profiles list
Prints each profile name on its own line.
Remove a Profile
ck-prism profiles remove # interactive picker + confirmation
ck-prism profiles remove staging -y # by name, skip confirmation
See Configuration → Remove a Profile for what gets cleaned up.
Automatic Credential Refresh
Instead of running ck-prism login manually before each AWS command, you can have the AWS CLI fetch credentials from ck-prism on demand. When enabled for a profile, credentials live only in the AWS CLI's memory for each invocation and are never written to ~/.aws/credentials.
This is offered by default during ck-prism configure. To toggle it later, use:
ck-prism profiles enable-credential-process production
ck-prism profiles disable-credential-process production
Enabling updates ~/.aws/config with the right credential_process line and removes any static credentials for that profile from ~/.aws/credentials (otherwise the static entry would shadow it). Disabling reverts the change.
To enable it for every existing profile at once — useful if you have been using ck-prism for a while without it — run:
ck-prism profiles migrate-credential-process
This also repairs profiles that were already marked as enabled but whose ~/.aws/config entry is missing or out of date.
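To check for the shadowing case described above, the following added example (not part of ck-prism or its documentation) lists profiles that set credential_process in ~/.aws/config but still have static keys in ~/.aws/credentials. The function name and the sample file contents are constructed for illustration, and the exact credential_process value ck-prism writes is an assumption.

```python
import configparser
from pathlib import Path

STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")

def _parse(text):
    # RawConfigParser: no "%" interpolation; strict=False tolerates duplicate sections.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(text)
    return parser

def shadowed_profiles(config_text, credentials_text):
    """Map profile name -> static key names that shadow its credential_process."""
    config, creds = _parse(config_text), _parse(credentials_text)
    findings = {}
    for section in config.sections():
        if not config.has_option(section, "credential_process"):
            continue
        # ~/.aws/config uses "[profile NAME]" (except "[default]");
        # ~/.aws/credentials uses the bare "[NAME]".
        name = section[8:].strip() if section.startswith("profile ") else section
        present = [k for k in STATIC_KEYS if creds.has_option(name, k)]
        if present:
            findings[name] = present
    return findings

# Constructed sample files; the credential_process value is an assumed form.
SAMPLE_CONFIG = """\
[profile production]
credential_process = ck-prism credential-process --profile production

[profile staging]
region = us-east-1
"""
SAMPLE_CREDENTIALS = """\
[production]
aws_access_key_id = EXAMPLE-KEY-ID
aws_secret_access_key = EXAMPLE-SECRET

[staging]
aws_access_key_id = EXAMPLE-KEY-ID
"""

if __name__ == "__main__":
    aws = Path.home() / ".aws"
    texts = [p.read_text() if p.exists() else "" for p in (aws / "config", aws / "credentials")]
    # Report key names only, never the secret values.
    for name, keys in shadowed_profiles(*texts).items():
        print(f"{name}: static {', '.join(keys)} shadow credential_process")
```

Run as a script, it reads the real files under ~/.aws and prints only profile and key names. A profile it reports is one where the AWS CLI would use the on-disk keys instead of calling ck-prism.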
With automatic refresh on:
# No ck-prism login needed — the AWS CLI asks ck-prism for credentials as it needs them.
aws s3 ls --profile production
terraform plan
Running ck-prism login --profile production on a credential-process-enabled profile is a no-op and will print a reminder that no login is needed.
Automatic refresh still needs a valid SSO session. The first time it runs in a new terminal session, or after the SSO token expires, ck-prism will try to open your browser. On headless machines (CI runners, SSH sessions without display forwarding), run ck-prism login --profile <name> interactively once to seed the token cache.
Shell Tab-Completion
ck-prism ships tab-completion for bash and zsh — press Tab after ck-prism to cycle through commands, subcommands, and configured profile names.
Completions are installed automatically the first time you run ck-prism configure. If you need to (re)install them manually, or force a specific shell:
ck-prism setup-completions
ck-prism setup-completions --shell zsh # force zsh even if the login shell is bash
Restart your terminal, or source the path printed by the command, to activate the new completions.
All Commands
| Command | What it does |
|---|---|
| ck-prism configure | Create a new profile via an interactive flow |
| ck-prism login [--profile <name>] | Fetch AWS credentials for a profile |
| ck-prism credential-process --profile <name> | Output AWS credentials as JSON (used by credential_process) |
| ck-prism profiles list | List configured profiles |
| ck-prism profiles remove [<name>] [-y] | Remove a profile and its cached state |
| ck-prism profiles enable-credential-process <name> | Turn on automatic credential refresh for a profile |
| ck-prism profiles disable-credential-process <name> | Turn off automatic credential refresh for a profile |
| ck-prism profiles migrate-credential-process | Enable (or repair) automatic refresh for every profile |
| ck-prism setup-completions [--shell bash\|zsh] | Install bash/zsh tab-completion |
| ck-prism help | Show help |
Next Steps
- Troubleshooting — Fix common issues.