
AWS Settings

AWS Settings Window

Configure AWS credentials and Single Sign-On for AWS Session Manager tunnels.


Quick Setup

  1. Install AWS CLI - StormTunnel uses your existing AWS configuration
  2. Configure credentials - Run aws configure in Terminal
  3. Select profile - Choose your AWS profile in Settings
  4. Set region - Pick your default AWS region
  5. Ready - Create AWS Session Manager tunnels

Credentials

AWS Profile

Select which AWS profile to use from the dropdown. Profiles are loaded from ~/.aws/config and ~/.aws/credentials.

Supported profile types:

  • Standard credentials (Access Key + Secret Key)
  • Temporary credentials (with Session Token)
  • SSO profiles (Amazon SSO login)
  • Assume Role profiles (cross-account access)

Profile not listed?

Run aws configure in Terminal, then restart StormTunnel to refresh.

Credentials Status

Status | Meaning
✅ Connected | Credentials valid and ready
⏳ Checking | Validating credentials
❌ Invalid | Missing, expired, or incorrect

Region

Select your default AWS region for Session Manager tunnels. You can override this per-tunnel.

Instance not found?

Verify the instance is in the selected region and has SSM Agent running.


AWS Single Sign-On (SSO)

Use browser-based SSO authentication instead of storing access keys.

Setup

  1. Enable AWS SSO toggle
  2. Enter your SSO Start URL (e.g., https://your-org.awsapps.com/start)
  3. Select your SSO Region (usually us-east-1)
  4. Click Authenticate with SSO
  5. Sign in through browser

SSO Status

Status | Action
✅ Authenticated | Token valid, ready to use
⏳ Token Expiring Soon | Will refresh automatically
❌ Token Expired | Click "Re-authenticate"

Required Permissions

Your AWS user/role needs these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession",
                "ssm:TerminateSession",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}

Click Check Permissions to validate your access.
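
The policy above grants all three actions on "Resource": "*". The following Python check is an added example, not part of StormTunnel or the original page: it reports which of those actions a policy still allows on every resource, and runs against the page's policy and a constructed narrower one. The account ID, the TunnelAccess tag key and the choice of port-forwarding documents in the narrower policy are assumptions.

```python
from fnmatch import fnmatchcase

# Actions from the page's policy that can be limited to specific resources.
# ec2:DescribeInstances has no resource-level permissions, so "*" is expected for it.
SCOPABLE = ("ssm:StartSession", "ssm:TerminateSession")

def as_list(value):
    """IAM allows a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def unscoped_actions(policy):
    """Return the scopable actions a policy allows on Resource "*" with no Condition."""
    found = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        for pattern in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may contain wildcards (ssm:*).
            found.update(a for a in SCOPABLE
                         if fnmatchcase(a.lower(), pattern.lower()))
    return sorted(found)

# The policy shown on this page.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:StartSession", "ssm:TerminateSession", "ec2:DescribeInstances"],
    "Resource": "*"}]}

# Constructed, narrower policy. Account ID, tag key and document names are assumptions.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": "arn:aws:ec2:*:123456789012:instance/*",
     "Condition": {"StringEquals": {"ssm:resourceTag/TunnelAccess": "true"}}},
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": ["arn:aws:ssm:*::document/AWS-StartPortForwardingSession",
                  "arn:aws:ssm:*::document/AWS-StartPortForwardingSessionToRemoteHost"]},
    {"Effect": "Allow", "Action": "ssm:TerminateSession",
     "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}]}

if __name__ == "__main__":
    print("page policy:  ", unscoped_actions(PAGE_POLICY))
    print("scoped policy:", unscoped_actions(SCOPED_POLICY))
```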


Cross-Account Access

To access resources in other AWS accounts, create an assume role profile:

[profile cross-account]
role_arn = arn:aws:iam::987654321098:role/CrossAccountRole
source_profile = default

Select this profile in AWS Settings.


Troubleshooting

"Profile Not Found"

  1. Run aws configure in Terminal
  2. Verify ~/.aws/config exists
  3. Restart StormTunnel

"Invalid Credentials"

  1. Check if access key expired
  2. Verify IAM user is active
  3. Contact AWS admin for new credentials

"Permission Denied"

  1. Verify IAM policy includes ssm:StartSession
  2. Check EC2 instance has SSM Agent running
  3. Verify instance IAM role includes AmazonSSMManagedInstanceCore

"Instance Not Found"

  1. Check selected region matches instance location
  2. Verify SSM Agent is running on instance
  3. Check instance has proper IAM role

Security

  • Credentials stored: In standard AWS locations (~/.aws/)
  • SSO tokens: Stored in macOS Keychain (encrypted)
  • Never logged: Credentials are never written to logs
  • Never transmitted: Only sent to AWS APIs