AWS SSO permission sets are a collection of policies that get attached to a managed IAM role in every account the permission set is provisioned to (that is, a principal — a user or group — is given that permission set in that account). While the IAM role has a complex name, with the prefix AWSReservedSSO, followed by the permission set name, followed by a random tag, each separated with an underscore, when the user is signing in, the “role name” they see is just the permission set name.

This means you want to create permission sets that apply to…

I’ve seen some confusion around the AWS CLI v2 command aws sso login. In particular, suppose you have an ~/.aws/config that looks like the following:

[profile AcctA-Role1]
sso_start_url =
sso_region = us-east-2
sso_account_id = 111122223333
sso_role_name = Role1
[profile AcctB-Role2]
sso_start_url =
sso_region = us-east-2
sso_account_id = 777788889999
sso_role_name = Role2
[profile AcctB-Role1]
sso_start_url =
sso_region = us-east-2
sso_account_id = 777788889999
sso_role_name = Role1

(if you’ve been putting this in ~/.aws/credentials, read my explainer about AWS config files)

I have seen people get the impression that if they want to use Role1 in account A (111122223333), they…

I decided to write down the helpful features and settings I’ve discovered in Zoom.

How to leave a meeting quickly

Everyone knows that awkward pause. “Bye!” followed by several seconds of figuring out where your mouse pointer is and landing it on the “Leave Meeting” button.

You can make this less painful by using the keyboard to leave meetings.

First, disable the “Ask me to confirm when I leave a meeting” option in the “General” tab of the desktop app settings. This will reduce your time to leave even when you’re using the mouse.

Recently, I ran a poll on twitter asking how people interacted with boto3, the AWS Python SDK (why is called boto3? See the end of the article for an appendix on this). What I wanted to know is how many people used boto3 sessions, and how many people use the module-level functions. I asked which style people use:

s3 = boto3.client('s3')
ddb = boto3.resource('dynamodb')


session = boto3.Session()
s3 = session.client('s3')
ddb = session.resource('dynamodb')

The split ended up being about 70% in favor of the first option. In this article I’ll share why most application and library code I write…

There are myriad APIs in AWS services that allow services to accept large and/or binary content from you. Zip files for your Lambda functions, images for Rekognition, CloudFormation templates, etc. All of them have one thing in common: that content has to be provided as an S3 object. I think this leaves a lot to be desired.

First, accounts do not come with an S3 bucket to use for this purpose. There’s no “default” bucket you can use. If you use the CloudFormation console, your uploaded template file gets whisked away to an AWS-owned bucket. …

Python dependency management is known to be bad. Over time, I’ve decided the only way I’m willing to live is to push my Python environment hygiene to the max. As I’ve recommended my setup to a lot of people, I figured I should write it up as a reference.


This is what I aim to accomplish in my Python setup. You don’t have to agree with these tenets, and if you don’t, feel free to ignore any of the advice that follows as it flows from them.

  • Never install anything in system python installs
  • Always use a virtualenv
  • virtualenvs are…

I see a lot of people who aren’t fully aware of the difference between ~/.aws/config and ~/.aws/credentials. While it is more or less fine to just use one or the other, I think it’s worth understanding their intended purpose. So here’s a short explainer.

The idea is that ~/.aws/config is the main file, where you create profiles with the region, output format, and non-sensitive setup, like a profile that assumes a role based on another profile, an AWS SSO-authenticated profile, or a credential process. It’s a file you can (and maybe should) commit to source control.

~/.aws/credentials, on the other…

InGraph is CloudFormation in Python syntax instead of YAML

TLDR; check out the project called InGraph

I’m on the record as preferring declarative infrastructure as code (IaC) to imperative versions, such as the AWS CDK. I believe that declarative IaC has a lower total cost of ownership (TCO).

But while I prefer declarative to imperative, imperative IaC enables something I consider much worse: infrastructure as imperative programs that generate declarative IaC documents. Almost all imperative IaC frameworks work this way. There are two aspects to this that I consider particularly damaging.

First, these programs are generally not enforced to be deterministic, and when it’s not enforced, people…

1. On the tablet, tap “Meet now”, the top item on the side bar.

2. In small text on the bottom, tap “Call H.323/SIP

3. Enter the Chime H.323 number:

CloudFormation should represent our desired infrastructure graphs in the way we want to build them

What’s AWS CloudFormation?

As Richard Boyd says, CloudFormation is not a cloud-side version of the AWS SDK. Rather, CloudFormation is an infrastructure-graph management service.

Ben Kehoe

Cloud Robotics Research Scientist at @iRobot

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store