aws-sso-creds
aws-sso-creds is a helper utility to retrieve temporary credentials when using AWS SSO
About
If you're using AWS SSO, you're able to set up your AWS profile like so:
[profile sso-profile]
output = json
region = us-west-2
sso_account_id = <my-account-id>
sso_region = us-west-2
sso_role_name = <role-to-assume>
sso_start_url = <special-sso-url>
This is great, because it means you're able to login very easily using aws sso login from the AWS CLI
This retrieves a set of cached credentials, which are saved into ~/.aws/sso/cache and you can now use the AWS CLI with those credentials.
However
Unfortunately, the AWS SDK's in nearly every language currently do not support these credentials. In this case, you can retrieve temporary credentials that look like the AWS credentials you're used to:
AWS_ACCESS_KEY_ID=<key>
AWS_SECRET_ACCESS_KEY=<key>
AWS_SESSION_TOKEN=<key>
However, it's really quite annoying to have to login to the URL and grab these tokens manually. The AWS CLI has support for retrieving them, but you have to run:
aws sso get-role-credentials --role-name <SOME_ROLE_I_CANNOT_REMEMBER> --account-id <WHATS_MY_ACCOUNT_ID_AGAIN?> --access-token <I_HAVE_TO_LOOK_THIS_UP_IN_A_FILE_WHERE?>This simple utility is designed to take the pain out of this process. It can:
- Grab you a set of credentials to copy and paste for a specific account/profile (If you're so inclinded)
- Generate an
evalcompatible output to ease the process of grabbing these credentials - List the accounts and roles you have access to for ease of management
Usage
Get credentials
If you just want to retrieve a set of credentials for your AWS SSO based profile, just run aws-sso-creds get:
$ aws-sso-creds get
Your temporary credentials for account <foo> are:
AWS_ACCESS_KEY_ID <KEY>
AWS_SECRET_ACCESS_KEY <ACCESS_KEY>
AWS_SESSION_TOKEN <A_LONG_SESSION_TOKEN>
These credentials will expire at: Mon Oct 31 16:03:20 PST 52495 aws-sso-creds will automatically use the AWS_PROFILE environment variable you have set. You can also specify a profile with aws-sso-creds --profile
Populate your shell with vars
If you want to just get going without any copying and pasting, use eval with aws-sso-creds export
eval $(aws-sso-creds export)This command generates output in the form of export variables:
$ aws-sso-creds export
export AWS_ACCESS_KEY_ID=<KEY>
export AWS_SECRET_ACCESS_KEY=<SECRET_KEY>
export AWS_SESSION_TOKEN=<SESSION_TOKEN>List accounts
You can also list the accounts you have available within AWS SSO:
$ aws-sso-creds list accounts
ID NAME EMAIL ADDRESS
<id> dev-sandbox [email protected]
<id> -ci [email protected]List account roles
You can list the roles available in an account like so:
$ aws-sso-creds list roles <account-id>
NOTE: currently this tool doesn't support multiple roles when getting credentials, if this is necessary, please file a feature request
Installation
This is a compiled go binary, so just put it in your $PATH.
If you're on os x make sure to then run xattr -d com.apple.quarantine /path/to/aws-sso-creds to allow it to run.
Homebrew
A tap is provided to install via homebrew:
brew tap jaxxstorm/tap
brew install aws-sso-credsNix
nixpkgs includes a recipe for aws-sso-creds.
- If flakes are enabled:
nix profile install nixpkgs#aws-sso-creds - Otherwise:
nix-env --install --attr aws-sso-creds