-
Notifications
You must be signed in to change notification settings - Fork 584
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for credentials via AWS SSO #1158
Comments
This is very much needed! I made a hacky script that figures out the current CLI session from .aws/cli/cache and sets the environment variables automatically, but I shouldn't need to do that. Here's the script in case anyone needs the workaround: #!/usr/bin/env bash
# Set strict mode if inside a script.
if [ -n "${BASH_SOURCE[0]:-}" ]; then
set -euo pipefail
fi
echo "Loading temporary access credentials for AWS profile ${AWS_PROFILE:-default}..."
# Figure out temporary credentials.
SSO_ROLE=$(aws sts get-caller-identity --query=Arn | cut -d'_' -f 2)
SSO_ACCOUNT=$(aws sts get-caller-identity --query=Account --output text)
SESSION_FILE=$(find ~/.aws/sso/cache -type f -regex ".*/cache/[a-z0-9]*.json" | head -n 1)
SSO_ACCESS_TOKEN=$(jq -r '.accessToken' "$SESSION_FILE")
CREDENTIALS=$(aws sso get-role-credentials --role-name="$SSO_ROLE" --account-id="$SSO_ACCOUNT" --access-token="$SSO_ACCESS_TOKEN")
# Export temporary credentials
AWS_ACCESS_KEY_ID=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.accessKeyId')
AWS_SECRET_ACCESS_KEY=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.secretAccessKey')
AWS_SESSION_TOKEN=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.sessionToken')
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN
echo "AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID"
echo "AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY:0:10}..."
echo "AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN:0:20}..." Usage: export AWS_PROFILE=your-sso-profile
source set-aws-sso-credentials.sh |
I made a tool that uses the |
Another workaround for bash and zsh shells. Add this to your ~/.bashrc or ~/.zshrc. Usage: function awscreds() {
export AWS_PAGER=""
aws sts get-caller-identity --profile $1 || aws sso login --profile $1
FILE=~/.aws/cli/cache/$(ls -t ~/.aws/cli/cache | head -n 1)
export AWS_ACCESS_KEY_ID="$(jq -r '.Credentials.AccessKeyId' $FILE)" AWS_SECRET_ACCESS_KEY="$(jq -r '.Credentials.SecretAccessKey' $FILE)" AWS_SESSION_TOKEN="$(jq -r '.Credentials.SessionToken' $FILE)"
} |
@monken I've also got
separately, your |
In case like this one or other similar cases where AWS SSO result in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give a try to our open-source project: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and accounts/roles retrieval then it creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third party tools / sdks. |
Is this accessible through npm yet? If not, can you re-open this and close it once a version has been released? |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread. |
Hi @benkehoe The SSO credential provider has been released to NPM since 3.7.0. Here's the documentation with example: https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/modules/_aws_sdk_credential_provider_sso.html |
Is your feature request related to a problem? Please describe.
The new AWS CLI v2 supports a profile configuration using SSO credentials.
This improves security as there are no longer any long-term credentials (access-key-id, secret-access-key) stored on the device.
Describe the solution you'd like
AWS SDK for Javascript (v3) should add support for SSO profiles in
~/.aws/config
.Describe alternatives you've considered
Current workaround is to copy & paste the credentials as environment variables provided by the AWS SSO sign-in page.
The text was updated successfully, but these errors were encountered: