Support for credentials via AWS SSO #1158

Closed
foxylion opened this issue May 8, 2020 · 8 comments · Fixed by #2055
Labels
feature-request New feature or enhancement. May require GitHub community feedback.

Comments

@foxylion

foxylion commented May 8, 2020

Is your feature request related to a problem? Please describe.
The new AWS CLI v2 supports a profile configuration using SSO credentials.
This improves security as there are no longer any long-term credentials (access-key-id, secret-access-key) stored on the device.

Describe the solution you'd like
AWS SDK for Javascript (v3) should add support for SSO profiles in ~/.aws/config.

Describe alternatives you've considered
Current workaround is to copy & paste the credentials as environment variables provided by the AWS SSO sign-in page.

@foxylion foxylion added the feature-request New feature or enhancement. May require GitHub community feedback. label May 8, 2020
@villelahdenvuo

villelahdenvuo commented Aug 3, 2020

This is very much needed! I made a hacky script that figures out the current CLI session from .aws/cli/cache and sets the environment variables automatically, but I shouldn't need to do that.

Here's the script in case anyone needs the workaround:

#!/usr/bin/env bash

# Strict mode only when executed as a script. When sourced (the intended usage,
# so the exports land in the calling shell) leave the caller's shell options alone;
# BASH_SOURCE[0] is set in both cases, so compare it against $0 instead.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
	set -euo pipefail
fi

echo "Loading temporary access credentials for AWS profile ${AWS_PROFILE:-default}..."

# Figure out temporary credentials: the permission-set name is the middle part of
# the assumed-role ARN (AWSReservedSSO_<RoleName>_<hash>), the account id comes
# from the same call.
SSO_ROLE=$(aws sts get-caller-identity --query=Arn --output text | cut -d'_' -f 2)
SSO_ACCOUNT=$(aws sts get-caller-identity --query=Account --output text)
# The cached SSO access token is a hex-named JSON file; the client-registration
# files in the same directory contain hyphens and so do not match this pattern.
SESSION_FILE=$(find ~/.aws/sso/cache -type f -regex ".*/cache/[a-z0-9]*\.json" | head -n 1)
SSO_ACCESS_TOKEN=$(jq -r '.accessToken' "$SESSION_FILE")
CREDENTIALS=$(aws sso get-role-credentials --role-name="$SSO_ROLE" --account-id="$SSO_ACCOUNT" --access-token="$SSO_ACCESS_TOKEN")

# Export temporary credentials
AWS_ACCESS_KEY_ID=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.accessKeyId')
AWS_SECRET_ACCESS_KEY=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.secretAccessKey')
AWS_SESSION_TOKEN=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.sessionToken')
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN

# Only the key id is printed in full; the secret and session token are truncated.
echo "AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID"
echo "AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY:0:10}..."
echo "AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN:0:20}..."

Usage:

export AWS_PROFILE=your-sso-profile
source set-aws-sso-credentials.sh

@benkehoe

I made a tool that uses the credential_process mechanism to add support to SDKs that don't support AWS SSO yet: aws-sso-util, which supports refreshing credentials so you don't run into credential expiration, etc.

@monken

monken commented Dec 30, 2020

Another workaround for bash and zsh shells. Add this to your ~/.bashrc or ~/.zshrc.

Usage: awscreds myprofile. This will export the credentials into the current terminal session, or trigger the sign-in process if the credentials expired.

function awscreds() {
    # Note: this export persists in the shell for later CLI commands as well.
    export AWS_PAGER=""
    # Only trigger the browser sign-in when the cached session no longer works.
    aws sts get-caller-identity --profile "$1" || aws sso login --profile "$1"
    # Assumes the most recently written cache file belongs to the profile just used.
    local FILE
    FILE=~/.aws/cli/cache/$(ls -t ~/.aws/cli/cache | head -n 1)

    export AWS_ACCESS_KEY_ID="$(jq -r '.Credentials.AccessKeyId' "$FILE")"
    export AWS_SECRET_ACCESS_KEY="$(jq -r '.Credentials.SecretAccessKey' "$FILE")"
    export AWS_SESSION_TOKEN="$(jq -r '.Credentials.SessionToken' "$FILE")"
}

@benkehoe

@monken I've also got aws-export-credentials to make the process of retrieving and injecting credentials simpler and more reliable. You'd do

function awscreds() {
    # Scope AWS_PAGER to these two commands only, rather than exporting it.
    AWS_PAGER="" aws sts get-caller-identity --profile "$1" || AWS_PAGER="" aws sso login --profile "$1"
    # --env prints one NAME=VALUE per line; the substitution is left unquoted so
    # word-splitting hands each line to export as its own argument.
    export $(aws-export-credentials --env --profile "$1")
}

Separately, your export AWS_PAGER="" would affect subsequent CLI commands, which I don't think is your intent.

@urz9999

urz9999 commented Jan 14, 2021

In cases like this one, or other similar cases where AWS SSO results in incompatibilities with your library and you don't want to play with workarounds or complicated fixes, maybe you can give our open-source project a try: https://github.com/Noovolari/leapp. It deals with AWS SSO authentication and account/role retrieval, then creates short-lived temporary credentials in .aws/credentials to maximize compatibility with third-party tools/SDKs.

@benkehoe

Is this accessible through npm yet? If not, can you re-open this and close it once a version has been released?

@github-actions

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 12, 2021
@AllanZhengYP
Contributor

Hi @benkehoe

The SSO credential provider has been released to NPM since version 3.7.0. Here's the documentation with an example: https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/modules/_aws_sdk_credential_provider_sso.html
