aws-sso-creds
is a helper utility to retrieve temporary credentials when using AWS SSO
If you're using AWS SSO, you're able to set up your AWS profile like so:
[profile sso-profile]
output = json
region = us-west-2
sso_account_id = <my-account-id>
sso_region = us-west-2
sso_role_name = <role-to-assume>
sso_start_url = <special-sso-url>
This is great, because it means you're able to login very easily using aws sso login
from the AWS CLI
This retrieves a set of cached credentials, which are saved into ~/.aws/sso/cache
and you can now use the AWS CLI with those credentials.
However
Unfortunately, the AWS SDK's in nearly every language currently do not support these credentials. In this case, you can retrieve temporary credentials that look like the AWS credentials you're used to:
AWS_ACCESS_KEY_ID=<key>
AWS_SECRET_ACCESS_KEY=<key>
AWS_SESSION_TOKEN=<key>
However, it's really quite annoying to have to login to the URL and grab these tokens manually. The AWS CLI has support for retrieving them, but you have to run:
aws sso get-role-credentials --role-name <SOME_ROLE_I_CANNOT_REMEMBER> --account-id <WHATS_MY_ACCOUNT_ID_AGAIN?> --access-token <I_HAVE_TO_LOOK_THIS_UP_IN_A_FILE_WHERE?>
This simple utility is designed to take the pain out of this process. It can:
- Grab you a set of credentials to copy and paste for a specific account/profile (If you're so inclinded)
- Generate an
eval
compatible output to ease the process of grabbing these credentials - List the accounts and roles you have access to for ease of management
If you just want to retrieve a set of credentials for your AWS SSO based profile, just run aws-sso-creds get
:
$ aws-sso-creds get
Your temporary credentials for account <foo> are:
AWS_ACCESS_KEY_ID <KEY>
AWS_SECRET_ACCESS_KEY <ACCESS_KEY>
AWS_SESSION_TOKEN <A_LONG_SESSION_TOKEN>
These credentials will expire at: Mon Oct 31 16:03:20 PST 52495
aws-sso-creds
will automatically use the AWS_PROFILE
environment variable you have set. You can also specify a profile with aws-sso-creds --profile
If you want to just get going without any copying and pasting, use eval with aws-sso-creds export
eval $(aws-sso-creds export)
This command generates output in the form of export
variables:
$ aws-sso-creds export
export AWS_ACCESS_KEY_ID=<KEY>
export AWS_SECRET_ACCESS_KEY=<SECRET_KEY>
export AWS_SESSION_TOKEN=<SESSION_TOKEN>
If you're using PowerShell, you can use export-ps
to generate PowerShell assignments, instead.
> aws-sso-creds export-ps
$env:AWS_ACCESS_KEY_ID='<KEY>'
$env:AWS_SECRET_ACCESS_KEY='<SECRET_KEY>'
$env:AWS_SESSION_TOKEN='<SESSION_TOKEN>'
Use it with Invoke-Expression
:-
> aws-sso-creds export-ps | Invoke-Expression
You can also list the accounts you have available within AWS SSO:
$ aws-sso-creds list accounts
ID NAME EMAIL ADDRESS
<id> dev-sandbox [email protected]
<id> -ci [email protected]
You can list the roles available in an account like so:
$ aws-sso-creds list roles <account-id>
NOTE: currently this tool doesn't support multiple roles when getting credentials, if this is necessary, please file a feature request
This is a compiled go binary, so just put it in your $PATH
.
If you're on os x make sure to then run xattr -d com.apple.quarantine /path/to/aws-sso-creds
to allow it to run.
A tap is provided to install via homebrew:
brew tap jaxxstorm/tap
brew install aws-sso-creds
nixpkgs includes a recipe for aws-sso-creds
.
- If flakes are enabled:
nix profile install nixpkgs#aws-sso-creds
- Otherwise:
nix-env --install --attr aws-sso-creds