Repository files navigation

This package provides a command line interface to get AWS credentials withAWS SSO.

The aws-cli package works on Python versions:

• 3.7.x and greater

This package relies onSelenium and Google Chrome to work.Therefore, you needGoogle Chrome andChromeDriver to be installed.

This is being developped and tested on macOS, if you encounter problems on other platforms, please open an issue.

brew cask install chromedriver

¯\_(ツ)_/¯

pip install awssso

For each command you can get help with--help flag.

usage: awssso configure [-h] [-p PROFILE] [-a AWS_PROFILE] [-f] [--url URL]                        [--username USERNAME]optional arguments:  -h, --help            show this help message and exit  -p PROFILE, --profile PROFILE                        AWS SSO Profile (default: default)  -a AWS_PROFILE, --aws-profile AWS_PROFILE                        AWS CLI Profile (default: AWS_PROFILE, fallback: same                        as --profile)  -f, --force-refresh   force token refresh  --url URL  --username USERNAME

$ awssso configure[?] URL: https://d-0123456789.awsapps.com/start/[?] AWS CLI profile: my-awssso-profile[?] Username: me@example.com[?] Password: **************[?] MFA Code: 042042[?] AWS Account: 000000000000 (Master)   111111111111 (Log archive)   222222222222 (Audit) > 000000000000 (Master)[?] AWS Profile: AWSAdministratorAccess   AWSServiceCatalogEndUserAccess > AWSAdministratorAccess

This will create a configuration file in~/.awssso/config.

$ awssso login

This will get the credentials for theprofile as defined in the configuration fileand useaws-cli to set those credentials to the correct AWS Profile.

$ awssso login -eexport AWS_ACCESS_KEY_ID=ACCESS_KEY_IDexport AWS_SECRET_ACCESS_KEY=SECRET_ACCESS_KEYexport AWS_SESSION_TOKEN=SESSION_TOKEN

This will echoexport commands to stdout ; can be used like this$(awssso login -e)

$ awssso login -chttps://signin.aws.amazon.com/federation?Action=login&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=TOKEN

This will generate a Sign In URL to the AWS Console ; URL will open in a new tab if used with--browser.

You can also use this tool as acredential_process for awscli. To do so, configure your awscli configuration file like so:

[profile my-sso-profile]credential_process = awssso login -p my-awssso-profile --json

And then simply use awscli normally:

$ aws --profile my-sso-profile s3 ls

aws-sso has its own configuration file (~/.awssso/config).
Each section in this file corresponds to an AWS SSO profile. Those profiles are different from AWS profiles.

When using thelogin command, it'll set credentials for the configured AWS Profile by invokingaws configure.

Inside~/.awssso/ are also stored cookie files for each pair of username / url. This allows not prompting for MFA code at each login.

Secrets are stored usingkeyring so for example on macOS they are stored in Keychain.
For each username / url aws-sso stores three secrets:

• password
• authn-token
• authn-expiry-date

aws-sso doesn't make new login attempts until authn-token is expired.
aws-sso also stores credentials using keyring to avoid making too many STS calls.

The release notes for AWS SSO can be foundhere.

Known issues can be foundhere.