Allow configuring sso-session settings non-interactively #7835

Open
2 tasks
fitzoh opened this issue Apr 19, 2023 · 11 comments
Labels
  • configure
  • feature-request: A feature should be added or improved.
  • needs-review: This issue or pull request needs review from a core team member.
  • p2: This is a standard priority issue
  • sso

Comments

@fitzoh
fitzoh commented Apr 19, 2023

Describe the feature

As mentioned in this comment, you cannot use aws configure set to set sso-session parameters in the AWS config file.

The CLI should provide a mechanism to non-interactively set these values

Use Case

I'm trying to set up command line tools for multiple users in an organization, making it easy to use AWS SSO for their tooling.
I would like to be able to give them a script to run to add SSO config to their config files vs manual instructions.

Proposed Solution

Update aws configure to work with sso-session prefixes like this:

aws configure set sso-session.session-name.sso_region eu-west-1 

(As shown by @ezzatron in #7364 (comment)).

Alternatively, update aws configure sso-session to allow non-interactive operation by allowing flags instead of passing in values interactively (this might make sense as a separate issue)

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

2.9.6

Environment details (OS name and version, etc.)

Mac OS Ventura

@fitzoh fitzoh added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Apr 19, 2023
@tim-finnigan
Contributor

Thanks for creating this feature request, I could see how it would be helpful to have this functionality. I'll mark this issue for further review by the team, and in the meantime others can add a 👍 to this issue or comment here to share any more details on use cases.

@tim-finnigan tim-finnigan added configure needs-review This issue or pull request needs review from a core team member. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Apr 20, 2023
@eytanhanig
@tim-finnigan Any updates on when the team will be able to review the PR?

@fitz-vivodyne
Just bumping this to mention there's a PR open to resolve this coming up on a year open without review: #7847

@raylas
raylas commented Mar 7, 2024

Also very interested in the functionality described here and implemented in #7847

@ccmcbeck
Dear AWS, with all due respect, this is a "must have" for a large organization that wants to automate onboarding CLI users to https://aws.amazon.com/iam/identity-center/

Meanwhile, I suppose we can use workarounds like $AWS_CONFIG_FILE or https://github.com/pixelb/crudini. But feels grodo.

@ccmcbeck
ccmcbeck commented Mar 13, 2024

> Meanwhile, I suppose we can use workarounds like $AWS_CONFIG_FILE or https://github.com/pixelb/crudini. But feels grodo.

I wound up implementing the missing features with crudini. In addition to Identity Center, I needed to support a --legacy option to use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

My implementation was to delete any [profile {PROFILE}] or [sso-session {SESSION}] sections from ~/.aws/config and then create only the sections needed for Identity Center vs --legacy -- making it easy to switch between both options.

  1. When deleting a section, I used crudini --del {SECTION}
  2. When creating [profile {PROFILE}], I used aws configure set.
  3. When creating [sso-session {SESSION}], I used crudini --set

Therefore:

  1. This PR would handle requirement 3
  2. The addition of aws configure unset {SECTION} [{KEY}] [{VALUE}] would handle requirement 1 and keep me entirely in the realm of aws configure

Thanks. Not so grodo after all.
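
The delete-then-create approach described in the comment above can be done without crudini. This is an added example, not code from the thread or from the AWS CLI; the function names `drop_section` and `set_sso_session` are hypothetical, and the start URL in the usage comment is the placeholder value from this thread.

```shell
#!/bin/sh
# Added example: upsert an [sso-session NAME] section in the AWS config file
# with no prompts. Function names are hypothetical, not AWS CLI commands.

# drop_section FILE HEADER: print FILE without the "[HEADER]" section.
drop_section() {
    HDR="[$2]" awk '
        /^\[/ { skip = ($0 == ENVIRON["HDR"]) }  # each header starts or ends skipping
        !skip { print }
    ' "$1"
}

# set_sso_session NAME START_URL REGION [SCOPES]
# Body runs in a subshell so the umask change does not leak to the caller.
set_sso_session() (
    name=$1 start_url=$2 region=$3 scopes=${4:-sso:account:access}
    cfg=${AWS_CONFIG_FILE:-$HOME/.aws/config}
    nl='
'
    # Refuse values that could close the header early or inject extra lines.
    case "$name" in ''|*"$nl"*|*']'*) echo "invalid session name" >&2; exit 2 ;; esac
    case "$start_url$region$scopes" in *"$nl"*) echo "invalid value" >&2; exit 2 ;; esac

    umask 077                              # new directory and file are owner-only
    mkdir -p "$(dirname "$cfg")" || exit 1
    [ -f "$cfg" ] || : > "$cfg"
    tmp=$(mktemp "$cfg.XXXXXX") || exit 1  # same directory, so mv is a rename
    {
        drop_section "$cfg" "sso-session $name"
        printf '[sso-session %s]\n' "$name"
        printf 'sso_start_url = %s\n' "$start_url"
        printf 'sso_region = %s\n' "$region"
        printf 'sso_registration_scopes = %s\n' "$scopes"
    } > "$tmp" && mv "$tmp" "$cfg" || { rm -f "$tmp"; exit 1; }
)

# Usage (constructed values):
#   set_sso_session sso-session-name https://sso-alias.awsapps.com/start us-east-1
```

Other sections, including any `[profile ...]` entries written with `aws configure set`, are copied through unchanged, and rerunning the function replaces the session section rather than duplicating it.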

@andreluiznsilva
andreluiznsilva commented Apr 12, 2024

I was able to automate the setup using a shell script like:

echo "sso-session-name
https://sso-alias.awsapps.com/start
us-east-1
sso:account:access" | aws configure sso-session

However, it would be nice to have the option to either set the variables using aws configure or pass them as parameters to the aws configure sso-session command.

@evanstucker-hates-2fa
I wrote a script to configure all AWS IAM Identity Center (SSO) accounts and roles automatically. It requires AWS CLI v2 and jq. Download the aws_configure_all_sso.sh script here: https://codeberg.org/dedevsecops/aws

@silasdavis
silasdavis commented Jul 3, 2024

Needing to do something similar to @evanstucker-hates-2fa to get a fairly simple non-interactive setup that isn't full of traps and annoyances for new users. Primarily need to be able to generate a profile with a known name that can be referenced from a makefile. The current tool makes this obnoxiously hard. In particular, there is no easy way to get the sso_account_id other than digging around for the access token in the cache and hitting the API as above.

@ashovlin ashovlin added the sso label Oct 28, 2024
@scottillogical
I use sso without using an sso session prefix, and thus can set the sso role name via aws configure set... why is the prefix necessary?

@evanstucker-hates-2fa
I've switched to using https://github.com/synfinatic/aws-sso-cli. It works great! And it encrypts the tokens/cache, which adds an additional layer of security, which is nice.
