This repository has been archived by the owner on Jul 1, 2024. It is now read-only.

Support for AWS SSO? #26

Open
lorengordon opened this issue Oct 23, 2018 · 11 comments
@lorengordon

When logging in through AWS SSO, it can retrieve temporary keys for users to copy/paste into their shell or a config file. This isn't ideal; it's still difficult to use on a routine basis from the command line as you need to get the credentials out of the browser. Seems like something this package could help with, yes?

It appears that AWS SSO works by adding a SAML identity provider within the configured accounts. I would think it ought to be possible then to use a package like this to interface with SSO to retrieve the credentials and make them available via credential_process. Does that already work and I'm just not seeing how? Or, any idea how to go about adding that support?
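As an added illustration (not part of the original thread, and not code from this package): a `credential_process` helper has to print temporary credentials on stdout as JSON in the format the AWS CLI documents, and should refuse to emit expired ones. The function name and sample values below are hypothetical, and the sketch assumes the credentials were already obtained from STS.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def to_credential_process(creds, now=None, min_remaining=timedelta(minutes=5)):
    """Render an STS-style Credentials dict as credential_process JSON.

    Raises ValueError when a field is missing or the credentials are expired
    (or about to expire), so stale keys are never handed to the CLI.
    """
    now = now or datetime.now(timezone.utc)
    missing = [k for k in REQUIRED if not creds.get(k)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    exp = creds["Expiration"]
    if isinstance(exp, str):  # accept ISO 8601 with a trailing "Z"
        exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
    if exp.tzinfo is None:
        raise ValueError("Expiration must carry a timezone")
    if exp - now < min_remaining:
        raise ValueError("credentials expired or expiring soon")
    return json.dumps({
        "Version": 1,  # documented format version
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": exp.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })


if __name__ == "__main__":
    # Constructed placeholder values, not real keys.
    sample = {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "example-secret",
        "SessionToken": "example-token",
        "Expiration": datetime.now(timezone.utc) + timedelta(hours=1),
    }
    try:
        print(to_credential_process(sample))  # stdout carries only the JSON
    except ValueError as err:
        print(f"error: {err}", file=sys.stderr)  # names fields, never values
        sys.exit(1)
```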

@JordonPhillips
Contributor

This is definitely something we're interested in supporting, but I can't give a specific timeline for when it will be ready.

@obijan42

It seems totally customer-hostile to have an AWS CLI not work with an AWS service. For every other (competing!) IDP there is support, but not for the AWS one.
Going to see if I can hack something together myself.

@dan-lind

dan-lind commented Jul 5, 2019

+1

@drankard

drankard commented Aug 6, 2019

Any updates on this issue?

@mattmcf

mattmcf commented Oct 18, 2019

+1

@drj42

drj42 commented Jan 30, 2020

I'll echo the sentiments of @obijan42. I've wasted considerable time tonight trying to figure out how to auth on the cli without this copy/paste loop - which is just not practical for routine use. It didn't even occur to me that this impractical method would really be the only way to combine sso with the aws cli.

It's shocking to me that there isn't a CLI based auth flow for temporary credentials, and I think this is in direct tension with the advice we see in AWS documentation and from AWS personnel - which instructs us to avoid IAM users and long-lived access keys in favor of SSO, roles and rotating credentials in a multi-account setup. Nothing makes me want to reach for long-lived access keys and IAM users more than this cumbersome alternate scenario.

At least one of AWS's competitors in the top-tier cloud provider space does it exactly right, out of the box, and has for years (Google it :P). This is a huge quality of life loser for AWS, I really hope you consider making it a higher priority.

@mattmcf

mattmcf commented Jan 30, 2020

For what it's worth, the aws2 cli is now out in beta, which supports aws sso commands and auth.

There's also support for the aws sso service in some aws sdks now (Ruby, for example).

@ericvilla

ericvilla commented Jan 13, 2021

Hi @lorengordon, it's been a while since this issue was opened but - as @mattmcf stated - AWS CLI v2 has support for AWS SSO, allowing you to log into your Portal URL and providing you with your AWS SSO user's credentials. Through the aws configure sso command you'll be able to create Named Profiles associated with the AWS IAM Roles you want to access, and that your user is allowed to access. As far as AWS SSO support is concerned - IMO - the overall AWS CLI v2 user experience could be improved, and that's what my team is trying to address. We're working on an Open Source project that manages credentials in your local environment to access a complex Cloud Environment. If it makes sense to you, take a look at the Leapp project.

@pydemo

pydemo commented Feb 14, 2021

It's a bit quirky (it opens browser) but it saves keys to file using python/selenium automation: automate-AWS-SSO

@nash-az

nash-az commented Apr 4, 2022

+1

@jaroszan

jaroszan commented Feb 3, 2023

+1
