Support for AWS SSO? #26
Comments
This is definitely something we're interested in supporting, but I can't give a specific timeline for when it will be ready.
It seems totally customer-hostile to have an AWS CLI not work with an AWS service. For every other (competing!) IDP there is support, but not for the AWS one.
+1
Any updates on this issue?
+1
I'll echo the sentiments of @obijan42. I've wasted considerable time tonight trying to figure out how to auth on the cli without this copy/paste loop - which is just not practical for routine use. It didn't even occur to me that this impractical method would really be the only way to combine sso with the aws cli. It's shocking to me that there isn't a CLI based auth flow for temporary credentials, and I think this is in direct tension with the advice we see in AWS documentation and from AWS personnel - which instructs us to avoid IAM users and long-lived access keys in favor of SSO, roles and rotating credentials in a multi-account setup. Nothing makes me want to reach for long-lived access keys and IAM users more than this cumbersome alternate scenario. At least one of AWS's competitors in the top-tier cloud provider space does it exactly right, out of the box, and has for years (Google it :P). This is a huge quality of life loser for AWS, I really hope you consider making it a higher priority.
For what it’s worth. The aws2 cli is now out in beta, which supports aws sso commands and auth. There’s also support for the aws sso service in some aws SDKs now (ruby for example).
Hi @lorengordon, it's been a while since this issue was opened but - as @mattmcf stated - AWS CLI v2 has support for AWS SSO, allowing you to log into your Portal URL, providing you AWS SSO User's credentials. Through the
It's a bit quirky (it opens browser) but it saves keys to file using python/selenium automation: automate-AWS-SSO
+1
+1
When logging in through AWS SSO, it can retrieve temporary keys for users to copy/paste into their shell or a config file. This isn't ideal; it's still difficult to use on a routine basis from the command line as you need to get the credentials out of the browser. Seems like something this package could help with, yes?
It appears that AWS SSO works by adding a SAML identity provider within the configured accounts. I would think it ought to be possible then to use a package like this to interface with SSO to retrieve the credentials and make them available via credential_process. Does that already work and I'm just not seeing how? Or, any idea how to go about adding that support?
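As an added illustration of the `credential_process` idea raised in the post above (not code from this project or from any commenter): a helper that turns the `roleCredentials` object returned by the AWS SSO `GetRoleCredentials` API into the JSON document `credential_process` expects, refusing to emit credentials that are expired or about to expire. The function name, the `min_ttl_seconds` threshold and the sample values are assumptions made for the example.

```python
import json
from datetime import datetime, timezone


def to_credential_process(role_credentials, now=None, min_ttl_seconds=60):
    """Render SSO roleCredentials as credential_process JSON (hypothetical helper).

    role_credentials: dict with accessKeyId, secretAccessKey, sessionToken and
    expiration (epoch milliseconds), as returned by SSO GetRoleCredentials.
    """
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        role_credentials["expiration"] / 1000, tz=timezone.utc
    )
    # Fail closed: handing the CLI stale keys only produces confusing
    # downstream auth errors, so force a fresh SSO login instead.
    if (expires - now).total_seconds() < min_ttl_seconds:
        raise ValueError("SSO role credentials expired; re-authenticate")
    # Secrets go to stdout only; nothing is written to disk by this helper.
    return json.dumps(
        {
            "Version": 1,
            "AccessKeyId": role_credentials["accessKeyId"],
            "SecretAccessKey": role_credentials["secretAccessKey"],
            "SessionToken": role_credentials["sessionToken"],
            "Expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        }
    )


# Constructed sample input, not real credentials.
SAMPLE = {
    "accessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "secretAccessKey": "constructed-secret-value",
    "sessionToken": "constructed-session-token",
    "expiration": 1700000000000,  # 2023-11-14T22:13:20Z in epoch ms
}

if __name__ == "__main__":
    fixed_now = datetime(2023, 11, 14, 21, 0, 0, tzinfo=timezone.utc)
    print(to_credential_process(SAMPLE, now=fixed_now))
```

A profile in `~/.aws/config` would reference such a helper with a `credential_process = ...` line; the CLI re-runs it when the reported `Expiration` passes.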