aws-sso-lib
allows you to programmatically interact with AWS IAM Identity Center (formerly AWS SSO).
The primary functions that will be of interest are available at the package level:
get_boto3_session
: Get a boto3 session for a specific account and role.login
: ensure the user is logged in to Identity Center, with dispatch to the browser.list_available_accounts
andlist_available_roles
: discover the access the user has.list_assignments
: for admin purposes, iterate over all assignments in Identity Center, which is currently hard to do through the API.
aws-sso-util
is a command-line utility built on aws-sso-lib
for interacting with Identity Center; see the details of that project here.
pip install --user aws-sso-lib
python -c "import aws_sso_lib; aws_sso_lib.login('https://my-start-url.awsapps.com/start', 'us-east-2')"
Often when writing a script, you know the exact account and role you want the script to use.
You could configure a profile in your ~/.aws/config
for this (perhaps using aws-sso-util configure profile
), but especially if multiple people may be using the script, it's more convenient to have the configuration baked into the script itself.
get_boto3_session()
is the function to do that with.
get_boto3_session(start_url, sso_region, account_id, role_name, *, region,
login=False,
sso_cache=None,
credential_cache=None)
start_url
: [REQUIRED] The start URL for the Identity Center instance.sso_region
: [REQUIRED] The AWS region for the Identity Center instance.account_id
: [REQUIRED] The AWS account ID to use.role_name
: [REQUIRED] The Identity Center role (aka PermissionSet) name to use.region
: [REQUIRED] The AWS region for the boto3 session (note, required but keyword-only).login
: Set toTrue
to interactively log in the user if their Identity Center credentials have expired.sso_cache
: A dict or dict-like object for Identity Center credential caching to replace the default file cache in~/.aws/sso/cache
.credential_cache
: A dict or dict-like object to cache the role credentials in to replace the default in-memory cache.- Returns a boto3 Session object configured for the account and role.
For more control over the login process, use the login
function separately.
While the functions that require the user to be logged in let you specify login=True
to interactively log in the user if they are not already logged in, you can have more control over the process, or retrieve the access token, using login()
.
If the user is not logged in or force_refresh
is True
, it will attempt to log in.
If the user is logged in and force_refresh
is False
, no action is taken.
Normally, it will attempt to automatically open the user's browser to log in, as well as printing the URL and code to stderr as a fallback. However, if disable_browser
is True
, or if disable_browser
is None
(the default) and the environment variable AWS_SSO_DISABLE_BROWSER
is set to 1
or true
, only the message with the URL and code will be printed.
A custom message can be printed by setting message
to a template string using any or all of {url}
, {code}
, and {urlWithCode}
as placeholders.
The message can be suppressed by setting message
to False
.
To fully control the communication with the user, use the user_auth_handler
parameter.
It must be a callable taking four keyword arguments: verificationUri
, userCode
, verificationUriComplete
, and expiresAt
(a datetime).
Provide verificationUri
and userCode
to the user if they are expected to type them in manually (e.g., on a separate device); verificationUriComplete
has the userCode embedded in it, suitable for copying, linking, or a browser popup.
The function must return promptly or it will block the login process.
login(start_url, sso_region, *,
force_refresh=False,
expiry_window=None,
disable_browser=None,
message=None,
outfile=None,
user_auth_handler=None,
sso_cache=None)
start_url
: [REQUIRED] The start URL for the Identity Center instance.sso_region
: [REQUIRED] The AWS region for the Identity Center instance.force_refresh
: Set toTrue
to always go through the authentication process.expiry_window
: A datetime.timedelta (or number of seconds), or callable returning such, specifying the minimum duration any existing token must be valid for.disable_browser
: Set toTrue
to skip the browser popup and only print a message with the URL and code.message
: A message template to print with the fallback URL and code, orFalse
to suppress the message.outfile
: The file-like object to print the message to (stderr by default)user_auth_handler
: override browser popup and message printing and use the given function instead.sso_cache
: A dict or dict-like object for Identity Center credential caching, to override the default file cache in~/.aws/sso/cache
.- Returns the token dict as returned by sso-oidc:CreateToken, which contains the actual authorization token, as well as the expiration.
Identity Center provides programmatic access to the permissions that a user has.
You can access this through list_available_accounts()
and list_available_roles()
.
With both, you can set login=True
to interactively log in the user if they are not already logged in.
Note that these functions return iterators; they don't return a list, because the number of roles may be very large and you shouldn't have to wait for the entire list to be created to start processing.
You can always get a list by, for example, list(list_available_roles(...))
.
list_available_accounts(start_url, sso_region, *, login=False)
start_url
: The start URL for the Identity Center instance.sso_region
: The AWS region for the Identity Center instance.login
: Set toTrue
to interactively log in the user if their Identity Center credentials have expired.- Returns an iterator that yields account id and account name.
list_available_roles(start_url, sso_region, account_id=None, *, login=False)
start_url
: [REQUIRED] The start URL for the Identity Center instance.sso_region
: [REQUIRED] The AWS region for the Identity Center instance.account_id
: Optional account id or list of account ids to check.- If not set, all accounts available to the user are used.
login
: Set toTrue
to interactively log in the user if their Identity Center credentials have expired.- Returns an iterator that yields account id, account name, and role name.
The Identity Center API only allows you to list assignments for a specific account and permission set.
To find all your assignments, you need to iterate over all accounts, and then interate over all permission sets.
list_assignments()
does this work for you.
Unlike the other functions list above, this uses admin APIs, which require AWS credentials, rather than taking as input a start URL and region.
list_assignments
returns an iterator over Assignment
named tuples, which have the following fields:
instance_arn
principal_type
principal_id
principal_name
permission_set_arn
permission_set_name
target_type
target_id
target_name
The name fields may be None
, if the names are not known or looked up.
By default, principal and permission set names are not retrieved, nor are account names for accounts that have been provided as explicit targets.
If you don't specify instance_arn
and/or identity_store_id
, these will be looked up using the ListInstances API, which today returns at most one instance (with associated identity store).
An assignment is the combination of a principal (a user or a group), a permission set, and a target (an AWS account). For each of these values, you can provide either an explicit specification, or a filter function.
You can provide an OU as a target, which will use all accounts in that OU, and optionally all accounts recursively in child OUs as well.
list_assignments(
session,
instance_arn=None,
identity_store_id=None,
principal=None,
principal_filter=None,
permission_set=None,
permission_set_filter=None,
target=None,
target_filter=None,
get_principal_names=False,
get_permission_set_names=False,
get_target_names=False,
ou_recursive=False)
session
: [REQUIRED] boto3 session to useinstance_arn
: The Identity Center instance to use, or it will be looked up using ListInstancesidentity_store_id
: The identity store to use if principal names are being retrieved or it will be looked up using ListInstancesprincipal
: A principal specification or list of principal specifications.- A principal specification is a principal id or a 2-tuple of principal type and id.
principal_filter
: A callable taking principal type, principal id, and principal name (which may beNone
), and returningTrue
if the principal should be included.permission_set
: A permission set arn or id, or a list of the same.permission_set_filter
: A callable taking permission set arn and name (name may beNone
), returning True if the permission set should be included.target
: A target specification or list of target specifications.- A target specification is an account or OU id, or a 2-tuple of target type, which is either AWS_ACCOUNT or AWS_OU, and target id.
target_filter
: A callable taking target type, target id, and target name (which may beNone
), and returningTrue
if the target should be included.get_principal_names
: Set toTrue
to retrieve names for principals in assignments.get_permission_set_names
: Set toTrue
to retrieve names for permission sets in assignments.get_target_names
: Set toTrue
to retrieve names for targets in assignments, when they are explicitly provided as targets. For OUs as targets or if no targets are specified, the account names will be retrieved automatically during the enumeration process.ou_recursive
: Set toTrue
if an OU is provided as a target to get all accounts including those in child OUs.- Returns an iterator over
Assignment
tuples