{"id":37109551,"url":"https://github.com/allcloud-io/clisso","last_synced_at":"2026-01-14T13:01:29.714Z","repository":{"id":22653913,"uuid":"95244633","full_name":"allcloud-io/clisso","owner":"allcloud-io","description":"Get temporary credentials for cloud providers from the command line.","archived":false,"fork":false,"pushed_at":"2025-05-19T15:50:05.000Z","size":926,"stargazers_count":46,"open_issues_count":14,"forks_count":15,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-05-19T16:34:49.450Z","etag":null,"topics":["aws","golang","okta","onelogin","temporary-credentials"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/allcloud-io.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-06-23T18:08:56.000Z","updated_at":"2025-05-19T15:50:08.000Z","dependencies_parsed_at":"2023-02-17T19:46:04.915Z","dependency_job_id":"5ff6a77a-d397-4c48-9443-472ed5e9a16a","html_url":"https://github.com/allcloud-io/clisso","commit_stats":null,"previous_names":[],"tags_count":61,"template":false,"template_full_name":null,"purl":"pkg:github/allcloud-io/clisso","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allcloud-io%2Fclisso","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allcloud-io%2Fclisso/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allcloud-io%2Fclisso/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allcloud-io%2Fclisso/manif
ests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/allcloud-io","download_url":"https://codeload.github.com/allcloud-io/clisso/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/allcloud-io%2Fclisso/sbom","scorecard":{"id":185166,"data":{"date":"2025-08-11","repo":{"name":"github.com/allcloud-io/clisso","commit":"f1e7cc48005c76ef68895ffde491b4ff174192f0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.2,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/2 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":2,"reason":"3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow 
tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:29","Warn: no topLevel permission defined: .github/workflows/build-artifacts-and-draft-release.yaml:1","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/homebrew-release.yaml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-artifacts-and-draft-release.yaml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/build-artifacts-and-draft-release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-artifacts-and-draft-release.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/build-artifacts-and-draft-release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-artifacts-and-draft-release.yaml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/build-artifacts-and-draft-release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-artifacts-and-draft-release.yaml:33: update your workflow using 
https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/build-artifacts-and-draft-release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-artifacts-and-draft-release.yaml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/build-artifacts-and-draft-release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-artifacts-and-draft-release.yaml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/build-artifacts-and-draft-release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-artifacts-and-draft-release.yaml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/build-artifacts-and-draft-release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-artifacts-and-draft-release.yaml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/build-artifacts-and-draft-release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-artifacts-and-draft-release.yaml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/build-artifacts-and-draft-release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-artifacts-and-draft-release.yaml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/build-artifacts-and-draft-release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/codeql-analysis.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/codeql-analysis.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/homebrew-release.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/homebrew-release.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/test.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/test.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:32: update your workflow using 
https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/test.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/test.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/allcloud-io/clisso/test.yml/master?enable=pin","Info:   0 out of  17 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   7 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: 
FSF or OSI recognized license: Mozilla Public License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact 0.20.4 not signed: https://api.github.com/repos/allcloud-io/clisso/releases/208396176","Warn: release artifact 0.20.3 not signed: https://api.github.com/repos/allcloud-io/clisso/releases/199885825","Warn: release artifact 0.20.2 not signed: https://api.github.com/repos/allcloud-io/clisso/releases/193907937","Warn: release artifact 0.20.1 not signed: https://api.github.com/repos/allcloud-io/clisso/releases/191132900","Warn: release artifact 0.20.0 not signed: https://api.github.com/repos/allcloud-io/clisso/releases/188721818","Warn: release artifact 0.20.4 does not have provenance: https://api.github.com/repos/allcloud-io/clisso/releases/208396176","Warn: release artifact 0.20.3 does not have provenance: https://api.github.com/repos/allcloud-io/clisso/releases/199885825","Warn: release artifact 0.20.2 does not have provenance: 
https://api.github.com/repos/allcloud-io/clisso/releases/193907937","Warn: release artifact 0.20.1 does not have provenance: https://api.github.com/repos/allcloud-io/clisso/releases/191132900","Warn: release artifact 0.20.0 does not have provenance: https://api.github.com/repos/allcloud-io/clisso/releases/188721818"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build-artifacts-and-draft-release.yaml:9"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (29) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T19:40:03.526Z","repository_id":22653913,"created_at":"2025-08-16T19:40:03.526Z","updated_at":"2025-08-16T19:40:03.526Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28420816,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T10:47:48.104Z","status":"ssl_error","status_checked_at":"2026-01-14T10:46:19.031Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","golang","okta","onelogin","temporary-credentials"],"created_at":"2026-01-14T13:01:28.422Z","updated_at":"2026-01-14T13:01:29.707Z","avatar_url":"https://github.com/allcloud-io.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Clisso: CLI Single Sign-On\n\n[![Coverage Status](https://coveralls.io/repos/github/allcloud-io/clisso/badge.svg)](https://coveralls.io/github/allcloud-io/clisso)\n\nClisso (pronounced `/ˈklIsoʊ/`) allows you to retrieve temporary credentials for cloud platforms\nby authenticating with an identity provider (IdP).\n\nThe following identity providers are currently supported:\n\n- [OneLogin][2]\n- [Okta][3]\n\nThe following cloud platforms are currently supported:\n\n- [AWS][1]\n\nClisso uses the [SAML][7] standard 
to authenticate users.\n\n## Installation\n\n### Using a Pre-Compiled Binary\n\nThe easiest way to use Clisso is to download a pre-compiled binary for your platform. To do so,\nperform the following:\n\n1. Go to the [latest release][4] on the releases page.\n1. Download the ZIP file corresponding to your platform and architecture.\n1. Unzip the binary.\n1. Rename the binary using `mv clisso-\u003cplatform\u003e-\u003carch\u003e clisso`.\n1. Move the binary to a place under your path.\n\nClisso supports **macOS**, **Linux** and **Windows**.\n\n### Installing Using Homebrew\n\nTo install Clisso using Homebrew, run the following commands:\n\n    brew tap allcloud-io/tools\n    brew install clisso\n\nTo update Clisso to the latest release, run the following command:\n\n    brew upgrade clisso\n\n### Building from Source\n\n#### Requirements\n\n- Go `1.12` or above\n- Git\n- Make\n\n#### Building\n\nTo build Clisso from source, do the following:\n\n```\n# Get the source\ngit clone https://github.com/allcloud-io/clisso\n\n# Build the binary\ncd clisso\ngo build\n\n# Install the binary in $GOPATH/bin\ngo install\n\n# Clean up\ngo clean\n```\n\n#### MacOS Signing\n\nA [self-signed certificate](https://support.apple.com/guide/keychain-access/create-self-signed-certificates-kyca8916/mac) may be created and used to sign the binary when building Clisso from source on a MacOS machine with Gatekeeper enabled. After installing Clisso, sign the binary:\n\n```\ncodesign -f -s \"Your Certificate Name\" $GOPATH/bin/clisso\n```\n\n## Configuration\n\nClisso stores configuration in a file called `.clisso.yaml` under the user's home directory. You\nmay specify a different config file using the `-c` flag.\n\n\u003eNOTE: It is recommended to use the `clisso` command to manage the config file, however you may\n\u003ealso edit the file manually. The file is in YAML format. 
You may find a sample config file\n\u003e[here][11].\n\n## Usage\n\nClisso has the following commands:\n\n    $ ./clisso\n    Usage:\n        clisso [command]\n\n    Available Commands:\n        apps        Manage apps\n        completion  Generate the autocompletion script for the specified shell\n        get         Get temporary credentials for an app\n        help        Help about any command\n        providers   Manage providers\n        status      Show active (non-expired) credentials\n\n    Flags:\n        -c, --config string      config file (default is $HOME/.clisso.yaml)\n        -h, --help               help for clisso\n            --log-level string   set log level to trace, debug, info, warn, error, fatal or panic (default \"info\")\n        -v, --version            version for clisso\n\n    Use \"clisso [command] --help\" for more information about a command.\n\nIn order to use Clisso you will have to configure at least one *provider* and one *app*. A provider\nrepresents an identity provider against which Clisso authenticates. 
An app represents an account\non a cloud platform such as AWS, for which Clisso retrieves credentials.\n\n### Listing Providers\n\nTo list the existing providers on Clisso, use the following command:\n\n    clisso providers ls\n\nFollowing is a sample output:\n\n    okta-prod\n    onelogin-dev\n    onelogin-prod\n\n### Listing Apps\n\nTo list the existing apps on Clisso, use the following command:\n\n    clisso apps ls\n\nFollowing is a sample output:\n\n      dev-account\n    * prod-account\n\nThe app marked with an asterisk is [selected](#selecting-an-app).\n\n### Creating Providers\n\n#### OneLogin\n\nTo create a OneLogin identity provider, use the following command:\n\n    clisso providers create onelogin my-provider \\\n        --client-id myid \\\n        --client-secret mysecret \\\n        --subdomain mycompany \\\n        --username user@mycompany.com \\\n        --region US \\\n        --duration 14400 \\\n        --arn arn:aws:iam::123456789012:role/Worker\n\nThe example above creates a OneLogin identity provider configuration for Clisso, with the name\n`my-provider`.\n\nThe `--client-id` and `--client-secret` flags are OneLogin API credentials. You may follow the\ninstructions [here][8] to obtain them. OneLogin requires using static credentials even for\n**attempting authentication**, and for that reason Clisso needs them. Please be sure to select\n**Authentication Only** when generating the credentials. Higher-level permissions aren't used by\nClisso and will only pose a security risk when stored at a client machine. You might have to open\na ticket with your OneLogin administrator to obtain these credentials as administrator privileges\nare required.\n\nThe `--subdomain` flag is the subdomain of your OneLogin account. You can see it in the URL when\nlogging in to OneLogin. 
For example, if you log in to OneLogin using `mycompany.onelogin.com`, use\n`--subdomain mycompany`.\n\nThe `--username` flag is optional, and allows Clisso to always use the given value as the OneLogin\nusername when retrieving credentials for apps which use this provider. Omitting this flag will make\nClisso prompt for a username every time.\n\nThe `--duration` flag is optional. If specified, sessions will be assumed with the provided\nduration, in seconds, instead of the default of 3600 (1 hour). Valid values are between 3600 and\n43200 seconds. The [max session duration][12] has to be equal to or lower than what is configured on\nthe role in AWS. If a longer session time is requested than what is configured on the AWS role,\nClisso will fall back to a duration of 3600. The default duration specified for the provider can be\noverridden on a per-app basis (see below).\n\nThe `--arn` flag is optional. If specified, Clisso will not prompt for a choice of roles presented\nfrom the list of available AWS accounts/roles. This makes it easy to run `clisso get my-app`\nand get the correct account/role.\n\n#### Okta\n\nTo create an Okta identity provider, use the following command:\n\n    clisso providers create okta my-provider \\\n        --base-url https://mycompany.okta.com \\\n        --username user@mycompany.com \\\n        --duration 14400\n\nThe example above creates an Okta identity provider configuration for Clisso, with the name\n`my-provider`.\n\nThe `--base-url` flag is your Okta base URL. You can see it in the URL when logging in to Okta.\nPlease specify a full URL in one of the following formats:\n\n- `https://your-subdomain.okta.com` if you have an enterprise Okta account.\n- `https://your-subdomain.oktapreview.com` if you have a developer Okta account.\n\nThe `--username` flag is optional, and allows Clisso to always use the given value as the Okta\nusername when retrieving credentials for apps which use this provider. 
Omitting this flag will make\nClisso prompt for a username every time.\n\nThe `--duration` flag is optional. If specified, sessions will be assumed with the provided\nduration, in seconds, instead of the default of 3600 (1 hour). Valid values are between 3600 and\n43200 seconds. The [max session duration][12] has to be equal to or lower than what is configured on\nthe role in AWS. If a longer session time is requested than what is configured on the AWS role,\nClisso will fall back to a duration of 3600. The default duration specified for the provider can be\noverridden on a per-app basis (see below).\n\n### Deleting Providers\n\nDeleting providers using the `clisso` command isn't currently supported. To delete a provider,\nremove its configuration from the config file.\n\n### Creating Apps\n\n#### OneLogin\n\nTo create a OneLogin app, use the following command:\n\n    clisso apps create onelogin my-app \\\n        --provider my-provider \\\n        --app-id 12345 \\\n        --duration 3600\n\nThe example above creates a OneLogin app configuration for Clisso, with the name `my-app`.\n\nThe `--provider` flag is the name of a provider which already exists in the config file.\n\nThe `--app-id` flag is the OneLogin app ID. This ID can be retrieved using the OneLogin admin\ninterface or the OneLogin API. Unfortunately, the OneLogin API doesn't allow obtaining app IDs\nwithout storing sensitive, high-level permissions on the client machine. For that reason we have to\nmanually configure the app ID for every app.\n\n\u003eNOTE: The ID seen in the browser URL when visiting a OneLogin app as a user is **NOT** the app ID.\n\u003eOnly a OneLogin administrator can obtain an app ID.\n\nThe `--duration` flag is optional and defaults to the value set at the provider level. Valid values\nare between 3600 and 43200 seconds. It can be used to raise or lower the session duration for an\nindividual app. 
The [max session duration][12] has to be equal to or lower than what is configured on\nthe role in AWS. The default maximum is 3600 seconds. If the requested duration exceeds the\nconfigured maximum, Clisso will fall back to 3600 seconds.\n\n#### Okta\n\nTo create an Okta app, use the following command:\n\n    clisso apps create okta my-app \\\n        --provider my-provider \\\n        --url https://mycompany.okta.com/home/amazon_aws/xxxxxxxxxxxxxxxxxxxx/137 \\\n        --duration 3600\n\nThe example above creates an Okta app configuration for Clisso, with the name `my-app`.\n\nThe `--provider` flag is the name of a provider which already exists in the config file.\n\nThe `--url` flag is the app's **embed link**. This can be retrieved as an Okta user by examining\nthe URL of an app on the Okta web UI. The same can also be retrieved as an administrator by\nclicking an app in the **Applications** view. The embed link is on the **General** tab.\n\n\u003eNOTE: An Okta embed link must not contain an HTTP query, only the base URL. For AWS apps, the link\n\u003eshould end with `/137`.\n\nThe `--duration` flag is optional and defaults to the value set at the provider level. Valid values\nare between 3600 and 43200 seconds. It can be used to raise or lower the session duration for an\nindividual app. The [max session duration][12] has to be equal to or lower than what is configured on\nthe role in AWS. The default maximum is 3600 seconds. If the requested duration exceeds the\nconfigured maximum, Clisso will fall back to 3600 seconds.\n\n### Deleting Apps\n\nTo delete an app, use the following command:\n\n    clisso apps delete my-app\n\nDeletion of an app will remove its configuration from the config file. You can also do it manually\nby editing the config file.\n\n### Obtaining Credentials\n\nTo obtain temporary credentials for an app, use the following command:\n\n    clisso get my-app\n\nThe example above will obtain credentials for an app named `my-app`. 
Type your credentials for the\nrelevant identity provider. If multi-factor authentication is enabled on your account, you will\nalso be asked for a one-time password.\n\nBy default, Clisso will store the credentials in the [shared credentials file][6] of the AWS CLI\nwith the app's name as the [profile name][10]. You can use the temporary credentials by specifying\nthe profile name as an argument to the AWS CLI (`--profile my-profile`), by setting the\n`AWS_PROFILE` environment variable or by configuring any AWS SDK to use the profile.\n\nTo save the credentials to a custom file, use the `--output` flag with a custom path. For example:\n\n    clisso get my-app --output /path/to/credentials\n\nTo print the credentials to the shell instead of storing them in a file, use the `--output environment` flag. This\nwill output shell commands which can be pasted in any shell to use the credentials.\n\nTo select a specific MFA device by name instead of choosing from a list, use the `-m` flag. The\nconfiguration field `global.mfa-device` may also be set.\n\n### Running as `credential_process`\n\nAWS CLI v2 introduced the `credential_process` feature which allows you to use an external command to obtain temporary credentials.\nClisso can be used as a `credential_process` command by setting the `--output credential_process` flag. For example:\n\n    clisso get my-app --output credential_process\n\nYou can use this by adding the following to your `~/.aws/credentials` file:\n\n```ini\n[my-app]\ncredential_process = clisso get my-app --output credential_process\n```\n\n\u003e **IMPORTANT**: If `clisso get my-app --output credential_process` prompts for any input, the `credential_process` will not work as expected. 
Make sure to configure Clisso to not prompt for any input (store the password in the key chain, use push MFA).\n\nAlternatively, you can run the following command to configure all apps for use with `credential_process`:\n\n```bash\nclisso cp configure\n```\n\nThe AWS SDK does not cache any credentials obtained using `credential_process`. This means that every time you use the profile, Clisso will be called to obtain new credentials. If you want to cache the credentials, you can use the `--cache` flag. For example:\n\n```ini\n[my-app]\ncredential_process = clisso get my-app --output credential_process --cache\n```\n\nAlternatively, you can set it in the `~/.clisso.yaml` file:\n\n```yaml\nglobal:\n  cache:\n    enable: true\n```\n\n#### Temporarily Disabling Credential Process Functionality\n\nDifferent processes on your system might continue using AWS profiles configured for use with Clisso. To temporarily disable the `credential_process` functionality, you can use the `clisso cp` submenu. For example:\n\n```bash\nclisso cp disable # to disable\nclisso cp enable # to enable\nclisso cp status # to check the status\n```\n\nIf you disable the `credential_process` functionality, all refreshes will be disabled. While cached credentials will still be used, new credentials will not be fetched. This can be useful if you lock your computer while a session, e.g. a VSCode session with CodeCommit, is still active. If you did not disable the `credential_process` functionality, VSCode would constantly trigger new credential requests to refresh the remote CodeCommit repository.\n\nIf you want to check the status programmatically, you can use the exit code of the `clisso cp status` command. If the exit code is `0`, the `credential_process` functionality is enabled. If the exit code is `1`, the `credential_process` functionality is disabled.\n\n### Storing the password in the key chain\n\n\u003e WARNING: Storing the password without having MFA enabled is a security risk. 
It allows anyone\n\u003e who has access to your computer to assume your roles.\n\nStoring a password for a provider is as simple as running:\n\n    clisso providers passwd my-provider\n\n### Selecting an App\n\nYou can **select** an app by using the following command:\n\n    clisso apps select my-app\n\nYou can get credentials for the currently-selected app by simply running `clisso get`, without\nspecifying an app name. The currently-selected app will have an asterisk near its name when listing\napps using `clisso apps ls`.\n\n## AWS STS Regional Endpoint\n\nAWS recommends using [regional STS endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html) instead of the default Global endpoint when requesting a token.\n\nTo use a regional endpoint, specify the region via the `global.aws-region` field in the config file. A per-app configuration using `apps.\u003capp\u003e.aws-region` is also possible.\n\n## YubiKey Autodetection\n\nYubiKey Autodetection is available for the OneLogin provider. To enable this feature, set the `global.autodetect-yubikey` field to `true`. Clisso will look at attached USB devices and automatically select the YubiKey as an MFA device if it is available. Only one YubiKey may be connected for this feature to work.\n\n## Caveats and Limitations\n\n- No support for Okta applications with MFA enabled **at the application level**.\n- YubiKey Autodetection is only available with the prebuilt binaries on these platforms:\n  - MacOS (ARM/x86)\n  - Linux (x86)\n  - Windows (x86)\n\n## Troubleshooting\n\n### Clisso is not working\n\nClisso logs to `stderr` by default. To enable more detailed logging, set the `--log-level` flag to `debug` or `trace`. With `trace` log level, sensitive information will be logged.\n\n### Creating a trace log\n\nIf you run into issues, you can create a trace log by setting the `--log-level` flag to `trace`. This will create a file called `.clisso.log` in your home directory. 
You can change the location of the log file by setting the `--log-file` flag. The example below will create a trace log in the current directory in\na file called `trace.log`.\n\n    clisso --log-level trace --log-file trace.log get my-app\n\nAlternatively, you can configure logging via the config file. The example below will create a trace log in your home directory in a file called `clisso.log`.\n\n```yaml\nglobal:\n  log:\n    level: trace\n    file: ~/clisso.log\n```\n\nWhen attaching the log file to an issue, please make sure to remove any sensitive information.\n\n### Storing passwords is not working\n\n`dbus: couldn't determine address of session bus` This behavior has been [observed][13] on Ubuntu 20.04 WSL.\nSimply running `sudo systemd-machine-id-setup` gets you past the initial missing machine id setup.\n\n`failed to unlock correct collection '/org/freedesktop/secrets/collection/login'`,\n`The name org.freedesktop.secrets was not provided by any .service files` Check that you have a working\nkeychain setup. On headless systems like WSL this might not be easy to achieve. Installing `gnome-keyring`\nalong with the proper DBus setup is required. During tests, adding the below to the `~/.bashrc` on Ubuntu 20.04 WSL\nwas enough.\n\n```bash\nif [ \"$DBUS_SESSION_BUS_ADDRESS\" = \"\" ]; then\n    exec dbus-run-session -- bash;\nelse\n    eval $(echo \"$(/lib/cryptsetup/askpass 'Password: ')\" | gnome-keyring-daemon --unlock);\nfi\n```\n\n## Contributing\n\nTODO\n\n## License\n\nThis code is released under the Mozilla Public License 2.0. 
Please see [LICENSE](LICENSE) and [NOTICE](NOTICE) for more details.\n\nCopyright \u0026copy; 2017-2023 AllCloud\n\n[1]: https://aws.amazon.com/\n[2]: https://www.onelogin.com/\n[3]: https://www.okta.com/\n[4]: https://github.com/allcloud-io/clisso/releases/latest\n[5]: https://github.com/golang/dep\n[6]: https://docs.aws.amazon.com/cli/latest/userguide/cli-config-files.html\n[7]: https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language\n[8]: https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials\n[9]: https://onelogin.service-now.com/support?id=kb_article\u0026sys_id=de999903db109700d5505eea4b961966\n[10]: https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html\n[11]: sample_config.yaml\n[12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session\n[13]: https://github.com/Versent/saml2aws/issues/436\n[14]: https://github.com/zalando/go-keyring/issues/48\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fallcloud-io%2Fclisso","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fallcloud-io%2Fclisso","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fallcloud-io%2Fclisso/lists"}