{"id":22180763,"url":"https://github.com/jftuga/aws-sso-util-next","last_synced_at":"2025-03-24T19:15:42.723Z","repository":{"id":117698604,"uuid":"479335320","full_name":"jftuga/aws-sso-util-next","owner":"jftuga","description":"the benkehoe/aws-sso-util project but with GitHub Actions","archived":false,"fork":false,"pushed_at":"2022-04-08T10:35:53.000Z","size":130,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-29T23:30:01.158Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jftuga.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-04-08T09:53:28.000Z","updated_at":"2022-05-06T12:50:02.000Z","dependencies_parsed_at":null,"dependency_job_id":"295f953e-0fa5-496d-b261-7aa12522a11d","html_url":"https://github.com/jftuga/aws-sso-util-next","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jftuga%2Faws-sso-util-next","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jftuga%2Faws-sso-util-next/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jftuga%2Faws-sso-util-next/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jftuga%2Faws-sso-util-next/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jftuga","download_url":
"https://codeload.github.com/jftuga/aws-sso-util-next/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245334899,"owners_count":20598386,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-02T09:19:34.734Z","updated_at":"2025-03-24T19:15:42.692Z","avatar_url":"https://github.com/jftuga.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# aws-sso-util\n## Making life with AWS SSO a little easier\n\n[AWS SSO](https://aws.amazon.com/single-sign-on/) has some rough edges, and `aws-sso-util` is here to smooth them out, hopefully temporarily until AWS makes it better.\n\nYou can read a primer on AWS SSO [here](docs/primer.md).\n\n`aws-sso-util` contains utilities for the following:\n* Configuring `.aws/config`\n* Logging in/out\n* AWS SDK support\n* Looking up identifiers\n* CloudFormation\n\n`aws-sso-util` supersedes `aws-sso-credential-process`, which is still available in its original form [here](https://github.com/benkehoe/aws-sso-credential-process).\nRead the updated docs for `aws-sso-util credential-process` [here](docs/credential-process.md).\n\n## Programmatic interaction with AWS SSO\n\n`aws-sso-util` provides command-line utilities. The underlying Python library for AWS SSO authentication is [`aws-sso-lib`](lib/README.md), which has useful functions like interactive login, creating a boto3 session for a specific account and role, and the programmatic versions of the `lookup` functions in `aws-sso-util`. 
See the documentation [here](lib/README.md).\n\n## Quickstart\n\n0. It's a good idea to [install the AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) (which has AWS SSO support).\n\n1. I recommend you install [`pipx`](https://pipxproject.github.io/pipx/), which installs the tool in an isolated virtualenv while linking the script you need.\n\nMac [and Linux](https://docs.brew.sh/Homebrew-on-Linux):\n```bash\nbrew install pipx\npipx ensurepath\n```\n\nOther:\n```bash\npython3 -m pip install --user pipx\npython3 -m pipx ensurepath\n```\n\n2. Install\n```bash\npipx install aws-sso-util\n```\n\n3. Learn\n```bash\naws-sso-util --help\n```\n\n4. Autocomplete\n\n`aws-sso-util` uses [click](https://click.palletsprojects.com/en/7.x/), which supports autocompletion.\nThe details of enabling shell completion with click vary by shell ([instructions here](https://click.palletsprojects.com/en/7.x/bashcomplete/)), but here is an example for `.bashrc` that updates the completion script in the background.\n\n```bash\n_AWS_SSO_UTIL_COMPLETE_SCRIPT_DIR=~/.local/share/aws-sso-util\n_AWS_SSO_UTIL_COMPLETE_SCRIPT=$_AWS_SSO_UTIL_COMPLETE_SCRIPT_DIR/complete.sh\nif which aws-sso-util \u003e /dev/null; then\n  mkdir -p $_AWS_SSO_UTIL_COMPLETE_SCRIPT_DIR\n  ({ _AWS_SSO_UTIL_COMPLETE=source_bash aws-sso-util \u003e $_AWS_SSO_UTIL_COMPLETE_SCRIPT.tmp ;\n    mv $_AWS_SSO_UTIL_COMPLETE_SCRIPT.tmp $_AWS_SSO_UTIL_COMPLETE_SCRIPT; } \u0026)\n  if [ -f $_AWS_SSO_UTIL_COMPLETE_SCRIPT ]; then\n    source $_AWS_SSO_UTIL_COMPLETE_SCRIPT\n  fi\nfi\n```\n\n## Configuring `.aws/config`\n\nRead the full docs for `aws-sso-util configure` and `aws-sso-util roles` [here](docs/configure.md).\n\nThe AWS CLI and most AWS SDKs support AWS SSO configuration in `~/.aws/config`; each profile specifies the account and SSO role to use.\nA profile configured for AWS SSO looks like this:\n\n```ini\n[profile my-sso-profile]\nsso_start_url = https://example.awsapps.com/start\nsso_region = 
us-east-1 # the region AWS SSO is configured in\nsso_account_id = 123456789012\nsso_role_name = MyRoleName\nregion = us-east-2 # the region to use for AWS API calls\n```\n\nYou can view the roles you have available to you with `aws-sso-util roles`, which you can use to configure your profiles in [`~/.aws/config`](https://ben11kehoe.medium.com/aws-configuration-files-explained-9a7ea7a5b42e), or you can use `aws configure sso` in the AWS CLI v2, but `aws-sso-util` also provides functionality to directly configure profiles for you.\n\n`aws-sso-util configure` has two subcommands, `aws-sso-util configure profile` for configuring a single profile, and `aws-sso-util configure populate` to add _all_ your permissions as profiles, in whatever region(s) you want (with highly configurable profile names).\n\nYou probably want to set the environment variables `AWS_DEFAULT_SSO_START_URL` and `AWS_DEFAULT_SSO_REGION`, which will inform these commands of your start url and SSO region (that is, the region that you've configured AWS SSO in), so that you don't have to pass them in as parameters every time.\n\n`aws-sso-util configure profile` takes a profile name and prompts you with the accounts and roles you have access to, to configure that profile.\n\n`aws-sso-util configure populate` takes one or more regions, and generates a profile for each account+role+region combination.\nThe profile names are completely customizable.\n\n## Logging in and out\n\nRead the full docs for `aws-sso-util login` and `aws-sso-util logout` [here](docs/login.md).\n\nA problem with [`aws sso login`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso/login.html) is that it's required to operate on a profile, that is, you have to tell it to log in to AWS SSO *plus some account and role.*\nBut the whole point of AWS SSO is that you log in once for *many* accounts and roles.\nYou could have a particular account and role set up in your default profile, but I prefer not to have a default 
profile so that I'm always explicitly selecting a profile and never accidentally end up in the default by mistake.\n`aws-sso-util login` solves this problem by letting you *just log in* without having to think about where you'll be using those credentials.\n\n## Running one-off commands as a specific account and role\n\nRead the full docs for `aws-sso-util run-as` [here](docs/run-as.md).\n\nIn general, in the AWS SSO world, you shouldn't be trying to manually set credentials in an environment, nor thinking about \"logging in\" to a particular account and role.\nYou log in to *AWS SSO* once, and then *use* accounts and roles with that session.\nYou should orient yourself around configuration profiles—use [`aws-sso-util configure populate`](configure.md) to set up profiles for every account and role you have access to, and then use either the `--profile` argument to tell a command to use a specific profile, or set the `AWS_PROFILE` environment variable to have all commands in your shell use a particular profile unless they are told otherwise ([here's a shell function to help manage that env var](https://gist.github.com/benkehoe/0d2985e56059437e489314d021be3fbe)).\n\nHowever, there are times when it's useful to be able to run a command as a specific account and role, without needing a profile configured for it—or without knowing the profile name corresponding to the account and role.\nFor this purpose, there's `aws-sso-util run-as`.\nThink of it as the shell equivalent to [`aws_sso_lib.get_boto3_session()`](lib/README.md#get_boto3_session).\n\n## Opening the AWS console in a browser\n\n\u003e :warning: This feature is in beta and is subject to change without a compatibility version bump.\n\nRead the full docs for `aws-sso-util console` [here](docs/console.md).\n\nYou can open the AWS console in the browser for a given account and role with `aws-sso-util console`, including going to a specific page in the console.\nThis uses the [federated 
sign-in](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) process.\nIt also allows for the launch configuration to be packaged up as a token, which makes it easier to share between users.\n\n## Debugging issues\n\nRead the full docs for `aws-sso-util check` [here](docs/check.md).\n\n`aws-sso-util check` helps diagnose configuration and access issues.\nIt can be used to help administrators debug user issues, or as validation in shell scripting.\nIt validates that `aws-sso-util` can find an AWS SSO instance configuration, and additionally whether the user has access to a particular account and/or role.\n\n## Adding AWS SSO support to AWS SDKs\n\nThe credential process is added automatically (by default) by the `aws-sso-util configure` commands; you only need to read this section if you're not using that or want to understand it more fully.\nRead the full docs for `aws-sso-util credential-process` [here](docs/credential-process.md).\n\nNot all AWS SDKs have support for AWS SSO (which will change eventually).\nHowever, they all have support for `credential_process`, which allows an external process to provide credentials.\n`aws-sso-util credential-process` uses this to allow these SDKs to get credentials from AWS SSO.\n\nNOTE: if you test it out with your favorite script or application and get something like `NoCredentialProviders: no valid providers in chain.`, you may need to set the environment variable `AWS_SDK_LOAD_CONFIG=1`\n\n## Administrators: Looking up identifiers and assignments\n\nRead the full docs for `aws-sso-util admin lookup` and `aws-sso-util admin assignments` [here](docs/lookup.md).\n\nWhen you're creating assignments through the API or CloudFormation, you're required to use identifiers like the instance ARN, the principal ID, etc.\nThese identifiers aren't readily available through the console, and the principal IDs are not the IDs you're familiar with.\n`aws-sso-util admin lookup` allows you to 
get these identifiers, even en masse.\n\nThere is no simple API for retrieving all assignments or even a decent subset.\nThe current best you can do is [list all the users with a particular PermissionSet on a particular account](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignments.html).\n`aws-sso-util admin assignments` takes the effort out of looping over the necessary APIs.\n\n## Administrators: CloudFormation support\n\nYou'll want to read the full docs [here](docs/cloudformation.md).\n\nAWS SSO's CloudFormation support currently only includes [`AWS::SSO::Assignment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-assignment.html), which means for every combination of principal (group or user), permission set, and target (AWS account), you need a separate CloudFormation resource.\nAdditionally, AWS SSO does not support OUs as targets, so you need to specify every account separately.\n\nObviously, this gets verbose, and even an organization of moderate size is likely to have tens of thousands of assignments.\n`aws-sso-util admin cfn` provides two mechanisms to make this concise.\n\nI look forward to discarding this part of the tool once there are two prerequisites:\n1. OUs as targets for assignments\n2. 
An `AWS::SSO::AssignmentGroup` resource that allows specifications of multiple principals, permission sets, and targets, and performs the combinatorics directly.\n\n### CloudFormation Macro\n`aws-sso-util` defines a resource format for an AssignmentGroup that is a combination of multiple principals, permission sets, and targets, and provides a CloudFormation Macro you can deploy that lets you use this resource in your templates.\n\n### Client-side generation\n\nI am against client-side generation of CloudFormation templates, but if you don't want to trust this 3rd party macro, you can generate the CloudFormation templates directly.\n\n`aws-sso-util admin cfn` takes one or more input files, and for each input file, generates a CloudFormation template and potentially one or more child templates.\nThese templates can then be packaged and uploaded using [`aws cloudformation package`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudformation/package.html) or [the SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html), for example.\n\nThe input files can either be templates using the Macro (using the `--macro` flag), or somewhat simpler configuration files using a different syntax.\nThese configuration files can define permission sets inline, have references that turn into template parameters, and you can provide a base template that the resulting resources are layered on top of.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjftuga%2Faws-sso-util-next","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjftuga%2Faws-sso-util-next","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjftuga%2Faws-sso-util-next/lists"}