Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/synfinatic/aws-sso-cli
A powerful tool for using AWS Identity Center for the CLI and web console.
https://github.com/synfinatic/aws-sso-cli
aws aws-identity-center aws-sso cli credentials credentials-helper iam iam-role keychain security-tools temporary-credentials
Last synced: 3 months ago
JSON representation
A powerful tool for using AWS Identity Center for the CLI and web console.
- Host: GitHub
- URL: https://github.com/synfinatic/aws-sso-cli
- Owner: synfinatic
- License: gpl-3.0
- Created: 2021-05-15T03:36:13.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-07-30T10:20:14.000Z (3 months ago)
- Last Synced: 2024-07-31T07:11:58.042Z (3 months ago)
- Topics: aws, aws-identity-center, aws-sso, cli, credentials, credentials-helper, iam, iam-role, keychain, security-tools, temporary-credentials
- Language: Go
- Homepage: https://synfinatic.github.io/aws-sso-cli/
- Size: 3.64 MB
- Stars: 428
- Watchers: 8
- Forks: 51
- Open Issues: 36
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE.md
- Security: docs/security.md
Awesome Lists containing this project
README
# AWS SSO CLI
[](https://github.com/synfinatic/aws-sso-cli/actions/workflows/tests.yml)
[](https://github.com/synfinatic/aws-sso-cli/actions/workflows/codeql-analysis.yml)
[](https://github.com/synfinatic/aws-sso-cli/actions/workflows/golangci-lint.yaml)
[](https://goreportcard.com/report/github.com/synfinatic/aws-sso-cli)
[](https://raw.githubusercontent.com/synfinatic/aws-sso-cli/main/LICENSE.md)
[](https://codecov.io/gh/synfinatic/aws-sso-cli)
[](https://github.com/synfinatic/aws-sso-cli/actions/workflows/update-mkdocs.yaml)
[](https://github.com/synfinatic/aws-sso-cli/actions/workflows/build-release.yml)
[](https://github.com/synfinatic/aws-sso-cli/releases/)
[Documentation](https://synfinatic.github.io/aws-sso-cli/) |
[Demos](https://synfinatic.github.io/aws-sso-cli/latest/demos/) |
[ChangeLog](CHANGELOG.md)
## About
AWS SSO CLI is a secure replacement for using the [aws configure sso](
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html)
wizard with a focus on security and ease of use for organizations with
many AWS Accounts and/or users with many IAM Roles to assume. It shares
a lot in common with [aws-vault](https://github.com/99designs/aws-vault),
but is more focused on the AWS IAM Identity Center use case instead
of static API credentials.
AWS SSO CLI requires your AWS account(s) to be setup with [AWS IAM Identity Center](
https://aws.amazon.com/iam/identity-center/), which was previously known as AWS Single Sign-On.
If your organization is using the older SAML integration (typically you will
have multiple tiles in OneLogin/Okta) then this won't work for you.
AWS SSO CLI focuses on making it easy to select a role via CLI arguments or
via an interactive auto-complete experience with both automatic and user-defined
metadata (tags) and exports the necessary [AWS STS Token credentials](
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#using-temp-creds-sdk-cli)
to your shell environment in a variety of ways. It even supports sharing
credentials via the [AWS ECS Task IAM Role](https://synfinatic.github.io/aws-sso-cli/latest/ecs-server/).
As part of the goal of improving the end-user experience with AWS SSO, it also
supports using [multiple AWS Web Console sessions](https://synfinatic.github.io/aws-sso-cli/latest/quickstart/#aws-console-access)
and many other quality of life improvements!
## Key Features
* Enhanced security over stock AWS tooling
* Auto-discover your AWS SSO roles and [manage](https://synfinatic.github.io/aws-sso-cli/latest/commands/#config)
your `~/.aws/config` file
* Support selecting an IAM role via `$AWS_PROFILE`, CLI (with auto-completion)
or interactive search
* Ability to select roles based on [user-defined](https://synfinatic.github.io/aws-sso-cli/latest/config/#tags)
and auto-discovered tags
* Support for [multiple active AWS Console sessions](https://synfinatic.github.io/aws-sso-cli/latest/quickstart/#aws-console-access)
* Guided setup to help you configure `aws-sso` the first time you run
* Advanced configuration available to [adjust colors](https://synfinatic.github.io/aws-sso-cli/latest/config/#PromptColors)
and generate [named profiles via templates](https://synfinatic.github.io/aws-sso-cli/latest/config/#ProfileFormat)
* Easily see how much longer your STS credentials [are valid for](https://synfinatic.github.io/aws-sso-cli/latest/commands/#time)
* Written in GoLang, so only need to install a single binary (no dependencies)
* Supports Linux, MacOS, and Windows
## Security
Unlike the official [AWS cli tooling](https://aws.amazon.com/cli/), _all_
authentication tokens and credentials used for accessing AWS and your SSO
provider are encrypted on disk using your choice of secure storage solution.
All encryption is handled by the [99designs/keyring](https://github.com/99designs/keyring)
library which is also used by [aws-vault](https://github.com/99designs/aws-vault).
Credentials encrypted by `aws-sso` and not via the standard AWS CLI tool:
* AWS SSO ClientID/ClientSecret -- `~/.aws/sso/cache/botocore-client-id-.json`
* AWS SSO AccessToken -- `~/.aws/sso/cache/.json`
* AWS Profile Access Credentials -- `~/.aws/cli/cache/.json`
As you can see, not only does the standard AWS CLI tool expose the temporary
AWS access credentials to your IAM roles, but more importantly the SSO
AccessToken which can be used to fetch IAM credentials for any role you have
been granted access!