Provide way to get current credentials (AWS SDKs do not support SSO) #5261
Comments
This is an important feature, please prioritize it. Many of the AWS SDKs do not work with SSO forcing a workaround. Most SDKs do support external credential_process handlers via configuration profile. It would be great if
Format for credential helpers to export: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
Example of a 3rd party tool, which also has a list of other tools on its README: https://github.com/victorskl/yawsso

Are there any updates on this feature request?

In the meantime, aws-vault v6+ is a nice solution to circumvent this issue in your local environment.

I've created an npm package for updating the credentials from the command line for any users out there running node: https://github.com/ryansonshine/aws-sso-creds-helper

I've also written a utility in Python that supports AWS SSO credentials: https://github.com/benkehoe/aws-export-credentials

On the CDK repo they recommend the following wrapper: https://pypi.org/project/aws2-wrap/

Please, please fix this.

The solution from @m4dc4p has the added benefit of working well with tools like

Unfortunately, this is a blocker for moving to SSO for my organization. Sad to see it's been 2 years since the issue was brought up. Is there any significant movement or news on this?
SSO support is nearly universal across AWS SDKs today. As of now, all AWS SDKs except C++ support the credentials from SSO login. You can read more about the feature and support across AWS SDKs here:
I've made a couple of posts in a related issue. Specifically these two comments:
I also note here that exporting credentials of various types remains a desirable feature for users that we should explore further:
I don't have a timeline on when we would have something implemented at this time.

Since my team and I needed this sooner than the merged PR (which I am glad to see in motion), here is my shell function:
Thanks @TechIsCool, that function was extremely helpful. I had to make just a few changes to make it work for me, since I swap between SSO orgs, and some profiles didn't have regions, so I defaulted

```bash
aws-sso-creds() {
  local account_id role_name access_token region
  account_id="$(aws configure get sso_account_id --profile "${AWS_PROFILE}")"
  role_name="$(aws configure get sso_role_name --profile "${AWS_PROFILE}")"
  region="$(aws configure get region --profile "${AWS_PROFILE}")"
  # Pick the most recently changed SSO cache file (ls -ct sorts by ctime, newest first,
  # on both GNU and BSD/macOS), skip botocore's client-registration entries,
  # and read its access token.
  access_token="$( \
    \ls -ct "${HOME}/.aws/sso/cache/" | grep -v botocore \
    | head -n1 \
    | xargs -I{} jq -r .accessToken "${HOME}/.aws/sso/cache/{}"
  )"
  # Exchange the SSO access token for short-lived role credentials and print them as exports
  aws sso get-role-credentials \
    --account-id "${account_id}" \
    --role-name "${role_name}" \
    --region "${region:-us-east-1}" \
    --access-token "${access_token}" \
    --no-sign-request \
    --output json \
    | jq -r '.roleCredentials |
      {
        "AWS_ACCESS_KEY_ID": .accessKeyId,
        "AWS_SECRET_ACCESS_KEY": .secretAccessKey,
        "AWS_SESSION_TOKEN": .sessionToken,
        "AWS_CREDENTIALS_EXPIRATION": (.expiration / 1000 | todate)
      } | keys[] as $k | "export \($k)=\(.[$k])"'
}
```

Edited: Made my first version OSX compatible
Based on the examples above, my version initializes AWS env vars using the .aws/sso and .aws/cli caches. It requires good profiles defined in the .aws/config file. Compatible with both Zsh and Bash. Source this file from your login profile (.zprofile or .bash_profile) or directly from the shell: Switch between profiles by exporting AWS_PROFILE with a new value and sourcing this script again.
Save that as
Love all the script sharing here. I used @datfinesoul's as a base, but I wanted to have more confidence finding the SSO cache file instead of using the first found token. The SSO cache file name is a

This does not automatically set the environment variables. It just outputs the export statements.

```bash
aws_creds() {
  local profile="${1:-${AWS_PROFILE}}"
  local account_id="$(aws configure get sso_account_id --profile "${profile}")" \
    role_name="$(aws configure get sso_role_name --profile "${profile}")" \
    region="$(aws configure get region --profile "${profile}")" \
    start_url="$(aws configure get sso_start_url --profile "${profile}")"
  # Errors go to stderr and use `return`, so `eval "$(aws_creds)"` neither evaluates the
  # message text nor kills the calling shell.
  if [ -z "$start_url" ] ; then
    echo "did not find sso_start_url in profile ${profile}" >&2
    return 1
  fi
  # The CLI names the cache file after the SHA-1 of the start URL, so derive it rather than guess.
  local cache_file="${HOME}/.aws/sso/cache/$(echo -n "$start_url" | sha1sum | awk '{print $1}').json"
  if [ ! -f "$cache_file" ] ; then
    echo "sso creds not found. are you logged into AWS SSO?" >&2
    echo >&2
    echo "aws sso login --profile \"${profile}\"" >&2
    return 1
  fi
  local access_token
  access_token="$(jq -r .accessToken "${cache_file}")"
  aws sso get-role-credentials \
    --account-id "${account_id}" \
    --role-name "${role_name}" \
    --region "${region:-us-east-1}" \
    --access-token "${access_token}" \
    --no-sign-request \
    --output json \
    | jq -r '.roleCredentials |
      {
        "AWS_ACCESS_KEY_ID": .accessKeyId,
        "AWS_SECRET_ACCESS_KEY": .secretAccessKey,
        "AWS_SESSION_TOKEN": .sessionToken,
        "AWS_CREDENTIALS_EXPIRATION": (.expiration / 1000 | todate)
      } | keys[] as $k | "export \($k)=\(.[$k])"'
}
```
@jsifuentes - I am not sure if this is right...
The code you link to is a great find, I don't want to take away from that. But shouldn't you be doing Anyway, I tried the following...
Once I find a solution for this, I'll post here. But you can verify the results fairly easily using this recipe

Hi @vnagendra, I'm not sure I understand your question about the UTF-8 encoding. I don't think it's applicable in this case. Make sure you don't forget to include Hope that helps.

@jsifuentes, thanks for your help! Using your script as a base, this is what I did. My specific use case was that there were a couple of Terraform modules. I wanted to upgrade them one by one to the latest version of Terraform. The latest version supports AWS SSO credentials; the older versions don't. I've always used direnv for managing a bunch of environment variables. So I used the following script inside the
Please note, if you use this trick -- you must have the "function aws_sso()" declared inside that specific
With this setup, it was fairly simple...
This PR builds on the interface proposed in aws#6808 and implements the additional features proposed in aws#7388. From the original PRs, the additional features are:

* Added support for an explicit `--format` arg to control the output format.
* Add support for env vars, powershell/windows vars, and a JSON format that enables this command to be used as a `credential_process`.
* Detect, and prevent, infinite recursion when the credential process resolution results in the CLI calling itself with the same command.

Closes aws#7388
Closes aws#5261
The code examples above work by mutating the AWS environment variables. This can be problematic if you're using multiple environments. I altered a previous script to instead dump credentials into the credentials file. Now I can sso into multiple profiles. I use this to run it:

I think this can now be closed as #7398 was merged. Please refer to this documentation for
For AWS CLI > 2.13.5, which uses sso-session sections in the configuration file, you need to change the SHA1 source to:

```bash
...
local sso_session="$(aws configure get sso_session --profile "${profile}")"
...
local cache_file="${HOME}/.aws/sso/cache/$(echo -n "$sso_session" | sha1sum | awk '{print $1}').json"
```
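Tying the pieces from this thread together, here is an added example (not code from the CLI project or from any commenter) of a `credential_process` helper in Python: it derives the cache file from `sso_session` (CLI >= 2.13.5) or, for legacy profiles, `sso_start_url`, refuses a cached token whose `expiresAt` has passed, calls `aws sso get-role-credentials`, and prints the Version 1 JSON described in the credential_process docs linked earlier. It assumes the `aws` CLI is on PATH and that a profile using `sso_session` has a matching `[sso-session <name>]` section carrying `sso_region`.

```python
"""credential_process helper for AWS SSO profiles. Added example, not from the thread or the
CLI project; it mirrors the shell functions posted above and emits credential_process JSON."""
import configparser, hashlib, json, os, subprocess, sys
from datetime import datetime, timezone
from pathlib import Path

def sso_cache_path(profile: dict, home: str = str(Path.home())) -> Path:
    # CLI >= 2.13.5 keys the cache file on the sso_session name; legacy profiles use sso_start_url.
    key = profile.get("sso_session") or profile["sso_start_url"]
    return Path(home) / ".aws" / "sso" / "cache" / (hashlib.sha1(key.encode()).hexdigest() + ".json")

def token_is_valid(cache: dict, now=None) -> bool:
    # Cache files carry an ISO-8601 expiresAt; missing or expired means run `aws sso login` again.
    expires = cache.get("expiresAt")
    return bool(expires) and datetime.fromisoformat(expires.replace("Z", "+00:00")) > (now or datetime.now(timezone.utc))

def to_credential_process(role_creds: dict) -> dict:
    # get-role-credentials reports expiration in epoch milliseconds; credential_process wants ISO 8601.
    exp = datetime.fromtimestamp(role_creds["expiration"] / 1000, tz=timezone.utc)
    return {"Version": 1, "AccessKeyId": role_creds["accessKeyId"],
            "SecretAccessKey": role_creds["secretAccessKey"], "SessionToken": role_creds["sessionToken"],
            "Expiration": exp.strftime("%Y-%m-%dT%H:%M:%SZ")}

def load_profile(name: str, config_path: str = str(Path.home() / ".aws" / "config")) -> dict:
    cp = configparser.ConfigParser()
    cp.read(config_path)
    prof = dict(cp["default" if name == "default" else f"profile {name}"])
    if "sso_session" in prof:  # assumed layout: sso-session profiles keep sso_start_url/sso_region in their own section
        for k, v in cp[f"sso-session {prof['sso_session']}"].items():
            prof.setdefault(k, v)
    return prof

def main() -> int:
    name = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("AWS_PROFILE", "default")
    prof = load_profile(name)
    cache_file = sso_cache_path(prof)
    cache = json.loads(cache_file.read_text()) if cache_file.is_file() else {}
    if not token_is_valid(cache):
        print(f"no valid SSO token for {name}; run: aws sso login --profile {name}", file=sys.stderr)
        return 1
    out = subprocess.run(["aws", "sso", "get-role-credentials", "--account-id", prof["sso_account_id"],
                          "--role-name", prof["sso_role_name"], "--access-token", cache["accessToken"],
                          "--region", prof.get("sso_region") or prof.get("region", "us-east-1"),
                          "--no-sign-request", "--output", "json"], check=True, capture_output=True, text=True)
    print(json.dumps(to_credential_process(json.loads(out.stdout)["roleCredentials"])))
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Point a profile's `credential_process` at this script and the SDKs that honour that setting receive the same short-lived role credentials the CLI uses, with nothing written to the environment or the shared credentials file.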
My team has set up AWS SSO and is starting to use `aws sso login` for most of their needs. Everything is working smoothly. However, it appears that AWS SDKs (e.g. Golang apps that call AWS APIs) do not support reading the temporary SSO credentials stored in `~/.aws/cli/cache` / `~/.aws/sso/cache`. (See aws/aws-sdk-go#3186.) And as a result, my team is blocked from adopting AWS SSO because it only works with the AWS CLI but none of our existing tools.

Ideally, the various language-specific AWS SDKs would be able to pick up on the current AWS SSO credentials seamlessly, honoring the `AWS_PROFILE` or `AWS_DEFAULT_PROFILE` environment variables and using the same credential lookup algorithm as the CLI. (I assume that's on the roadmap eventually.) However, getting that change fixed across all of the AWS SDKs, as well as upstreamed into tools that rely on them, will take a long time. And it would be nice to unblock my team until then so they can just rely on `aws sso login`.

I can see the credential files on my local disk, e.g. `~/.aws/sso/cache/61368d38a2497e42a24a243072108001849d0b07.json`. But it isn't clear how to map the current set of environment variables to which JSON file to load. Could the CLI support some way of returning whatever credentials it is using? e.g.

I don't know if there is a better approach here, as I do not know the specific differences between credential resolution in the AWS CLI vs. AWS SDKs. But hopefully there is some sort of workaround to make this scenario work?