aws-cli
Allow configuring sso-session settings non-interactively
Describe the feature
As mentioned in this comment, you cannot use `aws configure set` to set `sso-session` parameters in the AWS config file.
The CLI should provide a mechanism to non-interactively set these values.
Use Case
I'm trying to set up command line tools for multiple users in an organization, making it easy to use AWS SSO for their tooling. I would like to be able to give them a script to run to add SSO config to their config files vs manual instructions.
Proposed Solution
Update `aws configure` to work with `sso-session` prefixes like this:
aws configure set sso-session.session-name.sso_region eu-west-1
(As shown by @ezzatron in https://github.com/aws/aws-cli/pull/7364#issuecomment-1329854689).
Alternatively, update `aws configure sso-session` to allow non-interactive operation by allowing flags instead of passing in values interactively (this might make sense as a separate issue)
Other Information
No response
Acknowledgements
- [ ] I may be able to implement this feature request
- [ ] This feature might incur a breaking change
CLI version used
2.9.6
Environment details (OS name and version, etc.)
Mac OS Ventura
Thanks for creating this feature request, I could see how it would be helpful to have this functionality. I'll mark this issue for further review by the team, and in the meantime others can add a 👍 to this issue or comment here to share any more details on use cases.
@tim-finnigan Any updates on when the team will be able to review the PR?
Just bumping this to mention there's a PR open to resolve this coming up on a year open without review: https://github.com/aws/aws-cli/pull/7847
Also very interested in the functionality described here and implemented in #7847
Dear AWS, with all due respect, this is "must have" for a large organization that wants to automate onboarding CLI users to https://aws.amazon.com/iam/identity-center/
Meanwhile, I suppose we can use workarounds like `$AWS_CONFIG_FILE` or https://github.com/pixelb/crudini. But feels grodo.
> Meanwhile, I suppose we can use workarounds like `$AWS_CONFIG_FILE` or https://github.com/pixelb/crudini. But feels grodo.
I wound up implementing the missing features with `crudini`. In addition to Identity Center, I needed to support a `--legacy` option to use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
My implementation was to delete any `[profile {PROFILE}]` or `[sso-session {SESSION}]` sections from `~/.aws/config` and then create only the sections needed for Identity Center vs `--legacy` -- making it easy to switch between both options.
1. When deleting a section, I used `crudini --del {SECTION}`
2. When creating `[profile {PROFILE}]`, I used `aws configure set`.
3. When creating `[sso-session {SESSION}]`, I used `crudini --set`
Therefore:
- This PR would handle requirement 3
- The addition of `aws configure unset {SECTION} [{KEY}] [{VALUE}]` would handle requirement 1 and keep me entirely in the realm of `aws configure`
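The delete-then-recreate approach described in the comment above, as an added example that is not part of the original thread or of aws-cli. It uses Python's `configparser` in place of `crudini`; the function name `write_sso_config`, the `corp` and `dev` names, the account ID and the role name are assumptions.

```python
import configparser
import os
import tempfile


def write_sso_config(path, session, profile, sso, prof):
    """Recreate [sso-session SESSION] and [profile PROFILE]; keep other sections."""
    cfg = configparser.RawConfigParser()
    cfg.optionxform = str            # keep key case exactly as written
    cfg.read(path)                   # a missing file is treated as empty
    # Note: configparser does not preserve comments when the file is rewritten.
    for section, values in ((f"sso-session {session}", sso),
                            (f"profile {profile}", prof)):
        cfg.remove_section(section)  # drop stale keys left by an earlier setup
        cfg.add_section(section)
        for key, value in values.items():
            cfg.set(section, key, value)
    directory = os.path.dirname(os.path.abspath(path))
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory)  # created with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            cfg.write(fh)
        os.replace(tmp, path)        # atomic swap: readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise
    return cfg


if __name__ == "__main__":
    # Constructed sample values; written to a scratch directory, not ~/.aws/config.
    target = os.path.join(tempfile.mkdtemp(), "config")
    write_sso_config(
        target, "corp", "dev",
        {"sso_start_url": "https://sso-alias.awsapps.com/start",
         "sso_region": "us-east-1",
         "sso_registration_scopes": "sso:account:access"},
        {"sso_session": "corp",
         "sso_account_id": "111122223333",   # placeholder account ID
         "sso_role_name": "ReadOnly",        # hypothetical role name
         "region": "us-east-1"},
    )
    with open(target) as fh:
        print(fh.read())
```

Pointing `path` at the file named by `$AWS_CONFIG_FILE` lets the same function serve the workaround mentioned earlier in the thread.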
Thanks. Not so grodo after all.
I was able to automate the setup using a shell script like:
echo "sso-session-name
https://sso-alias.awsapps.com/start
us-east-1
sso:account:access" | aws configure sso-session
However, would be nice to have the option to either set the variables using `aws configure` or passing it as parameter to the `aws configure sso-session` command
I wrote a script to configure all AWS IAM Identity Center (SSO) accounts and roles automatically. It requires AWS CLI v2 and jq. Download the `aws_configure_all_sso.sh` script here: https://codeberg.org/dedevsecops/aws
Needing to do something similar to @evanstucker-hates-2fa to get a fairly simple non-interactive setup that isn't full of traps and annoyances for new users. Primarily need to be able to generate a profile with a known name that can be referenced from makefile. The current tool makes this obnoxiously hard. In particular no easy way to get the `sso_account_id` other than digging around for access token in cache and hitting API as above.