
Add --use-device-code as an option in config

Open anthonyma94 opened this issue 1 year ago • 7 comments

Describe the feature

In order to use aws sso login on non-local computers, you have to pass in --use-device-code. This should be an option as users who need to use the option will presumably always need to. Adding an option in the config as a convenience will be helpful.

Use Case

Having to always add the flag when logging in is annoying.

Proposed Solution

Add a login type in config:

[sso-session default]
...
login_type = device | pkce

Other Information

No response

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

CLI version used

2.22.2

Environment details (OS name and version, etc.)

Ubuntu 24.04

anthonyma94 avatar Nov 22 '24 13:11 anthonyma94

We intentionally started with just --use-device-code. Our thinking was to shift usage to the newly recommended authorization code flow by requiring a more explicit intent to fall back rather than setting it once.

But I understand that can be frequent on non-local computers. We'll gather interest via this issue for a profile option.

ashovlin avatar Nov 25 '24 20:11 ashovlin

I have just run into this issue. I have a workflow where aws-cli is part of a docker container. The new PKCE-based Authorization flow doesn't work at all in that context. First: it can't open a browser from within the container. Second: when I copy the URL into my local browser, I then authorize the connection and I get redirected to an error page because whoever is listening for that redirect is not on the local machine. I need to start a new remote-shell, execute an additional bash process within the same container and curl the redirect url so that the login flow can resume correctly. So overall, --use-device-code is unavoidable in this flow, and having it as part of the saved profile would help a lot.

Dalzhim avatar Dec 05 '24 16:12 Dalzhim

In a related issue, it seems we cannot use --use-device-code when running aws configure sso which I was going to instruct users to run for the first time to set up their config. However, when running aws configure sso it assumes it will run in a same-device context, and has to use the 127.0.0.1 callback URL which will result in an error screen.

Please also support --use-device-code with aws configure sso wizard.

EDIT: fixed in later package version!

michaelbutleridt avatar Dec 11 '24 22:12 michaelbutleridt

@michaelbutleridt: aws configure sso --use-device-code is working fine on my end, it might be an unrelated issue (using aws-cli/2.22.10 Python/3.12.6 Linux/6.8.0-47-generic exe/aarch64.ubuntu.22).

Dalzhim avatar Dec 12 '24 15:12 Dalzhim

@Dalzhim - the Docker anecdote is helpful for prioritization, thanks for writing that up.

@michaelbutleridt - --use-device-code for aws configure sso wasn't working at launch (2.22.0), but should be working in 2.22.2 or greater now. Let us know your --version value if you're still seeing issues.

ashovlin avatar Dec 12 '24 19:12 ashovlin

I have aws-cli/2.22.14 Python/3.12.6 Linux/6.8.0-1018-aws exe/x86_64.ubuntu.22 (Ubuntu 22.04 with awscli Snap package) and indeed it is working now. Thanks again!

michaelbutleridt avatar Dec 12 '24 20:12 michaelbutleridt

Being able to automatically have --use-device-code for configure sso and sso login would greatly benefit those working on remote shell sessions.

psantus avatar Mar 29 '25 06:03 psantus

Hello, I am experiencing this issue as well, in a similar situation as Dalzhim (https://github.com/aws/aws-cli/issues/9098#issuecomment-2520870754): I am running AWS CLI in a docker container (which is also configured to run in some VPN networks to access private servers) and my browser is running in a completely different environment. Adding --use-device-code fixed my workflow.

Anyway, I would like to express a slightly different feature request. When using aws sso login --no-browser and copying the URL to my browser, my browser proceeds with the authentication and tries to access http://127.0.0.1:46375/oauth/callback?code=eyJ...&state=.... Would it be possible to copy-paste this response URL to the waiting AWS CLI command?

Said differently, right now the terminal user experience is:

$ aws sso login --no-browser --sso-session mysession
Browser will not be automatically opened.
Please visit the following URL:

https://oidc.us-west-1.amazonaws.com/authorize?response_type=code&client_id=...&redirect_uri=http%3A%2F%2F127.0.0.1%3A46375%2Foauth%2Fcallback&...

It would be nice if it was possible to paste in this terminal the http://127.0.0.1:46375/oauth/callback?... URL that the browser cannot access (and make AWS CLI decode the URL parameters, instead of spawning a local HTTP server waiting for local connections).

What do you think?

niooss-ledger avatar Jun 27 '25 09:06 niooss-ledger
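One way the "paste the callback URL back into the terminal" idea above could be validated on the CLI side, as an added example that is not aws-cli's own code: the authorize URL, client id and state value below are constructed placeholders in the shape shown in the comment, and the check enforces that the pasted URL matches the advertised redirect_uri and carries the state this login attempt generated before any code is accepted.

```python
"""Parse an OAuth 2.0 authorization-code callback URL pasted by the user
instead of being received by a local HTTP listener on 127.0.0.1.

Added example, not aws-cli code. AUTHORIZE_URL is a constructed sample
mirroring the shape printed by `aws sso login --no-browser`."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the authorize URL the CLI printed for this attempt.
AUTHORIZE_URL = (
    "https://oidc.us-west-1.amazonaws.com/authorize?response_type=code"
    "&client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=http%3A%2F%2F127.0.0.1%3A46375%2Foauth%2Fcallback"
    "&state=abc123&code_challenge=EXAMPLE_CHALLENGE&code_challenge_method=S256"
)


def expected_redirect(authorize_url: str) -> tuple:
    """Return (redirect_uri, state) that the CLI itself placed in the
    authorize URL; parse_qs percent-decodes the values."""
    q = parse_qs(urlsplit(authorize_url).query, strict_parsing=True)
    return q["redirect_uri"][0], q["state"][0]


def parse_callback(pasted: str, redirect_uri: str, expected_state: str) -> str:
    """Validate a pasted callback URL and return the authorization code.

    Raises ValueError on any mismatch; the caller should abandon this
    login attempt (and its state) rather than retry with the same values."""
    cb = urlsplit(pasted.strip())
    want = urlsplit(redirect_uri)
    # Scheme, host:port and path must equal the registered redirect_uri, so a
    # URL copied from an unrelated tab or a different listener is rejected.
    if (cb.scheme, cb.netloc, cb.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback URL does not match redirect_uri")
    params = parse_qs(cb.query, keep_blank_values=True)
    # Error response (RFC 6749 section 4.1.2.1): error= present, no code.
    if "error" in params:
        desc = params.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {params['error'][0]} {desc}".rstrip())
    # state binds the response to the request this process started; a missing
    # or different value means the code was not issued for this attempt.
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch; discarding authorization code")
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback did not contain exactly one authorization code")
    return codes[0]
```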