Ben Kehoe

Note that OUs are expanded by the macro, so if you change the membership of the OU, you need to do a stack update, which will cause the macro to...

Oh, of course. I don't see much way around that either.

Thanks for the poke; I have not made progress on this. I have some other changes in progress with the macro, I will look into this again.

I'm open to this, but I'd rather see it implemented on the AWS CLI (/botocore) instead, so that it's not specific to aws-sso-util. Could you open an issue/PR there first...

It also occurred to me that it may be dangerous to allow an environment variable to tell it where to *put* credentials. A bit like the redirect on an OAuth...

The AWS SDK generally has the capability for you to tell it where to *get* credentials that you've already stored (e.g., with `AWS_SHARED_CREDENTIALS_FILE`), which is different from telling it where...

https://github.com/boto/botocore/issues/1923 is different. It's asking for the functionality of [`aws_sso_lib.get_boto3_session()`](https://github.com/benkehoe/aws-sso-util/blob/master/lib/README.md#get_boto3_session) to be native in boto3.

I'd rather have this as documentation (e.g., in something like `docs/development.md`). A lot of the script feels brittle, and in general I think it's unnecessary? For development, instead of building...

I'd prefer to leave these as separate tools, but is there a place in the documentation that you think this would be appropriate to mention?

I've been thinking more about this. What I don't want is people constantly exporting environment variables as a substitute for actually using profiles. I don't have a problem telling people...