aws-sso-cli
Support static API creds
Basically do what aws-vault does, since people often have non-SSO roles they need to access.
So we need:
- Way to import the config/credentials file
- Way to manually add and delete new keys/roles
- Add & manage records to cache?
- Ideally get temporary tokens so if they are compromised you aren't very sad.
- Use creds to auto-discover Account level tags
- Need to be able to list roles
- Automate key rotation
- ~~MFA support~~
Why this feature?
- Because orgs need to migrate to AWS SSO and this doesn't happen overnight.
- Some people access accounts across multiple orgs and SSO isn't viable in that case.
- Others???
When not using SSO, need to support MFA: https://github.com/99designs/aws-vault/blob/master/USAGE.md#using-credential_process
UX:
Phase 0:
- ~~Research MFA support?~~ TL;DR: Use for AssumeRole/GetSessionToken calls. (Not even sure this is necessary really???)
- Need to think harder on UX and map it out. What are the workflows I wish to enable?
Phase 1:
- `list` -- list static roles as well as SSO
- `static import` -- import from config/credentials file.
- Should work with `exec`, `console` and `eval`
Phase 2+:
- `static add` -- add new static role creds
- `static del` -- delete static role creds
- write `~/.aws/config` and generate profiles
- Import metadata for Tags + a `Type` tag for `static` vs `sso`
- Should include tags on our IAM user (iam:ListUserTags)
- Automate key rotation
- Support temporary session tokens (without MFA)
- Custom tags support
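
One way the Phase 1 `static import` step could read a shared credentials file and apply the `Type` tag, as an added example that is not aws-sso-cli's own code. The `StaticProfile` type, the `ImportCredentials` function and the `KeyLifetime` tag are assumptions made for illustration, and the key values in `sample` are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// StaticProfile is a hypothetical list record; the secret key is deliberately not kept in it.
type StaticProfile struct {
	Name, AccessKeyID string
	Tags              map[string]string
}

// sample is constructed input in the shared credentials file (INI) format.
const sample = "[legacy]\naws_access_key_id = AKIAEXAMPLE0000000001\n" +
	"aws_secret_access_key = constructed-secret\n# pasted STS output\n[temp]\n" +
	"aws_access_key_id = ASIAEXAMPLE0000000002\naws_secret_access_key = constructed-secret\n" +
	"aws_session_token = constructed-token\n[broken]\naws_access_key_id = AKIAEXAMPLE0000000003\n"

// ImportCredentials returns one tagged record per profile that has a complete key pair.
func ImportCredentials(ini string) []StaticProfile {
	var out []StaticProfile
	cur, name := map[string]string{}, ""
	flush := func() { // emit the profile collected so far, then reset
		if name != "" && cur["aws_access_key_id"] != "" && cur["aws_secret_access_key"] != "" {
			tags := map[string]string{"Type": "static", "KeyLifetime": "long-lived"}
			if cur["aws_session_token"] != "" { // a session token marks temporary credentials
				tags["KeyLifetime"] = "temporary"
			}
			out = append(out, StaticProfile{name, cur["aws_access_key_id"], tags})
		}
		cur = map[string]string{}
	}
	sc := bufio.NewScanner(strings.NewReader(ini))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			flush()
			name = strings.TrimSpace(line[1 : len(line)-1])
		} else if kv := strings.SplitN(line, "=", 2); len(kv) == 2 && line[0] != '#' && line[0] != ';' {
			cur[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	flush()
	return out
}

func main() { fmt.Println(ImportCredentials(sample)) }
```

Profiles tagged `long-lived` are the ones the key rotation and temporary session token items above would apply to.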