
CLI SSO auth w/o a web browser

Open synfinatic opened this issue 3 years ago • 8 comments

Would be great to not have to rely on opening a URL in a GUI web browser and have the user log in to AWS SSO. Would be preferred to perform the auth workflow via the CLI. I tried using Lynx, but that doesn't work because AWS SSO requires JS.

Can we integrate a JS enabled web scraper and somehow interact with the rendered pages? Lots of possible libraries listed here: https://github.com/lorien/awesome-web-scraping/blob/master/golang.md

synfinatic avatar May 02 '22 17:05 synfinatic

Interesting. I ran across the option of leveraging a containerized environment which cannot invoke the host's web browser, and wouldn't mind this feature.

fggrtech avatar Dec 07 '22 00:12 fggrtech

@fggrtech Can you give more info about your containerized ENV / workflow? What is the use case? How long are these containers running? Do they run locally? Can they talk to services on your local laptop/PC?

synfinatic avatar Dec 07 '22 16:12 synfinatic

I was experimenting with providing a containerized Linux IDE (vim, emacs) that had built-in support for AWS via this tooling. The hosting environment may differ (x86, arm, win, osx, linux), thus making communication for the external browser challenging.

This approach interests me, as the path for providing a container having the tooling pre-configured and allowing for different environments (node, jdk, all differing version combinations) is appealing.

I was able to experiment with an Alpine Linux container image, a locally built (make + go) binary on the image, and execute the resulting aws-sso. However, integration with the browser (js) auth mode isn't workable.

fggrtech avatar Dec 07 '22 19:12 fggrtech

For this use case you might just try using --url-action=print and let the user copy & paste the URL into their local browser.

synfinatic avatar Dec 09 '22 18:12 synfinatic

I'll give that a try.

I've also experimented with invoking aws-sso on the host system to completion, followed by an env | grep -E "AWS_" > ~/.aws-current-env && docker exec -it --env-file ~/.aws-current-env bash.

That propagates the results of the aws-sso-cli login process, but I'm unsure if there is more that needs to occur to utilize it.

fggrtech avatar Dec 09 '22 21:12 fggrtech

You can indeed export the AWS_* environment variables and pass that in via the environment or mount it as ~/.aws/credentials, but you won't be able to refresh the IAM credentials that way, which will cause issues for long-running containers since the creds are limited to X hours (defined by the admin).

The advantage of using --url-action=print is that you get a local SSO Access Token which is typically good for a longer period of time (potentially days) and can be used to not just refresh your IAM creds, but switch between roles in your container.

synfinatic avatar Dec 09 '22 21:12 synfinatic

Also, I should mention, if you want to do the environmental variable route, aws-sso eval would likely be easier than doing the env | grep trick.

synfinatic avatar Dec 09 '22 21:12 synfinatic
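
The env-file hand-off discussed in the comments above, written so the credential snapshot is private and not reused once stale. This is an added example, not part of the original thread or of aws-sso-cli; the function names, the file path and the 60-minute max age are assumptions.

```shell
#!/bin/sh
# Added example: snapshot AWS_* variables for `docker exec --env-file`.
# Function names and the max-age parameter are hypothetical.

# write_aws_env_file PATH
# Keeps only variables whose *name* starts with AWS_ (an unanchored
# grep "AWS_" also matches lines that merely contain that string),
# and creates the file with mode 0600 before any secret is written.
write_aws_env_file() {
    out=$1
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "no AWS credentials in the environment" >&2
        return 1
    fi
    tmp=$(mktemp "${out}.XXXXXX") || return 1   # mktemp creates 0600 files
    if env | grep -E '^AWS_[A-Za-z0-9_]*=' > "$tmp"; then
        mv -f "$tmp" "$out"                     # atomic replace
    else
        rm -f "$tmp"
        return 1
    fi
}

# env_file_is_private PATH: true only if the mode is exactly rw-------.
env_file_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# env_file_is_fresh PATH MAX_MINUTES: true if the snapshot is newer than
# MAX_MINUTES. The copied IAM credentials cannot be refreshed, so a stale
# file should trigger a new login rather than be reused.
env_file_is_fresh() {
    [ -n "$(find "$1" -mmin "-$2" 2>/dev/null)" ]
}

# Usage (container name is a placeholder):
#   write_aws_env_file "$HOME/.aws-current-env" &&
#   env_file_is_fresh "$HOME/.aws-current-env" 60 &&
#   docker exec -it --env-file "$HOME/.aws-current-env" <container> bash
```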

> For this use case you might just try using --url-action=print and let the user copy & paste the URL into their local browser.

This works as expected. Thanks.

fggrtech avatar Dec 12 '22 21:12 fggrtech

Not completely without a browser, but interesting. https://www.brow.sh/

synfinatic avatar Sep 03 '25 00:09 synfinatic