Build AWS CLI config profiles for SSO accounts and roles

AWS SSO Config Builder

The Gist

This tool generates AWS CLI configuration blocks for use with AWS IAM Identity Center (formerly AWS SSO):

Why

...would someone use this?

If they:

  • Have access to a large or shifting set of accounts and roles through AWS SSO
  • Don't already have tools in place to generate and maintain their named profiles
  • Want to automatically generate/regenerate templatized blocks without interfering with manually-defined sections

...did I publish this?

  • After https://github.com/99designs/aws-vault/pull/1088 got merged, I wanted to update the script I use to update my AWS CLI config
  • Cog wasn't on my radar when I started doing this stuff, but is just what I want to maintain the cleaner bits of my frankenconfig
  • I wanted an excuse to try Hatch on something

...the focus on aws-vault?

From the user experience perspective, the biggest win is that when using my aws-vault profiles, they just work:

  • If I don't have an active SSO session, it pops open a browser to login without me having to manually type aws sso login
  • If my session credentials are missing or expired, aws-vault refreshes them behind the scenes without killing running commands

But to be fair, a lot of why I use aws-vault is habit. If you're not already using it, I'm not here to sell it to you.

Installation

Into the Active Python Environment

pip install aws-sso-config-builder

With Pipx

pipx install aws-sso-config-builder

With Pipx Alongside Cog

Useful to support Usage with Cog.

pipx install cogapp
pipx inject cogapp aws-sso-config-builder

Usage

Generate AWS CLI sso-session and profile blocks based on the accounts and roles granted by your AWS SSO login(s).

Use as a CLI tool or from Python.

CLI

Quickstart with Defaults

generate-sso-profiles -s my-sso-directory-name

This will generate sso-session and profile blocks

More Options

Usage: generate-sso-profiles [OPTIONS]

Options:
  -s, --sso-directories TEXT     SSO directory names, which will be used:

                                 - To define "sso-session" config blocks
                                 - To build an SSO start URL  [required]
  -t, --profile-template TEXT    An AWS CLI profile block template with
                                 {placeholders} for profile values

                                 Supported placeholder variables:
                                 - profile_name
                                 - account_name
                                 - account_id
                                 - role_name
                                 - sso_session

                                 ...and any other "key" provided in --extra-
                                 vars
  -e, --extra-vars TEXT          Custom variables in the form "key=value" that
                                 can be referenced with {placeholders} in a
                                 profile template.
  -r, --regex-replacements TEXT  Regex replacements to perform on generated
                                 profile names, in the form
                                 'pattern,replacement'
  --help                         Show this message and exit.

Python

Quickstart with Defaults

from aws_sso_config_builder.gen_config import generate_config_blocks

print(generate_config_blocks(sso_directories=["my-sso-directory-name"]))

Usage with Cog

Use Cog to dynamically generate or replace specific sections inside an ~/.aws/config file without touching manually-maintained blocks.

This invocation specifies:

  • A custom profile template, including:
    • credential_process profiles for use with aws-vault
    • additional settings defined for each profile
  • Some regex replacements to adjust the generated profile name

Add this Cog block to a new or existing ~/.aws/config file:

# [[[cog
# import cog
# from aws_sso_config_builder.gen_config import generate_config_blocks
#
# cog.outl(generate_config_blocks(
#     sso_directories=["home", "work"],
#     profile_template="""
#         [profile {profile_name}-sso]
#         sso_session = {sso_session}
#         sso_account_id = {account_id}
#         sso_role_name = {role_name}
#         output = json
#         region = us-east-2
#         cli_history = enabled
#
#         [profile {profile_name}]
#         credential_process = {aws_vault_path} exec --json {profile_name}-sso
#         output = json
#         region = us-east-2
#         cli_history = enabled
#     """,
#     regex_replacements={
#         "speckledmonkey": "sm",
#         "^Customer": "cust",
#         "Sandbox-": "sbx-"
#     },
#     aws_vault_path="/home/aj/go/bin/aws-vault",
# ))
# ]]]
# [[[end]]]

And then run:

cog -r ~/.aws/config

Note that this depends on having Cog and aws-sso-config-builder installed in the same Python environment. See also Installation with Pipx Alongside Cog above.
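
A check worth running on the regenerated file, as an added example (not part of aws-sso-config-builder): because credential_process runs a command whenever the CLI needs credentials, it flags entries whose executable is resolved via PATH or is group/world-writable, and wrapper profiles that point at an undefined profile. The sample config is constructed, and the code assumes the wrapped SSO profile is the last argument, as in the template above.

```python
import configparser
import os
import shlex
import stat

# Constructed sample of a rendered config (account id and names are made up).
SAMPLE = """\
[profile sbx-admin-sso]
sso_session = home
sso_account_id = 111111111111
sso_role_name = Admin

[profile sbx-admin]
credential_process = /home/aj/go/bin/aws-vault exec --json sbx-admin-sso

[profile cust-ro]
credential_process = aws-vault exec --json cust-ro-sso
"""


def audit_config(text, stat_fn=os.stat):
    """Return (section, finding) pairs for risky credential_process entries."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        cmd = cfg[section].get("credential_process")
        if not cmd:
            continue
        argv = shlex.split(cmd)
        exe = argv[0]
        if not os.path.isabs(exe):
            findings.append((section, f"executable resolved via PATH: {exe}"))
        else:
            try:
                if stat_fn(exe).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((section, f"executable is group/world-writable: {exe}"))
            except FileNotFoundError:
                findings.append((section, f"executable not found: {exe}"))
        # Assumption: the wrapped SSO profile is the last argument.
        target = f"profile {argv[-1]}"
        if target not in cfg:
            findings.append((section, f"references undefined {target}"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_config(SAMPLE):
        print(f"{section}: {finding}")
```

To audit a real file, pass the contents of ~/.aws/config to audit_config() and leave stat_fn at its default.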

License

aws-sso-config-builder is distributed under the terms of the MIT license.

Download files

Source Distribution

aws_sso_config_builder-0.0.1.tar.gz (8.3 kB)

Built Distribution

aws_sso_config_builder-0.0.1-py3-none-any.whl (8.1 kB, Python 3)
