Skip to main content

A wrapper for executing a command with AWS CLI v2 and SSO

Project description

aws2-wrap

Quality Gate Status

This is a simple script to make it easier to use AWS Single Sign On credentials with tools that don't understand the sso entries in an AWS profile.

The script provides the following capabilities:

Please note that the script is called aws2-wrap to show that it works with AWS CLI v2, even though the CLI tool is no longer called aws2.

Install

Using pip

https://pypi.org/project/aws2-wrap

pip3 install aws2-wrap

Using brew

brew install aws2-wrap

Run a command using AWS SSO credentials

aws2-wrap [--profile <awsprofilename>] [--exec] <command>

Note that if you are using --exec and <command> contains spaces, it must be surrounded with double-quotation marks.

You can also specify the profile to be used via AWS_PROFILE which then allows the same profile to be used by subsequent tools and commands.

Examples:

aws2-wrap --profile MySSOProfile terraform plan

aws2-wrap --profile MySSOProfile --exec "terraform plan"

AWS_PROFILE=MySSOProfile aws2-wrap terraform plan

If you are having problems with the use of quotes in the command, you may find one of the other methods works better for you.

Generate a temporary profile in the $AWS_CONFIG_FILE and $AWS_SHARED_CREDENTIALS_FILE file

There are some utilities which work better with the configuration files rather than the environment variables. For example, if you need to access more than one profile at a time.

aws2-wrap --generate --profile $AWS_PROFILE --credentialsfile $AWS_SHARED_CREDENTIALS_FILE --configfile $AWS_CONFIG_FILE --outprofile $DESTINATION_PROFILE

Optionally, you can specify --generatestdout instead of --generate. --outprofile is still required in order to name the section but --credentialsfile and --configfile are ignored. With this command option, the generated credentials will then be output to the console.

Export the AWS SSO credentials

There may be circumstances when it is easier/better to set the appropriate environment variables so that they can be re-used by any aws command.

Since the script cannot directly set the environment variables in the calling shell process, it is necessary to use the following syntax:

eval "$(aws2-wrap [--profile <awsprofilename>] --export)"

For example:

eval "$(aws2-wrap --profile MySSOProfile --export)"

If you are using PowerShell, the equivalent command is:

aws2-wrap --profile MySSOProfile --export | invoke-expression

Use the credentials via .aws/config

If you are using a tool that works with normal AWS credentials but doesn't understand the new AWS SSO credentials, another option is to add a profile to .aws/config that calls the aws2-wrap script.

For example, add the following block to .aws/config:

[profile Wrapped]
credential_process = aws2-wrap --process --profile <awsprofilename>

then, after authentication, you can run any command that uses AWS credentials by specifying the "Wrapped" profile:

aws sso login --profile <awsprofilename>
export AWS_PROFILE=Wrapped
export AWS_SDK_LOAD_CONFIG=1
terraform plan

Note that because the profile is being specified via AWS_PROFILE, it is sometimes necessary (as shown above) to set AWS_SDK_LOAD_CONFIG in order to get tools like terraform to successfully retrieve the credentials.

Assume a role via AWS SSO

Your .aws/config file can look like this:

[default]
sso_start_url = xxxxxxxxxxxx
sso_region = us-west-2
sso_account_id = xxxxxxxxxxxx
sso_role_name = SSORoleName

[profile account1]
role_arn = arn:aws:iam::xxxxxxxxxxxx:role/role-to-be-assumed
source_profile = default
region = ap-northeast-1

allowing you to then run:

aws2-wrap --profile account1 <command>

and <command> will be run under role-to-be-assumed.

Contributing

Contributions are more than welcome, particularly if you are able to expand on the test code. Please ensure, though, that before you submit a Pull Request, you run make test to ensure that your changes don't break any of the existing tests and make pylint to ensure that the linter is happy. Please note that the CI/CD pylint test may use different pylint rules from your own local setup.

Please also note that make pylint will only report errors. You may want to explicitly run python3 -m pylint setup.py aws2wrap

Credits

Thanks to @matan129, @nitrocode, @chenrui333, @l1n, @sodul, @damian-bisignano, @flyinprogrammer, @abeluck, @topu, @bigwheel, @krabbit, @jscook2345, @hieki, @blazdivjak, @fukushun1994, @johann8384, @ppezoldt, @atwoodjw, @lummish, @life36-vinny, @lukemassa and @axelri for their contributions.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws2-wrap-1.4.0.tar.gz (22.4 kB view details)

Uploaded Source

Built Distribution

aws2_wrap-1.4.0-py3-none-any.whl (22.7 kB view details)

Uploaded Python 3

File details

Details for the file aws2-wrap-1.4.0.tar.gz.

File metadata

  • Download URL: aws2-wrap-1.4.0.tar.gz
  • Upload date:
  • Size: 22.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.4.2 requests/2.22.0 setuptools/68.2.2 requests-toolbelt/0.8.0 tqdm/4.30.0 CPython/3.8.10

File hashes

Hashes for aws2-wrap-1.4.0.tar.gz
Algorithm Hash digest
SHA256 77613ae13423a6407e79760bdd35843ddd128612672a0ad3a934ecade76aa7fc
MD5 37c4fa24affbe29939d59dcce38c4ed3
BLAKE2b-256 6dc78afdf4d0c7c6e2072c73a0150f9789445af33381a611d33333f4c9bf1ef6

See more details on using hashes here.

File details

Details for the file aws2_wrap-1.4.0-py3-none-any.whl.

File metadata

  • Download URL: aws2_wrap-1.4.0-py3-none-any.whl
  • Upload date:
  • Size: 22.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.4.2 requests/2.22.0 setuptools/68.2.2 requests-toolbelt/0.8.0 tqdm/4.30.0 CPython/3.8.10

File hashes

Hashes for aws2_wrap-1.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 824b9d9527a0b3fb6359429d9b1db12cb6b2de815fa72aff41fd35dad4a6daba
MD5 ba2e32187ee70cb7d0c6de0e1712081d
BLAKE2b-256 42bd323faf593629df069a08221a3c7cf099c56a7a0a150ebfce03c2c8b45275

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page