Skip to main content

A tool to create/refresh a backwards-compatible AWS profile with temporary credentials from a new-style AWS SSO profile.

Project description

refresh-legacy-aws-sso-profile: Backwards-compatible AWS SSO login using new-stile SSO profiles

License: MIT Latest release

A simple tool to refresh backwards-compatible AWS profiles using temporary credentials derived from newer SSO profiles.

Table of contents

Introduction

Some time back, AWS added direct support for IAM Identitity Center token provider credentials into its CLI and various AWS API language providers (e.g., boto3 for Python). This is really nice because it allows users to log into AWS via single-sign-on (SSO) with the ```aws sso login` command and the assistance of a browser, and appropriate session credentials are automatically cached and subsequently used by other CLI commands or API clients with automatic token refresh. See AWS documentation for details of how to configure SSO to make this work.

Setting up a profile for SSO involves a new type of profile configuration in ~/.aws/config. For example:

[profile my-dev-profile]
sso_session = my-sso
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
output = json

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access

All this works great if you have a recent AWS CLI or AWS API language provider; however, if you are using an application that is bound to an older language provider (e.g., older versions of boto3) that does not support the new SSO profiles, the newer profile (my-dev-profile in the example) will be unusable by the application. The workaround for this situation is to run:

eval `aws configure export-credentials --profile my-dev-profile --format env`

This will set environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN to temporary credentials that will allow older clients to usethe session until the temporary credentials expire.

While this method works, it has several problems:

  • It only allows a single profile to be active at a time. Applications that deal with multiple profiles are problemation
  • The credentials are only valid for the current process and child processes that inherit environment variables. It is not possible to refresh SSO credentials in a different shell session and have the refresh apply to all shell sessions.
  • Child processes that inherit the environment variables do not get refreshed credentials when the parent process refreshes credentials.
  • It is awkward to pass refreshed credentials into a container environment (environment variables within the container must be updated in all processes, potentially after the container has launched). It's much easier to just bind mount ~/.aws into a container.
  • Passing sensitive credentials around in environment variables increases the risk of unintentionally leaking credentials.

This package provides a simple function and associated command-line tool that eliminates all of these concerns by eschewing the use of environment variables and instead updating an old-style credential profile in ~/.aws/credentials with temporary session credentials derived from a newer SSO profile. Older applications simply need to be directed to use the derived profile instead of the newer SSO profile. When temporary credentials expire, simply run this tool again and all clients using the derived profile will start seeing the refreshed credentials.

Installation

Prerequisites

Python: Python 3.10+ is required. See your OS documentation for instructions.

From PyPi

The current released version of refresh-legacy-aws-sso-profile can be installed with:

pip3 install refresh-legacy-aws-profile

From GitHub

PDM is required; it can be installed with:

curl -sSL https://pdm-project.org/install-pdm.py | python3 -

Clone the repository and install refresh-legacy-aws-sso-profile into a private virtualenv with:

cd <parent-folder>
git clone https://github.com/mckelvie-org/py-refresh-legacy-aws-sso-profile.git
cd py-refresh-legacy-aws-sso-profile
pdm install

You can then launch a bash shell with the virtualenv activated using:

pdm run bash

Usage

usage: refresh-legacy-aws-sso-profile [-h] [-p PROFILE] [-o OUTPUT_PROFILE] [-c CONFIG] [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}]

Update legacy AWS SSO profile with temporary creds from new AWS SSO profile. A simple command-line utility that reads temporary AWS credentials from a profile (which may be a newer SSO-based profile) and writes them to a different AWSprofile that can be used by tools that do not yet support the new SSO model. Since the derived credentials are temporary, they will eventually expire (typically 12 hours SSO refresh). After refreshing SSO credentials, you can run this utility again to update the legacy profile. By default, this utility directly manipulates the ~/.aws/credentials file. An attempt is made to preserve the file's round-trip
integrity.

options:
  -h, --help            show this help message and exit
  -p PROFILE, --profile PROFILE
                        The input SSO-based AWS profile to use. Defaults to $AWS_PROFILE, or 'default'.
  -o OUTPUT_PROFILE, --output-profile OUTPUT_PROFILE
                        The output AWS profile to update with temporary credentials. Defaults to '<input-profile-name>-legacy-sso'.
  -c CONFIG, --config CONFIG
                        The AWS Configuration file in which to placer the credentials. Defaults to ~/.aws/credentials.
  -l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        Set the logging level. Default is 'WARNING'.```

Known issues and limitations

TBD.

Getting help

Please report any problems/issues here.

Contributing

Pull requests welcome.

License

refresh-legacy-aws-sso-profile is distributed under the terms of the MIT License. The license applies to this file and other files in the GitHub repository hosting this file.

Authors and history

The author of refresh-legacy-aws-sso-profile is Sam McKelvie.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

refresh_legacy_aws_sso_profile-1.0.0.tar.gz (8.8 kB view details)

Uploaded Source

Built Distribution

File details

Details for the file refresh_legacy_aws_sso_profile-1.0.0.tar.gz.

File metadata

File hashes

Hashes for refresh_legacy_aws_sso_profile-1.0.0.tar.gz
Algorithm Hash digest
SHA256 2a57f62ef9dbb1c9807dd329883a3a0200ada28511eb06094303657eca372197
MD5 d5d8c3c8c3eb8cfbdbeee3f0d2f5442b
BLAKE2b-256 92c447f70453b612246e46564b5bd73f5c5a0cc642d904eed01a2920f4a89e7b

See more details on using hashes here.

File details

Details for the file refresh_legacy_aws_sso_profile-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for refresh_legacy_aws_sso_profile-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 766aba6ca1afdcc1c311ba0d241464b461090c97e01164b98c38da1273b6396f
MD5 fc85fc8bb32aa6178064ae6f1cedebcd
BLAKE2b-256 8ce870834b941b780bd1ed9337f3fc5cebf3720d66d579cea8996a6a07a57fcd

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page