yawsso 0.4.0

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials

yawsso

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials.

Do I need it?

• See Upstream Tracking at https://github.com/victorskl/yawsso/wiki

Prerequisite

• Required AWS CLI v2
• Assume you have already setup AWS SSO for your organization

TL;DR

• Install latest from PyPI like so:

pip install yawsso

• Do your per normal SSO login and, have at least one org-level SSO login session cache:

aws sso login --profile=dev

• To sync for all named profiles (e.g. dev, prod, stag, ...), then just:

yawsso

• To sync default profile and all named profiles, do:

yawsso --default

• To sync default profile only, do:

yawsso --default-only

• To sync for selected named profile, do:

yawsso -p dev

• To sync for multiple selected named profiles, do:

yawsso -p dev prod

• To sync for default profile as well as multiple selected named profiles, do:

yawsso --default -p dev prod

• Use -e flag if you want a temporary copy-paste-able time-gated access token for an instance or external machine. It use default profile if no additional arguments pass. The main use case is for those who use default profile, and would like to PIPE like this aws sso login && yawsso -e | pbcopy. Otherwise for named profile, do yawsso -e -p dev.

  PLEASE USE THIS FEATURE WITH CARE SINCE ENVIRONMENT VARIABLES USED ON SHARED SYSTEMS CAN GIVE UNAUTHORIZED ACCESS TO PRIVATE RESOURCES:

yawsso -e
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
export AWS_SESSION_TOKEN=xxx

• You can also use yawsso subcommand login to SSO login then sync all in one go:

yawsso login -h
yawsso login
yawsso login -e
yawsso login --this
yawsso login --profile dev
yawsso login --profile dev --this

• Print help to see other options:

yawsso -h

• Then, continue per normal with your daily tools. i.e.
  • cdk deploy ...
  • terraform ...
  • cw ls -p dev groups
  • awsbw -L -P dev

Why

AWS CLI v2 SSO login cache/store credentials is somewhat different to AWS CLI v1 i.e. no longer in ~/.aws/credentials. There are many SDK and tools still depends on this legacy ~/.aws/credentials format.

• boto3 - https://github.com/boto/boto3/issues/2091
• botocore - https://github.com/boto/botocore/issues/1988
• terraform aws provider - https://github.com/terraform-providers/terraform-provider-aws/issues/10851
• cdk - https://github.com/aws/aws-cdk/issues/5455
• cw - https://github.com/lucagrulla/cw/issues/119
• awsbw - https://github.com/jgolob/awsbw

And, https://github.com/aws/aws-cli/issues/4982 in CLI repo itself!!

This tool is originally based on aws_sso.py script but take different approach and depends only on AWS CLI v2 for get-role-credentials. Well, everything else fail (including boto3) except CLI itself, so...

Someday, we won't need this anymore. But, until then this tool sync up AWS CLI v2 SSO login session to legacy format auto-magically!!

Others

If this tools is not working for you, try the following:

• https://github.com/benkehoe/aws-sso-credential-process
• https://github.com/flyinprogrammer/aws-sso-fetcher
• https://gist.github.com/sgtoj/af0ed637b1cc7e869b21a62ef56af5ac

Develop

• Create virtual environment and then:

pip install '.[dev,test]' .
pytest
python -m unittest
python -m yawsso --trace

• Create issue or pull request welcome

License

MIT License