Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials
Project description
yawsso
Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials.
Do I need it?
- See Upstream Tracking at https://github.com/victorskl/yawsso/wiki
Prerequisite
- Required AWS CLI v2
- Assume you have already setup AWS SSO for your organization
TL;DR
- Install latest from PyPI like so:
pip install yawsso
- Do your per normal SSO login and, have at least one org-level SSO login session cache:
aws sso login --profile=dev
- To sync for all named profiles (e.g. dev, prod, stag, ...), then just:
yawsso
- To sync default profile and all named profiles, do:
yawsso --default
- To sync default profile only, do:
yawsso --default-only
- To sync for selected named profile, do:
yawsso -p dev
- To sync for multiple selected named profiles, do:
yawsso -p dev prod
- To sync for default profile as well as multiple selected named profiles, do:
yawsso --default -p dev prod
-
Use
-eflag if you want a temporary copy-paste-able time-gated access token for an instance or external machine. It usedefaultprofile if no additional arguments pass. The main use case is for those who usedefaultprofile, and would like to PIPE like thisaws sso login && yawsso -e | pbcopy. Otherwise for named profile, doyawsso -e -p dev.PLEASE USE THIS FEATURE WITH CARE SINCE ENVIRONMENT VARIABLES USED ON SHARED SYSTEMS CAN GIVE UNAUTHORIZED ACCESS TO PRIVATE RESOURCES:
yawsso -e
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
export AWS_SESSION_TOKEN=xxx
- You can also use
yawssosubcommandloginto SSO login then sync all in one go:
yawsso login -h
yawsso login
yawsso login -e
yawsso login --this
yawsso login --profile dev
yawsso login --profile dev --this
- Print help to see other options:
yawsso -h
- Then, continue per normal with your daily tools. i.e.
cdk deploy ...terraform ...cw ls -p dev groupsawsbw -L -P dev
Why
AWS CLI v2 SSO login cache/store credentials is somewhat different to AWS CLI v1 i.e. no longer in ~/.aws/credentials. There are many SDK and tools still depends on this legacy ~/.aws/credentials format.
- boto3 - https://github.com/boto/boto3/issues/2091
- botocore - https://github.com/boto/botocore/issues/1988
- terraform aws provider - https://github.com/terraform-providers/terraform-provider-aws/issues/10851
- cdk - https://github.com/aws/aws-cdk/issues/5455
- cw - https://github.com/lucagrulla/cw/issues/119
- awsbw - https://github.com/jgolob/awsbw
And, https://github.com/aws/aws-cli/issues/4982 in CLI repo itself!!
This tool is originally based on aws_sso.py script but take different approach and depends only on AWS CLI v2 for get-role-credentials. Well, everything else fail (including boto3) except CLI itself, so...
Someday, we won't need this anymore. But, until then this tool sync up AWS CLI v2 SSO login session to legacy format auto-magically!!
Others
If this tools is not working for you, try the following:
- https://github.com/benkehoe/aws-sso-credential-process
- https://github.com/flyinprogrammer/aws-sso-fetcher
- https://gist.github.com/sgtoj/af0ed637b1cc7e869b21a62ef56af5ac
Develop
- Create virtual environment and then:
pip install '.[dev,test]' .
pytest
python -m unittest
python -m yawsso --trace
- Create issue or pull request welcome
License
MIT License
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
