Skip to main content

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials

Project description

yawsso

DOI Pull Request Build Status CodeQL codecov.io coveralls.io codeclimate - Test Coverage codeclimate - Maintainability snyk kandi PyPI - Downloads PyPI PyPI - License

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials.

See also Release v1.0.0 Notes

Prerequisite

  • Required Python >= 3.7
  • Required AWS CLI v2
  • Assume you have already setup AWS SSO for your organization

Main Use Case

pip install yawsso
  • Do your per normal SSO login and, have at least one active SSO session cache:
aws sso login --profile dev
  • To sync for all named profiles in config (i.e. lazy consensus), then just:
yawsso
  • To sync default profile and all named profiles, do:
yawsso --default
  • To sync default profile only, do:
yawsso --default-only
  • To sync for selected named profile, do:
yawsso -p dev
  • To sync for multiple selected named profiles, do:
yawsso -p dev prod
  • To sync for default profile as well as multiple selected named profiles, do:
yawsso --default -p dev prod
  • To sync for all named profiles start with prefix pattern lab*, do:
(zsh)
yawsso -p 'lab*'

(bash)
yawsso -p lab*
  • To sync for all named profiles start with lab* as well as dev and prod, do:
yawsso -p 'lab*' dev prod
  • Print help to see other options:
yawsso -h
  • Then, continue per normal with your daily tools. i.e.
    • cdk deploy ...
    • terraform apply ...
    • cw ls groups
    • awsbw -L -P dev
    • sqsmover -s main-dlq -d main-queue
    • ecs-cli ps --cluster my-cluster
    • awscurl -H "Accept: application/json" --profile dev --region ap-southeast-2 "https://api..."

Additional Use Cases

Rename Profile on Sync

  • Say, you have the following profile in your $HOME/.aws/config:
[profile dev]
sso_start_url = https://myorg.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = ap-southeast-2
output = json
cli_pager =
  • You want to populate access token as, say, profile name foo in $HOME/.aws/credentials:
[foo]
region = ap-southeast-2
aws_access_key_id = XXX
aws_secret_access_key = XXX
aws_session_token = XXX
...
  • Do like so:
yawsso -p dev:foo
  • Then, you can export AWS_PROFILE=foo and use foo profile!

Export Tokens

PLEASE USE THIS FEATURE WITH CARE SINCE ENVIRONMENT VARIABLES USED ON SHARED SYSTEMS CAN GIVE UNAUTHORIZED ACCESS TO PRIVATE RESOURCES.

🤚 START FROM VERSION 1.0.0, yawsso -e EXPORT TOKENS IN ROT13 ENCODED STRING.

  • Use -e flag if you want a temporary copy-paste-able time-gated access token for an instance or external machine.

  • Please note that, it uses default profile if no additional arguments pass.

yawsso -e | yawsso decrypt
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
export AWS_SESSION_TOKEN=xxx
  • This use case is especially tailored for those who use default profile and, who would like to PIPE commands as follows.
aws sso login && yawsso -e | yawsso decrypt | pbcopy
  • Otherwise, for a named profile, do:
yawsso -p dev -e | yawsso decrypt
  • Or, right away export credentials into the current shell environment variables, do:
yawsso -p dev -e | yawsso decrypt | source /dev/stdin

Note: ☝️ are mutually exclusive with the following 👇 auto copy into your clipboard. Choose one, a must!

  • If you have pyperclip package installed, yawsso will copy access tokens to your clipboard instead.
yawsso -e
Credentials copied to your clipboard for profile 'default'
  • You may pip install pyperclip or, together with yawsso as follows.
pip install 'yawsso[all]'

Login

  • You can also use yawsso subcommand login to SSO login then sync all in one go.

🙋‍♂️ NOTE: It uses default profile or AWS_PROFILE environment variable if optional argument --profile is absent

yawsso login -h
yawsso login
  • Otherwise you can pass the login profile as follows:
yawsso login --profile dev
  • Due to lazy consensus design, yawsso will sync all named profiles once SSO login has succeeded. If you'd like to sync only upto this login profile then use --this flag to limit as follows.

👉 Login using default profile and sync only upto this default profile

yawsso login --this

👉 Login using named profile dev and sync only upto this dev profile

yawsso login --profile dev --this

👉 Login using named profile dev and sync as foo. See above for more details on renaming, limited to one profile.

yawsso login --profile dev:foo

Login then Export token

  • Exporting access token also support with login subcommand as follows:

👉 Login using default profile, sync only upto this default profile and, print access token

yawsso login -e | yawsso decrypt

👉 Login using named profile dev, sync only upto this dev profile and, print access token

yawsso login --profile dev -e | yawsso decrypt

Auto Login then Sync

  • Like login, you may use yawsso subcommand auto to SSO login then sync all in one go.
  • It will check if SSO session has expired and, if so, yawsso will attempt to auto login again.
yawsso auto -h

(either)
yawsso auto --profile dev

(or)
export AWS_PROFILE=dev
yawsso auto

Encryption

yawsso can encrypt and decrypt some arbitrary string from stdin using ROT13 (a simple letter substitution cipher) as follows.

echo 'Hello this is a test' | yawsso encrypt
Uryyb guvf vf n grfg

echo 'Uryyb guvf vf n grfg' | yawsso decrypt
Hello this is a test

(or Pipe through some text corpus)
cat test.txt | yawsso encrypt

(or on Windows)
type test.txt | yawsso encrypt

This is the same as using trivial Unix tr command as follows.

echo 'Hello this is a test' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Uryyb guvf vf n grfg

echo 'Uryyb guvf vf n grfg' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Hello this is a test

Hence, you could also decode yawsso exported tokens using tr command, like so.

yawsso -p dev -e | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Develop

  • Create virtual environment, activate it and then:
make install
make test
python -m yawsso --trace version

(Windows)

python -m venv venv
.\venv\Scripts\activate
pip install ".[dev,test]" .
pytest
python -m yawsso --trace version
  • Create issue or pull request welcome

License

MIT License

License: MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

yawsso-1.2.0rc1.tar.gz (23.4 kB view details)

Uploaded Source

Built Distribution

yawsso-1.2.0rc1-py3-none-any.whl (16.0 kB view details)

Uploaded Python 3

File details

Details for the file yawsso-1.2.0rc1.tar.gz.

File metadata

  • Download URL: yawsso-1.2.0rc1.tar.gz
  • Upload date:
  • Size: 23.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.11.7

File hashes

Hashes for yawsso-1.2.0rc1.tar.gz
Algorithm Hash digest
SHA256 e7c23b24b4b06ed4d51e2e572b11f8573f0df6452024c1e06bdfab9a16e5f857
MD5 deee10ba2bd4a666d598071b991b6858
BLAKE2b-256 a3ae27d9a17252c32182936ddcd1bde8ce5322fbe4392c03e251af94a8c33605

See more details on using hashes here.

File details

Details for the file yawsso-1.2.0rc1-py3-none-any.whl.

File metadata

  • Download URL: yawsso-1.2.0rc1-py3-none-any.whl
  • Upload date:
  • Size: 16.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.11.7

File hashes

Hashes for yawsso-1.2.0rc1-py3-none-any.whl
Algorithm Hash digest
SHA256 a6c24b73a04796eae88308ad806747ff3ac9a46d5f22350f161fbd86bf91db1a
MD5 6ed43ea63cb13c9fde33d3e95bd5ac40
BLAKE2b-256 3103a5702ac881b8f6b6edd231c6111b01b831cad22fb68813269e5760284768

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page