Skip to content
/ yawsso Public
forked from victorskl/yawsso

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials

License

MIT license
0 stars 26 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

billogram/yawsso

BranchesTags
 
 

Repository files navigation

yawsso

Pull Request Build Status Build Status codecov.io Coverage Status Codacy Badge Language grade: Python Total alerts PyPI - Downloads PyPI PyPI - License

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials.

Prerequisite

  • Required Python >= 3.6
  • Required AWS CLI v2
  • Assume you have already setup AWS SSO for your organization

Main Use Case

pip install yawsso
  • Do your per normal SSO login and, have at least one active SSO session cache:
aws sso login --profile dev
  • To sync for all named profiles in config (i.e. lazy consensus), then just:
yawsso
  • To sync default profile and all named profiles, do:
yawsso --default
  • To sync default profile only, do:
yawsso --default-only
  • To sync for selected named profile, do:
yawsso -p dev
  • To sync for multiple selected named profiles, do:
yawsso -p dev prod
  • To sync for default profile as well as multiple selected named profiles, do:
yawsso --default -p dev prod
  • To sync for all named profiles start with prefix pattern lab*, do:
(zsh)
yawsso -p 'lab*'

(bash)
yawsso -p lab*
  • To sync for all named profiles start with lab* as well as dev and prod, do:
yawsso -p 'lab*' dev prod
  • Print help to see other options:
yawsso -h
  • Then, continue per normal with your daily tools. i.e.
    • cdk deploy ...
    • terraform apply ...
    • cw ls -p dev groups
    • awsbw -L -P dev
    • sqsmover -s main-dlq -d main-queue
    • ecs-cli ps --cluster my-cluster

Additional Use Case

Rename Profile on Sync

  • Say, you have the following profile in your $HOME/.aws/config:
[profile dev]
sso_start_url = https://myorg.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = ap-southeast-2
output = json
cli_pager =
  • You want to populate access token as, say, profile name foo in $HOME/.aws/credentials:
[foo]
region = ap-southeast-2
aws_access_key_id = XXX
aws_secret_access_key = XXX
aws_session_token = XXX
...
  • Do like so:
yawsso -p dev:foo
  • Then, you can export AWS_PROFILE=foo and use foo profile!

Export Tokens

  • Use -e flag if you want a temporary copy-paste-able time-gated access token for an instance or external machine.

🤚 PLEASE USE THIS FEATURE WITH CARE SINCE ENVIRONMENT VARIABLES USED ON SHARED SYSTEMS CAN GIVE UNAUTHORIZED ACCESS TO PRIVATE RESOURCES:

  • Please note that, it uses default profile if no additional arguments pass.
yawsso -e
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
export AWS_SESSION_TOKEN=xxx
  • This use case is especially tailored for those who use default profile and, who would like to PIPE commands as follows.
aws sso login && yawsso -e | pbcopy
  • Otherwise, for a named profile, do:
yawsso -p dev -e
  • Or, right away export credentials into the current shell environment variables, do:
yawsso -p dev -e | source /dev/stdin

Note: ☝️ are mutually exclusive with the following 👇 auto copy into your clipboard. Choose one, a must!

  • If you have pyperclip package installed, yawsso will copy access tokens to your clipboard instead.
yawsso -e
Credentials copied to your clipboard for profile 'default'
  • You may pip install pyperclip or, together with yawsso as follows.
pip install 'yawsso[all]'

Login

  • You can also use yawsso subcommand login to SSO login then sync all in one go.

🙋‍♂️ NOTE: It uses default profile if optional argument --profile is absent

yawsso login -h
yawsso login
  • Otherwise you can pass the login profile as follows:
yawsso login --profile dev
  • Due to lazy consensus design, yawsso will sync all named profiles once SSO login has succeeded. If you'd like to sync only upto this login profile then use --this flag to limit as follows.

👉 Login using default profile and sync only upto this default profile

yawsso login --this

👉 Login using named profile dev and sync only upto this dev profile

yawsso login --profile dev --this

👉 Login using named profile dev and sync as foo. See above for more details on renaming, limited to one profile.

yawsso login --profile dev:foo

Login then Export token

  • Exporting access token also support with login subcommand as follows:

👉 Login using default profile, sync only upto this default profile and, print access token

yawsso login -e

👉 Login using named profile dev, sync only upto this dev profile and, print access token

yawsso login --profile dev -e

Develop

  • Create virtual environment, activate it and then:
make install
make test
python -m yawsso --trace version
  • Create issue or pull request welcome

License

MIT License

License: MIT

About

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

11 tags

Packages

No packages published

Languages

  • Python 98.2%
  • Makefile 1.3%
  • HCL 0.5%