Skip to content
This repository has been archived by the owner on Jun 9, 2024. It is now read-only.

containerscrew/aws-sso-auth

Repository files navigation

logo

aws-sso-auth

Fetch your local ~/.aws/credentials using AWS SSO

Build with ❤ in Rust

GitHub code size in bytes License Release GitHub Releases Stats

Table of Contents generated with DocToc

Pipeline badges

Test Status Build Status Git Leaks Status Coverage

Introduction

This tool will help you download your AWS organization's account credentials using AWS SSO. What we previously set manually with IAM users (aws_access_key_id and aws_secret_access_key), we now have automatically using AWS SSO. In this case ONLY Google Workspaces has been tested as external IDP. More info in supported IDP, just below

In short, we want to have the credentials of our AWS accounts/roles, using AWS SSO, stored in our ~/.aws/credentials to be able to work daily with our tools (terraform, aws cli...)

This tool requires human interaction, since the authorization request must be manually approved from the browser.

Requirements

  • Our default browser that we work with must be authenticated with our IDP. In this case, gmail if we use Google Workspaces.

Supported platforms

OS ARM64 AMD64
Mac
Linux

Supported IDP

  • Google Workspaces

If using other IDP with AWS SSO in your organization, and this tool don't work, please provide feedback in this repo. Open an issue and I will try to reproduce it!

Installation

Quick installation (latest version)

curl --proto '=https' --tlsv1.2 -sSfL https://raw.githubusercontent.com/containerscrew/aws-sso-auth/main/scripts/install.sh | bash

Using cargo

Install rust toolchain:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
cargo install aws-sso-auth --git https://github.com/containerscrew/aws-sso-auth

Build locally

git clone https://github.com/containerscrew/aws-sso-auth
cd aws-sso-auth/
cargo build --release
./target/release/aws-sso-auth

If you need to install specific version, go to https://github.com/containerscrew/aws-sso-auth/releases and download the binary

Usage

Setup configuration

aws-sso-auth config --start-url https://XXXX.awsapps.com/start --aws-region eu-west-1 --profile-name mycompany

This command will save a file in ~/.aws/aws-sso-auth.json with the previous configuration

Start fetching credentials

aws-sso-auth start

Or with flags:

aws-sso-auth start -w 5 -r 40
  • workers: Number of async/thread AWS API calls. + threads == + speed. Recommended: 5/8 max to avoid AWS API 429 errors TooManyRequestsException. Default: 6
  • retries: Number of retries when AWS API return errors. Default: 60

This will open your default local browser where you have your IDP authenticated. In my case, I used Google as external IDP with AWS SSO

Adjust the number of concurrent threads and retries depending on the number of accounts you have. If you only have 10 accounts (for example), it wouldn't make much sense to maybe use 20 workers and 100 retries, right?

If everything went well, you must authorize the request. Something like that:

Example authentication window

Debug logging

aws-sso-auth -l debug start
  • --log-level: Log level. Default: info. Possible values: info, warn, trace, debug, error

Check version

aws-sso-auth --version

Help command

aws-sso-auth --help

All the credentials will be saved in your $HOME/.aws/credentials with the following pattern: [AccountName@RoleName] you are assuming

Take a look inside ~/.aws/credentials

cat ~/.aws/credentials

The configuration file should be something like this:

Example of credentials file

[Account1@administrator]
aws_secret_access_key=XXXX
region=eu-west-1
aws_access_key_id=XXXX
aws_session_token=XXXX

[Account2@read-only]
aws_secret_access_key=XXXX
region=eu-west-1
aws_access_key_id=XXXX
aws_session_token=XXXX

Switching accounts in your terminal

Zsh/Bash shell

Copy the following function in your ~/.zshrc or ~/.bashrc:

aws-profile () {
        PROFILE=$(cat ~/.aws/credentials|grep "^\["|sed "s/]$//"|sed "s/^\[//"| fzf)
        export AWS_PROFILE=$PROFILE
}

Then, source the file if needed:

source ~/.zshrc or source ~/.bashrc

Fish shell

Copy the following function inside ~/.config/fish/function/aws-profile.fish

function aws-profile
    set -gx AWS_PROFILES $(cat ~/.aws/credentials | sed -n -e 's/^\[\(.*\)\]/\1/p' | fzf)
    if test -n "$AWS_PROFILES"
        set -xg AWS_PROFILE $AWS_PROFILES
        echo "Selected profile: $AWS_PROFILES"
    else
        echo "No profile selected"
    end
end

Then source the fish configuration:

source ~/.config/fish/config.fish

Setting AWS_PROFILE

Type aws-profile in your terminal, and you will see all the accounts you have credentials in your $HOME/.aws/credentials

fzf is needed as a dependency for the interactive account switcher

Official documentation

Examples

Executing start command Final result

TO DO (not implemented yet)

  • Multiple AWS SSO account configurations inside aws-sso-auth.json Imagine you are working in a consultant, and you have multiple customers with AWS SSO, and you want to save all their config (start-url, region) inside the config file.
  • If you have 200 accounts, only 123 (max), will be fetched
  • Select which account credentials (with prefix) do you want to fetch (maybe you don't want to fetch all accounts)
  • Testing and mocking AWS API calls
  • Codecoverage pipeline not working
  • Changelog with release-please
  • Create Homebrew Formula
  • Documentation in code functions
  • Customize how account credentials are saved: [AccountName@RoleName] for [PUT-YOUR-LOGIC-HERE]

Contribution

Pull requests are welcome! Any code refactoring, improvement, implementation. I just want to learn Rust! I'm a rookie

LICENSE

LICENSE