synfinatic / aws-sso-cli
A powerful tool for using AWS Identity Center for the CLI and web console.
Home Page: https://synfinatic.github.io/aws-sso-cli/
License: GNU General Public License v3.0
When using UrlAction: clip, restore the previous contents of the clipboard. Relatively easy to add for AWS SSO login, but a bit harder with the console command since there's no way to detect it has been loaded. Arguably we should be consistent?
1Password does this after a ~30sec delay? Add notification? https://github.com/gen2brain/beeep
Current color scheme may not work well for some people who are color blind or use different terminal settings.
For large number of accounts & roles, the typical AWS meta data is pretty limited and often leaves a lot to be desired unless companies are really good with naming their accounts & roles.
After some thought, it seems like the best way of solving this is allowing tags to be assigned to accounts and/or roles so that you can quickly filter based on environment (lab, prod, staging), BUs, teams, etc. and then select among the valid role(s) for the account(s).
Ideally these tags should be easy to share across teams so everyone doesn't have to curate their own list.
If you first choose Role <rolename> then you get a list of ARNs in different accounts to select from, but no meta data. Would be really nice if we picked the AccountName (or Email or AccountAlias?) and presented that as a comment to aid in selection since people may not know what they want by the AccountID directly.
Not seeing all the tags as being available at the top level?
right now only json store technically works
users should be able to override the default fields via the config file, not just via the CLI
Lets you select the first item, but doesn't drill down
Would be great if we could sign rpm/deb packages but pkg doesn't support that today. Could always use the native tools in docker create signed packages? Not sure if it is worth it unless I also have a repo hosting.
when users run aws-cli exec they get a new shell with the necessary AWS ENV vars set, but none of the existing variables are great for integration into your prompt (account_id + rolename is VERY LONG). would be great to be able to associate an alias like "prod:admin" for when someone is in the production account logged in as the Administrator role.
The console command generates a URL for accessing the console on top of the URL that may be handled for SSO.
It probably is too confusing to auto-open some URL's and print others/etc. So console should use the same method as the SSO.
If you have a role with a unique tag Test: Foo and then use that tag to select it via exec as => Test Foo then you can't actually select the Role because the description is the Role, but you selected Foo.
Users shouldn't be forced to start a new shell/execute a command, but should be able to do the eval $(aws-sso ...) trick when they specify all the CLI args.
Hey, I'm trying to execute as the help suggested, but with the short args it isn't working:
$ aws-sso.exe exec -A 123456789 -R AdministratorAccess
level=warning msg="Using insecure json file for SecureStore: C:\\Users\\xxxx/aws-sso/store.json"
level=fatal msg="Error running command: Please specify both --account and --role"
I need to specify the role with the arg --role to make it work:
$ aws-sso.exe exec -A 123456789 --role=AdministratorAccess aws sts get-caller-identity
level=warning msg="Using insecure json file for SecureStore: C:\\Users\\xxxx/aws-sso/store.json"
{
"UserId": "XXXXXXXXXXXXXXXX",
"Account": "123456789 ",
"Arn": "arn:aws:sts::123456789 :assumed-role/AWSReservedSSO_AdministratorAccess_31ccd94aa023cc84/[email protected]"
}
Right now we have to wait for the cache to expire or list --force-refresh for the config.yaml to be reloaded. Instead we can track the modification time of the config.yaml in the cache and auto-refresh when it changes.
if you have existing aws API creds AWS_SECRET_API_KEY and AWS_ACCESS_KEY_ID, generate the URL without requiring doing its own assume role
Too many different data structures for AWS SSO, Config & Cache. Need to unify everything around the Cache.
We can use our Role creds to hit the AWS Federated login endpoint to generate a URL which can be used to auto-login to the AWS web Console.
Ideally, users should be able to auto-open in private/incognito mode:
chrome -incognito
firefox -private -url xxxx
(on mac: open -na "Google Chrome" --args -incognito http://www.example.com)
But Safari sucks and requires Applescript? https://apple.stackexchange.com/questions/416297/open-an-url-in-safari-with-private-browsing
sadly doesn't look like open-golang supports this kind of feature today: skratchdot/open-golang#23
knowing how many days/hours/min/sec would probably be useful
Running the list command results in the Expires column always being empty, even when there is an active session.
Hey,
I'm using your software to set up aws-sso and get credentials to log into EKS. The software I'm using tries to refresh the credentials once they have expired.
I left my computer powered on with this software running and when I signed in again I saw this in my browser:
All of these are pending authorization requests waiting to be allowed in AWS. Is there any way to not spawn a new browser tab if the latest one is still open?
Feature request:
As far as I can see the package does not support SSO with MFA atm.
This is only a feature request to make the package support MFA.
Feel free to comment to start a discussion on the topic.
Read on MFA here: https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-mfa.html
Need to do testing, but right now I assume this is a bug on my end causing the list to re-order when the user presses up/down arrow.
aws-sso still seems slow after selecting a role because of the need to talk to AWS. Can we do some of this in the background via a goroutine to help make things feel more snappy?
It is outdated and kinda ugly with the extra >>
would be great if you could easily select from the last 5-10 used roles and use that instead of doing the whole query thing
Does mean we can't rely on the last modified time of the cache file anymore.
typing two spaces in a row causes a crash:
./dist/aws-sso-1.2.0 exec
Please use `exit` or `Ctrl-D` to quit.
> AccountID 193057370237 panic: runtime error: index out of range [3] with length 2 [recovered]
panic: runtime error: index out of range [3] with length 2
goroutine 1 [running]:
github.com/alecthomas/kong.catch(0xc000509c30)
/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/kong.go:366 +0xc5
panic(0x46419e0, 0xc0004b20a8)
/usr/local/Cellar/go/1.16.5/libexec/src/runtime/panic.go:965 +0x1b9
main.argsToMap(0xc00034a000, 0x4, 0x4, 0xc000508f78, 0x0, 0x106, 0xc000508f58, 0x401daf3)
/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/select.go:237 +0x5d3
main.completeTags(0xc000010508, 0xc000010538, 0xc00034a000, 0x4, 0x4, 0x3, 0xc00034a000, 0x4)
/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/select.go:105 +0x5d
main.(*TagsCompleter).Complete(0xc00034a140, 0xc0004b2090, 0x18, 0x18, 0x56, 0x4623600, 0x1, 0xc0000c2040)
/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/select.go:66 +0x1c7
github.com/c-bata/go-prompt.(*CompletionManager).Update(...)
/Users/aturner/go/pkg/mod/github.com/c-bata/[email protected]/completion.go:68
github.com/c-bata/go-prompt.(*Prompt).Run(0xc000302c60)
/Users/aturner/go/pkg/mod/github.com/c-bata/[email protected]/prompt.go:99 +0x663
main.(*ExecCmd).Run(0xc000001d48, 0xc00007af40, 0x0, 0x0)
/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/exec_cmd.go:82 +0x40a
reflect.Value.call(0x45e8720, 0xc000001d48, 0x213, 0x467666d, 0x4, 0xc0002fe570, 0x1, 0x1, 0x1, 0x0, ...)
/usr/local/Cellar/go/1.16.5/libexec/src/reflect/value.go:476 +0x8e7
reflect.Value.Call(0x45e8720, 0xc000001d48, 0x213, 0xc0002fe570, 0x1, 0x1, 0x0, 0x1, 0xc000300ac8)
/usr/local/Cellar/go/1.16.5/libexec/src/reflect/value.go:337 +0xb9
github.com/alecthomas/kong.callMethod(0x467629e, 0x3, 0x464a2a0, 0xc000001d48, 0x199, 0x45e8720, 0xc000001d48, 0x213, 0xc0002e38f0, 0x16, ...)
/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/callbacks.go:71 +0x4ba
github.com/alecthomas/kong.(*Context).RunNode(0xc00016c200, 0xc00029a1c0, 0xc00019fd28, 0x1, 0x1, 0x22, 0xc0002e33b0)
/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/context.go:697 +0x545
github.com/alecthomas/kong.(*Context).Run(0xc00016c200, 0xc00019fd28, 0x1, 0x1, 0x0, 0x0)
/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/context.go:714 +0x99
main.main()
/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/main.go:150 +0x8f0
Support role chaining so you can assume roles in other accounts or roles that are not defined via AWS SSO/Permission Sets. This is similar to the ~/.aws/config source_profile option, but that does not support AWS SSO!
Docs: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
And: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html
Should support deleting any individual creds, not just the SSO token which is used to get new IAM STS creds
Hi, I would like to integrate aws-sso-cli with lens in order to retrieve SSO tokens to log into our EKS.
To do this I need to run:
aws-sso.exe exec -A 123456789 --role=AdministratorAccess aws eks get-token --cluster-name my-cluster-name
but --cluster-name is being interpreted as an arg for aws-sso. I would like to suggest changing this behaviour to allow named parameters being passed to the command.
aws-sso exec -A 123456789 --role=AdministratorAccess aws eks get-token --cluster-name aea-my-cluster-name
aws-sso.exe: error: unknown flag --cluster-name
Is there any other way to do this?
should be able to specify the AWS_DEFAULT_REGION on a per account and SSO basis.
I have multiple accounts in our ORG and most of them are working fine with this app, but we have 2 that start with a 0. I'm having problems with both when I try to get credentials:
C:\Users\xxx>aws-sso-beta exec --role AdministratorAccess -A "032043643619" --level=debug
level=warning msg="Using insecure json file for SecureStore: C:\\Users\\xxx/aws-sso/store.json" func=main.main file="/mnt/d/Proyectos/aws-sso-cli/cmd/main.go:131"
level=debug msg="Fetching STS token from AWS SSO" func=main.GetRoleCredentials file="/mnt/d/Proyectos/aws-sso-cli/cmd/main.go:220"
level=fatal msg="Unable to get role credentials for AdministratorAccess" func=main.GetRoleCredentials file="/mnt/d/Proyectos/aws-sso-cli/cmd/main.go:226" error=": No access\n\tstatus code: 403, request id: "
Might be interesting to generate / update the necessary config? ideally would have to parse the config file which could get annoying?
Right now the completer implements everything as a flat list which is wrong. Instead users should be first prompted to select a tag name, then the corresponding tag value. After this, the remaining tag names are available to be selected - until you have a single ARN. Or the user should be able to select ARN as the tag name and select from the complete list.
going from AccountAlias => Alias => [list of roles]
As we use the arrow keys to go up / down the list of roles, the order changes
if you have AWS_PROFILE it is carried over to the new shell and then you have both. probably best to just detect and clear the env or abort?
Should investigate how we can call exec inside of an existing exec (renew vars) without manually print/copy/paste into shell.
Right now it kinda sucks that if you've already called exec once, you have to either unset your vars manually or exit the shell (possibly losing shell history).
All my code uses / instead of \.
Would be nice to not be prompted for a password until you try to access AWS SSO.
Right now I'm relying too much on the config file to contain a list of roles for the tags. Instead the config file with role/tags should be merely a decorator and AWSSSO authoritative. Then:
Via for a role. #38
Also consider how / when to require users to specify the entire ARN in the config.
AWS session management in the browser can cause problems so it's useful to be able to open the console in a private tab/incognito mode.
We already store the expire time in a variable, would be nice to tell people how much time they have left. then they could include that in their shell prompt :)
Basically go-prompt is blocking CTRL-C even after you have made a selection and Prompt.Run() has returned. The result is that if you try CTRL-C during AWS SSO / OIDC login/authentication, rather than the tool exiting like the user expects, they just see ^C printed in the terminal. The only way out is to either:
users should be able to encrypt the json store and type a password?
right now we always auto-open. should give people the functionality to click on url in console or just put in clipboard.