Open fitzoh opened 1 year ago
Thanks for creating this feature request, I could see how it would be helpful to have this functionality. I'll mark this issue for further review by the team, and in the meantime others can add a 👍 to this issue or comment here to share any more details on use cases.
@tim-finnigan Any updates on when the team will be able to review the PR?
Just bumping this to mention there's a PR open to resolve this coming up on a year open without review: https://github.com/aws/aws-cli/pull/7847
Also very interested in the functionality described here and implemented in #7847
Dear AWS, with all due respect, this is "must have" for a large organization that wants to automate onboarding CLI users to https://aws.amazon.com/iam/identity-center/
Meanwhile, I suppose we can use workarounds like $AWS_CONFIG_FILE or https://github.com/pixelb/crudini. But feels grodo.
Meanwhile, I suppose we can use workarounds like $AWS_CONFIG_FILE or https://github.com/pixelb/crudini. But feels grodo.
I wound up implementing the missing features with crudini. In addition to Identity Center, I needed to support a --legacy option to use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
My implementation was to delete any [profile {PROFILE}] or [sso-session {SESSION}] sections from ~/.aws/config and then create only the sections needed for Identity Center vs --legacy -- making it easy to switch between both options.
crudini --del {SECTION}
[profile {PROFILE}], I used aws configure set.
[sso-session {SESSION}], I used crudini --set
Therefore: aws configure unset {SECTION} [{KEY}] [{VALUE}] would handle requirement 1 and keep me entirely in the realm of aws configure
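The delete-then-recreate approach described in the comment above, as an added example in Python (not the commenter's script and not AWS CLI code). It uses the standard-library configparser in place of crudini; the function name, account ID and role name are hypothetical placeholders.

```python
import configparser
import os
import tempfile


def write_sso_config(path, profile, session, start_url, sso_region,
                     account_id, role_name, scopes="sso:account:access"):
    """Recreate [profile ...] and [sso-session ...] without any prompt."""
    cfg = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cfg.read(path)  # a missing file is simply treated as empty
    # The default profile is written as [default], not [profile default].
    profile_sec = "default" if profile == "default" else f"profile {profile}"
    session_sec = f"sso-session {session}"
    # Delete first, then create, so no stale key from an earlier setup survives.
    for section in (profile_sec, session_sec):
        cfg.remove_section(section)
    cfg[session_sec] = {
        "sso_start_url": start_url,
        "sso_region": sso_region,
        "sso_registration_scopes": scopes,
    }
    cfg[profile_sec] = {
        "sso_session": session,
        "sso_account_id": account_id,
        "sso_role_name": role_name,
    }
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically.
    # Note: configparser does not preserve comments from the original file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.replace(tmp, path)
    return cfg


if __name__ == "__main__":
    # Constructed sample config: one stale profile, one unrelated profile.
    demo = os.path.join(tempfile.mkdtemp(), "config")
    with open(demo, "w") as fh:
        fh.write("[profile dev]\nregion = eu-west-1\noutput = json\n\n"
                 "[profile other]\nregion = us-west-2\n")
    write_sso_config(demo, "dev", "sso-session-name",
                     "https://sso-alias.awsapps.com/start", "us-east-1",
                     "111111111111", "ExampleRole")  # placeholder account/role
    print(open(demo).read())
```

Pointing path at a file selected through AWS_CONFIG_FILE keeps the generated settings separate from a user's hand-edited ~/.aws/config.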
Thanks. Not so grodo after all.
I was able to automate the setup using a shell script like:
echo "sso-session-name
https://sso-alias.awsapps.com/start
us-east-1
sso:account:access" | aws configure sso-session
However, would be nice to have the option to either set the variables using aws configure or passing it as parameter to the aws configure sso-session command
I wrote a script to configure all AWS IAM Identity Center (SSO) accounts and roles automatically. It requires AWS CLI v2 and jq. Download the aws_configure_all_sso.sh script here: https://codeberg.org/dedevsecops/aws
Needing to do something similar to @evanstucker-hates-2fa to get a fairly simple non-interactive setup that isn't full of traps and annoyances for new users. Primarily need to be able to generate a profile with a known name that can be referenced from makefile. The current tool makes this obnoxiously hard. In particular no easy way to get the sso_account_id other than digging around for access token in cache and hitting API as above.
Describe the feature
As mentioned in this comment, you cannot use aws configure set to set sso-session parameters in the AWS config file.
The CLI should provide a mechanism to non-interactively set these values
Use Case
I'm trying to set up command line tools for multiple users in an organization, making it easy to use AWS SSO for their tooling. I would like to be able to give them a script to run to add SSO config to their config files vs manual instructions.
Proposed Solution
Update aws configure to work with sso-session prefixes like this:
(As shown by @ezzatron in https://github.com/aws/aws-cli/pull/7364#issuecomment-1329854689).
Alternatively, update aws configure sso-session to allow non-interactive operation by allowing flags instead of passing in values interactively (this might make sense as a separate issue)
Other Information
No response
Acknowledgements
CLI version used
2.9.6
Environment details (OS name and version, etc.)
Mac OS Ventura