aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Allow configuring sso-session settings non-interactively #7835

Open fitzoh opened 1 year ago

fitzoh commented 1 year ago

Describe the feature

As mentioned in this comment, you cannot use aws configure set to set sso-session parameters in the AWS config file.

The CLI should provide a mechanism to non-interactively set these values

Use Case

I'm trying to set up command line tools for multiple users in an organization, making it easy to use AWS SSO for their tooling. I would like to be able to give them a script to run to add SSO config to their config files vs manual instructions.

Proposed Solution

Update aws configure to work with sso-session prefixes like this:

aws configure set sso-session.session-name.sso_region eu-west-1 

(As shown by @ezzatron in https://github.com/aws/aws-cli/pull/7364#issuecomment-1329854689).

Alternatively, update aws configure sso-session to allow non-interactive operation by allowing flags instead of passing in values interactively (this might make sense as a separate issue)

Other Information

No response

Acknowledgements

CLI version used

2.9.6

Environment details (OS name and version, etc.)

Mac OS Ventura

tim-finnigan commented 1 year ago

Thanks for creating this feature request, I could see how it would be helpful to have this functionality. I'll mark this issue for further review by the team, and in the meantime others can add a 👍 to this issue or comment here to share any more details on use cases.

eytanhanig commented 11 months ago

@tim-finnigan Any updates on when the team will be able to review the PR?

fitz-vivodyne commented 7 months ago

Just bumping this to mention there's a PR open to resolve this coming up on a year open without review: https://github.com/aws/aws-cli/pull/7847

raylas commented 7 months ago

Also very interested in the functionality described here and implemented in #7847

ccmcbeck commented 6 months ago

Dear AWS, with all due respect, this is a "must have" for a large organization that wants to automate onboarding CLI users to https://aws.amazon.com/iam/identity-center/

Meanwhile, I suppose we can use workarounds like $AWS_CONFIG_FILE or https://github.com/pixelb/crudini. But feels grodo.

ccmcbeck commented 6 months ago

> Meanwhile, I suppose we can use workarounds like $AWS_CONFIG_FILE or https://github.com/pixelb/crudini. But feels grodo.

I wound up implementing the missing features with crudini. In addition to Identity Center, I needed to support a --legacy option to use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

My implementation was to delete any [profile {PROFILE}] or [sso-session {SESSION}] sections from ~/.aws/config and then create only the sections needed for Identity Center vs --legacy -- making it easy to switch between both options.

  1. When deleting a section, I used crudini --del {SECTION}
  2. When creating [profile {PROFILE}], I used aws configure set.
  3. When creating [sso-session {SESSION}], I used crudini --set

Therefore:

  1. This PR would handle requirement 3
  2. The addition of aws configure unset {SECTION} [{KEY}] [{VALUE}] would handle requirement 1 and keep me entirely in the realm of aws configure

Thanks. Not so grodo after all.
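The delete-then-create procedure from the comment above, as an added Python example (not code from the thread, from crudini or from aws-cli): it rewrites the config file directly and swaps it in atomically with owner-only permissions. The function names, the session and profile names, the account id and the role name are assumptions; the start URL, region and scope are the sample values posted in this thread.

```python
import os
import re
import tempfile

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

def set_section(text, header, settings):
    """Drop any existing [header] section, then append a fresh one."""
    kept, skipping = [], False
    for line in text.splitlines():
        match = SECTION_RE.match(line)
        if match:  # a header line: skip the section only if it is ours
            skipping = match.group(1).strip() == header
        if not skipping:
            kept.append(line)  # other sections, comments and blanks pass through
    while kept and not kept[-1].strip():
        kept.pop()  # trim trailing blank lines so reruns are idempotent
    if kept:
        kept.append("")
    kept.append(f"[{header}]")
    kept.extend(f"{key} = {value}" for key, value in settings.items())
    return "\n".join(kept) + "\n"

def configure_sso(path, session, session_settings, profile, profile_settings):
    """Write [sso-session X] and [profile Y] into path; return the new text."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""
    text = set_section(text, f"sso-session {session}", session_settings)
    # Named profiles only: the default profile's header is [default].
    text = set_section(text, f"profile {profile}",
                       {"sso_session": session, **profile_settings})
    directory = os.path.dirname(os.path.abspath(path))
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file 0600
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.replace(tmp, path)  # atomic swap within the same directory
    return text

if __name__ == "__main__":
    # Constructed demo values; writes a scratch file in the current directory.
    # Pass the real config path (for example ~/.aws/config, expanded) in a rollout.
    print(configure_sso(
        "demo-aws-config", "my-sso",
        {"sso_start_url": "https://sso-alias.awsapps.com/start",
         "sso_region": "us-east-1", "sso_registration_scopes": "sso:account:access"},
        "dev", {"sso_account_id": "111122223333", "sso_role_name": "ExampleRole"}))
```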

andreluiznsilva commented 5 months ago

I was able to automate the setup using a shell script like:

echo "sso-session-name
https://sso-alias.awsapps.com/start
us-east-1
sso:account:access" | aws configure sso-session

However, it would be nice to have the option to either set the variables using aws configure or pass them as parameters to the aws configure sso-session command.

evanstucker-hates-2fa commented 5 months ago

I wrote a script to configure all AWS IAM Identity Center (SSO) accounts and roles automatically. It requires AWS CLI v2 and jq. Download the aws_configure_all_sso.sh script here: https://codeberg.org/dedevsecops/aws

silasdavis commented 3 months ago

Needing to do something similar to @evanstucker-hates-2fa to get a fairly simple non-interactive setup that isn't full of traps and annoyances for new users. Primarily need to be able to generate a profile with a known name that can be referenced from a makefile. The current tool makes this obnoxiously hard. In particular, no easy way to get the sso_account_id other than digging around for the access token in cache and hitting the API as above.