aws / aws-tools-for-powershell

The AWS Tools for PowerShell lets developers and administrators manage their AWS services from the PowerShell scripting environment.
Apache License 2.0

How to use new SSO modules #91

Closed bkolodny-bkcs closed 4 years ago

bkolodny-bkcs commented 4 years ago

I don't know where to find this information, and I realize that this may not be where I need to post this, so if I should be asking this somewhere else, please let me know.

I am trying to find documentation on how to use the new SSO and SSOIDC modules. I'm assuming that it is similar to the aws2 cli that can connect to AWS SSO for temporary credentials, but I can't figure out how to configure my profiles.

I have my aws2 sso working just fine.

I think it would be helpful to have a post on how to configure the profiles for the powershell version.

matteo-prosperi commented 4 years ago

Hello, I think the sequence of commands for SSO to work would be:

We plan to add full support for SSO to AWS Tools for PowerShell similarly to how it is available for the AWS CLI (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html). I don't have a timeline to share though.

pcgeek86 commented 4 years ago

We're an AWS Premier Partner (Mphasis Stelligent), and we are looking to utilize AWS SSO for our internal AWS account management. We utilize the AWS PowerShell SDK and need an authentication flow between AWS SSO and PowerShell. Thank you.

bkolodny-bkcs commented 4 years ago

How do I use Register-SSOOIDCClient? I am trying

    Register-SSOOIDCClient -ClientName Sandbox -ClientType public -Region us-east-1

and I get:

    Register-SSOOIDCClient : Credential profile [nexus-master-sndbx] is not valid. Please ensure the profile contains a valid combination of properties.

And when I try

    Register-SSOOIDCClient -ClientName Sandbox -ClientType public -Region us-east-1 -ProfileName nexus-master-sndbx

I get:

    Register-SSOOIDCClient : Credential profile [nexus-master-sndbx] is not valid. Please ensure the profile contains a valid combination of properties.

By the way, nexus-master-sndbx is the profile I use with aws2, and it works all the time.

matteo-prosperi commented 4 years ago

Hi, sorry for not answering earlier but we haven't started the SSO integration so I don't have much information. Today I was trying SSO and I was able to get a little bit more used to this service. You shouldn't need a profile at all to use SSO. You can try to simply pass in anonymous credentials:

Register-SSOOIDCClient -ClientName Sandbox -ClientType public -Credential ([Amazon.Runtime.AnonymousAWSCredentials]::new())

I was able to retrieve credentials in C# with the following code, it should be possible to adapt it to PowerShell with minimal changes:

    using System;
    using System.Threading.Tasks;
    using Amazon;
    using Amazon.Runtime;
    using Amazon.SSO;
    using Amazon.SSO.Model;
    using Amazon.SSOOIDC;
    using Amazon.SSOOIDC.Model;

    class SsoDeviceFlowTest
    {
        static async Task Main()
        {
            CreateTokenResponse createTokenResponse;

            // Both the OIDC and the portal APIs are called unauthenticated, hence anonymous credentials.
            using (var ssoOidcClient = new AmazonSSOOIDCClient(new AnonymousAWSCredentials(), new AmazonSSOOIDCConfig { RegionEndpoint = RegionEndpoint.USWest2 }))
            {
                // Register a public OIDC client. The returned secret only authenticates this registration.
                var registerClientResponse = await ssoOidcClient.RegisterClientAsync(new RegisterClientRequest
                {
                    ClientName = "TestClient1",
                    ClientType = "public"
                });

                // Start the device-authorization grant against the SSO start URL.
                var startDeviceAuthResponse = await ssoOidcClient.StartDeviceAuthorizationAsync(new StartDeviceAuthorizationRequest
                {
                    ClientSecret = registerClientResponse.ClientSecret,
                    ClientId = registerClientResponse.ClientId,
                    StartUrl = "https://d-0123456789.awsapps.com/start"
                });

                Console.WriteLine($"Authenticate at {startDeviceAuthResponse.VerificationUriComplete}");

                var expiration = DateTime.UtcNow.AddSeconds(startDeviceAuthResponse.ExpiresIn);
                var pollingInterval = TimeSpan.FromSeconds(startDeviceAuthResponse.Interval);

                // Poll CreateToken until the user approves in the browser. AuthorizationPending means
                // keep waiting; SlowDown means add 5 seconds to the interval (RFC 8628, section 3.5).
                // The "Code" field is only used by the authorization-code grant, so it is not sent here.
                while (true)
                {
                    try
                    {
                        createTokenResponse = await ssoOidcClient.CreateTokenAsync(new CreateTokenRequest
                        {
                            ClientId = registerClientResponse.ClientId,
                            ClientSecret = registerClientResponse.ClientSecret,
                            DeviceCode = startDeviceAuthResponse.DeviceCode,
                            GrantType = "urn:ietf:params:oauth:grant-type:device_code"
                        });
                    }
                    catch (AuthorizationPendingException)
                    {
                        if (DateTime.UtcNow.Add(pollingInterval) > expiration)
                        {
                            throw;
                        }
                        await Task.Delay(pollingInterval);
                        continue;
                    }
                    catch (SlowDownException)
                    {
                        pollingInterval = pollingInterval.Add(TimeSpan.FromSeconds(5));
                        if (DateTime.UtcNow.Add(pollingInterval) > expiration)
                        {
                            throw;
                        }
                        // Sleep for the increased interval, not the original one.
                        await Task.Delay(pollingInterval);
                        continue;
                    }
                    break;
                }
            }

            using (var ssoClient = new AmazonSSOClient(new AnonymousAWSCredentials(), new AmazonSSOConfig { RegionEndpoint = RegionEndpoint.USWest2 }))
            {
                var accountId = "012345678901";
                // Exchange the OIDC access token for temporary credentials of one role in one account.
                var getRoleCredentialsResponse = await ssoClient.GetRoleCredentialsAsync(new GetRoleCredentialsRequest
                {
                    AccessToken = createTokenResponse.AccessToken,
                    AccountId = accountId,
                    RoleName = "TestRole1"
                });

                // Print only the non-secret parts; the secret key and session token should not be logged.
                Console.WriteLine("Credentials:");
                Console.WriteLine(accountId);
                Console.WriteLine(getRoleCredentialsResponse.RoleCredentials.AccessKeyId);
                Console.WriteLine("Expires: " + DateTimeOffset.FromUnixTimeMilliseconds(getRoleCredentialsResponse.RoleCredentials.Expiration));
            }
        }
    }

Please note that this is only a test, this is NOT production-quality code!

These links were useful to figure out how to do this: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_Operations.html https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_Operations.html https://aws.amazon.com/blogs/security/how-to-create-and-manage-users-within-aws-sso/
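The same device-authorization flow, as an added example written in PowerShell against the AWS.Tools SSOOIDC and SSO cmdlets. It is not code from the aws-tools-for-powershell project or from any commenter in this thread. It assumes the cmdlet names Register-SSOOIDCClient, Start-SSOOIDCDeviceAuthorization, New-SSOOIDCToken and Get-SSORoleCredential map one-to-one onto the RegisterClient, StartDeviceAuthorization, CreateToken and GetRoleCredentials API operations, that the cmdlets return the corresponding SDK response objects, that the SDK exceptions appear either directly or as the inner exception of the thrown error, and that the start URL, account ID and role name are placeholders to be replaced.

```powershell
# Added example: AWS SSO device-authorization login with the AWS.Tools cmdlets.
# Not from the aws-tools-for-powershell project. Start URL, account and role are placeholders.
#Requires -Modules AWS.Tools.Common, AWS.Tools.SSOOIDC, AWS.Tools.SSO, AWS.Tools.SecurityToken
param(
    [string]$StartUrl   = 'https://d-0123456789.awsapps.com/start',  # placeholder
    [string]$Region     = 'us-east-1',
    [string]$AccountId  = '012345678901',                             # placeholder
    [string]$RoleName   = 'TestRole1',                                # placeholder
    [string]$ClientName = 'PowerShellSsoExample'
)
$ErrorActionPreference = 'Stop'

# The OIDC and portal APIs are unauthenticated. Without anonymous credentials the cmdlets try to
# load a default profile and fail with "Credential profile [...] is not valid".
$anon = [Amazon.Runtime.AnonymousAWSCredentials]::new()

# 1. Register a public OIDC client. Keep the returned secret in memory only; do not log or persist it.
$client = Register-SSOOIDCClient -ClientName $ClientName -ClientType public -Region $Region -Credential $anon

# 2. Start the device-authorization grant (RFC 8628).
$auth = Start-SSOOIDCDeviceAuthorization -ClientId $client.ClientId -ClientSecret $client.ClientSecret `
    -StartUrl $StartUrl -Region $Region -Credential $anon

# Check that the URL the user is sent to lives on the same host as the start URL before showing it.
$expectedHost = ([uri]$StartUrl).Host
if (([uri]$auth.VerificationUriComplete).Host -ne $expectedHost) {
    throw "Verification URI host does not match $expectedHost; refusing to continue."
}
Write-Host "Open $($auth.VerificationUriComplete) and confirm code $($auth.UserCode)"

# 3. Poll CreateToken until the user approves. Honour the server interval, add 5 seconds on
#    slow_down, and give up once the device code has expired.
$deadline = [DateTime]::UtcNow.AddSeconds($auth.ExpiresIn)
$interval = [TimeSpan]::FromSeconds($auth.Interval)
$token = $null
while (-not $token) {
    try {
        $token = New-SSOOIDCToken -ClientId $client.ClientId -ClientSecret $client.ClientSecret `
            -DeviceCode $auth.DeviceCode -GrantType 'urn:ietf:params:oauth:grant-type:device_code' `
            -Region $Region -Credential $anon
    }
    catch {
        # Assumption: the SDK exception is either the thrown exception or its inner exception.
        $ex = $_.Exception
        $pending  = ($ex -is [Amazon.SSOOIDC.Model.AuthorizationPendingException]) -or
                    ($ex.InnerException -is [Amazon.SSOOIDC.Model.AuthorizationPendingException])
        $slowDown = ($ex -is [Amazon.SSOOIDC.Model.SlowDownException]) -or
                    ($ex.InnerException -is [Amazon.SSOOIDC.Model.SlowDownException])
        if ($slowDown) { $interval = $interval.Add([TimeSpan]::FromSeconds(5)) }
        elseif (-not $pending) { throw }   # anything else (expired, denied, invalid client) is fatal
        if ([DateTime]::UtcNow.Add($interval) -gt $deadline) {
            throw 'Device code expired before the login was approved.'
        }
        Start-Sleep -Seconds ([int]$interval.TotalSeconds)
    }
}

# 4. Exchange the OIDC access token for temporary credentials of one role in one account.
$creds = Get-SSORoleCredential -AccessToken $token.AccessToken -AccountId $AccountId -RoleName $RoleName `
    -Region $Region -Credential $anon

# 5. Make them the credentials of this PowerShell session (not stored on disk). Expiration is epoch ms.
Set-AWSCredential -AccessKey $creds.AccessKeyId -SecretKey $creds.SecretAccessKey -SessionToken $creds.SessionToken
$expires = [DateTimeOffset]::FromUnixTimeMilliseconds($creds.Expiration).UtcDateTime
Write-Host "Session credentials for $AccountId/$RoleName set; they expire at $expires UTC"
Get-STSCallerIdentity   # confirms which principal the session now uses
```

Set-AWSCredential without -StoreAs keeps the credentials in the current session only, which is the right default for short-lived SSO credentials; the OIDC access token itself can be reused with Get-SSORoleCredential for other account/role pairs until it expires.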

benkehoe commented 4 years ago

You can also reference the CLI's implementation (in Python):

ghost commented 4 years ago

Inspired by the comments above, I have created a PowerShell module for this at https://github.com/efab9c6f2b4c49578f8e619e27f6b3fb/AWSSSOHelper

ryguy77 commented 4 years ago

Has any one been able to successfully log in via the new powershell tools? I seem to be missing something, I keep getting an issue (Unsupported GrantType) when creating the new token.

e0c615c8e4d846ef817cd5063a88716c commented 4 years ago

Has any one been able to successfully log in via the new powershell tools? I seem to be missing something, I keep getting an issue (Unsupported GrantType) when creating the new token.

I created a module here - feel free to inspect the code to see how it works, but essentially there's what seems to be a fairly arbitrary parameter required:

-Credential ([Amazon.Runtime.AnonymousAWSCredentials]::new())

ashishdhingra commented 4 years ago

Hi @bkolodny-bkcs,

Good afternoon.

I was going through the backlog issues and came across this one. Please confirm if guidance provided by @matteo-prosperi works and if we could close this issue.

Thanks, Ashish

ryguy77 commented 4 years ago

Yes you can close the issue. Thank you
