awslabs / awsprocesscreds

Process credential providers for AWS SDKs and Tools
Apache License 2.0
132 stars 40 forks

Support for AWS SSO? #26

Open lorengordon opened 6 years ago

lorengordon commented 6 years ago

When logging in through AWS SSO, it can retrieve temporary keys for users to copy/paste into their shell or a config file. This isn't ideal; it's still difficult to use on a routine basis from the command line as you need to get the credentials out of the browser. Seems like something this package could help with, yes?

It appears that AWS SSO works by adding a SAML identity provider within the configured accounts. I would think it ought to be possible then to use a package like this to interface with SSO to retrieve the credentials and make them available via credential_process. Does that already work and I'm just not seeing how? Or, any idea how to go about adding that support?

JordonPhillips commented 5 years ago

This is definitely something we're interested in supporting, but I can't give a specific timeline for when it will be ready.

obijan42 commented 5 years ago

It seems totally customer-hostile to have an AWS CLI not work with an AWS service. For every other (competing!) IDP there is support, but not for the AWS one.
Going to see if I can hack something together myself.

dan-lind commented 5 years ago

+1

drankard commented 5 years ago

Any updates on this issue?

mattmcf commented 5 years ago

+1

drj42 commented 4 years ago

I'll echo the sentiments of @obijan42. I've wasted considerable time tonight trying to figure out how to auth on the cli without this copy/paste loop - which is just not practical for routine use. It didn't even occur to me that this impractical method would really be the only way to combine sso with the aws cli.

It's shocking to me that there isn't a CLI based auth flow for temporary credentials, and I think this is in direct tension with the advice we see in AWS documentation and from AWS personnel - which instructs us to avoid IAM users and long-lived access keys in favor of SSO, roles and rotating credentials in a multi-account setup. Nothing makes me want to reach for long-lived access keys and IAM users more than this cumbersome alternate scenario.

At least one of AWS's competitors in the top-tier cloud provider space does it exactly right, out of the box, and has for years (Google it :P). This is a huge quality of life loser for AWS, I really hope you consider making it a higher priority.

mattmcf commented 4 years ago

For what it's worth, the aws2 CLI is now out in beta, which supports AWS SSO commands and auth.

There's also support for the AWS SSO service in some AWS SDKs now (Ruby, for example).

ericvilla commented 3 years ago

Hi @lorengordon, it's been a while since this issue was opened, but, as @mattmcf stated, AWS CLI v2 has support for AWS SSO, allowing you to log into your Portal URL, providing you with your AWS SSO User's credentials. Through the aws configure sso command you'll be able to create Named Profiles associated with the AWS IAM Roles you want to access, and that your user is allowed to access. As far as support for AWS SSO is concerned, IMO the overall AWS CLI v2 user experience could be improved, and that's what my team is trying to address. We're working on an Open Source project that manages credentials in your local environment to access a complex Cloud Environment. If it makes sense to you, take a look at the Leapp project.
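An added example, not part of this thread and not code from awsprocesscreds: the core of a credential_process helper for the SSO case discussed above. It assumes the AWS CLI v2 token cache fields (startUrl, accessToken, expiresAt) and the roleCredentials shape returned by the SSO GetRoleCredentials API; the function names and all sample values are constructed, and the network call is left out so the block runs offline.

```python
import json
from datetime import datetime, timezone

# Constructed sample data: two cached SSO tokens (one expired) and a
# roleCredentials dict shaped like a GetRoleCredentials response.
SAMPLE_START_URL = "https://example.awsapps.com/start"
SAMPLE_CACHE = [
    {"startUrl": SAMPLE_START_URL, "accessToken": "expired-token-constructed",
     "expiresAt": "2020-01-01T00:00:00Z"},
    {"startUrl": SAMPLE_START_URL, "accessToken": "valid-token-constructed",
     "expiresAt": "2030-01-01T00:00:00Z"},
]
SAMPLE_ROLE_CREDENTIALS = {
    "accessKeyId": "ASIAEXAMPLEEXAMPLE",
    "secretAccessKey": "constructed-secret",
    "sessionToken": "constructed-session-token",
    "expiration": 1893456000000,  # epoch milliseconds
}

def parse_utc(ts):
    """Parse an ISO 8601 timestamp (assumed 'Z' suffix) into an aware datetime."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def pick_token(cache_entries, start_url, now):
    """Return an unexpired access token cached for start_url, or None.

    Returning None forces a fresh interactive login instead of sending
    a stale token to the SSO service.
    """
    for entry in cache_entries:
        if entry.get("startUrl") != start_url or "accessToken" not in entry:
            continue
        if parse_utc(entry["expiresAt"]) > now:
            return entry["accessToken"]
    return None

def to_credential_process(role_credentials):
    """Map a roleCredentials dict to the JSON that credential_process must print."""
    expires = datetime.fromtimestamp(role_credentials["expiration"] / 1000, tz=timezone.utc)
    return json.dumps({
        "Version": 1,
        "AccessKeyId": role_credentials["accessKeyId"],
        "SecretAccessKey": role_credentials["secretAccessKey"],
        "SessionToken": role_credentials["sessionToken"],
        "Expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })

if __name__ == "__main__":
    # A real helper would pass the token to GetRoleCredentials here.
    if pick_token(SAMPLE_CACHE, SAMPLE_START_URL, datetime.now(timezone.utc)):
        print(to_credential_process(SAMPLE_ROLE_CREDENTIALS))
```

Because the output carries an Expiration, the SDK calls the helper again once the temporary credentials lapse, so no long-lived key needs to be written to the config file.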

pydemo commented 3 years ago

It's a bit quirky (it opens browser) but it saves keys to file using python/selenium automation: automate-AWS-SSO

nash-az commented 2 years ago

+1

jaroszan commented 1 year ago

+1