Open simpson-ross opened 1 month ago
In https://github.com/common-fate/granted/pull/530 support was added to read `sso-session` from the AWS config file, which allows the use of multiple users within a single AWS SSO system.

The `granted` CLI doesn't know about `sso-session`, so getting it to work is tedious. Here are the steps I followed to manage two users, `user1` and `user2`:

1. `[sso-session]` stanza to the AWS config for `user1`.
2. `granted sso populate ...`, logging in to AWS with `user1`.
3. `sso_session = user1` to each generated profile.
4. `granted sso-tokens clear --all` to remove the existing "default" session.
5. `user2`, adding a different prefix to the generated role names

It would be great if `granted sso generate` could take an optional `sso-session` parameter and, if set, append it to the generated profiles:

```
$ granted sso generate --sso-region us-east-1 --sso-session user1 https://foo.awsapps.com/start
[i] listing available profiles from AWS IAM Identity Center...
100% |█████████████████████████████████████████████████████████████████████████████████████████████| (22/22, 2 it/s)

[profile Prod.Developer]
sso_start_url = https://foo.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
common_fate_generated_from = aws-sso
sso_role_name = Developer
sso_session = user1
```
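
An added example, not part of the issue and not granted's own code: one way to script the manual step of adding `sso_session = user1` to each generated profile, refusing to rebind profiles that already name a session. The helper name `add_sso_session`, the named `[sso-session user1]` section and the sample config are assumptions made for illustration.

```python
import configparser
import io

# Constructed sample of an AWS config file; values mirror the issue's placeholders.
SAMPLE = """\
[sso-session user1]
sso_start_url = https://foo.awsapps.com/start
sso_region = us-east-1

[profile Prod.Developer]
sso_start_url = https://foo.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
common_fate_generated_from = aws-sso
sso_role_name = Developer

[profile user2.Prod.Developer]
sso_start_url = https://foo.awsapps.com/start
sso_account_id = 111111111111
common_fate_generated_from = aws-sso
sso_role_name = Developer
sso_session = user2

[profile manual]
region = us-east-1
"""

def add_sso_session(config_text, session, start_url):
    """Hypothetical helper: returns (new_config_text, changed_section_names)."""
    cfg = configparser.RawConfigParser()  # Raw: no '%' interpolation of values
    cfg.optionxform = str                 # keep key case exactly as written
    cfg.read_string(config_text)
    if not cfg.has_section(f"sso-session {session}"):
        raise ValueError(f"no [sso-session {session}] stanza in config")
    changed = []
    for name in cfg.sections():
        generated = cfg.get(name, "common_fate_generated_from", fallback=None) == "aws-sso"
        same_url = cfg.get(name, "sso_start_url", fallback=None) == start_url
        if not (name.startswith("profile ") and generated and same_url):
            continue  # leave hand-written profiles and other SSO instances alone
        if cfg.has_option(name, "sso_session"):
            continue  # already bound; never move a profile to another user's session
        cfg.set(name, "sso_session", session)
        changed.append(name)
    out = io.StringIO()
    cfg.write(out)  # note: configparser drops comments when it rewrites the file
    return out.getvalue(), changed
```

Run it against a copy of the config and review the returned list of changed sections before replacing the real file.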