yawsso
Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials.
See also Release v1.0.0 Notes
Prerequisite
- Required
Python >= 3.7 - Required AWS CLI v2
- Assume you have already setup AWS SSO for your organization
Main Use Case
-
Install latest from PyPI like so:
pip install yawsso -
Do your per normal SSO login and, have at least one active SSO session cache:
aws sso login --profile dev -
To sync for all named profiles in config (i.e. lazy consensus), then just:
yawsso -
To sync default profile and all named profiles, do:
yawsso --default -
To sync default profile only, do:
yawsso --default-only -
To sync for selected named profile, do:
yawsso -p dev -
To sync for multiple selected named profiles, do:
yawsso -p dev prod -
To sync for default profile as well as multiple selected named profiles, do:
yawsso --default -p dev prod -
To sync for all named profiles start with prefix pattern
lab*, do:(zsh) yawsso -p 'lab*'
(bash) yawsso -p lab*
- To sync for all named profiles start with `lab*` as well as `dev` and `prod`, do:yawsso -p 'lab*' dev prod
- Print help to see other options:
```commandline
yawsso -h- Then, continue per normal with your daily tools. i.e.
cdk deploy ...terraform apply ...cw ls groupsawsbw -L -P devsqsmover -s main-dlq -d main-queueecs-cli ps --cluster my-clusterawscurl -H "Accept: application/json" --profile dev --region ap-southeast-2 "https://api..."
Additional Use Cases
Rename Profile on Sync
-
Say, you have the following profile in your
$HOME/.aws/config:[profile dev] sso_start_url = https://myorg.awsapps.com/start sso_region = ap-southeast-2 sso_account_id = 123456789012 sso_role_name = AdministratorAccess region = ap-southeast-2 output = json cli_pager = -
You want to populate access token as, say, profile name
fooin$HOME/.aws/credentials:[foo] region = ap-southeast-2 aws_access_key_id = XXX aws_secret_access_key = XXX aws_session_token = XXX ... -
Do like so:
yawsso -p dev:foo -
Then, you can
export AWS_PROFILE=fooand usefooprofile!
Export Tokens
PLEASE USE THIS FEATURE WITH CARE SINCE ENVIRONMENT VARIABLES USED ON SHARED SYSTEMS CAN GIVE UNAUTHORIZED ACCESS TO PRIVATE RESOURCES.
π€ START FROM VERSION
1.0.0,yawsso -eEXPORT TOKENS IN ROT13 ENCODED STRING.
-
Use
-eflag if you want a temporary copy-paste-able time-gated access token for an instance or external machine. -
Please note that, it uses
defaultprofile if no additional arguments pass.yawsso -e | yawsso decrypt export AWS_ACCESS_KEY_ID=xxx export AWS_SECRET_ACCESS_KEY=xxx export AWS_SESSION_TOKEN=xxx -
This use case is especially tailored for those who use
defaultprofile and, who would like to PIPE commands as follows.aws sso login && yawsso -e | yawsso decrypt | pbcopy -
Otherwise, for a named profile, do:
yawsso -p dev -e | yawsso decrypt -
Or, right away export credentials into the current shell environment variables, do:
yawsso -p dev -e | yawsso decrypt | source /dev/stdin
Note: βοΈ are mutually exclusive with the following π auto copy into your clipboard. Choose one, a must!
-
If you have
pyperclippackage installed,yawssowill copy access tokens to your clipboard instead.yawsso -e Credentials copied to your clipboard for profile 'default' -
You may
pip install pyperclipor, together withyawssoas follows.pip install 'yawsso[all]'
Login
- You can also use
yawssosubcommandloginto SSO login then sync all in one go.
πββοΈ NOTE: It uses
defaultprofile orAWS_PROFILEenvironment variable if optional argument--profileis absent
yawsso login -h
yawsso login-
Otherwise you can pass the login profile as follows:
yawsso login --profile dev -
Due to lazy consensus design,
yawssowill sync all named profiles once SSO login has succeeded. If you'd like to sync only upto this login profile then use--thisflag to limit as follows.
π Login using default profile and sync only upto this default profile
yawsso login --thisπ Login using named profile dev and sync only upto this dev profile
yawsso login --profile dev --thisπ Login using named profile dev and sync as foo. See above for more details on renaming, limited to one profile.
yawsso login --profile dev:foo
Login then Export token
- Exporting access token also support with login subcommand as follows:
π Login using default profile, sync only upto this default profile and, print access token
yawsso login -e | yawsso decryptπ Login using named profile dev, sync only upto this dev profile and, print access token
yawsso login --profile dev -e | yawsso decrypt
Auto Login then Sync
- Like
login, you may useyawssosubcommandautoto SSO login then sync all in one go. - It will check if SSO session has expired and, if so,
yawssowill attempt to auto login again.
yawsso auto -h
(either)
yawsso auto --profile dev
(or)
export AWS_PROFILE=dev
yawsso autoSet Region
- You can also set region from the config file to the shared credentials file
- Do like so:
yawsso -r -p devyawsso -r -p dev:fooyawsso -r auto --profile devEncryption
yawsso can encrypt and decrypt some arbitrary string from stdin using ROT13 (a simple letter substitution cipher) as follows.
echo 'Hello this is a test' | yawsso encrypt
Uryyb guvf vf n grfg
echo 'Uryyb guvf vf n grfg' | yawsso decrypt
Hello this is a test
(or Pipe through some text corpus)
cat test.txt | yawsso encrypt
(or on Windows)
type test.txt | yawsso encryptThis is the same as using trivial Unix tr command as follows.
echo 'Hello this is a test' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Uryyb guvf vf n grfg
echo 'Uryyb guvf vf n grfg' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Hello this is a testHence, you could also decode yawsso exported tokens using tr command, like so.
yawsso -p dev -e | tr 'A-Za-z' 'N-ZA-Mn-za-m'Develop
- Create virtual environment, activate it and then:
make install
make test
python -m yawsso --trace version(Windows)
python -m venv venv
.\venv\Scripts\activate
pip install ".[dev,test]" .
pytest
python -m yawsso --trace version- Create issue or pull request welcome
License
MIT License
