Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials.
See also Release v1.0.0 Notes
Python >= 3.7
Install latest from PyPI like so:
```commandline
pip install yawsso
```
- Do your SSO login as normal and have at least one active SSO session cache:
```commandline
aws sso login --profile dev
```
- To sync all named profiles in config (i.e. lazy consensus), just run:
```commandline
yawsso
```
- To sync the default profile and all named profiles, do:
```commandline
yawsso --default
```
- To sync the default profile only, do:
```commandline
yawsso --default-only
```
- To sync a selected named profile, do:
```commandline
yawsso -p dev
```
- To sync multiple selected named profiles, do:
```commandline
yawsso -p dev prod
```
- To sync the default profile as well as multiple selected named profiles, do:
```commandline
yawsso --default -p dev prod
```
- To sync all named profiles that start with the prefix pattern `lab*`, do:
```commandline
(zsh)
yawsso -p 'lab*'

(bash)
yawsso -p lab*
```
- To sync all named profiles that start with `lab*` as well as `dev` and `prod`, do:
```commandline
yawsso -p 'lab*' dev prod
```
- Print help to see other options:
```commandline
yawsso -h
```

```commandline
cdk deploy ...
terraform apply ...
cw ls groups
awsbw -L -P dev
sqsmover -s main-dlq -d main-queue
ecs-cli ps --cluster my-cluster
awscurl -H "Accept: application/json" --profile dev --region ap-southeast-2 "https://api..."
```
Say you have the following profile in your `$HOME/.aws/config`:
```
[profile dev]
sso_start_url = https://myorg.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = ap-southeast-2
output = json
cli_pager =
```
You want to populate the access token as, say, profile name `foo` in `$HOME/.aws/credentials`:
```
[foo]
region = ap-southeast-2
aws_access_key_id = XXX
aws_secret_access_key = XXX
aws_session_token = XXX
...
```
Do like so:
```commandline
yawsso -p dev:foo
```
Then, you can `export AWS_PROFILE=foo` and use the `foo` profile!
PLEASE USE THIS FEATURE WITH CARE SINCE ENVIRONMENT VARIABLES USED ON SHARED SYSTEMS CAN GIVE UNAUTHORIZED ACCESS TO PRIVATE RESOURCES.

STARTING FROM VERSION `1.0.0`, `yawsso -e` EXPORTS TOKENS AS A ROT13 ENCODED STRING.
- Use the `-e` flag if you want a temporary, copy-paste-able, time-gated access token for an instance or external machine.
- Please note that it uses the `default` profile if no additional arguments are passed.
```commandline
yawsso -e | yawsso decrypt
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
export AWS_SESSION_TOKEN=xxx
```
This use case is especially tailored for those who use the `default` profile and would like to pipe commands as follows.
```commandline
aws sso login && yawsso -e | yawsso decrypt | pbcopy
```
Otherwise, for a named profile, do:
```commandline
yawsso -p dev -e | yawsso decrypt
```
Or, to export credentials right away into the current shell environment variables, do:
```commandline
yawsso -p dev -e | yawsso decrypt | source /dev/stdin
```
Note: The above are mutually exclusive with the following auto copy into your clipboard. You must choose one.

If you have the `pyperclip` package installed, `yawsso` will copy access tokens to your clipboard instead.
```commandline
yawsso -e
Credentials copied to your clipboard for profile 'default'
```
You may `pip install pyperclip` or install it together with `yawsso` as follows.
```commandline
pip install 'yawsso[all]'
```
Use the `yawsso` subcommand `login` to SSO login then sync all in one go.

NOTE: It uses the `default` profile or the `AWS_PROFILE` environment variable if the optional argument `--profile` is absent.
```commandline
yawsso login -h
yawsso login
```
Otherwise you can pass the login profile as follows:
```commandline
yawsso login --profile dev
```
Due to the lazy consensus design, `yawsso` will sync all named profiles once SSO login has succeeded. If you'd like to sync only up to this login profile, use the `--this` flag to limit it as follows.
- Login using the default profile and sync only up to this default profile:
```commandline
yawsso login --this
```
- Login using named profile `dev` and sync only up to this `dev` profile:
```commandline
yawsso login --profile dev --this
```
- Login using named profile `dev` and sync as `foo`. See above for more details on renaming, which is limited to one profile.
```commandline
yawsso login --profile dev:foo
```
- Login using the default profile, sync only up to this default profile and print the access token:
```commandline
yawsso login -e | yawsso decrypt
```
- Login using named profile `dev`, sync only up to this `dev` profile and print the access token:
```commandline
yawsso login --profile dev -e | yawsso decrypt
```
Like `login`, you may use the `yawsso` subcommand `auto` to SSO login then sync all in one go. `yawsso` will attempt to auto login again.
```commandline
yawsso auto -h
```
(either)
```commandline
yawsso auto --profile dev
```
(or)
```commandline
export AWS_PROFILE=dev
yawsso auto
```

```commandline
yawsso -r -p dev
yawsso -r -p dev:foo
yawsso -r auto --profile dev
```
`yawsso` can encrypt and decrypt some arbitrary string from `stdin` using ROT13 (a simple letter substitution cipher) as follows.
```commandline
echo 'Hello this is a test' | yawsso encrypt
Uryyb guvf vf n grfg
echo 'Uryyb guvf vf n grfg' | yawsso decrypt
Hello this is a test
```
(or pipe through some text corpus)
```commandline
cat test.txt | yawsso encrypt
```
(or on Windows)
```commandline
type test.txt | yawsso encrypt
```
This is the same as using the trivial Unix `tr` command as follows.
```commandline
echo 'Hello this is a test' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Uryyb guvf vf n grfg
echo 'Uryyb guvf vf n grfg' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Hello this is a test
```
Hence, you could also decode `yawsso` exported tokens using the `tr` command, like so.
```commandline
yawsso -p dev -e | tr 'A-Za-z' 'N-ZA-Mn-za-m'
```
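Since ROT13 is an encoding that anyone can reverse, `yawsso -e` output pasted into a chat log, ticket or shell history is still a live credential, and a scanner that only matches the plain variable names will not see it. The following is an added example (not part of yawsso) that checks each line both as-is and ROT13-decoded for the `export` lines shown above; the function names and the sample text are constructed for illustration.

```python
import codecs
import re

# The three export lines that `yawsso -e | yawsso decrypt` prints.
EXPORT_RE = re.compile(
    r"\b(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)=(\S+)"
)


def rot13(text: str) -> str:
    """Same mapping as tr 'A-Za-z' 'N-ZA-Mn-za-m'; digits, '_' and '=' pass through."""
    return codecs.encode(text, "rot_13")


def find_exported_credentials(text: str):
    """Return (line_no, encoding, variable) for every credential export found.

    Each line is tested twice, raw and ROT13-decoded, so encoded output is
    flagged like a plain export. Secret values are never returned, so the
    findings can be logged safely.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for encoding, candidate in (("plain", line), ("rot13", rot13(line))):
            for match in EXPORT_RE.finditer(candidate):
                findings.append((line_no, encoding, match.group(1)))
    return findings


# Constructed sample: a chat excerpt with ROT13-encoded and plain exports.
# The key values are placeholders, not real credentials.
SAMPLE = "\n".join([
    "10:02 alice: creds for the build box, valid for an hour",
    "rkcbeg NJF_NPPRFF_XRL_VQ=NFVNRKNZCYR",
    "rkcbeg NJF_FRPERG_NPPRFF_XRL=kkk",
    "rkcbeg NJF_FRFFVBA_GBXRA=kkk",
    "10:05 bob: export AWS_PROFILE=foo",
    "export AWS_SESSION_TOKEN=xxx",
])

if __name__ == "__main__":
    for line_no, encoding, variable in find_exported_credentials(SAMPLE):
        print(f"line {line_no}: {variable} ({encoding})")
```
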
```commandline
make install
make test
python -m yawsso --trace version
```
(Windows)
```commandline
python -m venv venv
.\venv\Scripts\activate
pip install ".[dev,test]" .
pytest
python -m yawsso --trace version
```
MIT License