For those using AWS SSO - what is your setup with ...
# random
For those using AWS SSO - what is your setup with SST? If you're not using AWS SSO - what are you waiting for!
I’m using shell script to generate AWS credentials. Script runs before start/deploy actions. Credentials refresh is required every hour, sso login every 12. I would love to hear about different solutions for sso…
do you have any plans to integrate SSO with SST?
Doing the exact same thing, thinking about integrating with SSO to refresh for you
Super curios about this as well. I currently just copy creds from the web console, cause I don't want to rely on the 3rd party tools to manage this. For anyone using SSO that hasn't yet, pls go upvote this issue, so it can be integrated with CDK/SST/other sdks:
This is the script I'm using
Copy code

# This script generates AWS Programmatic Access credentials from a user authenticated via SSO
# Before using, make sure that the AWS SSO is configured in your CLI: `aws configure sso`

export AWS_PROFILE=$1

request_credentials() {
  temp_identity=$(aws --profile "$profile" sts get-caller-identity)
  account_id=$(echo $temp_identity | jq -r .Arn | cut -d: -f5)
  assumed_role_name=$(echo $temp_identity | jq -r .Arn | cut -d/ -f2)
  session_name=$(echo $temp_identity | jq -r .Arn | cut -d/ -f3)
  sso_region=$(aws --profile "$profile" configure get sso_region)

  if [[ $sso_region == 'us-east-1' ]]; then
    aws sts assume-role \
      --profile $profile \
      --role-arn $role_arn \
      --role-session-name $session_name

echo "=> requesting temporary credentials"

if [ $? -ne 0 ]; then
  echo "Requesting sso login"
  aws sso login --profile "$profile"

  if [ $? -ne 0 ]; then
    exit 1


echo "=> updating ~/.aws/credentials as profile $profile"

access_key_id=$(echo $credentials | jq -r .Credentials.AccessKeyId)
secret_access_key=$(echo $credentials | jq -r .Credentials.SecretAccessKey)
session_token=$(echo $credentials | jq -r .Credentials.SessionToken)

aws configure set --profile "$profile" aws_access_key_id "$access_key_id"
aws configure set --profile "$profile" aws_secret_access_key "$secret_access_key"
aws configure set --profile "$profile" aws_session_token "$session_token"

echo "[OK] done"
Yeah lol keeping a close eye on that thread
Great script thanks for sharing, definitely better than just copying creds 😅 I dono why its taking them so long to implement it... Its the second most upvoted issued on gh and there seems to be no one looking at it..... I'm wondering if this is going to be implemented in cdkv2
haha I’m using same script with small modification
it was failing for me when SSO login was required, had to run it twice
problem I have is that after 1 hour with ‘sst start’ running, I modify infrastructure and SST offers me to deploy changes, it will fail because of expired credentials. I have to restart sst
I made the same fix!
we're living the same life - been doing this for the past year but I think we're going to implement it natively in sst
We just use aws-vault havent had any issues with it 🙂
I use Leapp, works perfectly for IAM User, IAM Role and AWS SSO. Just click on which profile you want, punch in your MFA and you’re off. It just writes to a single credentials profile under the hood, so SST just sees the
credentials profile.
Biggest problem with Leapp is you can only define one SSO login if you want to use SSO for your personal & work accounts you cant use Leapp 😕 Thats why I switched to aws-vault
Ah gotcha, we generally just use an IAM user (per person) in our main account, and then cross-account roles for all the client accounts. Haven’t personally used SSO but saw Leapp supported it.
I don’t understand what’s the benefit of SSO over
cli 😳
I'd say the biggest thing is on the AWS end (I haven't used IAM for a while so a I maybe wrong). But SSO allows you to: • Create groups/users/permission sets once and then apply them across accounts • Login to any account/role via one login portal • Enforce things like MFA by default and enable features like context aware MFA • Ensure that developers don't use long lived credentials
My company is doing this: It works really well.
I was able to start using SST in a new account with no effort.
And it's great for demos because I can sso into accounts without exposing keys or anything.
If this was built into SST how would you guys expect it to work? Would you pass in AWS_SSO_PROFILE or something? I can't figure out of there's a standard for this
I would like sst to accept profile in the command as well. I use AWS SSO, along with
and I commonly forget to export my profile first.
so I run these commands:
Copy code
aws sso login --profile sso-jon-stuff
cdk-sso-sync sso-jon-stuff
export AWS_PROFILE=sso-jon-stuff
npx sst start
nice script, thanks @thdxr.
You can run
AWS_PROFILE=sso-jon-stuff npx sst start
too if it’s easier to remember (I prefer this to having a dedicated
argument, as it works the same as other AWS CLI tools)
would it possible to keep current AWS_PROFILE env variable name, and detect that the profile indeed is sso (should have sso_account and sso_role_name defined)?
Yeah that's what the CLI does
We should mirror that
We use: (GH) (forked and republished in our private registry for security reasons) And a tiny script:
Copy code
function aws-set-profile() {
    export AWS_PROFILE="$1"
    export AWS_DEFAULT_PROFILE="$1"
    export AWS_EB_PROFILE="$1"

function aws-login() {
  if ! [ -x "$(command -v aws)" ]; then
    echo "Error: aws cli not installed, please install with: brew install awscli"
    return 1

  aws-set-profile "$PROFILE_TO_LOGIN_TO"
  echo "Logging in to: $PROFILE_TO_LOGIN_TO"
  aws sso login --profile "$PROFILE_TO_LOGIN_TO"
  ssocred "$PROFILE_TO_LOGIN_TO"
Quite similar to your script.
@Akos I hope the maintainer of that npm package has MFA enabled 😬
Ah, we have AWS SSO hooked up to our G Suite SAML and we require 2FA on Google so we don't use AWS's MFA.
^ I do the same
But think @Dan Greaves means that hopefully that package doesn't get hacked
Oh, yeah, sorry, misunderstood. That's why we forked it, reviewed the code, and republished it from source to our private registry 🙂 No taking chances with AWS credentials.