thdxr
11/23/2021, 2:31 AMSlawomir Stec
11/23/2021, 2:37 AMSlawomir Stec
11/23/2021, 2:39 AMthdxr
11/23/2021, 2:51 AMChad (cysense)
11/23/2021, 2:51 AMthdxr
11/23/2021, 2:51 AM#!/bin/bash
# This script generates AWS Programmatic Access credentials from a user authenticated via SSO
# Before using, make sure that the AWS SSO is configured in your CLI: `aws configure sso`
profile=$1
export AWS_PROFILE=$1
request_credentials() {
temp_identity=$(aws --profile "$profile" sts get-caller-identity)
account_id=$(echo $temp_identity | jq -r .Arn | cut -d: -f5)
assumed_role_name=$(echo $temp_identity | jq -r .Arn | cut -d/ -f2)
session_name=$(echo $temp_identity | jq -r .Arn | cut -d/ -f3)
sso_region=$(aws --profile "$profile" configure get sso_region)
if [[ $sso_region == 'us-east-1' ]]; then
sso_region_string=''
else
sso_region_string="${sso_region}/"
fi
role_arn="arn:aws:iam::${account_id}:role/aws-reserved/sso.amazonaws.com/${sso_region_string}${assumed_role_name}"
credentials=$(
aws sts assume-role \
--profile $profile \
--role-arn $role_arn \
--role-session-name $session_name
)
}
echo "=> requesting temporary credentials"
request_credentials
if [ $? -ne 0 ]; then
echo "Requesting sso login"
aws sso login --profile "$profile"
if [ $? -ne 0 ]; then
exit 1
fi
request_credentials
fi
echo "=> updating ~/.aws/credentials as profile $profile"
access_key_id=$(echo $credentials | jq -r .Credentials.AccessKeyId)
secret_access_key=$(echo $credentials | jq -r .Credentials.SecretAccessKey)
session_token=$(echo $credentials | jq -r .Credentials.SessionToken)
aws configure set --profile "$profile" aws_access_key_id "$access_key_id"
aws configure set --profile "$profile" aws_secret_access_key "$secret_access_key"
aws configure set --profile "$profile" aws_session_token "$session_token"
echo "[OK] done"
thdxr
11/23/2021, 2:52 AMChad (cysense)
11/23/2021, 2:55 AMSlawomir Stec
11/23/2021, 2:58 AMSlawomir Stec
11/23/2021, 2:59 AMSlawomir Stec
11/23/2021, 2:59 AMthdxr
11/23/2021, 3:01 AMthdxr
11/23/2021, 3:02 AMGarret Harp
11/23/2021, 3:04 AMDan Greaves
11/23/2021, 3:14 AMdefault
credentials profile.Garret Harp
11/23/2021, 3:18 AMDan Greaves
11/23/2021, 3:19 AMDamjan
11/23/2021, 8:09 AMaws-vault
cli 😳Chad (cysense)
11/23/2021, 9:57 AMMatt Morgan
11/23/2021, 1:21 PMMatt Morgan
11/23/2021, 1:22 PMMatt Morgan
11/23/2021, 1:22 PMthdxr
11/23/2021, 3:10 PMJon Holman
11/23/2021, 9:56 PMcdk-sso-sync
and I commonly forget to export my profile first.Jon Holman
11/23/2021, 10:01 PMaws sso login --profile sso-jon-stuff
cdk-sso-sync sso-jon-stuff
export AWS_PROFILE=sso-jon-stuff
npx sst start
nice script, thanks @thdxr.Dan Greaves
11/23/2021, 10:02 PMAWS_PROFILE=sso-jon-stuff npx sst start
too if it’s easier to remember (I prefer this to having a dedicated --profile
argument, as it works the same as other AWS CLI tools)Slawomir Stec
11/24/2021, 1:53 AMthdxr
11/24/2021, 1:11 PMthdxr
11/24/2021, 1:11 PMAkos
11/24/2021, 1:25 PMfunction aws-set-profile() {
export AWS_PROFILE="$1"
export AWS_DEFAULT_PROFILE="$1"
export AWS_EB_PROFILE="$1"
}
function aws-login() {
if ! [ -x "$(command -v aws)" ]; then
echo "Error: aws cli not installed, please install with: brew install awscli"
return 1
fi
PROFILE_TO_LOGIN_TO="${1:-$AWS_PROFILE}"
aws-set-profile "$PROFILE_TO_LOGIN_TO"
echo "Logging in to: $PROFILE_TO_LOGIN_TO"
aws sso login --profile "$PROFILE_TO_LOGIN_TO"
ssocred "$PROFILE_TO_LOGIN_TO"
}
Quite similar to your script.Dan Greaves
11/24/2021, 7:45 PMAkos
11/24/2021, 8:38 PMthdxr
11/24/2021, 8:40 PMthdxr
11/24/2021, 8:40 PMAkos
11/24/2021, 8:41 PM