For those using AWS SSO - what is your setup with SST? If you're not using AWS SSO - what are you waiting for!

I’m using shell script to generate AWS credentials. Script runs before start/deploy actions. Credentials refresh is required every hour, sso login every 12. I would love to hear about different solutions for sso…

Doing the exact same thing, thinking about integrating with SSO to refresh for you

Super curios about this as well. I currently just copy creds from the web console, cause I don't want to rely on the 3rd party tools to manage this. For anyone using SSO that hasn't yet, pls go upvote this issue, so it can be integrated with CDK/SST/other sdks: https://github.com/aws/aws-cdk/issues/5455

This is the script I'm using

#!/bin/bash

# This script generates AWS Programmatic Access credentials from a user authenticated via SSO
# Before using, make sure that the AWS SSO is configured in your CLI: `aws configure sso`

profile=$1
export AWS_PROFILE=$1

request_credentials() {
  temp_identity=$(aws --profile "$profile" sts get-caller-identity)
  account_id=$(echo $temp_identity | jq -r .Arn | cut -d: -f5)
  assumed_role_name=$(echo $temp_identity | jq -r .Arn | cut -d/ -f2)
  session_name=$(echo $temp_identity | jq -r .Arn | cut -d/ -f3)
  sso_region=$(aws --profile "$profile" configure get sso_region)

  if [[ $sso_region == 'us-east-1' ]]; then
    sso_region_string=''
  else
    sso_region_string="${sso_region}/"
  fi
  role_arn="arn:aws:iam::${account_id}:role/aws-reserved/sso.amazonaws.com/${sso_region_string}${assumed_role_name}"
  credentials=$(
    aws sts assume-role \
      --profile $profile \
      --role-arn $role_arn \
      --role-session-name $session_name
  )
}

echo "=> requesting temporary credentials"
request_credentials

if [ $? -ne 0 ]; then
  echo "Requesting sso login"
  aws sso login --profile "$profile"

  if [ $? -ne 0 ]; then
    exit 1
  fi

  request_credentials
fi

echo "=> updating ~/.aws/credentials as profile $profile"

access_key_id=$(echo $credentials | jq -r .Credentials.AccessKeyId)
secret_access_key=$(echo $credentials | jq -r .Credentials.SecretAccessKey)
session_token=$(echo $credentials | jq -r .Credentials.SessionToken)

aws configure set --profile "$profile" aws_access_key_id "$access_key_id"
aws configure set --profile "$profile" aws_secret_access_key "$secret_access_key"
aws configure set --profile "$profile" aws_session_token "$session_token"

echo "[OK] done"

Great script thanks for sharing, definitely better than just copying creds 😅 I dono why its taking them so long to implement it... Its the second most upvoted issued on gh and there seems to be no one looking at it..... I'm wondering if this is going to be implemented in cdkv2

haha I’m using same script with small modification

I made the same fix!

We just use aws-vault havent had any issues with it 🙂

I use Leapp, works perfectly for IAM User, IAM Role and AWS SSO. Just click on which profile you want, punch in your MFA and you’re off. It just writes to a single credentials profile under the hood, so SST just sees the

default

credentials profile.

Biggest problem with Leapp is you can only define one SSO login if you want to use SSO for your personal & work accounts you cant use Leapp 😕 Thats why I switched to aws-vault

Ah gotcha, we generally just use an IAM user (per person) in our main account, and then cross-account roles for all the client accounts. Haven’t personally used SSO but saw Leapp supported it.

I don’t understand what’s the benefit of SSO over

aws-vault

cli 😳

I'd say the biggest thing is on the AWS end (I haven't used IAM for a while so a I maybe wrong). But SSO allows you to: • Create groups/users/permission sets once and then apply them across accounts • Login to any account/role via one login portal • Enforce things like MFA by default and enable features like context aware MFA • Ensure that developers don't use long lived credentials

My company is doing this: https://github.com/aws/aws-cdk/issues/5455#issuecomment-713643500. It works really well.

If this was built into SST how would you guys expect it to work? Would you pass in AWS_SSO_PROFILE or something? I can't figure out of there's a standard for this

I would like sst to accept profile in the command as well. I use AWS SSO, along with

cdk-sso-sync

and I commonly forget to export my profile first.

You can run

AWS_PROFILE=sso-jon-stuff npx sst start

too if it’s easier to remember (I prefer this to having a dedicated

--profile

argument, as it works the same as other AWS CLI tools)

would it possible to keep current AWS_PROFILE env variable name, and detect that the profile indeed is sso (should have sso_account and sso_role_name defined)?

Yeah that's what the CLI does

We use: https://www.npmjs.com/package/aws-sso-credentials-getter (GH) (forked and republished in our private registry for security reasons) And a tiny script:

function aws-set-profile() {
    export AWS_PROFILE="$1"
    export AWS_DEFAULT_PROFILE="$1"
    export AWS_EB_PROFILE="$1"
}

function aws-login() {
  if ! [ -x "$(command -v aws)" ]; then
    echo "Error: aws cli not installed, please install with: brew install awscli"
    return 1
  fi
  PROFILE_TO_LOGIN_TO="${1:-$AWS_PROFILE}"

  aws-set-profile "$PROFILE_TO_LOGIN_TO"
  echo "Logging in to: $PROFILE_TO_LOGIN_TO"
  aws sso login --profile "$PROFILE_TO_LOGIN_TO"
  ssocred "$PROFILE_TO_LOGIN_TO"
}

Quite similar to your script.

@Akos I hope the maintainer of that npm package has MFA enabled 😬

Ah, we have AWS SSO hooked up to our G Suite SAML and we require 2FA on Google so we don't use AWS's MFA.

^ I do the same

Oh, yeah, sorry, misunderstood. That's why we forked it, reviewed the code, and republished it from source to our private registry 🙂 No taking chances with AWS credentials.