[v2] aws sso commands should allow opting out of automatically opening a browser #5301

Closed
mmerickel opened this issue Jun 17, 2020 · 30 comments
Labels
feature-request A feature should be added or improved. sso v2

Comments

@mmerickel

Is your feature request related to a problem? Please describe.
I'm using a remote shell via SSH to a machine that has a GUI (macOS). When performing aws configure sso or aws sso login it dumps out the url and code to enter into a browser myself. However, the browser has already opened on the remote machine even though I cannot easily access it (nor want to). AWS does not allow me to use the url and code from the console in this scenario to login from my host machine because it was already used by the remote, unseen, browser.

Describe the solution you'd like
A CLI flag like --no-browser to avoid launching the default browser on the system, allowing me to use the url and code myself manually.

Describe alternatives you've considered
A CLI interactive prompt asking whether you'd like to open the default browser. I like this too, and think it should exist before automatically opening another window on my system, but I feel like CLI flags should always exist as well.

@mmerickel mmerickel added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jun 17, 2020
@kdaily kdaily self-assigned this Jun 18, 2020
@kdaily kdaily added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Jun 18, 2020
@kdaily
Member

kdaily commented Jun 18, 2020

Hi @mmerickel, it looks like this request is similar to #5061. If so, I'll link it there and mark it as a duplicate. Thanks!

@kdaily kdaily added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Jun 18, 2020
@kdaily kdaily removed their assignment Jun 18, 2020
@mmerickel
Author

mmerickel commented Jun 18, 2020

I think my ticket was a bit more detailed and is actually about machines that do have a browser versus machines that don't. However the final feature implemented should definitely satisfy both use cases. The referenced issue also does not mention aws configure sso, only aws sso login.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 18, 2020
@joguSD
Contributor

joguSD commented Jun 18, 2020

@mmerickel This is definitely a reasonable feature request to have something explicit to say "don't open a browser". We went back and forth on whether or not we should open a browser at all, should it be the default, etc. when implementing this initially and opted to try and be smart and always try to open the browser with some fallback text.

Because we use webbrowser stdlib module: https://docs.python.org/2/library/webbrowser.html
It should be possible to set the BROWSER env var to something else that acts like a no-op as a workaround. For example, you could try using true:

BROWSER=true aws sso login

Let me know if that works for you in the interim.

@mmerickel
Author

@joguSD this approach does work perfectly for me. Thank you for that. It appears the code does not know whether it opened the browser or not - if it did then there could be a lot of improved messaging here.

@kdaily kdaily added the v2 label Jun 23, 2020
@jghal

jghal commented Oct 6, 2020

My organization has multiple proxies and gives us multiple domain accounts for different roles, it's almost never the case that my default browser is either logged into the domain account I need to use for the SSO login or using the proxy to meet source IP CIDR firewall rules. I can't get that ENV variable to work on Windows. I have to wait for the CLI to open my default browser and frantically ESC then CTRL-W and hope I caught it in time, then open my other browser that will work for the login.

Even though you have support for using elinks when on a headless connection to a linux machine, I've never seen elinks not fail on cert validation of the SSO login URL. For a while I was having to sudo chmod -x $(which elinks) to do the SSO login, but the BROWSER env variable seems to work on Linux. But having a proper set of CLI arguments would be preferred for cross-platform consistency.

@huntsfromshadow

This is an issue for me. For some reason my AV has decided that anytime a browser is launched in WSL it's a 'suspicious behavior'.
It would be easier to just have aws/cli (and amplify) not launch a browser and let me open the browser manually while the antivirus finally figures out the issue on their side.

@onitake

onitake commented Oct 9, 2020

BROWSER=true does not work with the webbrowser Python module on my system.
https://docs.python.org/3.8/library/webbrowser.html states that it must be a full path.
BROWSER=/usr/bin/true or BROWSER=/usr/bin/echo works.

@kdaily
Member

kdaily commented Oct 16, 2020

Also see #5533.

@n2qz

n2qz commented Nov 9, 2020

> BROWSER=true does not work with the webbrowser Python module on my system.
> https://docs.python.org/3.8/library/webbrowser.html states that it must be a full path.
> BROWSER=/usr/bin/true or BROWSER=/usr/bin/echo works.

BROWSER=/usr/bin/echo is great because it produces the full URL for easy one-step copy and paste to a desktop browser. Thanks for the hint!

@AMMullan

> BROWSER=true does not work with the webbrowser Python module on my system.
> https://docs.python.org/3.8/library/webbrowser.html states that it must be a full path.
> BROWSER=/usr/bin/true or BROWSER=/usr/bin/echo works.
>
> BROWSER=/usr/bin/echo is great because it produces the full URL for easy one-step copy and paste to a desktop browser. Thanks for the hint!

That's super useful - now to figure out what it is for Windows users, we have a few of them and this would be quite useful...

@jghal

jghal commented Nov 10, 2020

> now to figure out what it is for Windows users,

I would think that just having a real CLI argument like --no-browser so that it just prints out the URL and code would be the simplest way.

That would work for all platforms.

@sidewinder12s

sidewinder12s commented Feb 8, 2021

I also just tried setting an environment variable BROWSER=/usr/bin/echo and my machine still opens a URL. This is actually possibly causing breakage for some of my users as they have a remote workstation with a GUI, but they might only be SSH'd in and not using the GUI or are using X11 Forwarding.

 aws --version
aws-cli/2.0.48 Python/3.7.3 Linux/5.4.0-65-generic exe/x86_64.ubuntu.18

Related: #5058 (comment)

Setting DISPLAY to nothing or empty appears to properly get the AWS CLI to not pop open a browser, though I am not sure if there are any knock on effects to doing that

@nhruch

nhruch commented Feb 16, 2021

For Windows:

If you have Cygwin installed, the Linux approach works.
BROWSER=true aws configure sso

Cheers,
Nick

@tobiasandorfer

Hi,
any updates on the --no-browser flag?
Feels like jumping through hoops on windows, and no success doing it so far.
Regards
Tobias

@lmayorga1980

I tried the BROWSER=false but no luck

docker run --rm -v ~\.aws:/root/.aws -v /c/MYDIRECTORY:/root/tmp -e AWS_CA_BUNDLE="/root/tmp/cacert.pem" -e BROWSER=false -it amazon/aws-cli sso login --profile=myprofile1
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

GZSH-CODE

@mmerickel
Author

@lmayorga1980 the hack is to use BROWSER=true not false.

#5301 (comment)

@lmayorga1980

I tried the BROWSER=/usr/bin/echo and got the URL. I guess from there I can use a python wrapper script that does the redirection and submitting the forms.

docker run --rm -v ~\.aws:/root/.aws -v /c/MYDIRECTORY:/root/tmp -e AWS_CA_BUNDLE="/root/tmp/cacert.pem" -e BROWSER=/usr/bin/echo -it amazon/aws-cli sso login

https://device.sso.us-east-1.amazonaws.com/?user_code=DQRT-CODE

@volphy

volphy commented Jul 8, 2021

I can confirm that BROWSER=true hack works for Debian Buster (no GUI) running in Oracle VirtualBox.

Nevertheless, I still think that adding the --no-browser option would make sense for AWS CLI v2.

@lmayorga1980

Any options for a headless(no-browser) environment?

@lmayorga1980

Any workarounds for this?

@dcloud9

dcloud9 commented Sep 30, 2021

Our use case is to use AWS SSO as our source of auth and assume IAM roles (Permission Sets) for SaaS-based CICD pipeline.
The env BROWSER=/bin/true works, but I still need to open the link and key in the generated code.
Does anyone know a workaround for this or a "headless" fix is completely impossible?
If so, we'll just use the sts assume-role with --external-id.

@lmayorga1980

@dcloud9 I will provide a gist of my workaround without awscli using python, selenium, chromedriver

@nicornk

nicornk commented Nov 17, 2021

Would you be able to share the gist?

@matthewhembree

It would be very useful to have an official flag, just for the sake of following the convention that options/flags are documented (e.g. manpage or help/--help).

The particular pain that this causes for me is that I'm migrating from traditional IAM user access accounts and a new SSO enabled organization accounts. Getting logged out of my IAM session is frustrating.

I'm glad I found the BROWSER=true hack.

@abjoerne

Would be very valuable to have some "do-not-open" parameter here. My case is that I am using Firefox with "multi account containers" and for practical reasons my SSO-logins are living in a dedicated container.

@kennethredler

@abjoerne I'm using containers and the BROWSER=true aws sso login trick works like a charm for me. 👍

@abjoerne

Yes thanks, have been using it. Just added the use-case since it is a workaround and AWS have made assumptions that everyone is using the default browser for logging into AWS SSO. And you have to remember to use it, and tell others...

@tim-finnigan
Contributor

tim-finnigan commented Apr 4, 2022

Closing this as the PR linked above was merged (#6743)

Parameter added here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/sso.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso/login.html

--no-browser (boolean) Disables automatically opening the verification URL in the default browser.
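
Added example (not from the thread or the AWS CLI code base): a Python wrapper that applies the two opt-outs discussed above, `--no-browser` where the installed CLI has it and an absolute-path `BROWSER` no-op otherwise, whenever the shell is an SSH session or has no display. The function names, the `has_flag` switch and the SSH/display heuristic are assumptions of this example.

```python
import os
import shutil
import subprocess
import sys

# Variables OpenSSH sets in a remote session (heuristic chosen for this example).
SSH_VARS = ("SSH_CONNECTION", "SSH_CLIENT", "SSH_TTY")


def browser_would_be_unseen(env, platform=sys.platform):
    """True when a browser started by the CLI would open where the user cannot use it."""
    if any(env.get(v) for v in SSH_VARS):
        return True  # remote shell, even if the host has a GUI or X11 forwarding
    if platform.startswith("linux"):
        return not (env.get("DISPLAY") or env.get("WAYLAND_DISPLAY"))
    return False


def plan_sso_login(env, profile=None, always=False, has_flag=True,
                   platform=sys.platform):
    """Return (argv, child_env) for `aws sso login`, opting out of the browser launch.

    always=True covers users whose default browser holds the wrong identity.
    has_flag=False (assumption: caller knows the CLI predates --no-browser)
    falls back to the BROWSER workaround from the thread.
    """
    argv = ["aws", "sso", "login"]
    if profile:
        argv += ["--profile", profile]
    child_env = dict(env)
    if not (always or browser_would_be_unseen(env, platform)):
        return argv, child_env
    if has_flag:
        argv.append("--no-browser")
        return argv, child_env
    # Resolve to an absolute path: a bare name did not work for every commenter.
    noop = shutil.which("true", path=env.get("PATH", os.defpath))
    if noop is None:
        raise RuntimeError("no 'true' executable on PATH; use a CLI with --no-browser")
    child_env["BROWSER"] = noop
    return argv, child_env


if __name__ == "__main__":
    argv, child_env = plan_sso_login(os.environ, always="--always" in sys.argv)
    sys.exit(subprocess.call(argv, env=child_env))
```
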

@github-actions

github-actions bot commented Apr 4, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

@patrickdk77

patrickdk77 commented Feb 27, 2023

This hack managed to save me, as the sso login page has no logout option, and every time it automatically opens the browser it's logging in as the wrong user, since it refuses to open the url in the other browser, or aws refuses to give me a logout option so I can change the user. Annoying it's been 3 years now and this isn't in the latest aws-cli version, help text when you use -h
