Add granted sso populate/generate commands #230

Merged: chrnorm merged 1 commit into fwdcloudsec:main from misterjoshua:add-sso-populate on Sep 12, 2022
@misterjoshua commented Aug 26, 2022 (Contributor)

This change introduces two new granted commands to help users manage their AWS Config with accounts and roles found through AWS SSO:

`granted sso generate [--prefix <prefix>] [--region <region>] <start url>`

This command finds a list of accounts and roles available in AWS SSO and outputs an AWS Config with generated profile names and SSO configurations to the standard output. This is useful for users who want to copy and paste or post-process the generated AWS Config.

This command allows the user to specify an optional --prefix so that the generated profile names begin with the given prefix, reducing profile naming conflicts for users who must regularly log into many different SSOs. This command also allows the user to specify the region in which AWS SSO is deployed with --region.

```
$ granted sso generate --prefix sso1- https://example.awsapps.com/start/
If browser is not opened automatically, please open link:
https://device.sso.us-east-1.amazonaws.com/?user_code=LNBT-NHNW

Awaiting authentication in the browser...
[profile sso1-Root-AWSAdministratorAccess]
sso_start_url = https://example.awsapps.com/start/
sso_region = us-east-1
sso_account_id = 9999999999999
sso_role_name = AWSAdministratorAccess

[profile sso1-Root-AWSPowerUserAccess]
sso_start_url = https://example.awsapps.com/start/
sso_region = us-east-1
sso_account_id = 9999999999999
sso_role_name = AWSPowerUserAccess

[profile sso1-Sandbox-Developer-Name-AWSAdministratorAccess]
sso_start_url = https://example.awsapps.com/start/
sso_region = us-east-1
sso_account_id = 9999999999999
sso_role_name = AWSAdministratorAccess
```

Note: The instructions and status messages shown above are in stderr, so they are not included in piped or redirected output by default.

`granted sso populate [--prefix <prefix>] [--region <region>] <start url>`

Similar to `granted sso generate`, this command finds a list of accounts and roles available in AWS SSO, but it then merges the profiles into the user's existing AWS Config file, replacing conflicting old profiles with new profiles.

Fixes #173

@tom-sherman

> Similar to granted sso generate, this command finds a list of accounts and roles available in AWS SSO and merges the profiles into the user's existing AWS Config file.

How does it resolve conflicts?

@misterjoshua commented Aug 26, 2022 (Contributor, Author)

> How does it resolve conflicts?

Conflicting old profiles are replaced by the new ones derived from SSO.
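
The replace-on-conflict merge described in this thread, as an added example that is not part of the pull request or the granted code base. The function names and the sample profiles are hypothetical, and the INI handling is a deliberately small assumption (one header per profile, no nested sections). It also returns the headers that were overwritten, so hand-maintained profiles that a populate run would replace can be reviewed first:

```go
package main

import (
	"fmt"
	"strings"
)

// parse splits AWS-config-style text into section headers (in order) and their
// lines. Assumes each header appears once; text before the first header is dropped.
func parse(text string) (names []string, body map[string][]string) {
	body = map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		t := strings.TrimSpace(line)
		if strings.HasPrefix(t, "[") && strings.HasSuffix(t, "]") {
			names = append(names, t)
			body[t] = nil
		} else if len(names) > 0 && t != "" {
			body[names[len(names)-1]] = append(body[names[len(names)-1]], t)
		}
	}
	return names, body
}

// mergeReplace merges generated into existing; a generated section replaces an
// existing one with the same header. Replaced headers are returned for review.
func mergeReplace(existing, generated string) (merged string, replaced []string) {
	names, body := parse(existing)
	genNames, genBody := parse(generated)
	for _, n := range genNames {
		if _, ok := body[n]; ok {
			replaced = append(replaced, n)
		} else {
			names = append(names, n)
		}
		body[n] = genBody[n]
	}
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s\n%s\n\n", n, strings.Join(body[n], "\n"))
	}
	return b.String(), replaced
}

func main() {
	// Constructed sample input, not taken from a real account.
	old := "[profile sso1-Root-AWSAdministratorAccess]\nsso_region = eu-west-1\n\n[profile manual]\nregion = us-east-1\n"
	gen := "[profile sso1-Root-AWSAdministratorAccess]\nsso_region = us-east-1\n\n[profile sso1-Root-AWSPowerUserAccess]\nsso_region = us-east-1\n"
	fmt.Println(mergeReplace(old, gen))
}
```
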

@JoshuaWilkes left a comment (Collaborator)

Thanks for the contribution!

This all looks good to me, we will get a few extra eyes on it then I think we can get it merged in for the next release. 🚀

@misterjoshua (Contributor, Author)

> Thanks for the contribution!
>
> This all looks good to me, we will get a few extra eyes on it then I think we can get it merged in for the next release. 🚀

@JoshuaWilkes Great, thank you! Please drop me a mention if the review yields any change requests, as it's easier for me to see those notifications. :)

@JoshuaWilkes JoshuaWilkes requested a review from chrnorm August 30, 2022 03:49

@chrnorm left a comment (Contributor)

@misterjoshua this is fantastic, welcome to the Common Fate community and thank you so much for the contribution here!

The code changes look good, I also asked the community Slack for some feedback on these changes. A couple of members have shared details on how they are templating their ~/.aws/config files. I've opened a discussion so that we have a thread to track further improvements on this and added their use cases to it: #249. I'm expecting that this will be an ongoing discussion thread on how we can make things easier when it comes to config file management, so will be good to have things in one place to refer to.

@chrnorm chrnorm merged commit b0710fc into fwdcloudsec:main Sep 12, 2022
@misterjoshua misterjoshua deleted the add-sso-populate branch September 12, 2022 16:45
Successfully merging this pull request may close these issues.

[Feature Request] Support for populating aws config file