learn AWS SSO
The `aws sso` CLI commands require the `--access-token` parameter. First log in via SSO (e.g. `aws sso login --profile root-AWSAdministratorAccess`), then run the following to get the cached access token.
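# Print the accessToken value(s) cached by `aws sso login`.
# Reads:   regular files directly under ~/.aws/sso/cache, skipping any file
#          whose name contains "botocore".
# Outputs: one token per line on stdout; a cache file with no accessToken
#          key prints nothing (instead of the string "null").
# Returns: non-zero if find or jq fails (e.g. the cache directory is missing).
# The token is a bearer credential for the SSO session: keep it out of logs,
# CI output and shared terminals.
# NOTE(review): a cached token may already be expired; re-run `aws sso login`
# if a call using it is rejected.
function aws-access-token() {
  local cache_dir="${HOME}/.aws/sso/cache"
  # find + -exec avoids parsing `ls` and survives paths containing spaces;
  # -type f skips directories that `cat` would have choked on.
  find "$cache_dir" -maxdepth 1 -type f ! -name '*botocore*' \
    -exec jq -r '.accessToken // empty' {} +
}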
list account assignments (AWS::SSO::Assignment)
# List the principals assigned to one permission set in one account.
# NOTE(review): sso-admin calls are signed with the active profile's
# credentials, so no --access-token is passed on this command.
aws sso-admin list-account-assignments \
  --account-id "529276214230" \
  --instance-arn "arn:aws:sso:::instance/ssoins-72234101455cbc87" \
  --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-72234101455cbc87/ps-51eacb02632f0b26"
{
"AccountAssignments": [
{
"AccountId": "529276214230",
"PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-72234101455cbc87/ps-51eacb02632f0b26",
"PrincipalType": "USER",
"PrincipalId": "906770ec60-e34082a0-033a-4dd2-90cb-9107804545e9"
},
{
"AccountId": "529276214230",
"PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-72234101455cbc87/ps-51eacb02632f0b26",
"PrincipalType": "USER",
"PrincipalId": "906770ec60-9d6f0b65-701c-4650-b95c-7dab0f6046d7"
}
]
}