Skip to content

rileyseaburg/codetether-tools

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
aws-sso-bedrock-to-vault.sh
aws-sso-bedrock-to-vault.sh
 
 

Repository files navigation

AWS SSO Bedrock → Vault

A small utility that refreshes AWS SSO credentials and stores Amazon Bedrock access in a HashiCorp Vault KV store, in the shape that CodeTether and other tools expect.

If you authenticate to AWS with IAM Identity Center (AWS SSO) and you want short-lived Bedrock credentials available to a tool through Vault — without ever writing long-lived access keys to a config file — this script is for you.

What the script does

Given one AWS CLI SSO profile, aws-sso-bedrock-to-vault.sh will:

  1. Make sure a Vault is reachable at VAULT_ADDR (defaults to http://127.0.0.1:8200). If it is not reachable and you point it at the bundled Docker Compose file, it will start a local Vault container for you.

  2. Check that your AWS SSO session is still valid; if not, it runs aws sso login --profile <your-profile> for you.

  3. Export temporary credentials for that profile via aws configure export-credentials.

  4. Call aws bedrock list-foundation-models in the selected region to confirm those credentials actually have Bedrock access.

  5. Write the credentials into Vault at:

    secret/codetether/providers/<provider-id>

    with fields:

    aws_access_key_id
aws_secret_access_key
aws_session_token
region

    <provider-id> defaults to bedrock.

Requirements

You need these on your PATH:

  • aws (AWS CLI v2)
  • vault (HashiCorp Vault CLI)
  • jq
  • docker — only if you want the script to auto-start a local Vault container

You also need:

  • A working AWS CLI SSO profile in ~/.aws/config
  • A Vault you can write to (a dev-mode Vault at 127.0.0.1:8200 works fine)

One-time setup

1. Configure your AWS SSO profile

This repo does not create an AWS profile for you. Create one with the AWS CLI:

aws configure sso

Pick a profile name you will remember (the examples below use bedrock).

AWS docs if you need them:

2. Make sure Vault is running

You have two options.

Option A — You already run Vault somewhere. Export its address and token:

export VAULT_ADDR="https://vault.example.internal"
export VAULT_TOKEN="hvs.xxxxx"

Option B — Use a local dev Vault. The simplest way is a one-shot Docker container:

docker run -d --rm --name vault-dev \
  -p 8200:8200 \
  -e VAULT_DEV_ROOT_TOKEN_ID=root \
  -e VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200 \
  hashicorp/vault:latest

Then point the Vault CLI at it:

export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="root"

When VAULT_ADDR is the default http://127.0.0.1:8200 and you do not set VAULT_TOKEN, the script assumes the dev-mode root token.

3. Clone this repo

git clone https://github.com/rileyseaburg/codetether-tools.git
cd codetether-tools
chmod +x aws-sso-bedrock-to-vault.sh

Usage

Store Bedrock SSO credentials in Vault

Basic invocation (profile named bedrock, writes to secret/codetether/providers/bedrock):

./aws-sso-bedrock-to-vault.sh --profile bedrock

Expected output on success:

Stored refreshed AWS Bedrock credentials in Vault:
  path: secret/codetether/providers/bedrock
  profile: bedrock
  region: us-east-2

Pick a different region or provider id

./aws-sso-bedrock-to-vault.sh \
  --profile bedrock \
  --region us-east-1 \
  --provider-id bedrock

If you do not pass --region, the script uses the region configured on the AWS profile, and falls back to us-east-2 if that is empty.

Store credentials for multiple AWS accounts

Use a different --provider-id for each one. They become separate Vault keys:

./aws-sso-bedrock-to-vault.sh --profile bedrock-dev  --provider-id bedrock-dev
./aws-sso-bedrock-to-vault.sh --profile bedrock-prod --provider-id bedrock-prod

That writes to:

secret/codetether/providers/bedrock-dev
secret/codetether/providers/bedrock-prod

Verify what is stored in Vault

vault kv get secret/codetether/providers/bedrock

You should see aws_access_key_id, aws_secret_access_key, aws_session_token, and region.

Refreshing expired SSO credentials

SSO session tokens are short-lived. When they expire, just run the script again:

./aws-sso-bedrock-to-vault.sh --profile bedrock

It will detect the expired session, run aws sso login for you, and overwrite the Vault secret with a fresh set of temporary credentials. Nothing about your Vault path changes, so any consumer that reads from secret/codetether/providers/bedrock will pick up the new creds on its next read.

A convenient pattern is a shell alias:

alias bedrock-refresh='/path/to/codetether-tools/aws-sso-bedrock-to-vault.sh --profile bedrock'

Command-line flags

Flag Description Default
--profile Required. Name of the AWS CLI SSO profile to export credentials from.
--provider-id Sub-path under VAULT_SECRETS_PATH where the secret is written. bedrock
--region AWS region used to verify Bedrock access and stored as region in Vault. profile → us-east-2
-h, --help Print usage and exit.

Environment overrides

Variable Description Default
AWS_PROFILE Used when --profile is not passed.
PROVIDER_ID Used when --provider-id is not passed. bedrock
VAULT_ADDR Vault address the script talks to. http://127.0.0.1:8200
VAULT_TOKEN Vault token. Auto-set to root only when using the default local address. (unset)
VAULT_MOUNT KV mount name in Vault. secret
VAULT_SECRETS_PATH Path under the mount where provider secrets live. codetether/providers
COMPOSE_FILE Docker Compose file used to auto-start a local Vault. ../keycloak/docker-compose.yml relative to the script

The final Vault path is always:

${VAULT_MOUNT}/${VAULT_SECRETS_PATH}/${PROVIDER_ID}

Troubleshooting

Missing required command: aws / vault / jq Install the missing tool and make sure it is on your PATH.

Vault is not reachable at ... Either start Vault (see setup step 2), or point VAULT_ADDR/VAULT_TOKEN at a Vault you can reach.

AWS SSO session for profile '...' is missing or expired Expected. The script will run aws sso login for you; follow the browser flow it opens.

The exported AWS credentials do not have valid Bedrock access in region '...' The SSO role you logged in as does not have bedrock:ListFoundationModels (or Bedrock is not enabled in that region). Either choose a different profile / role, or pick a region where your account has Bedrock enabled via --region.

AWS_ACCESS_KEY_ID was not exported for profile '...' aws configure export-credentials returned nothing. Usually means the SSO login step did not actually succeed — re-run the script and complete the browser flow, or run aws sso login --profile <name> manually and retry.

Security notes

  • This repo intentionally contains no AWS account IDs, SSO start URLs, role names, tokens, or credentials.
  • The script only ever writes temporary SSO-issued credentials to Vault. It does not create or store long-lived IAM access keys.
  • Treat the Vault you write these secrets to the same way you would treat any AWS credential store. A dev-mode Vault with the root token is fine on your laptop; do not use that configuration on shared infrastructure.

License

MIT

About

Refresh AWS SSO Bedrock credentials into HashiCorp Vault for CodeTether

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages