This repository contains a basic Github Codespaces configuration that is purpose-built for AWS Control Tower / SSO Organizations. The goal is to go from clicking "Create Codespace" to working in the target AWS account / role with the fewest actions possible, while maintaining security best-practices.
This repo leverages common-fate/granted for credential management. Most features of granted work properly; the Firefox extension, however, currently does not.
See an example Codespace setup below:

- Fork or copy the code from this repo
- Add the following Codespace Secrets (`AWS_REGION` and `AUTORUN` are optional)
  - Note: if Codespace secrets are unset / unavailable, the script will prompt for these values
  - `AWS_SSO_URL`
    - ex. https://yourorg.awsapps.com/start
  - `AWS_REGION` (optional)
    - ex. us-east-1
  - `AUTORUN`
    - Default behavior if `AUTORUN` is not set is for the script to run upon attaching to the codespace
    - Set to `false` to prevent the script from invoking
    - The `awslogin` command can be run to manually invoke the script, regardless of the `AUTORUN` value
- Launch the Codespace!
The login process is effectively:

- Run `aws sso login` using the start URL provided
- Pass the OAuth prompt to the Codespaces browser redirect
- Grant access in the local browser
- Run `granted populate` to generate the list of all accounts/roles
- Provide a password to locally encrypt the AWS config, if you wish
- Run `assume` to select an account/role
- Run `assume -ar` to open the current role in-browser
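The secret handling and the login steps above fit in one small helper. The script below is an added example, not the repository's own `awslogin` script: it reads the Codespace secrets, prompts when they are missing, honours `AUTORUN`, writes a minimal SSO profile, and then runs `aws sso login` followed by `granted populate`. The function names, the profile name `sso-default`, the `us-east-1` fallback region and the `granted populate --sso-region <region> <start-url>` invocation are assumptions; check `granted populate --help` for the flags your granted version accepts.

```sh
#!/bin/sh
# Added example (not the repository's script): a minimal "awslogin" helper for
# a Codespace that follows the setup/login flow in this README. Function names,
# the "sso-default" profile, the us-east-1 fallback and the granted flags are
# assumptions for illustration.
set -u

# should_autorun VALUE: succeed unless VALUE is "false" (case-insensitive).
# Unset/empty AUTORUN means "run on attach", matching the documented default.
should_autorun() {
  case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
    false) return 1 ;;
    *)     return 0 ;;
  esac
}

# valid_sso_url URL: loose sanity check for an IAM Identity Center start URL.
# Requires https and a /start path so a typo or a plain-http value in the
# secret is caught before the browser is handed an OAuth prompt.
valid_sso_url() {
  case "${1:-}" in
    https://*/start|https://*/start/) return 0 ;;
    *) return 1 ;;
  esac
}

# resolve_var NAME PROMPT: print the value of $NAME, prompting on the terminal
# when the Codespace secret is unset or unavailable.
resolve_var() {
  name="$1"; prompt="$2"
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    printf '%s: ' "$prompt" >/dev/tty
    read -r value </dev/tty
  fi
  printf '%s\n' "$value"
}

# write_sso_profile URL REGION: append a minimal SSO profile so `aws sso login`
# has a start URL and region. AWS_CONFIG_FILE is honoured for testing.
write_sso_profile() {
  cfg="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
  mkdir -p "$(dirname "$cfg")"
  printf '[profile sso-default]\nsso_start_url = %s\nsso_region = %s\n' "$1" "$2" >>"$cfg"
  chmod 600 "$cfg"   # the config is per-user credential material; keep it private
}

# awslogin: the end-to-end flow. Safe to run by hand regardless of AUTORUN.
awslogin() {
  url="$(resolve_var AWS_SSO_URL 'AWS SSO start URL')"
  region="${AWS_REGION:-us-east-1}"   # assumed default when the optional secret is unset
  valid_sso_url "$url" || { echo "awslogin: not an https .../start URL: $url" >&2; return 1; }
  write_sso_profile "$url" "$region"
  # 1. Browser-based login; Codespaces forwards the redirect to the local browser.
  aws sso login --profile sso-default || return 1
  # 2. Enumerate every account/role the SSO user can reach into ~/.aws/config
  #    (granted offers to encrypt the file with a password at this point).
  granted populate --sso-region "$region" "$url" || return 1
  echo "Next: assume       # pick an account/role"
  echo "      assume -ar   # open the current role in the browser"
}

# Auto-run only inside a Codespace (CODESPACES=true is set there) and when
# AUTORUN permits; otherwise the user invokes `awslogin` manually.
if [ "${CODESPACES:-}" = "true" ] && should_autorun "${AUTORUN:-}"; then
  awslogin
fi
```

Source the file from the shell startup so `awslogin` is available as a command, and call it from the devcontainer's post-attach hook; because the guard checks `CODESPACES`, sourcing it on a laptop never triggers a login by accident.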