# AWS SSO Configuration

This notebook guides you through setting up AWS SSO for easier admin CLI access. When done, you will be able to log into your AWS account from the cli with something like this:

```shell
export AWS_PROFILE=just-my-links
aws sso login
```

While not necessary to do it this way, it makes it easier to use AWS from your CLI. You do need CLI access to AWS if you are going to be running Terraform locally (which is very helpful for development).

Note that this is *only a good idea* for the admin account you use to inspect and interact with AWS in the course of ops duties. You do not want to (and in fact can't) use this process for CI/CD.

To do this you first need to

- Have or create an AWS account (you will need to supply a payment method though the expectation is that usage will be low enough to not get billed.)
- Log into your AWS account via the UI.
  - Ideally as part of account creation you created a superuser non-root account that you are using. Avoid using the root user whenever possible!
- Navigate to *IAM Identity Center* and click *Enable*

Now we want to set up an sso user.

The following will all be in CloudShell console in the browser. Code is denoted in markdown specifically for that reason - it is not meant to be run locally on your machine since you have not set up your cli to connect to aws yet. Instead, copy and paste it into Cloudshell within the AWS console in your browser.

When Identity Center is enabled you should be able to run this to see an instance of an organization:

```shell
aws sso-admin list-instances
```

The following assumes that you have just one instance above. If not you will want to identify what the correct one is (probably the one with "sso" in the arn) and use its arn instead of the dynamically queried one below

Lets record our instance arn, account id, and identity store id into variables within the current CLI session just so we have rapid access to them
```shell
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
INSTANCE_ARN=$(aws sso-admin list-instances --query 'Instances[0].InstanceArn' --output text)
IDENTITY_STORE_ID=$(aws sso-admin list-instances --query 'Instances[0].IdentityStoreId' --output text)
```

Note the `IDENTITY_STORE_ID` above. Your sso instance has a url that you will visit to log in, you will need to note it. It will be something like `https://d-00000000bba.awsapps.com/start/#` you can get it with
```shell
echo "https://$IDENTITY_STORE_ID.awsapps.com/start/#"
```

You'll need this for sso configuration further down

Then create an admin permission set:
```shell
aws sso-admin create-permission-set \
  --instance-arn "$INSTANCE_ARN" \
  --name "AdministratorAccess" \
  --description "Provides full access to AWS services and resources" \
  --session-duration "PT8H"
```
Note the permission set arn noted above you will use it. Assuming it is the only one (it should be), you can set it manually the variable below or just run this

```shell
PERMISSION_SET_ARN=$(aws sso-admin list-permission-sets-provisioned-to-account \
                        --instance-arn "$INSTANCE_ARN" \
                        --account-id "$ACCOUNT_ID" \
                        --output text \
                        --query "PermissionSets[0]")
```

We then want to attach the admin access policy to this permission set.

Use this to determine if the first found permission set is indeed the admin permission set - it will say "AdministratorAccess"

```shell
aws sso-admin describe-permission-set \
  --instance-arn "$INSTANCE_ARN" \
  --permission-set-arn "$PERMISSION_SET_ARN"
```

Then if so, attach the admin policy:

```shell
aws sso-admin attach-managed-policy-to-permission-set \
  --instance-arn "$INSTANCE_ARN"
  --permission-set-arn "$PERMISSION_SET_ARN" \
  --managed-policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"
```

Create an sso user for yourself. **Use your own values for email and name!** I don't want to be getting your reset links.
```shell
MY_EMAIL=gmauer@gmail.com
MY_GIVEN_NAME=George
MY_FAMILY_NAME=Mauer
aws identitystore create-user \
  --identity-store-id "$IDENTITY_STORE_ID" \
  --user-name "$MY_EMAIL" \
  --name "GivenName=$MY_GIVEN_NAME,FamilyName=$MY_FAMILY_NAME" \
  --emails "Value=$MY_EMAIL,Type=Primary" \
  --display-name "$MY_GIVEN_NAME $MY_FAMILY_NAME"
```

Now lets assign admin access to this user. Note that the below looks up the id of the user created above by username. If you have it you can just sub it in

```shell
aws sso-admin create-account-assignment \
  --instance-arn "$INSTANCE_ARN" \
  --target-id "$ACCOUNT_ID" \
  --target-type AWS_ACCOUNT \
  --permission-set-arn "$PERMISSION_SET_ARN" \
  --principal-type USER \
  --principal-id $(aws identitystore list-users --identity-store-id $"$IDENTITY_STORE_ID" --filters "AttributePath=UserName,AttributeValue=$MY_EMAIL" --query 'Users[0].UserId' --output text)
```

Finally, you will need to set up a password for this user. *This is not doable through the CLI*.
- Check your email, you will likely have to click a link to confirm it.
- Go to the IAM Identity Center
- Navigate to Users
- Select your user
- Click the "Reset Password" button

You may select the appropriate thing at this point but a straightforward recommendation is to select "generate a one-time password" and copy it to be used when logging in

For this next part you'll need the sso login url we calculated above from the `IDENTITY_STORE_ID` and your new user email/password. 

*The following is in the local CLI* and you should have to do it only once:

In [None]:
!aws configure sso

During login, reset your password [using your password manager](https://1password.com/) and ideally set up MFA. Click through menues to eventually get the AWS apps account screen. This is very useful for managing multiple aws accounts. Here you can log into a specific account as a user or view sso keys, however we're just going to set up a profile locally so you can click off of this screen.

For the following you'll need the `ACCOUNT_ID` from above and the SSO login url you just use. Create an entry in [~/.aws/config](~/.aws/config) that looks like this:

```toml
[profile just-my-links]
sso_start_url = FILL_IN_YOUR_SSO_LINK
sso_account_id = FILL_IN_YOUR_ACCOUNT_ID
sso_region = us-east-1
sso_role_name = AdministratorAccess
sso_session_name = default
output = json
region = us-east-1
```

You may then login with SSO by first setting your aws profile to use the `just-my-links` profile

In [None]:
%env AWS_PROFILE=just-my-links

env: AWS_PROFILE=just-my-links


And finally you can log in

In [None]:
!aws sso login

A browser window will open and you will be prompted to click through a series of screens (remember to use your password manager!). You may also visit the above link manually and click through.

You will now be connected to your aws account. Note that the way `aws sso` works, your login is per-profile, not per-cli-session. You don't need to manage aws keys environment variables or anything like that. So long as the profile used is the above, you will be logged in as long as your sso session lasts. Running the following should show you your logged in user identity.

In [5]:
!aws sts get-caller-identity

{
    "UserId": "AROASDT4T2PCFCLRY32IU:gmauer@gmail.com",
    "Account": "145216492484",
    "Arn": "arn:aws:sts::145216492484:assumed-role/AWSReservedSSO_AdministratorAccess_7d6c5139d9951c91/gmauer@gmail.com"
}


This session will last as we configured in the permission set (8h above) and as long as your `aws` environment knows which profile to use (typically by ensuring the `AWS_PROFILE` environment variable is set) you will be logged in.

Be careful with this, your local cli now has admin access!