Export credentials as JSON, for use as an AWS CLI external process #5
Conversation
Allow the -j/--json option so these credentials can be sourced into the AWS CLI as referenced here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
|
@ajkerrigan thanks ! Sounds good, I'll have a look very soon 👌 |
awssso/saml.py
Outdated
| self._sts = boto3.client('sts') | ||
| def __init__(self, aws_profile, encoded_payload): | ||
| self._session = boto3.Session(profile_name=aws_profile) | ||
| self._sts = self._session.client('sts') |
There was a problem hiding this comment.
I don't think this change is needed since the sts client does not use existing credentials ; any particular reason for this?
There was a problem hiding this comment.
Yes, this change lets you use credential_process for one profile, but use a separate profile as an anchor point for the STS call. Otherwise boto3 goes down a recursive rabbit hole of credential_process. I see you made some other related comments, so we can chat more there!
There was a problem hiding this comment.
I've run some tests and using something like this works
self._sts = boto3.client('sts', aws_access_key_id='', aws_secret_access_key='', aws_session_token='')
There was a problem hiding this comment.
Oh good call, I like that. I was going to suggest creating an explicit awssso_samlhelper profile, where the credentials wouldn't even need to be valid. Your way seems cleaner 👍
awssso/cli.py
Outdated
| @@ -139,13 +139,15 @@ def login(args): | |||
| ], answers=params, raise_keyboard_interrupt=True) | |||
|
|
|||
| payload = sso.get_saml_payload(params['instance_id'], params['profile_id']) | |||
| saml = SAMLHelper(payload) | |||
| saml = SAMLHelper(aws_profile, payload) | |||
|
Currently I see few things to improve this feature:
|
|
On caching, I think this can wait. |
|
I'm definitely with you on the first point, I like your suggested improvements to make SAMLHelper's starting credentials more obvious and focused. Caching (ideally in keyring) seems like a solid improvement, but probably as part of a separate change. That would affect all uses ( As for the interactive MFA input, this is busted right now because the CLI is swallowing I/O. I need to look at that, hopefully fixing it isn't too deep a hole. |
|
@ajkerrigan thanks a lot for your help and feedback, I'll publish a new release including this feature very soon and open issues for the problems we discussed about. |
|
Thanks @wnkz for the quick review/improvement/merge :) |
Hi there @wnkz , thanks a lot for this excellent utility!
I've been testing it out locally and it makes AWS SSO from the CLI much more pleasant. I made some local tweaks so that I can use
aws-ssoin thecredential_processsection of the AWS CLI configuration as described here. Would you be interested in having that merged back upstream (either as-is, or with any modifications you think are necessary)?