4

I am currently using the awscli version 2 to obtain temporary credentials at the command line. This seems to require a browser to be involved. This will not work everywhere, like on a server for example. I would like to be able to obtain temporary credentials at the command line for my user account using AWS SSO. Is this possible? From what I can tell from the SDK documentation here and the awscli version 2 utility, there does not seem to be a way to do this.

The "device code" OAuth2 grant type is explicitly meant for browserless authentication, as mentioned here. But the AWS SSO SDK doesn't seem to be able to support this.

Would appreciate any ideas/thoughts/help on this issue.

Thank You, Vish


2 Answers

1

I would say that theoretically the answer would be yes, but you would have to create a CLI/script authentication process for your IdP. AWS SSO looks for and uses an active OIDC token to fetch profile credentials. If your IdP provides an API where you can script the authentication to the IdP and perform the token exchange to the AWS SSO service and obtain the credential data you need, you could write it out to the proper cache file for the CLI to pick up. This answer is heavily dependent on the IdP you use, but if you use HTTP libraries in the language of your choice to perform the tasks of your web browser (or possibly a text browser like Lynx) you should be able to get what you are looking for. You would have to dive deep into the AWS API documentation and sort out the workflow that is needed, but it's pretty much just a SAML interface as best I can tell. What I found to be interesting is that you can have multiple credential caches, meaning that you have the capability to script across multiple SSO providers (multiple organizations), and I built myself a Python library to help enable this better.

Brian
0

Source: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

To manually add AWS SSO support to a named profile, you must add the following keys and values to the profile definition in the file ~/.aws/config (Linux or macOS) or %USERPROFILE%/.aws/config (Windows).

sso_start_url
    The URL that points to the organization's AWS SSO user portal.
    sso_start_url = https://my-sso-portal.awsapps.com/start

sso_region
    The AWS Region that contains the AWS SSO portal host. This is separate from, and can be a different Region than, the default CLI region parameter.
    sso_region = us-west-2

sso_account_id
    The AWS account ID that contains the IAM role that you want to use with this profile.
    sso_account_id = 123456789011

sso_role_name
    The name of the IAM role that defines the user's permissions when using this profile.
    sso_role_name = ReadAccess

The presence of these keys identifies this profile as one that uses AWS SSO to authenticate the user.

You can also include any other keys and values that are valid in the .aws/config file, such as region, output, or s3. However, you can't include any credential-related values, such as role_arn or aws_secret_access_key. If you do, the AWS CLI produces an error.

So a typical AWS SSO profile in .aws/config might look similar to the following example.

```ini
[profile my-dev-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
output = json
```
D. Richard
  • Appreciate the response. I have set that up. It is the browserless MFA token entry I am trying to accomplish now – Vish Mar 27 '20 at 02:22
  • 1
    @Vish, have you got a solution? If yes, will you please be kind enough to share? Looks like there are no non-interactive ways for this. Thanks – Manoj Oct 06 '20 at 05:44
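As an added example, not code from the question or from either answer: a small Python checker for the profile rules D. Richard quotes (the four sso_ keys must be present, no credential-related keys beside them, values well-formed) that also derives the token cache file Brian's answer says a script would have to write for the CLI to pick up. The cache-file naming (sha1 hex digest of sso_start_url under ~/.aws/sso/cache/) and the conflicting keys beyond role_arn and aws_secret_access_key are assumptions; the config text is constructed.

```python
import configparser
import hashlib
import re
from pathlib import Path
# Keys that mark a profile as an AWS SSO profile (the four from the docs quoted above).
SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
# Credential-style keys the CLI rejects next to SSO keys; the doc names the first
# two, the other two are assumed here as further "credential related" keys.
CONFLICTING_KEYS = ("role_arn", "aws_secret_access_key", "aws_access_key_id", "aws_session_token")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")
# Constructed sample config: one clean profile and one with two defects.
CONFIG_TEXT = """\
[profile my-dev-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
output = json

[profile broken]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us_west-2
sso_account_id = 123456789011
sso_role_name = ReadAccess
role_arn = arn:aws:iam::123456789011:role/ReadAccess
"""

def load_profiles(text):
    """Parse .aws/config text into {profile_name: {key: value}} ("profile " prefix dropped)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {(s[8:] if s.startswith("profile ") else s): dict(cp[s]) for s in cp.sections()}

def validate_sso_profile(profile):
    """Return the problems found; an empty list means the profile follows the quoted rules."""
    problems = [f"missing {k}" for k in SSO_KEYS if k not in profile]
    if problems:
        return problems
    if not REGION_RE.match(profile["sso_region"]):
        problems.append(f"sso_region {profile['sso_region']!r} is not a valid Region name")
    if not re.fullmatch(r"\d{12}", profile["sso_account_id"]):
        problems.append("sso_account_id must be a 12-digit account ID")
    problems += [f"{k} is not allowed in an SSO profile" for k in CONFLICTING_KEYS if k in profile]
    return problems

def sso_cache_path(start_url, home="~"):
    """Token cache file a script would write for the CLI (assumed naming: sha1 hex digest
    of sso_start_url, as a .json file under <home>/.aws/sso/cache/)."""
    digest = hashlib.sha1(start_url.encode("utf-8")).hexdigest()
    return Path(home).expanduser() / ".aws" / "sso" / "cache" / f"{digest}.json"
```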