Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials.
See also Release v1.0.0 Notes
- Required
Python >= 3.7 - Required AWS CLI v2
- Assume you have already setup AWS SSO for your organization
- Install latest from PyPI like so:
pip install yawsso
- Do your per normal SSO login and, have at least one active SSO session cache:
aws sso login --profile dev
- To sync for all named profiles in config (i.e. lazy consensus), then just:
yawsso
- To sync default profile and all named profiles, do:
yawsso --default
- To sync default profile only, do:
yawsso --default-only
- To sync for selected named profile, do:
yawsso -p dev
- To sync for multiple selected named profiles, do:
yawsso -p dev prod
- To sync for default profile as well as multiple selected named profiles, do:
yawsso --default -p dev prod
- To sync for all named profiles start with prefix pattern
lab*, do:
(zsh)
yawsso -p 'lab*'
(bash)
yawsso -p lab*
- To sync for all named profiles start with
lab*as well asdevandprod, do:
yawsso -p 'lab*' dev prod
- Print help to see other options:
yawsso -h
- Then, continue per normal with your daily tools. i.e.
cdk deploy ...terraform apply ...cw ls groupsawsbw -L -P devsqsmover -s main-dlq -d main-queueecs-cli ps --cluster my-clusterawscurl -H "Accept: application/json" --profile dev --region ap-southeast-2 "https://api..."
- Say, you have the following profile in your
$HOME/.aws/config:
[profile dev]
sso_start_url = https://myorg.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = ap-southeast-2
output = json
cli_pager =
- You want to populate access token as, say, profile name
fooin$HOME/.aws/credentials:
[foo]
region = ap-southeast-2
aws_access_key_id = XXX
aws_secret_access_key = XXX
aws_session_token = XXX
...
- Do like so:
yawsso -p dev:foo
- Then, you can
export AWS_PROFILE=fooand usefooprofile!
PLEASE USE THIS FEATURE WITH CARE SINCE ENVIRONMENT VARIABLES USED ON SHARED SYSTEMS CAN GIVE UNAUTHORIZED ACCESS TO PRIVATE RESOURCES.
π€ START FROM VERSION
1.0.0,yawsso -eEXPORT TOKENS IN ROT13 ENCODED STRING.
-
Use
-eflag if you want a temporary copy-paste-able time-gated access token for an instance or external machine. -
Please note that, it uses
defaultprofile if no additional arguments pass.
yawsso -e | yawsso decrypt
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
export AWS_SESSION_TOKEN=xxx
- This use case is especially tailored for those who use
defaultprofile and, who would like to PIPE commands as follows.
aws sso login && yawsso -e | yawsso decrypt | pbcopy
- Otherwise, for a named profile, do:
yawsso -p dev -e | yawsso decrypt
- Or, right away export credentials into the current shell environment variables, do:
yawsso -p dev -e | yawsso decrypt | source /dev/stdin
Note: βοΈ are mutually exclusive with the following π auto copy into your clipboard. Choose one, a must!
- If you have
pyperclippackage installed,yawssowill copy access tokens to your clipboard instead.
yawsso -e
Credentials copied to your clipboard for profile 'default'
- You may
pip install pyperclipor, together withyawssoas follows.
pip install 'yawsso[all]'
- You can also use
yawssosubcommandloginto SSO login then sync all in one go.
πββοΈ NOTE: It uses
defaultprofile orAWS_PROFILEenvironment variable if optional argument--profileis absent
yawsso login -h
yawsso login
- Otherwise you can pass the login profile as follows:
yawsso login --profile dev
- Due to lazy consensus design,
yawssowill sync all named profiles once SSO login has succeeded. If you'd like to sync only upto this login profile then use--thisflag to limit as follows.
π Login using default profile and sync only upto this default profile
yawsso login --this
π Login using named profile dev and sync only upto this dev profile
yawsso login --profile dev --this
π Login using named profile dev and sync as foo. See above for more details on renaming, limited to one profile.
yawsso login --profile dev:foo
- Exporting access token also support with login subcommand as follows:
π Login using default profile, sync only upto this default profile and, print access token
yawsso login -e | yawsso decrypt
π Login using named profile dev, sync only upto this dev profile and, print access token
yawsso login --profile dev -e | yawsso decrypt
- Like
login, you may useyawssosubcommandautoto SSO login then sync all in one go. - It will check if SSO session has expired and, if so,
yawssowill attempt to auto login again.
yawsso auto -h
(either)
yawsso auto --profile dev
(or)
export AWS_PROFILE=dev
yawsso auto
- You can also set region from the config file to the shared credentials file
- Do like so:
yawsso -r -p dev
yawsso -r -p dev:foo
yawsso -r auto --profile dev
yawsso can encrypt and decrypt some arbitrary string from stdin using ROT13 (a simple letter substitution cipher) as follows.
echo 'Hello this is a test' | yawsso encrypt
Uryyb guvf vf n grfg
echo 'Uryyb guvf vf n grfg' | yawsso decrypt
Hello this is a test
(or Pipe through some text corpus)
cat test.txt | yawsso encrypt
(or on Windows)
type test.txt | yawsso encrypt
This is the same as using trivial Unix tr command as follows.
echo 'Hello this is a test' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Uryyb guvf vf n grfg
echo 'Uryyb guvf vf n grfg' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Hello this is a test
Hence, you could also decode yawsso exported tokens using tr command, like so.
yawsso -p dev -e | tr 'A-Za-z' 'N-ZA-Mn-za-m'
- Create virtual environment, activate it and then:
make install
make test
python -m yawsso --trace version
(Windows)
python -m venv venv
.\venv\Scripts\activate
pip install ".[dev,test]" .
pytest
python -m yawsso --trace version
- Create issue or pull request welcome
MIT License
