README
¶
SetList (originally aws-config-creator)
Command line tool to automatically generate a .aws/config file based on AWS SSO permission sets in your org.
When working in an organization that uses AWS SSO, there are often multiple
permission sets (like IAM roles) that can be assumed by people. This tool
looks through all permission sets and account assignments and generates
an .aws/config file containing these roles that can be assumed.
Permissions Required
This tool requires some readonly permissions from your AWS organization account. They are:
organizations:ListAccountssso:ListInstancessso:ListPermissionSetsProvisionedToAccountsso:DescribePermissionSet
Usage
Add -v or --verbose to see more output about which operations are
happening.
Create a basic .aws/config file
$ setlist --sso-session acme \
--sso-region us-east-1 \
--profile admin
Writing 43 entries to aws.config...done.
The resulting file will contain a set of profiles in the format: [profile AWS_ACCOUNT_ID:PERMISSION_SET_NAME]
For example: [profile 0123456789012-AdministratorAccess]
Create a friendly .aws/config file
$ setlist --sso-session acme \
--sso-region us-east-1 \
--profile admin \
--mapping "0123456789012=acme,98765432101=acmelite"
Writing 86 entries to aws.config...done.
By supplying a --mapping flag with a comma-delimited list of key=value pairs corresponding to AWS Account ID and its nickname, the tool will create the basic .aws/config profiles and then create a separate set of profiles that follow the format [profile NICKNAME-PERMISSIONSETNAME]. For example: [profile acme-AdministratorAccess]. This removes the need for your users to remember the 12-digit AWS Account ID, but also allows for backward-compatibility for those people that like using the AWS Account ID in the profile name.
Contributing
- Fork the repository.
- Make your change.
task fmttask testtask build- Make a Pull Request.
Roadmap
- Create a Lambda function artifact that can be run on a schedule, outputting the latest
.aws/configto an S3 bucket so that it is always available, especially to those users without the permissions to run this tool.
License
Documentation
¶
Index ¶
- Constants
- func ListAccounts(ctx context.Context, client *organizations.Client) ([]types.Account, error)
- func ParseNicknameMapping(mapping string) map[string]string
- func PermissionSets(ctx context.Context, client *ssoadmin.Client, instanceArn string, ...) ([]types.PermissionSet, error)
- func SsoInstance(ctx context.Context, client *ssoadmin.Client) (types.InstanceMetadata, error)
- type ConfigFile
- type FileBuilder
- type Profile
Constants ¶
const DefaultNicknamePrefix string = "NoNickname"
const SSOAccountIdKey string = "sso_account_id"
const SSORegionKey string = "sso_region"
const SSORegistrationScopesKey string = "sso_registration_scopes"
const SSORegistrationScopesValue string = "sso:account:access"
const SSORoleNameKey string = "sso_role_name"
const SSOSessionAttrKey string = "sso_session"
const SSOSessionSectionKey string = "sso-session"
const SSOStartUrlKey string = "sso_start_url"
Variables ¶
This section is empty.
Functions ¶
func ListAccounts ¶
func ParseNicknameMapping ¶
func PermissionSets ¶
func SsoInstance ¶
get the SSO instance ARN (there's only one allowed)
Types ¶
type ConfigFile ¶
type ConfigFile struct {
SessionName string
IdentityStoreId string
FriendlyName string
Region string
Profiles []Profile
NicknameMapping map[string]string
}
func (ConfigFile) HasNickname ¶
func (c ConfigFile) HasNickname(accountId string) bool
func (*ConfigFile) StartURL ¶
func (c *ConfigFile) StartURL() string
type FileBuilder ¶
type FileBuilder struct {
Config ConfigFile
}
func NewFileBuilder ¶
func NewFileBuilder(configFile ConfigFile) FileBuilder
Source Files
Directories