setlist

package module
v1.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 15, 2026 License: MIT Imports: 16 Imported by: 0

README

setlist

SetList (formerly aws-config-creator)

Setlist is a CLI tool and Go library that automates the creation of AWS config files for organizations using AWS SSO. It parses AWS Organizations and Permission Sets to build a complete .aws/config file with all permission sets provisioned across your AWS member accounts.

Why Setlist?

Managing AWS credentials across multiple AWS accounts with SSO can be challenging. While AWS provides the aws sso configure command, it's tedious to use when you have:

  • Multiple AWS accounts in your organization
  • Multiple permission sets per account
  • Teams that need consistent configuration

Setlist solves this by automatically generating a complete .aws/config file with profiles for all accounts and permission sets you have access to, saving you time and preventing configuration errors.

Installation

Download Binary

Download the latest release from the GitHub Releases page.

Build from Source
# Clone the repository
git clone https://github.com/scottbrown/setlist.git
cd setlist

# Install Task (if not already installed)
brew install go-task

# Build the binary
task build

# The binary will be available at .build/setlist

Usage

Prerequisites
  1. AWS CLI installed
  2. AWS SSO configured for your organization
  3. AWS credentials with permissions to access AWS Organizations and SSO Admin APIs

Permissions Required

This tool requires some readonly permissions from your AWS organization account. They are:

  1. organizations:ListAccounts
  2. sso:ListInstances
  3. sso:ListPermissionSets
  4. sso:ListPermissionSetsProvisionedToAccount
  5. sso:DescribePermissionSet

You can view these in the application by running:

setlist --permissions
Basic Usage
# Generate AWS config using the organization's SSO instance
setlist --sso-session myorg --sso-region us-east-1 --output ~/.aws/config
Using an AWS Profile
# Use an existing AWS profile to authenticate
setlist --sso-session myorg --sso-region us-east-1 --profile admin --output ~/.aws/config
Using Account Nicknames
# Map account IDs to friendly names
setlist --sso-session myorg --sso-region us-east-1 \
  --mapping "123456789012=prod,210987654321=staging" \
  --output ~/.aws/config
Print to stdout
# Output to stdout instead of a file
setlist --sso-session myorg --sso-region us-east-1 --stdout
Using a Friendly Name for SSO URL
# Use a friendly name instead of the identity store ID
setlist --sso-session myorg \
  --sso-region us-east-1 \
  --sso-friendly-name my-company \
  --output ~/.aws/config

By supplying a --mapping flag with a comma-delimited list of key=value pairs corresponding to AWS Account ID and its nickname, the tool will create the basic .aws/config profiles and then create a separate set of profiles that follow the format [profile NICKNAME-PERMISSIONSETNAME]. For example: [profile acme-AdministratorAccess]. This removes the need for your users to remember the 12-digit AWS Account ID, but also allows for backward-compatibility for those people that like using the AWS Account ID in the profile name.

Verbose Logging
# Enable verbose output to see what setlist is doing
setlist --sso-session myorg --sso-region us-east-1 --verbose --stdout

# Use JSON log format for structured logging
setlist --sso-session myorg --sso-region us-east-1 --verbose --log-format json --stdout
Listing Permission Sets
# List all permission sets available in the SSO instance
setlist --list-permission-sets --sso-region us-east-1

Configuration File

Setlist supports a YAML configuration file as an alternative to specifying flags on every invocation. By default, it looks for ~/.setlist.yaml. You can specify a custom path with --config.

Precedence: Command-line flags override config file values. Config file values override flag defaults.

Example ~/.setlist.yaml
sso-session: myorg
sso-region: us-east-1
profile: admin
mapping: "123456789012=prod,210987654321=staging"
output: ~/.aws/config
stdout: false
sso-friendly-name: my-company
verbose: true
log-format: plain

All keys are optional — only specify the ones you want as defaults. Keys match flag names exactly (hyphenated).

Usage with Config File
# Uses values from ~/.setlist.yaml
setlist --stdout

# Override a config file value with a flag
setlist --sso-session other-org --stdout

# Use a custom config file path
setlist --config /path/to/config.yaml --stdout

Configuration Options

Flag Short Description Required
--sso-session -s Nickname for the SSO session (e.g., organization name) Yes
--sso-region -r AWS region where AWS SSO resides Yes
--profile -p AWS profile to use for authentication No
--mapping -m Comma-delimited account nickname mapping (format: id=nickname) No
--output -o Output file path (default: ./aws.config) No
--stdout Write config to stdout instead of a file No
--sso-friendly-name Alternative name for the SSO start URL No
--list-accounts List all available AWS accounts No
--list-permission-sets List all available permission sets in the SSO instance No
--verbose -v Enable verbose logging output No
--log-format Log output format: "plain" (default) or "json" No
--include-accounts Comma-delimited list of account IDs to include No
--exclude-accounts Comma-delimited list of account IDs to exclude No
--include-permission-sets Comma-delimited list of permission set names to include No
--exclude-permission-sets Comma-delimited list of permission set names to exclude No
--config -c Path to config file (default: ~/.setlist.yaml) No
--check-update Check if a newer version of the tool is available No
--permissions Print the required AWS permissions and exit No

Library Usage

Setlist can be used as a Go library. The setlist.Generate() function provides a high-level API for generating config files programmatically:

package main

import (
    "context"
    "fmt"

    "github.com/scottbrown/setlist"

    "github.com/aws/aws-sdk-go-v2/config"
    "github.com/aws/aws-sdk-go-v2/service/organizations"
    "github.com/aws/aws-sdk-go-v2/service/ssoadmin"
)

func main() {
    ctx := context.Background()
    cfg, _ := config.LoadDefaultConfig(ctx, config.WithRegion("us-east-1"))

    configFile, err := setlist.Generate(ctx, setlist.GenerateInput{
        SSOClient:   ssoadmin.NewFromConfig(cfg),
        OrgClient:   organizations.NewFromConfig(cfg),
        SessionName: "myorg",
        Region:      "us-east-1",
    })
    if err != nil {
        panic(err)
    }

    builder := setlist.NewFileBuilder(configFile)
    payload, _ := builder.Build()
    payload.WriteTo(fmt.Stdout)
}

Generated Config Format

Setlist generates an AWS config file with:

  1. A default section specifying the SSO session
  2. An SSO session section with start URL, region, and registration scopes
  3. Profile sections for each account and permission set combination

Example:

[default]
# Generated on: 2025-02-27T10:15:30 UTC
sso_session = myorg

[sso-session myorg]
sso_start_url = https://d-12345abcde.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

# Administrator access. Session Duration: PT12H
[profile 123456789012-AdministratorAccess]
sso_session = myorg
sso_account_id = 123456789012
sso_role_name = AdministratorAccess

# Administrator access. Session Duration: PT12H
[profile prod-AdministratorAccess]
sso_session = myorg
sso_account_id = 123456789012
sso_role_name = AdministratorAccess

Lambda Deployment

Setlist can be deployed as an AWS Lambda function that generates config files on a schedule and uploads them to S3. This is useful for keeping a shared config file up to date automatically.

Building the Lambda
task lambda-build
SAM Template

A SAM template (template.yaml) is provided. Deploy with:

# Build the Lambda binary
task lambda-build

# Deploy with SAM
sam deploy --guided \
  --parameter-overrides \
    SSOSession=myorg \
    SSORegion=us-east-1 \
    S3Bucket=my-config-bucket \
    S3Key=aws.config
Environment Variables
Variable Description Required
SSO_SESSION Nickname for the SSO session Yes
SSO_REGION AWS region where AWS SSO resides Yes
S3_BUCKET S3 bucket for the generated config file Yes
S3_KEY S3 object key for the config file Yes
SSO_FRIENDLY_NAME Alternative name for the SSO start URL No
NICKNAME_MAPPING Comma-delimited account nickname mapping No
INCLUDE_ACCOUNTS Comma-delimited list of account IDs to include No
EXCLUDE_ACCOUNTS Comma-delimited list of account IDs to exclude No
INCLUDE_PERMISSION_SETS Comma-delimited list of permission set names to include No
EXCLUDE_PERMISSION_SETS Comma-delimited list of permission set names to exclude No
Required IAM Permissions

The Lambda execution role needs:

  • organizations:ListAccounts
  • sso:ListInstances
  • sso:ListPermissionSets
  • sso:ListPermissionSetsProvisionedToAccount
  • sso:DescribePermissionSet
  • s3:PutObject on the target S3 bucket/key

Common Use Cases

Team Onboarding

Simplify the onboarding process for new team members by providing a single command that generates a complete AWS config with all the accounts and permission sets they need access to.

Credentials Refresh

When permission sets change in your AWS Organization, quickly regenerate your config file to include the new permission sets without manual configuration.

CI/CD Pipelines

Use Setlist in CI/CD pipelines to ensure consistent AWS configuration across different environments.

Automated Config Updates

Deploy as a Lambda function to automatically regenerate and upload shared config files to S3 on a schedule.

Troubleshooting

Permission Issues

If you encounter permission errors, ensure your AWS credentials have access to:

  • organizations:ListAccounts
  • sso:ListInstances
  • sso:ListPermissionSets
  • sso:ListPermissionSetsProvisionedToAccount
  • sso:DescribePermissionSet
Region Configuration

The --sso-region parameter must specify the region where your AWS SSO instance is deployed, not necessarily the region where your resources are located.

Output File Permissions

Ensure you have write permissions to the output file location.

Development

Prerequisites
  • Go 1.24 or newer
  • Task
Setup Development Environment
# Clone the repository
git clone https://github.com/scottbrown/setlist.git
cd setlist

# Run tests
task test

# Build for development
task build
Running Tests
# Run all tests
task test

# Run security checks
task check
Building Releases
# Build a release version
task release VERSION=v1.2.3
Project Structure
  • cmd/: CLI entry point
  • cmd/lambda/: Lambda function entry point
  • *.go: Core library for AWS interactions and config generation
  • .github/workflows/: CI/CD pipeline definitions
  • template.yaml: SAM template for Lambda deployment
  • go.mod, go.sum: Go module definitions
  • taskfile.yml: Task automation definitions

Contributing

Contributions are welcome! Here's how to contribute:

  1. Fork the repository
  2. Create a feature branch: git checkout -b my-new-feature
  3. Make your changes and add tests if applicable
  4. Run tests to ensure everything passes: task test
  5. Commit your changes: git commit -am 'Add some feature'
  6. Push to the branch: git push origin my-new-feature
  7. Submit a pull request

Releases

Each release comes with a software bill of materials (SBOM). It is generated using CycloneDX-GoMod using the following command:

cyclonedx-gomod mod -licenses -json -output bom.json

Releases are typically automated via Github Actions whenever a new tag is pushed to the default branch.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

  • Thanks to all contributors who have helped improve Setlist
  • Built with Cobra and AWS SDK for Go v2

Documentation

Overview

Default AWS SSO configuration constants used for generating properly formatted config files with standard attributes.

Package setlist provides utilities for managing AWS SSO configurations.

It simplifies the process of generating AWS CLI configuration files for organizations using AWS SSO by parsing AWS Organizations and Permission Sets to build a complete .aws/config file with all permission sets provisioned across AWS member accounts.

The package includes functionality for AWS API interactions, config file generation, nickname mapping for accounts, and structured error handling.

Index

Constants

View Source 
const DefaultNicknamePrefix string = "NoNickname"

DefaultNicknamePrefix defines the prefix used for accounts without explicit nicknames.

View Source 
const (
	// GithubAPI is the URL to check for the latest release
	GithubAPI = "https://api.github.com/repos/scottbrown/setlist/releases/latest"
)
View Source 
const SSOAccountIdKey string = "sso_account_id"

SSOAccountIdKey is the key used for specifying the AWS account ID in a profile.

View Source 
const SSORegionKey string = "sso_region"

SSORegionKey is the attribute key for specifying the AWS region.

View Source 
const SSORegistrationScopesKey string = "sso_registration_scopes"

SSORegistrationScopesKey defines the key for SSO registration scopes.

View Source 
const SSORegistrationScopesValue string = "sso:account:access"

SSORegistrationScopesValue defines the default value for SSO registration scopes.

View Source 
const SSORoleNameKey string = "sso_role_name"

SSORoleNameKey is the key used for defining the IAM role name.

View Source 
const SSOSessionAttrKey string = "sso_session"

SSOSessionAttrKey is the attribute key for storing the SSO session name.

View Source 
const SSOSessionSectionKey string = "sso-session"

SSOSessionSectionKey is the key used for defining an SSO session in configuration files.

View Source 
const SSOStartUrlKey string = "sso_start_url"

SSOStartUrlKey is the attribute key for the AWS SSO start URL.

Variables

View Source 
var AccountIdPattern = regexp.MustCompile("^[0-9]{12}$")
View Source 
var ErrEmptyString = errors.New("cannot be an empty string")
View Source 
var ErrInvalidAWSAccountIdLength = fmt.Errorf("invalid length for AWS account id")
View Source 
var ErrMutuallyExclusiveFilters = errors.New("include and exclude filters are mutually exclusive")
View Source 
var ErrWrongFormat = errors.New("invalid format")
View Source 
var VERSION = "1.2.1"

VERSION defines the current version of the Setlist application. This is displayed in the CLI help output and used in release artifacts.

Functions

func AllPermissionSets added in v1.3.0 

func AllPermissionSets(ctx context.Context, client SSOAdminClient, instanceArn string) ([]types.PermissionSet, error)

AllPermissionSets retrieves all permission sets defined in an SSO instance. It paginates through the ListPermissionSets API to collect all ARNs, then calls DescribePermissionSet for each to get the full details.

func FilterAccounts added in v1.3.0 

func FilterAccounts(accounts []orgtypes.Account, include, exclude []AWSAccountId) ([]orgtypes.Account, error)

FilterAccounts filters a list of AWS accounts based on include and exclude lists. If include is non-empty, only accounts in the include list are returned. If exclude is non-empty, accounts in the exclude list are removed. Setting both include and exclude is an error.

func FilterPermissionSets added in v1.3.0 

func FilterPermissionSets(permissionSets []ssotypes.PermissionSet, include, exclude []string) ([]ssotypes.PermissionSet, error)

FilterPermissionSets filters a list of permission sets based on include and exclude lists. If include is non-empty, only permission sets whose name appears in the include list are returned. If exclude is non-empty, permission sets whose name appears in the exclude list are removed. Setting both include and exclude is an error.

func ListAccounts 

func ListAccounts(ctx context.Context, client OrganizationsClient) ([]types.Account, error)

ListAccounts retrieves all accounts within an AWS Organization using the provided Organizations client. It handles pagination automatically to ensure all accounts are retrieved, even when the organization contains a large number of accounts. The function respects context cancellation for proper timeout handling.

func ListPermissionsRequired added in v1.2.0 

func ListPermissionsRequired() []string

ListPermissionsRequired returns a slice of AWS IAM permission strings that are required for this application to function correctly. These permissions are needed to access AWS Organizations and SSO Admin APIs.

func ParseNicknameMapping 

func ParseNicknameMapping(mapping string) (map[string]string, error)

ParseNicknameMapping parses a comma-delimited string of account ID to nickname mappings into a map. The expected format is "accountID1=nickname1,accountID2=nickname2". This enables users to reference AWS accounts by friendly names rather than numeric IDs. The function validates the format and returns appropriate errors for malformed input.

func ParsePermissionSetList added in v1.3.0 

func ParsePermissionSetList(s string) ([]string, error)

ParsePermissionSetList parses a comma-delimited string of permission set names into a slice of strings. Empty tokens are skipped and whitespace is trimmed.

func PermissionSets 

func PermissionSets(ctx context.Context, client SSOAdminClient, instanceArn string, accountId string) ([]types.PermissionSet, error)

PermissionSets retrieves the list of permission sets provisioned to an account.

func SsoInstance 

func SsoInstance(ctx context.Context, client SSOAdminClient) (types.InstanceMetadata, error)

SsoInstance retrieves the AWS SSO instance metadata from the AWS account. AWS SSO allows only a single instance per organization, so this function returns the first (and only) instance found. It validates that required fields exist in the response and returns an error if the SSO service is not properly configured.

Types

type AWSAccountId added in v1.3.0 

type AWSAccountId string

func NewAWSAccountId added in v1.3.0 

func NewAWSAccountId(id string) (AWSAccountId, error)

func ParseAccountIdList added in v1.3.0 

func ParseAccountIdList(s string) ([]AWSAccountId, error)

ParseAccountIdList parses a comma-delimited string of AWS account IDs into a slice of AWSAccountId. Each ID is validated against the expected 12-digit format.

func (AWSAccountId) String added in v1.3.0 

func (aai AWSAccountId) String() string

type ConfigFile 

type ConfigFile struct {
	SessionName     string            // Name of the SSO session
	IdentityStoreId IdentityStoreId   // The unique identity store ID
	FriendlyName    string            // Alt name used for the SSO instance
	Region          Region            // AWS region
	Profiles        []Profile         // List of AWS profiles
	NicknameMapping map[string]string // Mapping of account IDs to nicknames
}

ConfigFile represents the structure of an AWS CLI configuration file, including session details, profiles, and nickname mappings. It contains all the information needed to generate a complete AWS config file for use with AWS SSO authentication.

func Generate added in v1.3.0 

func Generate(ctx context.Context, input GenerateInput) (ConfigFile, error)

Generate orchestrates the full config file generation workflow. It retrieves the SSO instance, lists and filters accounts, gathers permission sets, and assembles a ConfigFile ready for output.

func (ConfigFile) HasNickname 

func (c ConfigFile) HasNickname(accountId string) bool

HasNickname determines whether an account has a mapped nickname.

func (*ConfigFile) StartURL 

func (c *ConfigFile) StartURL() string

StartURL constructs the AWS SSO start URL based on the IdentityStoreId or FriendlyName.

type FileBuilder 

type FileBuilder struct {
	Config ConfigFile
}

FileBuilder is responsible for generating an INI-formatted configuration file based on the provided AWS SSO configuration. It handles creating sections for the default profile, SSO session, and individual profiles.

func NewFileBuilder 

func NewFileBuilder(configFile ConfigFile) FileBuilder

NewFileBuilder creates a new FileBuilder instance with the given configuration.

func (*FileBuilder) Build 

func (f *FileBuilder) Build() (*ini.File, error)

Build generates an INI file based on the configuration. It adds a default section, an SSO section, and profile sections for each configured profile. If a nickname mapping exists, it creates an additional profile section for the nickname.

type GenerateInput added in v1.3.0 

type GenerateInput struct {
	SSOClient             SSOAdminClient
	OrgClient             OrganizationsClient
	SessionName           string
	Region                string
	FriendlyName          string
	NicknameMapping       string
	IncludeAccounts       string
	ExcludeAccounts       string
	IncludePermissionSets string
	ExcludePermissionSets string
}

GenerateInput holds all the parameters needed to generate an AWS config file.

type HTTPDoer added in v1.3.0 

type HTTPDoer interface {
	Do(req *http.Request) (*http.Response, error)
}

HTTPDoer is an interface for making HTTP requests.

type IdentityStoreId added in v1.3.0 

type IdentityStoreId string

func NewIdentityStoreId added in v1.3.0 

func NewIdentityStoreId(id string) (IdentityStoreId, error)

func (IdentityStoreId) String added in v1.3.0 

func (i IdentityStoreId) String() string

type OrganizationsClient added in v1.2.0 

type OrganizationsClient interface {
	ListAccounts(ctx context.Context, params *organizations.ListAccountsInput, optFns ...func(*organizations.Options)) (*organizations.ListAccountsOutput, error)
}

Define interface for the Organizations client to make testing easier

type Profile 

type Profile struct {
	Name            ProfileName
	Description     ProfileDescription
	SessionDuration SessionDuration
	SessionName     SessionName
	AccountId       AWSAccountId
	RoleName        RoleName
}

Profile represents an AWS SSO profile configuration. It stores information about a permission set, including its metadata and the account it belongs to. This is used to generate AWS CLI profile configurations in the output file.

type ProfileDescription added in v1.3.0 

type ProfileDescription string

func NewProfileDescription added in v1.3.0 

func NewProfileDescription(desc string) (ProfileDescription, error)

func (ProfileDescription) String added in v1.3.0 

func (pd ProfileDescription) String() string

type ProfileName added in v1.3.0 

type ProfileName string

func NewProfileName added in v1.3.0 

func NewProfileName(name string) (ProfileName, error)

func (ProfileName) String added in v1.3.0 

func (pn ProfileName) String() string

type Region added in v1.3.0 

type Region string

func NewRegion added in v1.3.0 

func NewRegion(region string) (Region, error)

func (Region) String added in v1.3.0 

func (r Region) String() string

type ReleaseInfo added in v1.3.0 

type ReleaseInfo struct {
	TagName     string    `json:"tag_name"`
	Name        string    `json:"name"`
	PublishedAt time.Time `json:"published_at"`
	HTMLURL     string    `json:"html_url"`
}

ReleaseInfo represents the GitHub API response for a release

type RoleName added in v1.3.0 

type RoleName string

func NewRoleName added in v1.3.0 

func NewRoleName(name string) (RoleName, error)

func (RoleName) String added in v1.3.0 

func (rn RoleName) String() string

type SSOAdminClient added in v1.2.0 

type SSOAdminClient interface {
	ListInstances(ctx context.Context, params *ssoadmin.ListInstancesInput, optFns ...func(*ssoadmin.Options)) (*ssoadmin.ListInstancesOutput, error)
	ListPermissionSets(ctx context.Context, params *ssoadmin.ListPermissionSetsInput, optFns ...func(*ssoadmin.Options)) (*ssoadmin.ListPermissionSetsOutput, error)
	ListPermissionSetsProvisionedToAccount(ctx context.Context, params *ssoadmin.ListPermissionSetsProvisionedToAccountInput, optFns ...func(*ssoadmin.Options)) (*ssoadmin.ListPermissionSetsProvisionedToAccountOutput, error)
	DescribePermissionSet(ctx context.Context, params *ssoadmin.DescribePermissionSetInput, optFns ...func(*ssoadmin.Options)) (*ssoadmin.DescribePermissionSetOutput, error)
}

Define interface for the SSO Admin client to make testing easier

type SessionDuration added in v1.3.0 

type SessionDuration string

func NewSessionDuration added in v1.3.0 

func NewSessionDuration(duration string) (SessionDuration, error)

func (SessionDuration) String added in v1.3.0 

func (sd SessionDuration) String() string

type SessionName added in v1.3.0 

type SessionName string

func NewSessionName added in v1.3.0 

func NewSessionName(name string) (SessionName, error)

func (SessionName) String added in v1.3.0 

func (sn SessionName) String() string

type UpdateInfo added in v1.3.0 

type UpdateInfo struct {
	CurrentVersion string
	LatestVersion  string
	ReleaseURL     string
	ReleaseDate    time.Time
}

UpdateInfo contains information about an available update

func CheckForUpdates added in v1.3.0 

func CheckForUpdates(ctx context.Context, client HTTPDoer) (*UpdateInfo, error)

CheckForUpdates compares the current version with the latest release and returns information about a newer version if available

Source Files

View all Source files

Directories

Path Synopsis
cmd
Package main provides the command-line interface (CLI) entry point for the Setlist application.
 Package main provides the command-line interface (CLI) entry point for the Setlist application.
lambda command

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.