AWS SSO CLI

About
AWS SSO CLI is a secure replacement for using the aws configure sso
wizard with a focus on security and ease of use for organizations with
many AWS Accounts and/or users with many IAM Roles to assume. It shares
a lot in common with aws-vault,
but is more focused on the AWS SSO use case instead of static API credentials.
Check out this page for more information on how these
two tools compare.
AWS SSO CLI requires your AWS account(s) to be set up with AWS SSO! If your organization is using the
older SAML integration (typically you will have multiple tiles in OneLogin/Okta)
then this won't work for you.
What does AWS SSO CLI do?
Overview
AWS SSO CLI makes it easy to manage your shell environment variables allowing
you to access the AWS API & web console using CLI tools. Unlike the official
AWS tooling, the aws-sso command does not require manually creating named
profiles in your ~/.aws/config (or anywhere else for that matter) for each
and every role you wish to assume and use.
aws-sso focuses on making it easy to select a role via CLI arguments or
via an interactive auto-complete experience with automatic and user-defined
metadata (tags) and exports the necessary AWS STS Token credentials
to your shell environment in a variety of ways.
As part of the goal of improving the end-user experience with AWS SSO, it also
supports using multiple AWS Web Console sessions
and many other quality of life improvements!
Key Features
- Enhanced security over stock AWS tooling
- Auto-discover your AWS SSO roles and manage your ~/.aws/config file
- Support selecting an IAM role via $AWS_PROFILE, CLI (with auto-completion) or interactive search
- Ability to select roles based on user-defined and auto-discovered tags
- Support for multiple active AWS Console sessions
- Guided setup to help you configure aws-sso the first time you run it
- Advanced configuration available to adjust colors and generate named profiles via templates
- Easily see how much longer your STS credentials are valid for
- Written in GoLang, so you only need to install a single binary (no dependencies)
- Supports Linux, MacOS, and Windows
Demo
Here's a quick demo showing how to select a role to assume in interactive mode
and then run commands in that context (by default it starts a new shell).

Want to see more? Check out the other demos.
Security
Unlike the official AWS CLI tooling, all
authentication tokens and credentials used for accessing AWS and your SSO
provider are encrypted on disk using your choice of secure storage solution.
All encryption is handled by the 99designs/keyring
library, which is also used by aws-vault.
Credentials encrypted by aws-sso and not via the standard AWS CLI tool:
- AWS SSO ClientID/ClientSecret -- ~/.aws/sso/cache/botocore-client-id-<region>.json
- AWS SSO AccessToken -- ~/.aws/sso/cache/<random>.json
- AWS Profile Access Credentials -- ~/.aws/cli/cache/<random>.json
As you can see, not only does the standard AWS CLI tool expose the temporary
AWS access credentials to your IAM roles, but more importantly the SSO
AccessToken which can be used to fetch IAM credentials for any role you have
been granted access!
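To check whether a workstation still holds these plaintext caches from the stock AWS CLI, the following added example (not part of aws-sso or of the original page) scans the two cache directories listed above and reports which files contain secrets and whether their permissions allow group or world access. The JSON key names in SECRET_KEYS are assumptions about the stock CLI's cache format, and the sample files are constructed with fake values.

```python
import json, os, stat
from pathlib import Path

# Cache directories named on this page, relative to the home directory.
CACHE_DIRS = (".aws/sso/cache", ".aws/cli/cache")
# Assumed names of secret-bearing JSON keys in the stock AWS CLI cache files.
SECRET_KEYS = {"accessToken", "refreshToken", "clientSecret",
               "SecretAccessKey", "SessionToken"}

def secret_keys_in(obj):
    """Recursively collect the names (never the values) of secret keys."""
    if isinstance(obj, list):
        return set().union(*map(secret_keys_in, obj))
    if not isinstance(obj, dict):
        return set()
    found = {k for k, v in obj.items() if k in SECRET_KEYS and v}
    return found.union(*map(secret_keys_in, obj.values()))

def audit(home):
    """List plaintext credential cache files under `home` and their exposure."""
    findings = []
    for rel in CACHE_DIRS:
        for path in sorted((Path(home) / rel).glob("*.json")):
            try:
                keys = secret_keys_in(json.loads(path.read_text()))
            except (OSError, ValueError):
                continue  # unreadable or not JSON: nothing to classify
            if keys:
                mode = stat.S_IMODE(path.stat().st_mode)
                findings.append({"file": path.relative_to(home).as_posix(),
                                 "secrets": sorted(keys),
                                 "group_or_world_access": bool(mode & 0o077)})
    return findings

def write_sample_home(home):
    """Constructed sample caches with fake values, for a dry run."""
    samples = {".aws/sso/cache/sample-token.json": {"accessToken": "FAKE"},
               ".aws/cli/cache/sample-role.json":
                   {"Credentials": {"SecretAccessKey": "FAKE", "SessionToken": "FAKE"}}}
    for rel, body in samples.items():
        path = Path(home) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(body))
        os.chmod(path, 0o644)

if __name__ == "__main__":
    print(audit(Path.home()))  # real home directory; reports key names only
```

Any file it reports is a candidate for deletion once the credentials it holds are no longer needed by the stock CLI.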
What is not encrypted?
- Contents of user defined ~/.aws-sso/config.yaml
- Meta data associated with the AWS Roles fetched via AWS SSO in ~/.aws-sso/cache.json:
  - Email address tied to the account (root user)
  - AWS Account Alias
  - AWS Role ARN
License
AWS SSO CLI is licensed under the GPLv3.