Aws-cli: Add support for AWS Single Sign-On
AWS recently released a SSO service that integrates with Organizations and the AWS Directory Service:
https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
Currently, the only way to consume this service is via a browser. Shortcuts are provided to copy and paste shell commands to export the appropriate environment variables, but this is unacceptable. Users should not need to use a web browser to authenticate with CLI tools.
Other tools such as aws-adfs exist to do this for ADFS, Octa, etc, but there are not currently any for AWS SSO. Since this is a first-party AWS service, aws-cli should support it.
brandond
All 43 comments
@brandond, Thank you for reaching out. This seems like a reasonable feature request marking the label as such. Can you tell me more how you would like this feature to work or provide an example. Thanks.
justnance
on 16 Jul 2018
Other tools in this space use interactive prompts, much like the aws configure command. The work flow is generally something along the lines of:
- Prompt for username
- Prompt for password
- Prompt for MFA code (if necessary)
- Make login call to SSO service, enumerate available roles, retrieve SAML assertion
- Parse SAML assertion to discover available roles
- Prompt to select role
- Make STS:AssumeRoleWithSAML call
- Store temporary credentials returned by STS to profile (~/.aws/credentials)
I haven't been able to find any documentation on APIs for configuring or consuming SSO, but a quick look at the developer tool network log in my browser indicates that there is a REST service behind the console.
brandond
on 17 Jul 2018
@brandond, Thank you for your feedback. It sound reasonable and this issue will remain labeled as feature request. Thanks.
justnance
on 21 Jul 2018
+1 to this, would make our lives much easier
hassankhan
on 2 Nov 2018
We need CLI support. Right now our devs are stuck logging in and out of the SSO screen to get credentials every hour.
ghost
on 6 Nov 2018
+1 For this feature
angusfz
on 13 Nov 2018
+1 For this feature
Kim725
on 13 Nov 2018
+1 For this feature
jonatasalves-hotmart
on 14 Nov 2018
100% required.
Zordrak
on 23 Jan 2019
+1
Photon0gen
on 8 Feb 2019
+1 for this feature. AWS SSO became available in our region (Sydney), but sadly it doesn't look like we can use it until the aws cli supports gaining access programatically.
akr257
on 2 Mar 2019
+1 for this. This would make a huge business impact. Atleast for us.
hammerheadgit
on 2 Mar 2019
+1
theTestTube
on 12 Mar 2019
It's been months. Where is the support for AWS SSO? If it's going to be a competitor to Okta, Keycloak, or ADFS, it needs CLI methods to access credentials.
et304383
on 21 Mar 2019
+1 having AWS Landing Zone with integrated SSO and can't use CLI with it, is no good product solution ... please add this feature
cargauer
on 11 Apr 2019
+1
davidrdark
on 17 Apr 2019
+1
supergicko
on 17 Apr 2019
+1 but consider also SAML IdPs which require you to login via web
jtheuer
on 30 Apr 2019
+1
Codeseer
on 24 May 2019
+1
Yes please, this would save a lot of time and hassle.
jamestharpe
on 24 May 2019
+1
mechanicalpete
on 17 Jun 2019
+1 +1 +1
mkarnati-chwy
on 27 Jun 2019
+1
dan-lind
on 5 Jul 2019
AWS-CLI _and_ AWS-SDK support would be nice
ORESoftware
on 12 Jul 2019
+1
m6a-UdS
on 12 Jul 2019
+1 we still updating our credentials files every hour with keys from the browser
C-Kenny
on 17 Jul 2019
+1
avanbecelaere
on 30 Jul 2019
We need CLI support. Right now our devs are stuck logging in and out of the SSO screen to get credentials every hour.
This was driving me crazy, until AWS implement a new feature it is possible to extend this to up to 12 hours to make it less burdensome.
reidca
on 14 Aug 2019
+100
ccsalway
on 19 Aug 2019
+600
DaveOps83
on 19 Aug 2019
+1
mo-saeed
on 20 Aug 2019
Would be good also to add support for cloud-formation and python sdk.
mo-saeed
on 20 Aug 2019
@reidca 鈥撀燿oes this help?
https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html
arthur-burkart-simplisafe
on 26 Aug 2019
longer session duration is nice, but would be great if we could programmatically authenticate without the need to go through a browser; helps automate and simplify local dev.
matwerber1
on 11 Sep 2019
So I got tired of waiting and made a small tool for this. It's still very early and could be improved but it has worked for me for the last couple of weeks.
Have a look and tell me what you think: github.com/wnkz/aws-sso.
Hope this can help some of you as well.
wnkz
on 15 Sep 2019
This is the current challenge that prohibiting us from using SSO and keeping our developers staying on GCP. Most of our Dev's are using Windows Boxes w/ Visual Studio.
mark-bixler
on 16 Sep 2019
@brandond, Thank you for reaching out. This seems like a reasonable feature request marking the label as such. Can you tell me more how you would like this feature to work or provide an example. Thanks.
Hi @justnance, any progress update on this? This is a very critical piece for many, in determining whether they can utilize AWS Directory Service / SSO, or need to go a different route (e.g., Okta, etc). Hoping there may be light at the end of this tunnel _soon_...?
jesuskwice
on 16 Oct 2019
Is there a way to create permission sets for AWS SSO via CLI?
valayDave
on 28 Oct 2019
It is absolutely ridiculous that no one has responded to this in almost 18 months.
JohnVonNeumann
on 6 Nov 2019
finally, it's here with AWS CLI v2 preview. works great for me. thanks!
https://aws.amazon.com/blogs/developer/aws-cli-v2-now-supports-aws-single-sign-on/
icysharp
on 8 Nov 2019
Closing issue. It is now supported in AWS CLI v2 developer preview and instructions on how to configure it can be found in the v2 user guide: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
kyleknap
on 3 Dec 2019
Is there a way to do login programatically. We need to do this from a script to be able to connect to k8s cluster created in AWS control tower managed account.
danushkaf
on 9 Dec 2019
Mandatory browser interaction seems absurd. Are there any plans to improve this with any of the suggestions, like --no-browser, etc?
spanky-medal
on 9 Sep 2020
Related issues
ehammond
路
3Comments
hapx101
路
3Comments
vadimkim
路
3Comments
KimberleySDU
路
3Comments
ikim23
路
3Comments
Most helpful comment
Other tools in this space use interactive prompts, much like the
aws configurecommand. The work flow is generally something along the lines of:I haven't been able to find any documentation on APIs for configuring or consuming SSO, but a quick look at the developer tool network log in my browser indicates that there is a REST service behind the console.