Aws-cli: Provide way to get current credentials (AWS SDKs do not support SSO)

Created on 4 Jun 2020 · 6 Comments · Source: aws/aws-cli

My team has set up AWS SSO and is starting to use aws sso login for most of their needs. Everything is working smoothly. However, it appears that AWS SDKs (e.g. Golang apps that call AWS APIs) do not support _reading_ the temporary SSO credentials stored in ~/.aws/cli/cache/~/.aws/sso/cache. (See https://github.com/aws/aws-sdk-go/issues/3186)

And as a result, my team is blocked from adopting AWS SSO because it only works with the AWS CLI but none of our existing tools.

Ideally, the various language-specific AWS SDKs would be able to pick up on the current AWS SSO credentials seamlessly, honoring the AWS_PROFILE or AWS_DEFAULT_PROFILE environment variables and using the same credential lookup algorithm as the CLI. (I assume that's on the roadmap eventually.)

However, getting that change fixed across all of the AWS SDKs, as well as getting them upstreamed into tools that rely on them, will take a long time. And it would be nice to unblock my team until then so they can just rely on aws sso login.

I can see the credential files on my local disk, e.g. ~/.aws/sso/cache/61368d38a2497e42a24a243072108001849d0b07.json. But it isn't clear how to map the current set of environment variables to which JSON file to load.

Could the CLI support some way of _returning_ whatever the credentials it is using? e.g.

# Return the SSO credentials file for the provided profile, or just use AWS_PROFILE, etc.
aws --profile staging-environment \
    sts get-caller-credentials

# Or even better: write the SSO credentials to ~/.aws/credentials. So other tools
# could just read from it.
aws sso write-credentials-to-disk --profile staging-environment

I don't know if there is a better approach here, as I do not know the specific differences between credential resolution in the AWS CLI vs. AWS SDKs. But hopefully there is some sort of workaround to make this scenario work?

Labels: configuration, feature-request, sso, v2

All 6 comments

This is an important feature, please prioritize it. Many of the AWS SDKs do not work with SSO, forcing a workaround. Most SDKs do support external credential_process handlers via a configuration profile. It would be great if aws sso could output credentials in the supported format as a one-liner. This would eliminate the need for a number of third-party tools that work around this, and the many AWS customers that are rewriting those tools so as not to expose their credentials.

aws sso get-profile-credentials --profile profileName could get the token from cache and return the STS creds for the given profile in the JSON format for credential_process.

Format for credential helpers to export: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

Example of a 3rd party tool, also has a list of other tools on the README: https://github.com/victorskl/yawsso
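The comment above describes the workaround shape that the third-party tools implement: a credential_process helper that reuses the token `aws sso login` cached under ~/.aws/sso/cache, exchanges it for role credentials with the SSO GetRoleCredentials API, and prints them in the credential_process JSON contract so any SDK can consume them. The script below is an added example written for this page, not code from the aws-cli project or from any of the tools linked in the thread. It assumes a legacy SSO profile in ~/.aws/config (sso_start_url, sso_region, sso_account_id, sso_role_name), that the CLI names the cached token file after the SHA-1 of sso_start_url (profiles that use an sso_session are keyed by the session name instead, and this script does not handle them), and that the cache file's expiresAt uses the CLI's "2020-06-05T01:52:03UTC" or ISO "...Z" form. The boto3 call is the only live part; everything else is pure parsing.

```python
#!/usr/bin/env python3
"""Added example: credential_process helper that reuses the `aws sso login`
token cache. Not part of the aws-cli project; assumptions are marked inline."""
import configparser
import hashlib
import json
import os
import sys
from datetime import datetime, timezone

CONFIG_PATH = os.path.expanduser("~/.aws/config")
SSO_CACHE_DIR = os.path.expanduser("~/.aws/sso/cache")


def read_sso_profile(profile, config_path=CONFIG_PATH):
    """Return the sso_* settings of a legacy SSO profile from ~/.aws/config."""
    cfg = configparser.ConfigParser()
    cfg.read(config_path)
    section = "default" if profile == "default" else f"profile {profile}"
    if section not in cfg:
        raise KeyError(f"profile {profile!r} not found in {config_path}")
    keys = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
    return {k: cfg[section][k] for k in keys}


def token_cache_path(start_url, cache_dir=SSO_CACHE_DIR):
    """Assumption: the CLI stores legacy-profile tokens as sha1(start_url).json.
    (sso_session profiles are keyed by sha1(session name); not handled here.)"""
    digest = hashlib.sha1(start_url.encode("utf-8")).hexdigest()
    return os.path.join(cache_dir, digest + ".json")


def load_access_token(path, now=None):
    """Load the cached device token and refuse it once it has expired."""
    now = now or datetime.now(timezone.utc)
    with open(path) as fh:
        cached = json.load(fh)
    # Assumption: expiresAt is "2020-06-05T01:52:03UTC" (older CLI) or "...Z".
    raw = cached["expiresAt"].replace("UTC", "").replace("Z", "")
    expires_at = datetime.fromisoformat(raw).replace(tzinfo=timezone.utc)
    if expires_at <= now:
        raise RuntimeError("cached SSO token has expired; run `aws sso login`")
    return cached["accessToken"]


def fetch_role_credentials(sso_client, access_token, account_id, role_name):
    """Exchange the SSO access token for temporary role credentials."""
    resp = sso_client.get_role_credentials(
        roleName=role_name, accountId=account_id, accessToken=access_token
    )
    return resp["roleCredentials"]


def to_credential_process(role_creds):
    """Shape GetRoleCredentials output into the credential_process contract.
    GetRoleCredentials reports expiration as epoch milliseconds."""
    expiration = datetime.fromtimestamp(role_creds["expiration"] / 1000, timezone.utc)
    return {
        "Version": 1,
        "AccessKeyId": role_creds["accessKeyId"],
        "SecretAccessKey": role_creds["secretAccessKey"],
        "SessionToken": role_creds["sessionToken"],
        "Expiration": expiration.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def main(argv):
    profile = argv[1] if len(argv) > 1 else os.environ.get("AWS_PROFILE", "default")
    p = read_sso_profile(profile)
    token = load_access_token(token_cache_path(p["sso_start_url"]))
    import boto3  # only needed for the live call
    from botocore import UNSIGNED
    from botocore.config import Config
    # GetRoleCredentials is authenticated by the bearer token, not SigV4.
    client = boto3.client("sso", region_name=p["sso_region"],
                          config=Config(signature_version=UNSIGNED))
    creds = fetch_role_credentials(client, token, p["sso_account_id"], p["sso_role_name"])
    # Write only to stdout: the SDK reads the pipe, so nothing lands on disk.
    json.dump(to_credential_process(creds), sys.stdout)


if __name__ == "__main__":
    main(sys.argv)
```

Wire it in with `credential_process = /path/to/sso-creds.py staging-environment` in the profile an SDK-based tool uses. Unlike the "write to ~/.aws/credentials" idea in the issue body, this keeps the short-lived keys in the process pipe rather than on disk, which is the property the comment above is after; the trade-off is that the helper runs on every credential resolution, and a stale cache simply fails closed with a message to re-run `aws sso login`.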

Are there any updates on this feature request?

In the meantime, aws-vault v6+ is a nice solution to circumvent this issue in your local environment.

See https://github.com/99designs/aws-vault/pull/549

I've created an npm package for updating the credentials from the command line for any users out there running node https://github.com/ryansonshine/aws-sso-creds-helper

Hi @chrsmith,

Thanks for the request and sorry for the delay. This is also related to #4982. Marking as an SSO feature request.

I've also written a utility in Python that supports AWS SSO credentials. https://github.com/benkehoe/aws-export-credentials
