Aws-cli: [v2] aws sso commands should allow opting out of automatically opening a browser

Hi @mmerickel, it looks like this request is similar to #5061. If so, I'll link it there and mark it as a duplicate. Thanks!

I think my ticket was a bit more detailed and is actually about machines that do have a browser versus machines that don't. However the final feature implemented should definitely satisfy both use cases. The referenced issue also does not mention aws configure sso, only aws sso login.

@mmerickel This is definitely a reasonable feature request to have something explicit to say "don't open a browser". We went back and forth on whether or not we should open a browser at all, should it be the default, etc. when implementing this initially and opted to try and be smart and always try to open the browser with some fallback text.

Because we use webbrowser stdlib module: https://docs.python.org/2/library/webbrowser.html
It should be possible to set the BROWSER env var to something else that acts like a no-op as a workaround. For example, you could try using true:

BROWSER=true aws sso login

Let me know if that works for you in the interim.

@joguSD this approach does work perfectly for me. Thank you for that. It appears the code does not know whether it opened the browser or not - if it did then there could be a lot of improved messaging here.

My organization has multiple proxies and gives us multiple domain accounts for different roles, it's almost never the case that my default browser is either logged into the domain account I need to use for the SSO login or using the proxy to meet source IP CIDR firewall rules. I can't get that ENV variable to work on Windows. I have to wait for the CLI to open my default browser and frantically ESC then CTRL-W and hope I caught it in time, then open my other browser that will work for the login.

Even though you have support for using elinks when on a headless connection to a linux machine, I've never seen elinks not fail on cert validation of the SSO login URL. For a while I was having to sudo chmod -x $(which elinks) to do the SSO login, but the BROWSER env variable seems to work on Linux. But having a proper set of CLI arguments would be preferred for cross-platform consistenty.

This is an issue for me. For some reason my AV has decided that anytime a browser is launched in WSL it's a 'suspicious behavior'.
It would be easier just have aws/cli (and amplify) just not launch a browser and let me open the browser manually while the antivirus finally figures out the issue on their side.

BROWSER=true does not work with the webbrowser Python module on my system.
https://docs.python.org/3.8/library/webbrowser.html states that it must be a full path.
BROWSER=/usr/bin/true or BROWSER/usr/bin/echo works.

Also see #5533.

BROWSER=true does not work with the webbrowser Python module on my system.
https://docs.python.org/3.8/library/webbrowser.html states that it must be a full path.
BROWSER=/usr/bin/true or BROWSER/usr/bin/echo works.

BROWSER=/usr/bin/echo is great because it produces the full URL for easy one-step copy and paste to a desktop browser. Thanks for the hint!

BROWSER=true does not work with the webbrowser Python module on my system.
https://docs.python.org/3.8/library/webbrowser.html states that it must be a full path.
BROWSER=/usr/bin/true or BROWSER/usr/bin/echo works.

BROWSER=/usr/bin/echo is great because it produces the full URL for easy one-step copy and paste to a desktop browser. Thanks for the hint!

That's super useful - not to figure out what it is for Windows users, we have a few of them and this would be quite useful...

not to figure out what it is for Windows users,

I would think that just having a real CLI argument like --no-browser so that it just prints out the URL and code would be the simplest way.

That would work for all platforms.