Boto3: Add support for AWS SSO

@mo-saeed - Thank you for your post. Marking this as a feature request.

@swetashre Thanks a lot, Do you think this can be done soon ? any estimation ?

How about https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sso.html ?

@s0enke your link is about SSO the service.
I think @mo-saeed is looking for awscli authentication via SSO - instead of the usual access-key-id/secret-access-key.
awscli v2 supports this now: https://aws.amazon.com/about-aws/whats-new/2019/11/use-the-aws-cli-v2-preview-with-aws-single-sign-on-to-increase-developer-productivity/

It would be awesome if this could be implemented!

Also chiming in on this because this is one of the only ways to use accounts with Control Tower. Currently having to manually re-auth every hour is painful :(

I am using AWS CLI V2 with SSO. I really need this feature.

I am using AWS CLI V2 with SSO. I really need this feature.

We removed all our persistent keys once AWS CLI supported SSO only to discover that the boto sdk has no concept of SSO login which is highly frustrating.

It would be great to get this support as soon as possible. The same is true of other SDKs it seems - I have the same issue with PowerShell.

Getting this current with aws cli v2 would be ideal for the same reasons others mentioned above.

Example working config for the cli but not with boto3 sdk:
[profile dev]
sso_start_url = https://COMPANY.awsapps.com/start
sso_region = us-east-1
sso_account_id = ACCOUNTID
sso_role_name = AccountAccess
region = us-east-1
output = json

Currently any cli profile defined like above that uses SSO throws the below exception:
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/botocore/auth.py", line 357, in add_auth raise NoCredentialsError botocore.exceptions.NoCredentialsError: Unable to locate credentials

Assuming this relates to:
https://github.com/boto/botocore/issues/1988
https://github.com/boto/botocore/issues/1923

I have created and shared a script as a workaround until the boto3 and the other SDKs support (cached) SSO authentication. This script simplifies updating ~/.aws/credentials for AWS SSO users. It will update the AWS credentials file by adding/updating the specified profile credentials using the AWS CLI v2 cached SSO login.

How long before this feature is added? We also have AWS Control Tower spawning new accounts. Adding groups and managing permission sets manually every-time is a nightmare.

We have moved to the aws cliv2 SSO method in our organization as well and have to manually update the credentials file after profile login with sso method.

I took at stab at writing a credential_process to solve this problem, which means you won't need to call scripts randomly, most applications are already smart enough to properly re-call the process when the credentials expire: https://github.com/flyinprogrammer/aws-sso-fetcher

it also does some caching so that sequential calls use a file until the credential expires.
It's pretty alpha software, but it seems to work ¯_(ツ)_/¯ Issues and feedback welcome.

I took at stab at writing a credential_process to solve this problem, which means you won't need to call scripts randomly, most applications are already smart enough to properly re-call the process when the credentials expire: https://github.com/flyinprogrammer/aws-sso-fetcher

https://github.com/boto/botocore/issues/1988#issuecomment-626771515 is a version of this in Python that also works for now just to make that more visible here.

aws-sso-credential-process (written by me) is the python tool referenced above. It uses the code from botocore v2, including the capability to open the web browser automatically (like aws sso login does) when you need to sign in again. It also includes a tool to more easily configure profiles for AWS SSO + credential_process. But it's not a single executable like the go version.

Many AWS customers use Okta as their primary idP. With yesterday's announcement it is more enticing to leverage AWS SSO (specially for AWS CLI v2), however, having to rely on the above workarounds is not something that will necessarily fly on large enterprise AWS customers. I think this should be prioritized. Thank you.

Boto3 itself can be still continue functioning with SSO login session by leveraging environment variables -- which takes precedent in finding credentials over shared credentials file. i.e. To guide users to export those environment variables found from SSO user portal after they have login through portal.

However, many tools (especially CLI-based) that depends on boto3 and, it is hard to instruct end-users to export those env variables before using the tool -- plus it is timed-constraint token and expires, thus user has to update those env var time-to-time, so none ideal use case. Inadvertently, most tools credentials check fall back to shared credentials file.

From https://github.com/aws/aws-cli/issues/4982 and few days I search for solution, before I ended up yawsso to sync v1 credentials from v2 SSO login session cache -- extending @sgtoj script, just to depends only on CLI v2 itself. So that I could keep going my daily ops support to users like terraform, cdk, cw, awsbw, etc.. While waiting to resolve this issue sooner in respective upstreams!

Support for loading credentials cached by aws sso login was shipped in 1.14.0.

~I upgraded, but still getting botocore.exceptions.NoCredentialsError: Unable to locate credentials~

Update: it works!

Confirmed 1.14.16 is working for me after ensuring I was on the right AWS_PROFILE. Cheers!

@mmerickel After tripping over the wrong AWS_PROFILE too many times I tried to make that easier on myself. https://gist.github.com/benkehoe/0d2985e56059437e489314d021be3fbe

Now SSO credential provider is supported with botocore v1 branch. So it can be used with boto3.
https://github.com/boto/botocore/pull/2070

The original request is still needed/missing, which is to be able to manage SSO Permission Sets. Currently the only way we know how to do this is in the browser directly.

I also add myself to @alittle-csdisco 's comment. In complex situations with AWS Organization with dozens, if not hundreds, of AWS accounts and thousand of users it is unthinkable to manage the assignment of roles manually via the web interface. Hours and hours of manual work, obviously prone to error, in the most delicate aspect of all account management. It is an epic lack of AWS.

This is in addition to the fact that AWS SSO does not support nested ADD groups. 🤦‍♂️

@swetashre this request is a year that is included in the feature requests. Is there hope that something will be done in the near future?

The whole discussion below went off-topic. @mo-saeed 's request was quite clear but completely ignored.

Guys, We have built a library which can automate most of the AWS SSO activities for now. That was the original request.

1. Get Groups
2. Get Users
3. Get Accounts
4. Create Permission Sets
5. Assign custom policy to a permission set
6. Update Permission sets
7. Associate user/groups to an Account with a particular permission set
8. Disassociate user/groups from an Account with a particular permission set

https://github.com/schubergphilis/awsssolib

Here is the pypi link:

https://pypi.org/project/awsssolib/

Sample snippet:

import os
from awsssolib.awsssolib import Sso
os.environ['AWS_ACCESS_KEY_ID']=''
os.environ['AWS_SECRET_ACCESS_KEY']=''
os.environ['AWS_DEFAULT_REGION']=''
os.environ['AWS_SESSION_TOKEN']=''
sso_connection = Sso('arn:aws:iam::<<account_id>>:role/<<role_name>>')
for group in sso_connection.groups:
     print(group.name)

The Role should have access to aws sso and sso-directory

Hope this helps all of you for now. :)
Merge requests are always welcomed :)

@mo-saeed

I think this issue can be closed, as AWS SSO has released APIs for assignment management and read access to the identity store, both of which are present in boto3:

• https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sso-admin.html
• https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/identitystore.html