Rafael Sales

Generating ~/.aws/credentials through AWS SSO via CLI

1. Configure AWS SSO via CLI

$ aws configure sso
SSO start URL [None]: https://mycompany.awsapps.com/start
SSO Region [None]: us-east-1
The only AWS account available to you is: 43294231752
Using the account ID 43294231752
The only role available to you is: DeveloperAccess
Using the role name "DeveloperAccess"
CLI default client Region [None]: us-east-1
CLI default output format [None]: json
CLI profile name [DeveloperAccess-43294231752]: mycompany

2. Find your role ARN

$ aws iam list-roles --profile mycompany
{
  "Roles": [
    {
      "Path": "/aws-reserved/sso.amazonaws.com/",
      "RoleName": "AWSReservedSSO_DeveloperAccess_d76dgf87km13mb",
      "RoleId": "D67DSAUSNJ3491KM",
      "Arn": "arn:aws:iam::43294231752:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DeveloperAccess_d76dgf87km13mb",
      ...
    },
    ...
  ]
}

To find the role in the list, look for a role name containing the one you saw in the first step, "DeveloperAccess" in this case.

3. Try fetching the credentials using the ARN above

$ aws sts assume-role \
  --profile mycompany \
  --role-session-name YourNameHere \
  --role-arn arn:aws:iam::43294231752:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DeveloperAccess_d76dgf87km13mb

You should get a response like this:

{
    "Credentials": {
        "AccessKeyId": "...",
        "SecretAccessKey": "...",
        "SessionToken": "...",
        "Expiration": "2020-06-06T16:48:03+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "...",
        "Arn": "..."
    }
}

4. Create a script to generate ~/.aws/credentials

I like to name this script aws_refresh_token.sh.
Make sure to adjust the variables (profile name and role ARN) to match your own setup.

#!/bin/bash

# This script generates AWS programmatic access credentials for a user authenticated via SSO.
# Before using, make sure that AWS SSO is configured in your CLI: `aws configure sso`
# The Role ARN can be found in the AWS Console -> IAM -> Roles or via AWS CLI -> `aws iam list-roles`

profile="mycompany"
role_arn="arn:aws:iam::43294231752:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DeveloperAccess_d76dgf87km13mb"
# A role session name may only contain [A-Za-z0-9+=,.@-]; replace anything else with "-"
user_name=$(git config user.name | sed 's/[^A-Za-z0-9+=,.@-]/-/g')

# Stores the assume-role JSON response in $credentials.
# Returns non-zero when the call fails, e.g. because the SSO session has expired.
request_credentials() {
  credentials=$(
    aws sts assume-role \
      --profile "$profile" \
      --role-arn "$role_arn" \
      --role-session-name "$user_name"
  )
}
request_credentials

if [ $? -ne 0 ]; then
  # Re-authenticate through the browser-based SSO login, then retry once
  aws sso login --profile "$profile" || exit 1
  request_credentials || exit 1
fi

# Pull the three credential fields out of the JSON response (one field per line)
access_key_id=$(echo "$credentials" | perl -n -e'/"AccessKeyId": "([^"]+)"/ && print $1')
secret_key_id=$(echo "$credentials" | perl -n -e'/"SecretAccessKey": "([^"]+)"/ && print $1')
session_token=$(echo "$credentials" | perl -n -e'/"SessionToken": "([^"]+)"/ && print $1')

# Write the temporary credentials into the [mycompany] section of ~/.aws/credentials
aws configure set --profile "$profile" aws_access_key_id "$access_key_id"
aws configure set --profile "$profile" aws_secret_access_key "$secret_key_id"
aws configure set --profile "$profile" aws_session_token "$session_token"

5. Testing

$ ./aws_refresh_token.sh

$ cat ~/.aws/credentials
[mycompany]
aws_access_key_id = ...
aws_secret_access_key = ...
aws_session_token = ...
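The script above parses the assume-role response with regular expressions and only refreshes when a call fails. As an added example (not part of the original post), the same steps in Python: parse the response with a JSON parser, merge the profile into an INI credentials file created with owner-only permissions, and use the response's Expiration field to decide whether a refresh is needed before the credentials actually run out. The sample response and the extra "expiration" key stored in the profile are constructed for this example; the AWS CLI ignores keys it does not recognise.

```python
import configparser
import json
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Constructed sample in the shape of the step-3 response (placeholder values).
SAMPLE_RESPONSE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "example/secret/placeholder",
    "SessionToken": "FwoGZXIvYXdzEXAMPLEtoken==",
    "Expiration": "2020-06-06T16:48:03+00:00",
}})


def parse_credentials(response_json: str) -> dict:
    """Extract the fields the script needs with a JSON parser instead of regexes."""
    creds = json.loads(response_json)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],  # extra key; the AWS CLI ignores unknown keys
    }


def write_profile(path: Path, profile: str, creds: dict) -> None:
    """Merge one profile into the INI credentials file, keeping other profiles."""
    config = configparser.ConfigParser()
    config.read(path)
    config[profile] = creds
    path.touch(mode=0o600)  # holds secrets: owner read/write only (no-op if it exists)
    with path.open("w") as fh:
        config.write(fh)


def needs_refresh(path: Path, profile: str, now: datetime,
                  margin: timedelta = timedelta(minutes=5)) -> bool:
    """True when nothing is cached or the cached credentials expire within margin."""
    config = configparser.ConfigParser()
    config.read(path)
    if profile not in config or "expiration" not in config[profile]:
        return True
    return now + margin >= datetime.fromisoformat(config[profile]["expiration"])


def run_demo() -> dict:
    path = Path(tempfile.mkdtemp()) / "credentials"  # stand-in for ~/.aws/credentials
    write_profile(path, "mycompany", parse_credentials(SAMPLE_RESPONSE))
    issued = datetime.fromisoformat("2020-06-06T15:48:03+00:00")  # one hour before expiry
    return {"written": "aws_access_key_id = ASIAEXAMPLEKEYID" in path.read_text(),
            "fresh": needs_refresh(path, "mycompany", issued),
            "near_expiry": needs_refresh(path, "mycompany", issued + timedelta(minutes=57)),
            "unknown_profile": needs_refresh(path, "other", issued)}
```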

Top comments (4)

Alessandro Gaggia

Hi, good solution. We did something similar because we wanted to use AWS SSO and third party tools as well as SDKs together. We generate temporary credentials starting from Accounts and Roles retrieved from AWS SSO, then we save these temporary credentials in ~/.aws/credentials. Here is the link to GitHub if you'd like to check it out and give some feedback: github.com/Noovolari/leapp

Cheers!

Rafael Sales

Hey Alessandro,
Man, that's a really nice tool - I'll definitely start using it!
Thanks for sharing

Lars Fronius

FYI: Any of the workarounds that continue to use the implicit trust behaviour of SSO-created roles don't work anymore with new roles and will stop working by 15th of February 2023 due to aws.amazon.com/blogs/security/anno...

Remi Gabillet

Thank you Rafael, this works beautifully!