synfinatic / aws-sso-cli

Licence: GPL-3.0 license
A powerful tool for using AWS SSO for the CLI and web console.

Programming Languages

go
31211 projects - #10 most used programming language
Makefile
30231 projects

Projects that are alternatives of or similar to aws-sso-cli

bakery
(Not maintained anymore) Bakery - Centralised AWS identity and access management solution for multiple accounts
Stars: ✭ 50 (-58.68%)
Mutual labels:  iam-role
aws-peacock-management-console
Browser Extension to show account alias and change color of AWS Management Console, even if AWS SSO.
Stars: ✭ 46 (-61.98%)
Mutual labels:  aws-sso
kube-secrets-init
Kubernetes mutating webhook for `secrets-init` injection
Stars: ✭ 106 (-12.4%)
Mutual labels:  iam-role
awscredswrap
awscredswrap uses temporary credentials for the specified iam role to set a shell environment variable or execute a command.
Stars: ✭ 15 (-87.6%)
Mutual labels:  iam-role
cognises-flask
Flask Cognises: AWS Cognito group based authorization with user management
Stars: ✭ 16 (-86.78%)
Mutual labels:  iam-role
holochrome
Use your IAM role (from instance metadata) to open the AWS console
Stars: ✭ 102 (-15.7%)
Mutual labels:  iam-role
aws-sso-creds-helper
A command line util for using SSO credentials with AWS SDK on AWS CLI v2 until native support is released
Stars: ✭ 34 (-71.9%)
Mutual labels:  aws-sso
cdk-multi-profile-plugin
Adds multi profile/account, mfa and aws sso support to cdk apps
Stars: ✭ 41 (-66.12%)
Mutual labels:  aws-sso
terraform-aws-iam-assumed-roles
Terraform Module for Assumed Roles on AWS with IAM Groups Requiring MFA
Stars: ✭ 33 (-72.73%)
Mutual labels:  iam-role
aws-sso
Command Line tool for AWS SSO Credentials
Stars: ✭ 30 (-75.21%)
Mutual labels:  aws-sso
aws-iam-role
⚡ The easiest way to deploy and manage AWS IAM Roles, powered by Serverless Components.
Stars: ✭ 13 (-89.26%)
Mutual labels:  iam-role
terraform-aws-organization-access-group
Terraform module to create an IAM Group and Policy to grant permissions to delegated IAM users in the Organization's master account to access a member account
Stars: ✭ 16 (-86.78%)
Mutual labels:  iam-role
secrets-init
minimalistic init system for containers with AWS/GCP secrets support
Stars: ✭ 114 (-5.79%)
Mutual labels:  iam-role
aws-cloudformation-templates
CloudFormation Templates
Stars: ✭ 15 (-87.6%)
Mutual labels:  iam-role
terraform-aws-account
🌳 A sustainable Terraform Package which creates Account & IAM resources on AWS
Stars: ✭ 18 (-85.12%)
Mutual labels:  aws-sso

AWS SSO CLI

Other Pages:

About

AWS SSO CLI is a secure replacement for using the aws configure sso wizard with a focus on security and ease of use for organizations with many AWS Accounts and/or users with many IAM Roles to assume. It shares a lot in common with aws-vault, but is more focused on the AWS SSO use case instead of static API credentials. Check out this page for more information on how these two tools compare.

AWS SSO CLI requires your AWS account(s) to be set up with AWS SSO! If your organization is using the older SAML integration (typically you will have multiple tiles in OneLogin/Okta) then this won't work for you.

How to read these docs

In general, I do feature development in feature branches and then merge to the main branch when that feature is stable. I also tend to try to include any documentation changes in those pull requests. Once a release is ready, I tag the tip of main and do the release.

What that means is that the documentation you see here (tip of main) may include features that are not in the latest release. To view the docs for your release, please use the branch selector near the top of this page to choose the tag of the version of AWS SSO CLI that you are using.

What does AWS SSO CLI do?

Overview

AWS SSO CLI makes it easy to manage your shell environment variables allowing you to access the AWS API & web console using CLI tools. Unlike the official AWS tooling, the aws-sso command does not require manually creating named profiles in your ~/.aws/config (or anywhere else for that matter) for each and every role you wish to assume and use.

aws-sso focuses on making it easy to select a role via CLI arguments or via an interactive auto-complete experience with automatic and user-defined metadata (tags) and exports the necessary AWS STS Token credentials to your shell environment in a variety of ways.

As part of the goal of improving the end-user experience with AWS SSO, it also supports using multiple AWS Web Console sessions and many other quality of life improvements!

Key Features

  • Enhanced security over stock AWS tooling
  • Auto-discover your AWS SSO roles and manage your ~/.aws/config file
  • Support selecting an IAM role via $AWS_PROFILE, CLI (with auto-completion) or interactive search
  • Ability to select roles based on user-defined and auto-discovered tags
  • Support for multiple active AWS Console sessions
  • Guided setup to help you configure aws-sso the first time you run
  • Advanced configuration available to adjust colors and generate named profiles via templates
  • Easily see how much longer your STS credentials are valid for
  • Written in GoLang, so you only need to install a single binary (no dependencies)
  • Supports Linux, MacOS, and Windows

Demo

Here's a quick demo showing how to select a role to assume in interactive mode and then run commands in that context (by default it starts a new shell).

Want to see more? Check out the other demos.

Security

Unlike the official AWS CLI tooling, all authentication tokens and credentials used for accessing AWS and your SSO provider are encrypted on disk using your choice of secure storage solution. All encryption is handled by the 99designs/keyring library which is also used by aws-vault.

Credentials encrypted by aws-sso and not via the standard AWS CLI tool:

  • AWS SSO ClientID/ClientSecret -- ~/.aws/sso/cache/botocore-client-id-<region>.json
  • AWS SSO AccessToken -- ~/.aws/sso/cache/<random>.json
  • AWS Profile Access Credentials -- ~/.aws/cli/cache/<random>.json

As you can see, not only does the standard AWS CLI tool expose the temporary AWS access credentials to your IAM roles, but more importantly the SSO AccessToken which can be used to fetch IAM credentials for any role you have been granted access!
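
An added example (not code from aws-sso or the AWS CLI) that audits a home directory for the plaintext cache files listed above and flags any that group or other users can access. The directories come from that list; the JSON field names it looks for are assumptions about the AWS CLI cache format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

type Finding struct {
	Path, Kind string
	Loose      bool // true when group or others have any permission bit set
}

// Directories are from the list above; the JSON field names are assumed, not from the page.
var caches = []struct{ dir, field, kind string }{
	{".aws/sso/cache", "clientSecret", "SSO ClientID/ClientSecret"},
	{".aws/sso/cache", "accessToken", "SSO AccessToken"},
	{".aws/cli/cache", "Credentials", "Profile Access Credentials"},
}

// AuditHome reports path, class and mode only; secret values are never copied out.
func AuditHome(home string) ([]Finding, error) {
	var out []Finding
	for _, c := range caches {
		files, err := filepath.Glob(filepath.Join(home, c.dir, "*.json"))
		if err != nil {
			return nil, err
		}
		for _, f := range files {
			info, statErr := os.Stat(f)
			raw, readErr := os.ReadFile(f)
			var doc map[string]json.RawMessage
			if statErr != nil || readErr != nil || json.Unmarshal(raw, &doc) != nil || doc[c.field] == nil {
				continue // unreadable, not a JSON object, or no credential field
			}
			out = append(out, Finding{f, c.kind, info.Mode().Perm()&0o077 != 0})
		}
	}
	return out, nil
}

func main() {
	home, _ := os.UserHomeDir() // "" on failure: paths become relative to the cwd
	findings, err := AuditHome(home)
	for _, f := range findings {
		fmt.Printf("%-28s loose=%-5v %s\n", f.Kind, f.Loose, f.Path)
	}
	fmt.Println(len(findings), "plaintext credential file(s); error:", err)
}
```

Any file it reports is a credential the standard tooling left readable on disk; the Loose flag marks the ones whose mode also exposes them to other local accounts.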

What is not encrypted?

  • Contents of user defined ~/.aws-sso/config.yaml
  • Metadata associated with the AWS Roles fetched via AWS SSO in ~/.aws-sso/cache.json
    • Email address tied to the account (root user)
    • AWS Account Alias
    • AWS Role ARN

What next?

The following pages will help get you started:

License

AWS SSO CLI is licensed under the GPLv3.
