synfinatic / aws-sso-cli

A powerful tool for using AWS Identity Center for the CLI and web console.

Home Page: https://synfinatic.github.io/aws-sso-cli/

License: GNU General Public License v3.0

Makefile 2.34% Go 96.60% Shell 1.06%
aws cli aws-sso security-tools iam-role credentials credentials-helper keychain temporary-credentials aws-identity-center

aws-sso-cli's People

Contributors

alezkv, dependabot[bot], drboyer, drmikecrowe, ghthor, guildencrantz, jackjen, johngmyers, kevcube, monwolf, mouchar, pacovk, rgarrigue, skx, synfinatic, timothybondgr, zickzackv

aws-sso-cli's Issues

Selecting Role first, returns a list of different ARNs with limited metadata

If you first choose Role <rolename> then you get a list of ARNs in different accounts to select from, but no metadata. Would be really nice if we picked the AccountName (or Email or AccountAlias?) and presented that as a comment to aid in selection, since people may not know what they want by the AccountID directly.

Can't `CTRL-C` after using go-prompt to select role

Basically go-prompt is blocking CTRL-C even after you have made a selection and Prompt.Run() has returned. The result is that if you try CTRL-C during AWS SSO / OIDC login/authentication, rather than the tool exiting like the user expects, they just see ^C printed in the terminal. The only way out is to either:

  1. Wait for the process to complete normally
  2. CTRL-Z to suspend + kill -9

Support alternate colors

Current color scheme may not work well for some people who are color blind or use different terminal settings.

ordering changes for roles

Going from AccountAlias => Alias => [list of roles]

As we use the arrow keys to go up / down the list of roles, the order changes.

Auto-refresh the cache when `config.yaml` changes

Right now we have to wait for the cache to expire or list --force-refresh for the config.yaml to be reloaded. Instead we can track the modification time of the config.yaml in the cache and auto-refresh when it changes.

Issue: -A and -R at same time not working

Hey, I'm trying to execute as help suggested, but with the short args it isn't working:

$ aws-sso.exe exec -A 123456789 -R AdministratorAccess
level=warning msg="Using insecure json file for SecureStore: C:\\Users\\xxxx/aws-sso/store.json"
level=fatal msg="Error running command: Please specify both --account and --role"

I need to specify the role with the arg --role to make it work:

$ aws-sso.exe exec -A 123456789 --role=AdministratorAccess aws sts get-caller-identity
level=warning msg="Using insecure json file for SecureStore: C:\\Users\\xxxx/aws-sso/store.json"
{
    "UserId": "XXXXXXXXXXXXXXXX",
    "Account": "123456789 ",
    "Arn": "arn:aws:sts::123456789 :assumed-role/AWSReservedSSO_AdministratorAccess_31ccd94aa023cc84/[email protected]"
}

Remember account/role history

Would be great if you could easily select from the last 5-10 used roles and use that instead of doing the whole query thing.

Does mean we can't rely on the last modified time of the cache file anymore.

AWS_PROFILE_ALIAS variable or something

When users run aws-cli exec they get a new shell with the necessary AWS ENV vars set, but none of the existing variables are great for integration into your prompt (account_id + rolename is VERY LONG). Would be great to be able to associate an alias like "prod:admin" for when someone is in the production account logged in as the Administrator role.

sign rpm/deb packages

Would be great if we could sign rpm/deb packages but pkg doesn't support that today. Could always use the native tools in docker to create signed packages? Not sure if it is worth it unless I also have a repo hosting.

Leading zero in account ID not working

I have multiple accounts in our ORG and most of them are working fine with this app, but we have 2 that start with a 0. I'm having problems with both when I try to get credentials:

C:\Users\xxx>aws-sso-beta exec --role AdministratorAccess  -A "032043643619" --level=debug
level=warning msg="Using insecure json file for SecureStore: C:\\Users\\xxx/aws-sso/store.json" func=main.main file="/mnt/d/Proyectos/aws-sso-cli/cmd/main.go:131"
level=debug msg="Fetching STS token from AWS SSO" func=main.GetRoleCredentials file="/mnt/d/Proyectos/aws-sso-cli/cmd/main.go:220"
level=fatal msg="Unable to get role credentials for AdministratorAccess" func=main.GetRoleCredentials file="/mnt/d/Proyectos/aws-sso-cli/cmd/main.go:226" error=": No access\n\tstatus code: 403, request id: "

Code Refactor

Too many different data structures for AWS SSO, Config & Cache. Need to unify everything around the Cache.

Use AWSSSO to discover roles, but config to decorate with tags

Right now I'm relying too much on the config file to contain a list of roles for the tags. Instead the config file with role/tags should be merely a decorator and AWSSSO authoritative. Then:

  1. Use tags for account level for all roles in that account
  2. Allow users to add additional tags on a per role basis (they need to specify the ARN or just RoleName?)
  3. Allow users to add non-AWS SSO roles they can 2-step access via AssumeRole using Via for a role. #38

Also consider how / when to require users to specify the entire ARN in the config.

console has both `-u` and `-p`

The console command generates a URL for accessing the console on top of the URL that may be handled for SSO.

It probably is too confusing to auto-open some URLs and print others/etc. So console should use the same method as the SSO.

two spaces causes a crash

Typing two spaces in a row causes a crash:

 ./dist/aws-sso-1.2.0 exec
Please use `exit` or `Ctrl-D` to quit.
> AccountID 193057370237 panic: runtime error: index out of range [3] with length 2 [recovered]
	panic: runtime error: index out of range [3] with length 2

goroutine 1 [running]:
github.com/alecthomas/kong.catch(0xc000509c30)
	/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/kong.go:366 +0xc5
panic(0x46419e0, 0xc0004b20a8)
	/usr/local/Cellar/go/1.16.5/libexec/src/runtime/panic.go:965 +0x1b9
main.argsToMap(0xc00034a000, 0x4, 0x4, 0xc000508f78, 0x0, 0x106, 0xc000508f58, 0x401daf3)
	/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/select.go:237 +0x5d3
main.completeTags(0xc000010508, 0xc000010538, 0xc00034a000, 0x4, 0x4, 0x3, 0xc00034a000, 0x4)
	/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/select.go:105 +0x5d
main.(*TagsCompleter).Complete(0xc00034a140, 0xc0004b2090, 0x18, 0x18, 0x56, 0x4623600, 0x1, 0xc0000c2040)
	/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/select.go:66 +0x1c7
github.com/c-bata/go-prompt.(*CompletionManager).Update(...)
	/Users/aturner/go/pkg/mod/github.com/c-bata/[email protected]/completion.go:68
github.com/c-bata/go-prompt.(*Prompt).Run(0xc000302c60)
	/Users/aturner/go/pkg/mod/github.com/c-bata/[email protected]/prompt.go:99 +0x663
main.(*ExecCmd).Run(0xc000001d48, 0xc00007af40, 0x0, 0x0)
	/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/exec_cmd.go:82 +0x40a
reflect.Value.call(0x45e8720, 0xc000001d48, 0x213, 0x467666d, 0x4, 0xc0002fe570, 0x1, 0x1, 0x1, 0x0, ...)
	/usr/local/Cellar/go/1.16.5/libexec/src/reflect/value.go:476 +0x8e7
reflect.Value.Call(0x45e8720, 0xc000001d48, 0x213, 0xc0002fe570, 0x1, 0x1, 0x0, 0x1, 0xc000300ac8)
	/usr/local/Cellar/go/1.16.5/libexec/src/reflect/value.go:337 +0xb9
github.com/alecthomas/kong.callMethod(0x467629e, 0x3, 0x464a2a0, 0xc000001d48, 0x199, 0x45e8720, 0xc000001d48, 0x213, 0xc0002e38f0, 0x16, ...)
	/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/callbacks.go:71 +0x4ba
github.com/alecthomas/kong.(*Context).RunNode(0xc00016c200, 0xc00029a1c0, 0xc00019fd28, 0x1, 0x1, 0x22, 0xc0002e33b0)
	/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/context.go:697 +0x545
github.com/alecthomas/kong.(*Context).Run(0xc00016c200, 0xc00019fd28, 0x1, 0x1, 0x0, 0x0)
	/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/context.go:714 +0x99
main.main()
	/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/main.go:150 +0x8f0
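
An added Go example, not the project's code: splitting the reported input plus two trailing spaces on single spaces yields four tokens, two of them empty, which matches the four-element slice passed to argsToMap in the trace above. That the prompt tokenizes input this way is an assumption; `rawTokens` and `pairTokens` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// rawTokens mimics splitting prompt input on single spaces (assumed behaviour):
// consecutive or trailing spaces produce empty tokens.
func rawTokens(line string) []string { return strings.Split(line, " ") }

// pairTokens (hypothetical helper) turns "Key Value Key Value ..." input into a
// map without ever indexing past the slice it iterates. It returns the
// completed pairs plus a trailing key that has no value yet.
func pairTokens(line string) (map[string]string, string) {
	fields := strings.Fields(line) // drops empty tokens from repeated spaces
	pairs := make(map[string]string, len(fields)/2)
	for i := 0; i+1 < len(fields); i += 2 {
		pairs[fields[i]] = fields[i+1]
	}
	pending := ""
	if len(fields)%2 == 1 {
		pending = fields[len(fields)-1]
	}
	return pairs, pending
}

func main() {
	line := "AccountID 193057370237  " // input from the report plus two spaces
	fmt.Printf("%q\n", rawTokens(line))
	pairs, pending := pairTokens(line)
	fmt.Printf("%v pending=%q\n", pairs, pending)
}
```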

Add support for opening AWS Console via browser

We can use our Role creds to hit the AWS Federated login endpoint to generate a URL which can be used to auto-login to the AWS web Console.

Ideally, users should be able to auto-open in private/incognito mode:
chrome -incognito
firefox -private -url xxxx

(on mac: open -na "Google Chrome" --args -incognito http://www.example.com)

But Safari sucks and requires AppleScript? https://apple.stackexchange.com/questions/416297/open-an-url-in-safari-with-private-browsing

Sadly doesn't look like open-golang supports this kind of feature today: skratchdot/open-golang#23
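
The two-step federation flow this issue refers to, as an added Go example that is not the project's code: it only builds the `getSigninToken` and `login` URLs for the AWS federation endpoint and makes no network call. The function names, the issuer string and the destination check are assumptions, and the credentials are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

const (
	federationEndpoint = "https://signin.aws.amazon.com/federation" // commercial partition
	consoleHost        = "console.aws.amazon.com"
)

// SigninTokenURL builds step 1: exchange temporary role credentials for a
// short-lived sign-in token. The result embeds the secrets; never log it.
func SigninTokenURL(accessKeyID, secretKey, sessionToken string) (string, error) {
	if accessKeyID == "" || secretKey == "" || sessionToken == "" {
		return "", errors.New("temporary credentials with a session token are required")
	}
	session, err := json.Marshal(map[string]string{
		"sessionId": accessKeyID, "sessionKey": secretKey, "sessionToken": sessionToken,
	})
	if err != nil {
		return "", err
	}
	q := url.Values{"Action": {"getSigninToken"}, "Session": {string(session)}}
	return federationEndpoint + "?" + q.Encode(), nil
}

// ConsoleLoginURL builds step 2: the URL the browser opens. The destination
// check (an added safeguard) keeps the post-login redirect on the AWS console.
func ConsoleLoginURL(signinToken, issuer, destination string) (string, error) {
	d, err := url.Parse(destination)
	if err != nil {
		return "", err
	}
	host := d.Hostname()
	if d.Scheme != "https" || (host != consoleHost && !strings.HasSuffix(host, "."+consoleHost)) {
		return "", fmt.Errorf("refusing non-console destination %q", destination)
	}
	q := url.Values{"Action": {"login"}, "Issuer": {issuer},
		"Destination": {destination}, "SigninToken": {signinToken}}
	return federationEndpoint + "?" + q.Encode(), nil
}

func main() { // constructed placeholder token, not a real one
	fmt.Println(ConsoleLoginURL("example-signin-token", "aws-sso-cli", "https://console.aws.amazon.com/"))
}
```

The first URL carries the secret key and session token in its query string and the second carries a bearer sign-in token, so neither belongs in logs or shell history.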

Missing tags?

Not seeing all the tags as being available at the top level?

Figure out tags

For a large number of accounts & roles, the typical AWS metadata is pretty limited and often leaves a lot to be desired unless companies are really good with naming their accounts & roles.

After some thought, it seems like the best way of solving this is allowing tags to be assigned to accounts and/or roles so that you can quickly filter based on environment (lab, prod, staging), BUs, teams, etc. and then select among the valid role(s) for the account(s).

Ideally these tags should be easy to share across teams so everyone doesn't have to curate their own list.

Multiple tabs of authorization

Hey,

I'm using your software to set up aws-sso and get credentials to log into eks. The software I'm using tries to refresh the credentials once they have expired.
I left my computer powered on with this software running and when I signed in again I saw this in my browser:

image

All of these are authorization requests pending approval in AWS. Is there any way to not spawn a new browser tab if the latest one is still open?

Use goroutine to handle `doAuth`

aws-sso still seems slow after selecting a role because of the need to talk to AWS. Can we do some of this in the background via a goroutine to help make things feel more snappy?

Split Tag name from Value

Right now the completer implements everything as a flat list which is wrong. Instead users should be first prompted to select a tag name, then the corresponding tag value. After this, the remaining tag names are available to be selected - until you have a single ARN. Or the user should be able to select ARN as the tag name and select from the complete list.

`exec` inside of another exec

Should investigate how we can call exec inside of an existing exec (renew vars) without manually print/copy/paste into shell.

Right now it kinda sucks that if you've already called exec once, you have to either unset your vars manually or exit the shell (possibly losing shell history)

Help: exec with arguments

Hi, I would like to integrate aws-sso-cli with lens in order to retrieve SSO tokens to log into our EKS.

To do this I need to run:

aws-sso.exe exec -A 123456789 --role=AdministratorAccess aws eks get-token --cluster-name my-cluster-name

but --cluster-name is being interpreted as an arg for aws-sso. I would like to suggest changing this behaviour to allow named parameters to be passed to the command.

aws-sso exec -A 123456789  --role=AdministratorAccess aws eks get-token --cluster-name aea-my-cluster-name
aws-sso.exe: error: unknown flag --cluster-name

Is there any other way to do this?
