synfinatic / aws-sso-cli Goto Github PK

if you have an existing aws API creds AWS_SECRET_API_KEY and AWS_ACCESS_KEY_ID generate the URL without requiring doing it's own assume role

If you first choose Role <rolename> then you get a list of ARN's in different accounts to select from, but no meta data. Would be really nice if we picked the AccountName (or Email or AccountAlias?) and presented that as a comment to aid in selection since people may not know what they want by the AccountID directly

synfinatic/onelogin-aws-role#41

Feature request:

As far as I can see the package does not support SSO with MFA atm 😊

This is only a feature request, that makes the package support MFA

Feel free to comment to start a discussion on the topic 👍🏼

Read on MFA here : https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-mfa.html

When using UrlAction: clip, restore the previous contents of the clipboard. Relatively easy to add for AWS SSO login, but a bit harder with the console command since there's no way to detect it has been loaded. Arguably we should be consistent?

1Password does this after a ~30sec delay? Add notification? https://github.com/gen2brain/beeep

If you have a role with a unique tag Test: Foo and then use that tag to select it via exec as => Test Foo then you can't actually select the Role because the description is the Role, but you selected Foo.

Basically go-prompt is blocking CTRL-C even after you have made a selection and Prompt.Run() has returned. The result is that if you try CTRL-C during AWS SSO / OIDC login/authentication, rather than the tool exiting like the user expects, they just see ^C printed in the terminal. The only way out is to either:

1. Wait for the process to complete normally
2. CTRL-Z to suspend + kill -9

Current color scheme may not work well for some people who are color blind or use different terminal settings.

Running the list command, results in the Expires column always empty even when there is an active session.

going from AccountAlias => Alias => [list of roles]

As we use the arrow keys to go up / down the list of roles, the order changes

AWS session management in the browser can cause problems so it's useful to be able to open the console in a private tab/incognito mode.

Right now we have to wait for the cache to expire or list --force-refresh for the config.yaml to be reloaded. Instead we can track the modification time of the config.yaml in the cache and auto-refresh when it changes.

Hey, I'm trying to execute as help suggested but with the short agrs isn't working

$ aws-sso.exe exec -A 123456789 -R AdministratorAccess
level=warning msg="Using insecure json file for SecureStore: C:\\Users\\xxxx/aws-sso/store.json"
level=fatal msg="Error running command: Please specify both --account and --role"

I need to specify de role with the arg --role to make it work:

$ aws-sso.exe exec -A 123456789 --role=AdministratorAccess aws sts get-caller-identity
level=warning msg="Using insecure json file for SecureStore: C:\\Users\\xxxx/aws-sso/store.json"
{
    "UserId": "XXXXXXXXXXXXXXXX",
    "Account": "123456789 ",
    "Arn": "arn:aws:sts::123456789 :assumed-role/AWSReservedSSO_AdministratorAccess_31ccd94aa023cc84/[email protected]"
}

knowing how many days/hours/min/sec would probably be useful

would be great if you could easily select from the last 5-10 used roles and use that instead of doing the whole query thing

Does mean we can't rely on the last modified time of the cache file anymore.

right now only json store technically works

when users run aws-cli exec they get a new shell with the necessary AWS ENV vars set, but none of the existing variables are great for integration into your prompt (account_id + rolename is VERY LONG). would be great to be able to associate an alias like "prod:admin" for when someone is in the production account logged in as the Administrator role.

We already store the expire time in a variable, would be nice to tell people how much time they have left. then they could include that in their shell prompt :)

should be able to set specify the AWS_DEFAULT_REGION on a per account and SSO basis.

Would be nice to not be prompted for a password until you try to access AWS SSO.

Would be great if we could sign rpm/deb packages but pkg doesn't support that today. Could always use the native tools in docker create signed packages? Not sure if it is worth it unless I also have a repo hosting.

I have multiple accounts in our ORG and most of them are working fine with this app but we have 2 that starts with a 0, I'm having problems with both when I try to get credentials:

C:\Users\xxx>aws-sso-beta exec --role AdministratorAccess  -A "032043643619" --level=debug
level=warning msg="Using insecure json file for SecureStore: C:\\Users\\xxx/aws-sso/store.json" func=main.main file="/mnt/d/Proyectos/aws-sso-cli/cmd/main.go:131"
level=debug msg="Fetching STS token from AWS SSO" func=main.GetRoleCredentials file="/mnt/d/Proyectos/aws-sso-cli/cmd/main.go:220"
level=fatal msg="Unable to get role credentials for AdministratorAccess" func=main.GetRoleCredentials file="/mnt/d/Proyectos/aws-sso-cli/cmd/main.go:226" error=": No access\n\tstatus code: 403, request id: "

Too many different data structures for AWS SSO, Config & Cache. Need to unify everything around the Cache.

It is out dated and kinda ugly with the extra >>

Might be interesting to generate / update the necessary config? ideally would have to parse the config file which could get annoying?

Right now I'm relying too much on the config file to contain a list of roles for the tags. Instead the config file with role/tags should be merely a decorator and AWSSSO authorative. Then:

1. Use tags for account level for all roles in that account
2. Allow users to add additional tags on a per role basis (they need to specify the ARN or just RoleName?)
3. Allow users to add non-AWS SSO roles they can 2-step access via AssumeRole using Via for a role. #38

Also consider how / when to require users to specify the entire ARN in the config.

Need to do testing, but right now I assume this is a bug on my end causing the list to re-order when the user presses up/down arrow.

The console command generates a URL for accessing the console on top of the URL that may be handled for SSO.

It probably is too confusing to auto-open some URL's and print others/etc. So console should use the same method as the SSO.

Support role chaining so you can assume roles in other accounts or roles that are not defined via AWS SSO/Permission Sets. This is similar to the ~/.aws/config source_profile option, but that does not support AWS SSO!

Docs: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
And: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html

users should be able to override the default fields via the config file, not just via the CLI

typing two spaces in a row causes a crash:

 ./dist/aws-sso-1.2.0 exec
Please use `exit` or `Ctrl-D` to quit.
> AccountID 193057370237 panic: runtime error: index out of range [3] with length 2 [recovered]
	panic: runtime error: index out of range [3] with length 2

goroutine 1 [running]:
github.com/alecthomas/kong.catch(0xc000509c30)
	/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/kong.go:366 +0xc5
panic(0x46419e0, 0xc0004b20a8)
	/usr/local/Cellar/go/1.16.5/libexec/src/runtime/panic.go:965 +0x1b9
main.argsToMap(0xc00034a000, 0x4, 0x4, 0xc000508f78, 0x0, 0x106, 0xc000508f58, 0x401daf3)
	/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/select.go:237 +0x5d3
main.completeTags(0xc000010508, 0xc000010538, 0xc00034a000, 0x4, 0x4, 0x3, 0xc00034a000, 0x4)
	/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/select.go:105 +0x5d
main.(*TagsCompleter).Complete(0xc00034a140, 0xc0004b2090, 0x18, 0x18, 0x56, 0x4623600, 0x1, 0xc0000c2040)
	/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/select.go:66 +0x1c7
github.com/c-bata/go-prompt.(*CompletionManager).Update(...)
	/Users/aturner/go/pkg/mod/github.com/c-bata/[email protected]/completion.go:68
github.com/c-bata/go-prompt.(*Prompt).Run(0xc000302c60)
	/Users/aturner/go/pkg/mod/github.com/c-bata/[email protected]/prompt.go:99 +0x663
main.(*ExecCmd).Run(0xc000001d48, 0xc00007af40, 0x0, 0x0)
	/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/exec_cmd.go:82 +0x40a
reflect.Value.call(0x45e8720, 0xc000001d48, 0x213, 0x467666d, 0x4, 0xc0002fe570, 0x1, 0x1, 0x1, 0x0, ...)
	/usr/local/Cellar/go/1.16.5/libexec/src/reflect/value.go:476 +0x8e7
reflect.Value.Call(0x45e8720, 0xc000001d48, 0x213, 0xc0002fe570, 0x1, 0x1, 0x0, 0x1, 0xc000300ac8)
	/usr/local/Cellar/go/1.16.5/libexec/src/reflect/value.go:337 +0xb9
github.com/alecthomas/kong.callMethod(0x467629e, 0x3, 0x464a2a0, 0xc000001d48, 0x199, 0x45e8720, 0xc000001d48, 0x213, 0xc0002e38f0, 0x16, ...)
	/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/callbacks.go:71 +0x4ba
github.com/alecthomas/kong.(*Context).RunNode(0xc00016c200, 0xc00029a1c0, 0xc00019fd28, 0x1, 0x1, 0x22, 0xc0002e33b0)
	/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/context.go:697 +0x545
github.com/alecthomas/kong.(*Context).Run(0xc00016c200, 0xc00019fd28, 0x1, 0x1, 0x0, 0x0)
	/Users/aturner/go/pkg/mod/github.com/alecthomas/[email protected]/context.go:714 +0x99
main.main()
	/Users/aturner/go/src/github.com/synfinatic/aws-sso-cli/cmd/main.go:150 +0x8f0

if you have AWS_PROFILE it is carried over to the new shell and then you have both. probably best to just detect and clear the env or abort?

We can use our Role creds to hit the AWS Federated login endpoint to generate a URL which can be used to auto-login to the AWS web Console.

Ideally, users should be able to auto-open in private/incognito mode:
chrome -incognito
firefox -private -url xxxx

(on mac: open -na "Google Chrome" --args -incognito http://www.example.com)

But Safari sucks and requires Applescript? https://apple.stackexchange.com/questions/416297/open-an-url-in-safari-with-private-browsing

sadly doesn't look like open-golang supports this kind of feature today: skratchdot/open-golang#23

right now we always auto-open. should give people the functionality to click on url in console or just put in clipboard.

Should support deleting any individual creds, not just the SSO token which is used to get new IAM STS creds

Not seeing all the tags as being available at the top level?

For large number of accounts & roles, the typical AWS meta data is pretty limited and often leaves a lot to be desired unless companies are really good with naming their accounts & roles.

After some thought, it seems like the best way of solving this is allowing tags to be assigned to accounts and/or roles so that you can quickly filter based on environment (lab, prod, staging), BU's, teams, etc and then select among the valid role(s) for the account(s).

Ideally these tags should be easy to share across teams so everyone doesn't have to curate their own list.

https://goreleaser.com/ ?

users should be able to encrypt the json store and type a password?

Users shouldn't be forced to start a new shell/execute a command, but should be able to do the eval $(aws-sso ...) trick when they specify all the CLI args.

Hey,

I'm using your software to setup aws-sso and get cretentials to log into eks. The software I'm using tries to refresh the credentials once they have been expired.
I left my computer powered on with this software running and when I opened signed in again I saw this in my browser:

All of this are requests of authorizations pending for allowing them in AWS, is there any way to not spawn a new browser tab if still open the latest?

https://github.com/WillAbides/kongplete and/or https://github.com/posener/complete ?

aws-sso still seems slow after selecting a role because of the need to talk to AWS. Can we do some of this in the background via a goroutine to help make things feel more snappy?

Right now the completer implements everything as a flat list which is wrong. Instead users should be first prompted to select a tag name, then the corresponding tag value. After this, the remaining tag names are available to be selected - until you have a single ARN. Or the user should be able to select ARN as the tag name and select from the complete list.

Should investigate how we can call exec inside of an existing exec (renew vars) without manually print/copy/paste into shell.

Right now it kinda sucks that if you've already called exec once, you have to either unset your vars manually or exit the shell (possibly losing shell history)

All my code uses / instead of \.

Hi, I would like to integrate aws-sso-cli with lens in order to retrieve SSO tokens to log into our EKS.

To do this i need to run:

aws-sso.exe exec -A 123456789 --role=AdministratorAccess aws eks get-token --cluster-name my-cluster-name

but
--cluster-name is been interpreted as an arg for aws-sso I would like to suggest changing this behaviour to allow named parameters being passed to the command.

aws-sso exec -A 123456789  --role=AdministratorAccess aws eks get-token --cluster-name aea-my-cluster-name
aws-sso.exe: error: unknown flag --cluster-name

is there any other way to do this?

Lets you select the first item, but doesn't drill down