Export SSO credentials programmatically after browser login #6357

Closed
3 of 5 tasks
MatteoGioioso opened this issue Aug 26, 2021 · 2 comments
Assignees
Labels
duplicate This issue is a duplicate. guidance Question that needs advice or information. sso

Comments

@MatteoGioioso

MatteoGioioso commented Aug 26, 2021

Confirm by changing [ ] to [x] below:

Issue is about usage on:

  • Service API : I want to do X using Y service, what should I do?
  • CLI : passing arguments or cli configurations.
  • Other/Not sure.

I would like to programmatically get AWS credentials with AWS SSO after login.

  1. run aws sso login
  2. complete the login process
  3. export keys programmatically

First of all, I cannot find a way to retrieve them; I have been trying with this script:

#!/usr/bin/env bash

# Set strict mode if inside a script.
if [ -n "${BASH_SOURCE[0]:-}" ]; then
	set -euo pipefail
fi

echo "Loading temporary access credentials for AWS profile ${AWS_PROFILE:-default}..."

# Figure out temporary credentials.
# The assumed-role ARN looks like .../AWSReservedSSO_<PermissionSet>_<hash>/<user>,
# so the second '_'-separated field is the permission set (role) name.
SSO_ROLE=$(aws sts get-caller-identity --query=Arn --output text | cut -d'_' -f 2)
echo "Found role ${SSO_ROLE}"
SSO_ACCOUNT=$(aws sts get-caller-identity --query=Account --output text)
echo "Account ${SSO_ACCOUNT}"
# Token files in the cache are named by a hex hash; take the first one 'find' lists.
SESSION_FILE=$(find "$HOME"/.aws/sso/cache -type f -regex '.*/cache/[a-f0-9]+\.json' | head -n 1)
SSO_ACCESS_TOKEN=$(jq -r '.accessToken' "$SESSION_FILE")
CREDENTIALS=$(aws sso get-role-credentials --role-name="$SSO_ROLE" --account-id="$SSO_ACCOUNT" --access-token="$SSO_ACCESS_TOKEN")

# Export temporary credentials
AWS_ACCESS_KEY_ID=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.accessKeyId')
AWS_SECRET_ACCESS_KEY=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.secretAccessKey')
AWS_SESSION_TOKEN=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.sessionToken')
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN

However, this is highly unreliable: first because there is not only one file in the cache folder, and also because the token contained in there does not seem to work at all.

So how can I achieve this?

function exportAWSCredentials() { ... }

aws sso login

# 'trap' must be lowercase: bash builtins are case-sensitive
trap exportAWSCredentials EXIT

If this is not possible could we have this as a feature request? I could submit a PR.

Thanks

Platform/OS/Hardware/Device

aws-cli/2.1.27 Python/3.9.2 Linux/5.4.0-81-generic source/x86_64.ubuntu.18 prompt/off


@MatteoGioioso MatteoGioioso added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Aug 26, 2021
@MatteoGioioso MatteoGioioso changed the title Way to retrieve SSO credentials programmatically Export SSO credentials programmatically after browser login Aug 26, 2021
@stobrien89
Member

stobrien89 commented Aug 26, 2021

Hi @MatteoGioioso,

I think your script looks fine for the most part, but the role name needs to be the 'friendly name' of the role/permission set granted to your user (i.e. what's listed in your config file).

We do have a feature request open for this already, but I'd check out #4982 for some good discourse on the topic. A few community members have written similar tools/scripts for this functionality as well. Hope this helps!

@stobrien89 stobrien89 self-assigned this Aug 26, 2021
@stobrien89 stobrien89 added duplicate This issue is a duplicate. sso and removed needs-triage This issue or PR still needs to be triaged. labels Aug 26, 2021
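Added example, not code from this issue or from the AWS CLI: the unreliable part of the script above is picking the cache file, because ~/.aws/sso/cache also holds botocore-client-id-<region>.json (the OIDC client registration) and tokens from earlier logins that have expired. This selects the unexpired token that expires last, assuming the CLI v2 cache layout (token files named by a hex hash carrying accessToken and expiresAt, with expiresAt ending in "Z" or, on older CLIs, "UTC"); the sample files and clock are constructed so it runs offline.

```python
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample cache files (not real tokens) as they would sit in ~/.aws/sso/cache.
SAMPLE_CACHE = {
    "botocore-client-id-us-east-1.json": {"clientId": "x", "clientSecret": "y"},
    "0123456789abcdef0123456789abcdef01234567.json": {
        "region": "us-east-1", "accessToken": "STALE", "expiresAt": "2021-08-25T10:00:00Z"},
    "89abcdef0123456789abcdef0123456789abcdef.json": {
        "region": "us-east-1", "accessToken": "FRESH", "expiresAt": "2021-08-26T20:00:00Z"},
}
SAMPLE_NOW = datetime(2021, 8, 26, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock


def parse_expires_at(value):
    """Accept the 'Z' and the older 'UTC' suffix; return an aware UTC datetime."""
    for suffix in ("Z", "UTC"):
        if value.endswith(suffix):
            naive = datetime.strptime(value[:-len(suffix)], "%Y-%m-%dT%H:%M:%S")
            return naive.replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised expiresAt format: {value}")


def find_sso_access_token(cache_dir, now):
    """Return (accessToken, region) of the unexpired token expiring last, else None."""
    best = None
    for name in sorted(os.listdir(cache_dir)):
        # botocore-client-id-*.json holds the OIDC client registration, not a token
        if not name.endswith(".json") or name.startswith("botocore-client-id-"):
            continue
        with open(os.path.join(cache_dir, name)) as fh:
            entry = json.load(fh)
        if "accessToken" not in entry or "expiresAt" not in entry:
            continue
        expires = parse_expires_at(entry["expiresAt"])
        if expires <= now:
            continue  # stale token: the "does not seem to be working" case
        if best is None or expires > best[0]:
            best = (expires, entry["accessToken"], entry.get("region"))
    return None if best is None else (best[1], best[2])


def demo(now=SAMPLE_NOW):
    """Write SAMPLE_CACHE to a temporary directory and select a token from it."""
    with tempfile.TemporaryDirectory() as cache_dir:
        for name, body in SAMPLE_CACHE.items():
            with open(os.path.join(cache_dir, name), "w") as fh:
                json.dump(body, fh)
        return find_sso_access_token(cache_dir, now)
```

The returned token is what goes into `--access-token` for `aws sso get-role-credentials`; the `--role-name` still has to be the permission set's friendly name from the config profile, as stobrien89 notes above.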
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
