Service API : I want to do X using Y service, what should I do?
CLI : passing arguments or cli configurations.
Other/Not sure.
I would like to programmatically get AWS credentials with AWS SSO after login.
run aws sso login
complete the login process
export keys programmatically
First of all, I cannot find a way to retrieve them. I have been trying with some script:
```bash
#!/usr/bin/env bash
# Set strict mode if inside a script.
if [ -n "${BASH_SOURCE[0]:-}" ]; then
  set -euo pipefail
fi

echo "Loading temporary access credentials for AWS profile ${AWS_PROFILE:-default}..."

# Figure out temporary credentials.
# The SSO role ARN contains AWSReservedSSO_<name>_<suffix>; field 2 is the name.
SSO_ROLE=$(aws sts get-caller-identity --query=Arn | cut -d'_' -f 2)
echo "Found ${SSO_ROLE}"
SSO_ACCOUNT=$(aws sts get-caller-identity --query=Account --output text)
echo "Account ${SSO_ACCOUNT}"

# Takes the first matching cache file, whichever one that happens to be.
SESSION_FILE=$(find "$HOME"/.aws/sso/cache -type f -regex ".*/cache/[a-z0-9]*\.json" | head -n 1)
SSO_ACCESS_TOKEN=$(jq -r '.accessToken' "$SESSION_FILE")
CREDENTIALS=$(aws sso get-role-credentials --role-name="$SSO_ROLE" --account-id="$SSO_ACCOUNT" --access-token="$SSO_ACCESS_TOKEN")

# Export temporary credentials
AWS_ACCESS_KEY_ID=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.accessKeyId')
AWS_SECRET_ACCESS_KEY=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.secretAccessKey')
AWS_SESSION_TOKEN=$(echo "$CREDENTIALS" | jq -r '.roleCredentials.sessionToken')
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN
```
However, this is highly unreliable: first because there is not only one file in the cache folder, and also because the token contained in there does not seem to be working at all.
MatteoGioioso changed the title from "Way to retrieve SSO credentials programmatically" to "Export SSO credentials programmatically after browser login" on Aug 26, 2021
I think your script looks fine for the most part, but the role name needs to be the 'friendly name' of the role/permission set granted to your user (i.e. what's listed in your config file).
We do have a feature request open for this already, but I'd check out #4982 for some good discourse on the topic. A few community members have written similar tools/scripts for this functionality as well. Hope this helps!
Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
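An added example, not part of the original thread and not AWS CLI code: rather than taking the first file in `~/.aws/sso/cache`, it selects the token whose `startUrl` matches the profile's `sso_start_url` and whose `expiresAt` is still in the future, and returns the token's region alongside it. The cache field names other than `accessToken`, the two `expiresAt` suffixes, the function names and the sample cache contents are assumptions made for illustration.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def parse_expiry(value):
    # Assumption: expiresAt ends in "Z" or "UTC" depending on the CLI version.
    return datetime.fromisoformat(value.replace("UTC", "").rstrip("Z")).replace(tzinfo=timezone.utc)

def find_sso_token(cache_dir, start_url, now=None):
    """Return (access_token, sso_region) for the live token issued for start_url."""
    now = now or datetime.now(timezone.utc)
    live = []
    for path in Path(cache_dir).glob("*.json"):
        try:
            entry = json.loads(path.read_text())
            # Client registration files have no startUrl/accessToken; skip them.
            if entry["startUrl"].rstrip("/#") != start_url.rstrip("/#"):
                continue  # token belongs to a different SSO portal
            expires = parse_expiry(entry["expiresAt"])
            token, region = entry["accessToken"], entry.get("region")
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            continue  # unreadable, malformed, or not a token file
        if expires > now:
            live.append((expires, token, region))
    if not live:
        raise LookupError(f"no unexpired SSO token for {start_url}; run 'aws sso login'")
    _, token, region = max(live, key=lambda item: item[0])
    return token, region

def demo():
    # Constructed cache contents for illustration, not from a real machine.
    url = "https://example.awsapps.com/start"
    far = "2030-01-01T00:00:00Z"
    files = {
        "botocore-client-id-eu-west-1.json": {"clientId": "c", "clientSecret": "s", "expiresAt": far},
        "aaa.json": {"startUrl": "https://other.awsapps.com/start", "region": "us-east-1",
                     "accessToken": "OTHER", "expiresAt": far},
        "bbb.json": {"startUrl": url, "region": "eu-west-1",
                     "accessToken": "STALE", "expiresAt": "2020-01-01T00:00:00UTC"},
        "ccc.json": {"startUrl": url, "region": "eu-west-1", "accessToken": "LIVE", "expiresAt": far},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            Path(tmp, name).write_text(json.dumps(body))
        return find_sso_token(tmp, url, now=datetime(2025, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(demo())
```

The returned region is the one to pass as `--region` to `aws sso get-role-credentials`, together with the token and the friendly role name. Later AWS CLI v2 releases also ship `aws configure export-credentials`, which prints a profile's resolved credentials without reading the cache directly.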
So how can I achieve this?
If this is not possible could we have this as a feature request? I could submit a PR.
Thanks