Add support for AWS Single Sign-On

[brandond]

AWS recently released a SSO service that integrates with Organizations and the AWS Directory Service:
https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html

Currently, the only way to consume this service is via a browser. Shortcuts are provided to copy and paste shell commands to export the appropriate environment variables, but this is unacceptable. Users should not need to use a web browser to authenticate with CLI tools.

Other tools such as aws-adfs exist to do this for ADFS, Octa, etc, but there are not currently any for AWS SSO. Since this is a first-party AWS service, aws-cli should support it.

[justnance]

@brandond, Thank you for reaching out. This seems like a reasonable feature request marking the label as such. Can you tell me more how you would like this feature to work or provide an example. Thanks.

[brandond]

Other tools in this space use interactive prompts, much like the aws configure command. The work flow is generally something along the lines of:

• Prompt for username
• Prompt for password
• Prompt for MFA code (if necessary)
• Make login call to SSO service, enumerate available roles, retrieve SAML assertion
• Parse SAML assertion to discover available roles
• Prompt to select role
• Make STS:AssumeRoleWithSAML call
• Store temporary credentials returned by STS to profile (~/.aws/credentials)

I haven't been able to find any documentation on APIs for configuring or consuming SSO, but a quick look at the developer tool network log in my browser indicates that there is a REST service behind the console.

[justnance]

@brandond, Thank you for your feedback. It sound reasonable and this issue will remain labeled as feature request. Thanks.

[hassankhan]

+1 to this, would make our lives much easier

[ghost]

We need CLI support. Right now our devs are stuck logging in and out of the SSO screen to get credentials every hour.

[angusfz]

+1 For this feature

[Kim725]

+1 For this feature

[jonatasalves-hotmart]

+1 For this feature

[Zordrak]

100% required.

[Photon0gen]

+1

[akr257]

+1 for this feature. AWS SSO became available in our region (Sydney), but sadly it doesn't look like we can use it until the aws cli supports gaining access programatically.

[hammerheadgit]

+1 for this. This would make a huge business impact. Atleast for us.

[theTestTube]

+1

[et304383]

It's been months. Where is the support for AWS SSO? If it's going to be a competitor to Okta, Keycloak, or ADFS, it needs CLI methods to access credentials.

[cargauer]

+1 having AWS Landing Zone with integrated SSO and can't use CLI with it, is no good product solution ... please add this feature

[davidrdark]

+1

[supergicko]

+1

[jtheuer]

+1 but consider also SAML IdPs which require you to login via web

[Codeseer]

+1

[jamestharpe]

+1

Yes please, this would save a lot of time and hassle.

[mechanicalpete]

+1

[mkarnati-chwy]

+1 +1 +1

[dan-lind]

+1

[ORESoftware]

AWS-CLI and AWS-SDK support would be nice

aws/aws-sdk-js#2772

[m6a-UdS]

+1

[C-Kenny]

+1 we still updating our credentials files every hour with keys from the browser

[avanbecelaere]

+1

[reidca]

We need CLI support. Right now our devs are stuck logging in and out of the SSO screen to get credentials every hour.

This was driving me crazy, until AWS implement a new feature it is possible to extend this to up to 12 hours to make it less burdensome.

[ccsalway]

+100

[DaveOps83]

+600

[mo-saeed]

+1

[mo-saeed]

Would be good also to add support for cloud-formation and python sdk.

[arthur-burkart-simplisafe]

@reidca – does this help?
https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html

[matwerber1]

longer session duration is nice, but would be great if we could programmatically authenticate without the need to go through a browser; helps automate and simplify local dev.

[wnkz]

So I got tired of waiting and made a small tool for this. It's still very early and could be improved but it has worked for me for the last couple of weeks.
Have a look and tell me what you think: github.com/wnkz/aws-sso.
Hope this can help some of you as well.

[mark-bixler]

This is the current challenge that prohibiting us from using SSO and keeping our developers staying on GCP. Most of our Dev's are using Windows Boxes w/ Visual Studio.

[jesuskwice]

@brandond, Thank you for reaching out. This seems like a reasonable feature request marking the label as such. Can you tell me more how you would like this feature to work or provide an example. Thanks.

Hi @justnance, any progress update on this? This is a very critical piece for many, in determining whether they can utilize AWS Directory Service / SSO, or need to go a different route (e.g., Okta, etc). Hoping there may be light at the end of this tunnel soon...?

[valayDave]

Is there a way to create permission sets for AWS SSO via CLI?

[JohnVonNeumann]

It is absolutely ridiculous that no one has responded to this in almost 18 months.

[icysharp]

finally, it's here with AWS CLI v2 preview. works great for me. thanks!

https://aws.amazon.com/blogs/developer/aws-cli-v2-now-supports-aws-single-sign-on/

[kyleknap]

Closing issue. It is now supported in AWS CLI v2 developer preview and instructions on how to configure it can be found in the v2 user guide: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

[danushkaf]

Is there a way to do login programatically. We need to do this from a script to be able to connect to k8s cluster created in AWS control tower managed account.

[spanky-medal]

Mandatory browser interaction seems absurd. Are there any plans to improve this with any of the suggestions, like --no-browser, etc?