Generating ~/.aws/credentials through AWS SSO via CLI

Rafael Sales — Sat, 06 Jun 2020 16:40:56 +0000

1. Configure AWS SSO via CLI

$ aws configure sso
SSO start URL [None]: https://mycompany.awsapps.com/start
SSO Region [None]: us-east-1
The only AWS account available to you is: 43294231752
Using the account ID 43294231752
The only role available to you is: DeveloperAccess
Using the role name "DeveloperAccess"
CLI default client Region [None]: us-east-1
CLI default output format [None]: json
CLI profile name [DeveloperAccess-43294231752]: mycompany

2. Find your role ARN

$ aws iam list-roles --profile mycompany
{
  "Roles": [
    {
      "Path": "/aws-reserved/sso.amazonaws.com/",
      "RoleName": "AWSReservedSSO_DeveloperAccess_d76dgf87km13mb",
      "RoleId": "D67DSAUSNJ3491KM",
      "Arn": "arn:aws:iam::43294231752:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DeveloperAccess_d76dgf87km13mb",
      ...
    },
  ...
]

To find the role in the list, simply look for a role name matching the one you saw in the 1st step, "DeveloperAccess" in this case.

3. Try fetching the credentials using the Arn above

$ aws sts assume-role
  --profile mycompany
  --role-session-name YourNameHere
  --role-arn arn:aws:iam::43294231752:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DeveloperAccess_d76dgf87km13mb

You should get a response like this

{
    "Credentials": {
        "AccessKeyId": "...",
        "SecretAccessKey": "...",
        "SessionToken": "...",
        "Expiration": "2020-06-06T16:48:03+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "...",
        "Arn": "..."
    }
}

4. Create a script to generate ~/.aws/credentials

I like to name this script aws_refresh_token.sh.
Also make sure to adjust the variables.

#!/bin/bash

# This script generates AWS Programmatic Access credentials from a user authenticated via SSO
# Before using, make sure that the AWS SSO is configured in your CLI: `aws configure sso`
# The Role ARN can be found in the AWS Console -> IAM -> Roles or via AWS CLI -> `aws iam list-roles`

profile="mycompany"
role_arn="arn:aws:iam::43294231752:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DeveloperAccess_d76dgf87km13mb"
user_name=$(git config user.name | sed 's/[^A-Za-z0-9+=,.@-]/-/g')

request_credentials() {
  credentials=$(
    aws sts assume-role \
      --profile $profile \
      --role-arn $role_arn \
      --role-session-name $user_name
  )
}
request_credentials

if [ $? -ne 0 ]; then
  aws sso login --profile "$profile"

  if [ $? -ne 0 ]; then
    exit 1
  fi

  request_credentials
fi

access_key_id=$(echo $credentials | perl -n -e'/"AccessKeyId": "([^,]+)"/ && print $1')
secret_key_id=$(echo $credentials | perl -n -e'/"SecretAccessKey": "([^,]+)"/ && print $1')
session_token=$(echo $credentials | perl -n -e'/"SessionToken": "([^,]+)"/ && print $1')

aws configure set --profile "$profile" aws_access_key_id "$access_key_id"
aws configure set --profile "$profile" aws_secret_access_key "$secret_key_id"
aws configure set --profile "$profile" aws_session_token "$session_token"

5. Testing