DEV Community

Cover image for AWS CDK with SSO Profiles
Jason C
Jason C

Posted on

AWS CDK with SSO Profiles

My new project is following the AWS Best Practices For Organizations and we have spun up over a dozen child accounts for different workloads and so far it's been pretty awesome.

All of our infrastructure is built using AWS Cloud Development Kit (CDK) which is also awesome! No need to write CloudFormation when you can write TypeScript!

We tied AWS SSO to our user directory, established groups with access to different workload accounts. Then we quickly found that CDK and SSO don't play well together.

Manually updating named profiles for every child account and syncing tokens seemed like a real pain, so we started to automate it! Step one, we needed to create SSO profiles for each account in the .aws\config file:

const fs = require("fs");
const accounts = [
  {name: "account1ProfileName", account: 1234567890},
  {name: "account9ProfileName", account: 0987654321}
]

let output = "";
accounts.forEach((a) => {
  const name = a.name;
  console.log(name);
  output += `
[profile ${name}]
sso_start_url = https://your_sso_domain.awsapps.com/start
sso_region = us-east-1
sso_account_id = ${a.account}
sso_role_name = AdministratorAccess
region = us-east-2\n`;
});

const filepath = `${process.env.USERPROFILE}\\.aws\\config`;
fs.writeFile(filepath, output, (err: any) => {
  if (err) return console.error(err);
  console.log("\nConfig file updated!");
});

Enter fullscreen mode Exit fullscreen mode

The above creates all the profiles for us and updates them into the .aws\config file. Now to solve the CDK SSO issue, we pulled in cdk-sso-sync and added a npm script: "sync": "cdk-sso-sync"

Now to we just run these two commands and we can use CDK with SSO!

aws sso login --profile account1ProfileName
npm run sync --profile account1ProfileName
Enter fullscreen mode Exit fullscreen mode

Top comments (0)