My new project follows the AWS Best Practices for Organizations, and we have spun up over a dozen child accounts for different workloads. So far it's been pretty awesome.
All of our infrastructure is built with the AWS Cloud Development Kit (CDK), which is also awesome: no need to write CloudFormation when you can write TypeScript!
We tied AWS SSO to our user directory and set up groups with access to the different workload accounts. Then we quickly found that CDK and SSO don't play well together.
Manually maintaining a named profile for every child account and syncing tokens by hand looked like a real pain, so we started to automate it. Step one was to create an SSO profile for each account in the .aws\config file:
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// AWS account IDs are 12-digit strings that may begin with 0, so keep them as
// strings: a numeric literal would drop the leading zero (and TypeScript rejects
// decimal literals with a leading zero). The values here are placeholders.
const accounts = [
  { name: "account1ProfileName", account: "1234567890" },
  { name: "account9ProfileName", account: "0987654321" },
];
let output = "";
accounts.forEach((a) => {
  const name = a.name;
  console.log(name);
  output += `
[profile ${name}]
sso_start_url = https://your_sso_domain.awsapps.com/start
sso_region = us-east-1
sso_account_id = ${a.account}
sso_role_name = AdministratorAccess
region = us-east-2\n`;
});
// os.homedir() is %USERPROFILE% on Windows and $HOME elsewhere.
const filepath = path.join(os.homedir(), ".aws", "config");
// Caution: this replaces the whole config file, so any profiles you keep by hand are lost.
fs.writeFile(filepath, output, (err) => {
  if (err) return console.error(err);
  console.log("\nConfig file updated!");
});
The above generates all the profiles for us and writes them into the .aws\config file. Note that sso_role_name is the name of the SSO permission set you are allowed to assume in that account; it does not have to be AdministratorAccess for every workload, and a read-only or deploy-scoped permission set is the better default where it will do. To solve the CDK SSO issue, we pulled in cdk-sso-sync and added an npm script: "sync": "cdk-sso-sync"
Now we just run these two commands and we can use CDK with SSO! (The "--" is needed so npm forwards the --profile flag to the script instead of parsing it as an npm option.)
aws sso login --profile account1ProfileName
npm run sync -- --profile account1ProfileName
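The generator above rewrites the entire config file, which is fine for a fresh machine but wipes any [default] or hand-maintained profiles on a workstation that already has them, and it stores account IDs as numbers. The following is an added example, not code from the original post, that validates each account ID as a 12-digit string, renders the same SSO profile layout, and merges the managed profiles into an existing .aws\config while leaving every other section untouched; it also lets each account carry its own permission set instead of AdministratorAccess everywhere. The start URL, regions, account IDs, profile names and permission set names are placeholders.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// One SSO-backed named profile. Account IDs are 12-digit strings that may
// start with 0, so they are never handled as numbers.
interface SsoProfile {
  name: string;
  accountId: string;
  roleName: string; // the SSO permission set your group holds in this account
  region?: string;  // default region for CLI/CDK calls into this account
}

// Placeholder values; replace with your own organization's settings.
const SSO_START_URL = "https://your_sso_domain.awsapps.com/start";
const SSO_REGION = "us-east-1";
const DEFAULT_REGION = "us-east-2";

const ACCOUNT_ID = /^\d{12}$/;
const PROFILE_NAME = /^[A-Za-z0-9_-]+$/;

// Validate and render one [profile ...] section (same keys as the original script).
function renderProfile(p: SsoProfile): string {
  if (!PROFILE_NAME.test(p.name)) throw new Error(`bad profile name: ${p.name}`);
  if (!ACCOUNT_ID.test(p.accountId)) throw new Error(`bad account id for ${p.name}: ${p.accountId}`);
  return [
    `[profile ${p.name}]`,
    `sso_start_url = ${SSO_START_URL}`,
    `sso_region = ${SSO_REGION}`,
    `sso_account_id = ${p.accountId}`,
    `sso_role_name = ${p.roleName}`,
    `region = ${p.region ?? DEFAULT_REGION}`,
  ].join("\n");
}

// Split an INI-style config into ordered sections; text before the first
// header is kept under the "" key so nothing is dropped.
function parseSections(text: string): Array<{ header: string; body: string[] }> {
  const sections = [{ header: "", body: [] as string[] }];
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*\[(.+?)\]\s*$/.exec(line);
    if (m) sections.push({ header: m[1].trim(), body: [] });
    else sections[sections.length - 1].body.push(line);
  }
  return sections;
}

// Replace the managed SSO profiles in place, append the ones that are new,
// and leave every other section ([default], other profiles, sso-session
// blocks, comments) as it was. Running it twice yields the same file.
function mergeConfig(existing: string, profiles: SsoProfile[]): string {
  const managed = new Map<string, SsoProfile>(
    profiles.map((p): [string, SsoProfile] => [`profile ${p.name}`, p]),
  );
  const out: string[] = [];
  const seen = new Set<string>();
  for (const s of parseSections(existing)) {
    const p = managed.get(s.header);
    if (p) {
      out.push(renderProfile(p));
      seen.add(s.header);
    } else if (s.header) {
      out.push([`[${s.header}]`, ...s.body].join("\n"));
    } else if (s.body.join("").trim()) {
      out.push(s.body.join("\n"));
    }
  }
  managed.forEach((p, header) => {
    if (!seen.has(header)) out.push(renderProfile(p));
  });
  return out.map((block) => block.replace(/\s+$/, "")).join("\n\n") + "\n";
}

// Placeholder accounts; one permission set per workload rather than admin everywhere.
const profiles: SsoProfile[] = [
  { name: "account1ProfileName", accountId: "123456789012", roleName: "AdministratorAccess" },
  { name: "account9ProfileName", accountId: "098765432109", roleName: "ReadOnlyAccess" },
];

function configPath(): string {
  return path.join(os.homedir(), ".aws", "config"); // %USERPROFILE%\.aws\config on Windows
}

function main(): void {
  const file = configPath();
  const existing = fs.existsSync(file) ? fs.readFileSync(file, "utf8") : "";
  const merged = mergeConfig(existing, profiles);
  if (process.argv.includes("--write")) {
    fs.mkdirSync(path.dirname(file), { recursive: true });
    // mode only applies when the file is created (and is ignored on Windows).
    fs.writeFileSync(file, merged, { mode: 0o600 });
    console.log(`Updated ${file} with ${profiles.length} SSO profiles`);
  } else {
    process.stdout.write(merged); // dry run: review the result first
  }
}

if (process.argv.includes("--dry-run") || process.argv.includes("--write")) main();
```

Run it with --dry-run to print the merged file and --write to save it; the 10-digit account IDs from the original snippet would be rejected at render time rather than silently producing a profile that cannot log in.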