1. Configure AWS SSO via CLI
$ aws configure sso
SSO start URL [None]: https://mycompany.awsapps.com/start
SSO Region [None]: us-east-1
The only AWS account available to you is: 43294231752
Using the account ID 43294231752
The only role available to you is: DeveloperAccess
Using the role name "DeveloperAccess"
CLI default client Region [None]: us-east-1
CLI default output format [None]: json
CLI profile name [DeveloperAccess-43294231752]: mycompany
2. Find your role ARN
$ aws iam list-roles --profile mycompany
{
    "Roles": [
        {
            "Path": "/aws-reserved/sso.amazonaws.com/",
            "RoleName": "AWSReservedSSO_DeveloperAccess_d76dgf87km13mb",
            "RoleId": "D67DSAUSNJ3491KM",
            "Arn": "arn:aws:iam::43294231752:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DeveloperAccess_d76dgf87km13mb",
            ...
        },
        ...
    ]
}
To find the role in the list, look for a role name matching the one you saw in step 1, "DeveloperAccess" in this case.
3. Try fetching the credentials using the ARN above
$ aws sts assume-role \
    --profile mycompany \
    --role-session-name YourNameHere \
    --role-arn arn:aws:iam::43294231752:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DeveloperAccess_d76dgf87km13mb
You should get a response like this:
{
    "Credentials": {
        "AccessKeyId": "...",
        "SecretAccessKey": "...",
        "SessionToken": "...",
        "Expiration": "2020-06-06T16:48:03+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "...",
        "Arn": "..."
    }
}
4. Create a script to generate ~/.aws/credentials
I like to name this script aws_refresh_token.sh. Also make sure to adjust the variables.
#!/bin/bash
# This script generates AWS programmatic access credentials for a user authenticated via SSO
# Before using, make sure that AWS SSO is configured in your CLI: `aws configure sso`
# The role ARN can be found in the AWS Console -> IAM -> Roles or via the AWS CLI: `aws iam list-roles`
profile="mycompany"
role_arn="arn:aws:iam::43294231752:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DeveloperAccess_d76dgf87km13mb"
# The session name shows up in CloudTrail; keep only the characters STS allows
user_name=$(git config user.name | sed 's/[^A-Za-z0-9+=,.@-]/-/g')

request_credentials() {
    # Force JSON output so the parsing below does not depend on the profile's output format
    credentials=$(
        aws sts assume-role \
            --profile "$profile" \
            --role-arn "$role_arn" \
            --role-session-name "$user_name" \
            --output json
    )
}

# First attempt; if the SSO session has expired, log in again and retry once
if ! request_credentials; then
    aws sso login --profile "$profile" || exit 1
    request_credentials || exit 1
fi

# Extract the three fields; stop at the closing quote so tokens containing '+', '/' or '=' stay intact
access_key_id=$(echo "$credentials" | perl -n -e '/"AccessKeyId": "([^"]+)"/ && print $1')
secret_access_key=$(echo "$credentials" | perl -n -e '/"SecretAccessKey": "([^"]+)"/ && print $1')
session_token=$(echo "$credentials" | perl -n -e '/"SessionToken": "([^"]+)"/ && print $1')

# Never write a partial profile: bail out if any field failed to parse
if [ -z "$access_key_id" ] || [ -z "$secret_access_key" ] || [ -z "$session_token" ]; then
    echo "Could not parse credentials from the assume-role response" >&2
    exit 1
fi

aws configure set --profile "$profile" aws_access_key_id "$access_key_id"
aws configure set --profile "$profile" aws_secret_access_key "$secret_access_key"
aws configure set --profile "$profile" aws_session_token "$session_token"
5. Testing
$ ./aws_refresh_token.sh
$ cat ~/.aws/credentials
[mycompany]
aws_access_key_id = ...
aws_secret_access_key = ...
aws_session_token = ...
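As an added example (not part of the original post or its script), the helpers below show how to harden the refresh flow: validate the assume-role JSON before anything reaches ~/.aws/credentials, and compute how long the session has left without relying on GNU `date -d`. They assume the response shape from step 3; SAMPLE_JSON holds constructed placeholder values.

```shell
#!/bin/sh
# Added example: hardening helpers for the SSO credential refresh flow above.
# Validates the assume-role JSON before writing, and computes remaining session
# lifetime portably. Assumed: the step 3 response shape; SAMPLE_JSON is constructed.

SAMPLE_JSON='{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLE0000000001",
    "SecretAccessKey": "example/Secret+Key/With=Specials",
    "SessionToken": "ExampleToken+with/base64=chars==",
    "Expiration": "2020-06-06T16:48:03+00:00"
  }
}'

# json_field JSON KEY: print the string value of KEY, stopping at the closing quote.
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# iso_to_epoch 2020-06-06T16:48:03+00:00 -> 1591462083 (UTC timestamps only),
# using the days-from-civil formula so it behaves the same on Linux and macOS.
iso_to_epoch() {
    case "$1" in *+00:00|*Z) ;; *) return 1 ;; esac
    set -- $(printf '%s' "$1" | cut -c1-19 | tr 'T:-' '   ')
    y=$1 m=${2#0} d=${3#0} H=${4#0} M=${5#0} S=${6#0}
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $(((era * 146097 + doe - 719468) * 86400 + H * 3600 + M * 60 + S))
}

# needs_refresh EXPIRATION NOW_EPOCH [MARGIN]: true when the session is expired,
# unparseable, or has less than MARGIN seconds (default 300) left.
needs_refresh() {
    exp=$(iso_to_epoch "$1") || return 0
    [ $((exp - $2)) -lt "${3:-300}" ]
}

# credentials_ini PROFILE JSON: print the ~/.aws/credentials stanza, or print
# nothing and fail if any field is missing (a bare regex would silently write "").
credentials_ini() {
    ak=$(json_field "$2" AccessKeyId); sk=$(json_field "$2" SecretAccessKey)
    st=$(json_field "$2" SessionToken)
    [ -n "$ak" ] && [ -n "$sk" ] && [ -n "$st" ] || return 1
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n' \
        "$1" "$ak" "$sk" "$st"
}
```

Wire it in by calling needs_refresh with the Expiration you stored from the last run before invoking STS, and by redirecting credentials_ini output into the profile only when it succeeds.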
Top comments (4)
Hi, good solution. We did something similar because we wanted to use AWS SSO and third party tools as well as SDKs together. We generate temporary credentials starting from Accounts and Roles retrieved from AWS SSO, then we save these temporary credentials in ~/.aws/credentials. Here is the link to github if you'd like to check it out and give some feedback. github.com/Noovolari/leapp
Cheers!
Hey Alessandro,
Man, that's a really nice tool - I'll definitely start using it!
Thanks for sharing
FYI: Any of the workarounds that continue to use the implicit trust behaviour of SSO-created roles don't work anymore with new roles and will stop working by 15th of February 2023 due to aws.amazon.com/blogs/security/anno...
Thank you Rafael, this works beautifully!