# aws-sso-util

Making life with AWS SSO a little easier

AWS SSO has some rough edges, and aws-sso-util is here to smooth them out, hopefully temporarily until AWS makes it better. You can read a primer on AWS SSO here.
aws-sso-util contains utilities for the following:

- configuring `.aws/config` (`aws-sso-util configure` and `aws-sso-util roles`)
- logging in and out (`aws-sso-util login` and `aws-sso-util logout`)
- checking configuration and access (`aws-sso-util check`)
- AWS SDK support through `credential_process` (`aws-sso-util credential-process`)
- looking up identifiers and assignments (`aws-sso-util admin lookup` and `aws-sso-util admin assignments`)
- CloudFormation (`aws-sso-util admin cfn`)
aws-sso-util supersedes aws-sso-credential-process, which is still available in its original form here. Read the updated docs for aws-sso-util credential-process here.
aws-sso-util provides command-line utilities. The underlying Python library for AWS SSO authentication is aws-sso-lib, which has useful functions like interactive login, creating a boto3 session for a specific account and role, and the programmatic versions of the lookup functions in aws-sso-util. See the documentation here.
## Installation

It's a good idea to install the AWS CLI v2 (which has AWS SSO support).

I recommend you install pipx, which installs the tool in an isolated virtualenv while linking the script you need.

Mac and Linux:

```bash
brew install pipx
pipx ensurepath
```

Other:

```bash
python3 -m pip install --user pipx
python3 -m pipx ensurepath
```

Then install the tool itself:

```bash
pipx install aws-sso-util
aws-sso-util --help
```
aws-sso-util uses click, which supports autocompletion. The details of enabling shell completion with click vary by shell (instructions here), but here is an example for bash that regenerates the completion script in the background and sources the copy from the previous run. The `_AWS_SSO_UTIL_COMPLETE=source_bash` value is the form used by the click release this was written against; newer click releases changed the variable's value, so check the click docs for the version you have installed if completion does not load.

```bash
_AWS_SSO_UTIL_COMPLETE_SCRIPT_DIR=~/.local/share/aws-sso-util
_AWS_SSO_UTIL_COMPLETE_SCRIPT=$_AWS_SSO_UTIL_COMPLETE_SCRIPT_DIR/complete.sh
if which aws-sso-util > /dev/null; then
  mkdir -p $_AWS_SSO_UTIL_COMPLETE_SCRIPT_DIR
  ({ _AWS_SSO_UTIL_COMPLETE=source_bash aws-sso-util > $_AWS_SSO_UTIL_COMPLETE_SCRIPT.tmp ;
     mv $_AWS_SSO_UTIL_COMPLETE_SCRIPT.tmp $_AWS_SSO_UTIL_COMPLETE_SCRIPT; } &)
  if [ -f $_AWS_SSO_UTIL_COMPLETE_SCRIPT ]; then
    source $_AWS_SSO_UTIL_COMPLETE_SCRIPT
  fi
fi
```
## Configuring `.aws/config`

Read the full docs for aws-sso-util configure and aws-sso-util roles here.
The AWS CLI and most AWS SDKs support AWS SSO configuration in ~/.aws/config; each profile specifies the account and SSO role to use. A profile configured for AWS SSO looks like this (the comments are on their own lines because the AWS config parser does not strip a trailing `# ...` from a value; an inline comment becomes part of the region name):

```ini
[profile my-sso-profile]
sso_start_url = https://example.awsapps.com/start
# the region AWS SSO is configured in
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = MyRoleName
# the region to use for AWS API calls
region = us-east-2
```
You can view the roles you have available to you with aws-sso-util roles, which you can use to configure your profiles in ~/.aws/config, or you can use aws configure sso in the AWS CLI v2, but aws-sso-util also provides functionality to directly configure profiles for you.

aws-sso-util configure has two subcommands, aws-sso-util configure profile for configuring a single profile, and aws-sso-util configure populate to add all your permissions as profiles, in whatever region(s) you want (with highly configurable profile names).

You probably want to set the environment variables AWS_DEFAULT_SSO_START_URL and AWS_DEFAULT_SSO_REGION, which will inform these commands of your start url and SSO region (that is, the region that you've configured AWS SSO in), so that you don't have to pass them in as parameters every time.

aws-sso-util configure profile takes a profile name and prompts you with the accounts and roles you have access to, to configure that profile.

aws-sso-util configure populate takes one or more regions, and generates a profile for each account+role+region combination. The profile names are completely customizable.
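To make the account+role+region expansion concrete, here is an added example (not aws-sso-util's own code) that builds the same kind of profile set from a constructed role list and renders it in `~/.aws/config` syntax, so the layout can be inspected offline. The default naming format and the exact `credential_process` line are assumptions about the layout, not the tool's documented output; compare with what the real tool writes before relying on them.

```python
"""Generate ~/.aws/config profiles for every account/role/region combination.

Added example, not aws-sso-util's code: it mirrors what
`aws-sso-util configure populate` does for a small, constructed set of roles.
The default naming format and the credential_process line are assumptions.
"""
import configparser
import io
import itertools
import re

# Constructed sample of what `aws-sso-util roles` might list for one user:
# (account id, account name, role/permission set name).
SAMPLE_ROLES = [
    ("123456789012", "Production", "ReadOnly"),
    ("123456789012", "Production", "Admin"),
    ("210987654321", "Sandbox", "Admin"),
]

SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")


def _slug(value):
    """Reduce an account or role name to a safe profile-name component."""
    return re.sub(r"[^A-Za-z0-9]+", "-", value).strip("-").lower()


def profile_name(account_name, role_name, region, fmt="{account}.{role}.{region}"):
    """Build a profile name from a user-chosen format string (assumed default)."""
    return fmt.format(account=_slug(account_name), role=_slug(role_name), region=region)


def generate_profiles(start_url, sso_region, roles, regions, fmt="{account}.{role}.{region}"):
    """Return {profile_name: settings} for every role x region combination."""
    profiles = {}
    for (account_id, account_name, role_name), region in itertools.product(roles, regions):
        name = profile_name(account_name, role_name, region, fmt)
        if name in profiles:
            # Two roles collapsing to one name would silently overwrite each other.
            raise ValueError(f"profile name collision: {name}")
        profiles[name] = {
            "sso_start_url": start_url,
            "sso_region": sso_region,   # where AWS SSO itself is configured
            "sso_account_id": account_id,
            "sso_role_name": role_name,
            "region": region,           # where API calls go
            # Assumed shape of the line that lets SDKs without native SSO
            # support fetch credentials through the tool.
            "credential_process": f"aws-sso-util credential-process --profile {name}",
        }
    return profiles


def render_config(profiles):
    """Render profiles in ~/.aws/config syntax, i.e. [profile NAME] sections."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep key case exactly as written
    for name, settings in profiles.items():
        section = f"profile {name}"
        cp.add_section(section)
        for key, value in settings.items():
            cp.set(section, key, value)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def parse_config(text):
    """Read config text back into {profile_name: settings} (round-trip check)."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str
    cp.read_string(text)
    return {s[len("profile "):]: dict(cp.items(s))
            for s in cp.sections() if s.startswith("profile ")}


def missing_sso_keys(settings):
    """Keys an SSO profile needs before login or credential-process can work."""
    return [k for k in SSO_KEYS if not settings.get(k)]


if __name__ == "__main__":
    generated = generate_profiles("https://example.awsapps.com/start", "us-east-1",
                                  SAMPLE_ROLES, ["us-east-2", "us-west-2"])
    print(render_config(generated))
```

The collision check matters in practice: a naming format that drops the role (or the region) makes two distinct permissions map to one profile, and the second silently wins.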
## Logging in and out

Read the full docs for aws-sso-util login and aws-sso-util logout here.

A problem with aws sso login is that it's required to operate on a profile, that is, you have to tell it to log in to AWS SSO plus some account and role. But the whole point of AWS SSO is that you log in once for many accounts and roles. You could have a particular account and role set up in your default profile, but I prefer not to have a default profile so that I'm always explicitly selecting a profile and never accidentally end up in the default by mistake. aws-sso-util login solves this problem by letting you just log in without having to think about where you'll be using those credentials.
## Checking configuration and access

Read the full docs for aws-sso-util check here.

aws-sso-util check helps diagnose configuration and access issues. It can be used to help administrators debug user issues, or as validation in shell scripting. It validates that aws-sso-util can find an AWS SSO instance configuration, and additionally whether the user has access to a particular account and/or role.
## Credential process

The credential process is added automatically (by default) by the aws-sso-util configure commands; you only need to read this section if you're not using that or want to understand it more fully. Read the full docs for aws-sso-util credential-process here.

Not all AWS SDKs have support for AWS SSO (which will change eventually). However, they all have support for credential_process, which allows an external process to provide credentials. aws-sso-util credential-process uses this to allow these SDKs to get credentials from AWS SSO.

NOTE: if you test it out with your favorite script or application and get something like `NoCredentialProviders: no valid providers in chain`, you may need to set the environment variable AWS_SDK_LOAD_CONFIG=1. That error comes from the AWS SDK for Go v1, which only reads ~/.aws/config (and therefore the credential_process setting) when that variable is set.
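For readers who want to see what credential_process actually requires of the external process, here is an added example (not aws-sso-util's code) that implements both sides of the contract: a toy provider that prints the JSON document an SDK expects, and a consumer that runs a command and validates the output the way an SDK does. The credentials are constructed placeholders; the command line used for the demo runs the current Python interpreter instead of a real tool.

```python
"""The credential_process contract, shown end to end.

Added example, not aws-sso-util's code. An SDK configured with
`credential_process = <command>` runs the command and parses a JSON object
from its stdout: Version must be 1, AccessKeyId and SecretAccessKey are
required, SessionToken is optional, and Expiration (ISO 8601) tells the SDK
when to re-run the process.
"""
import json
import shlex
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed placeholders in the AWS key format; they are not real credentials.
FAKE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
    "SecretAccessKey": "exampleSecretKeyExampleSecretKey12345678",
    "SessionToken": "exampleSessionTokenNotReal",
}


def provider_output(expires_in_seconds=3600, now=None):
    """Build the JSON document a credential_process must print to stdout."""
    now = now or datetime.now(timezone.utc)
    expiry = (now + timedelta(seconds=expires_in_seconds)).replace(microsecond=0)
    doc = {"Version": 1, **FAKE_CREDS,
           "Expiration": expiry.isoformat().replace("+00:00", "Z")}
    return json.dumps(doc)


def parse_credential_output(text, now=None):
    """Validate a credential_process response as an SDK would; return the creds."""
    doc = json.loads(text)
    if doc.get("Version") != 1:
        raise ValueError(f"unsupported credential_process Version: {doc.get('Version')!r}")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not doc.get(key):
            raise ValueError(f"credential_process output is missing {key}")
    creds = {"AccessKeyId": doc["AccessKeyId"],
             "SecretAccessKey": doc["SecretAccessKey"],
             "SessionToken": doc.get("SessionToken")}
    if "Expiration" in doc:
        expiry = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
        if expiry <= (now or datetime.now(timezone.utc)):
            # An SDK would keep re-running a process that returns stale creds;
            # failing loudly here is the safer default.
            raise ValueError("credential_process returned already-expired credentials")
        creds["Expiration"] = expiry
    return creds


def run_credential_process(command):
    """Run `command` the way an SDK does and return validated credentials.

    Only stdout carries credentials; stderr is for diagnostics (for example a
    'please log in' message) and is surfaced on a non-zero exit."""
    proc = subprocess.run(shlex.split(command), capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"credential_process failed: {proc.stderr.strip()}")
    return parse_credential_output(proc.stdout)


def demo_command():
    """A credential_process command line that prints constructed credentials.

    It runs this interpreter with an inline script so no external tool is
    needed; a real profile would point at aws-sso-util instead."""
    script = "print(" + repr(provider_output()) + ")"
    return f"{shlex.quote(sys.executable)} -c {shlex.quote(script)}"


if __name__ == "__main__":
    print(run_credential_process(demo_command()))
```

Two practical consequences follow from the contract: anything the process writes to stdout other than the JSON document breaks credential loading, so debug output must go to stderr; and because the SDK re-runs the process whenever it needs credentials, the process should be fast and must never prompt on stdin.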
## Looking up identifiers and assignments

Read the full docs for aws-sso-util admin lookup and aws-sso-util admin assignments here.

When you're creating assignments through the API or CloudFormation, you're required to use identifiers like the instance ARN, the principal ID, etc. These identifiers aren't readily available through the console, and the principal IDs are not the IDs you're familiar with. aws-sso-util admin lookup allows you to get these identifiers, even en masse.

There is no simple API for retrieving all assignments or even a decent subset. The current best you can do is list all the users with a particular PermissionSet on a particular account. aws-sso-util admin assignments takes the effort out of looping over the necessary APIs.
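The loop the paragraph above alludes to looks like this. This is an added example, not aws-sso-util's code: it uses the real sso-admin operation names (ListInstances, ListPermissionSetsProvisionedToAccount, ListAccountAssignments) and NextToken pagination, but runs against a constructed in-memory stand-in for the boto3 client so it works offline. The ARNs, principal IDs and account list are placeholders.

```python
"""Enumerate every AWS SSO account assignment by walking the sso-admin APIs.

Added example, not aws-sso-util's code. Replace FakeSsoAdmin with
boto3.client("sso-admin") and feed list_all_assignments the account IDs from
Organizations ListAccounts to run it for real.
"""


class FakeSsoAdmin:
    """Stand-in for boto3's sso-admin client; returns constructed data in
    pages of PAGE items so the NextToken handling is exercised."""

    PAGE = 2

    def __init__(self, instance_arn, assignments):
        self._arn = instance_arn
        # rows: (AccountId, PermissionSetArn, PrincipalType, PrincipalId)
        self._rows = list(assignments)

    @classmethod
    def _page(cls, items, token):
        start = int(token or 0)
        end = start + cls.PAGE
        return items[start:end], (str(end) if end < len(items) else None)

    def list_instances(self):
        return {"Instances": [{"InstanceArn": self._arn}]}

    def list_permission_sets_provisioned_to_account(self, InstanceArn, AccountId, NextToken=None):
        ps_arns = sorted({r[1] for r in self._rows if r[0] == AccountId})
        chunk, nxt = self._page(ps_arns, NextToken)
        return {"PermissionSets": chunk, **({"NextToken": nxt} if nxt else {})}

    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn, NextToken=None):
        rows = [r for r in self._rows if r[0] == AccountId and r[1] == PermissionSetArn]
        chunk, nxt = self._page(rows, NextToken)
        items = [{"AccountId": a, "PermissionSetArn": p, "PrincipalType": t, "PrincipalId": i}
                 for a, p, t, i in chunk]
        return {"AccountAssignments": items, **({"NextToken": nxt} if nxt else {})}


def paginate(method, result_key, **params):
    """Call `method` until no NextToken comes back, yielding each item."""
    token = None
    while True:
        resp = method(**params, **({"NextToken": token} if token else {}))
        yield from resp.get(result_key, [])
        token = resp.get("NextToken")
        if not token:
            return


def list_all_assignments(sso_admin, account_ids):
    """Return (account, permission set, principal type, principal id) tuples
    for every assignment across the given accounts: one call per account to
    find its permission sets, then one call per account+permission set."""
    instance_arn = sso_admin.list_instances()["Instances"][0]["InstanceArn"]
    found = []
    for account_id in account_ids:
        for ps_arn in paginate(sso_admin.list_permission_sets_provisioned_to_account,
                               "PermissionSets", InstanceArn=instance_arn, AccountId=account_id):
            for a in paginate(sso_admin.list_account_assignments, "AccountAssignments",
                              InstanceArn=instance_arn, AccountId=account_id,
                              PermissionSetArn=ps_arn):
                found.append((a["AccountId"], a["PermissionSetArn"],
                              a["PrincipalType"], a["PrincipalId"]))
    return found


# Constructed sample data; ARNs and principal IDs are placeholders.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-0000000000000000"
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-00000000000000a1"
PS_READ = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-00000000000000b2"
SAMPLE_ASSIGNMENTS = [
    ("123456789012", PS_ADMIN, "GROUP", "g-admins"),
    ("123456789012", PS_READ, "GROUP", "g-readers"),
    ("123456789012", PS_READ, "USER", "u-alice"),
    ("123456789012", PS_READ, "USER", "u-bob"),
    ("210987654321", PS_ADMIN, "USER", "u-alice"),
]
SAMPLE_ACCOUNTS = ["123456789012", "210987654321", "333333333333"]  # last one has none

if __name__ == "__main__":
    for row in list_all_assignments(FakeSsoAdmin(INSTANCE_ARN, SAMPLE_ASSIGNMENTS), SAMPLE_ACCOUNTS):
        print(*row)
```

The call count is what makes this expensive at scale: one ListPermissionSetsProvisionedToAccount per account plus one ListAccountAssignments per account+permission set pair, each paginated. The real boto3 client also exposes `get_paginator()` for these operations, which replaces the hand-written `paginate` helper.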
## CloudFormation

You'll want to read the full docs here.

AWS SSO's CloudFormation support currently only includes AWS::SSO::Assignment, which means for every combination of principal (group or user), permission set, and target (AWS account), you need a separate CloudFormation resource. Additionally, AWS SSO does not support OUs as targets, so you need to specify every account separately.

Obviously, this gets verbose, and even an organization of moderate size is likely to have tens of thousands of assignments. aws-sso-util admin cfn provides two mechanisms to make this concise.

I look forward to discarding this part of the tool once there are two prerequisites:

- An AWS::SSO::AssignmentGroup resource that allows specifications of multiple principals, permission sets, and targets, and performs the combinatorics directly.
- Support for OUs as targets, so that accounts don't have to be listed one by one.

aws-sso-util defines a resource format for an AssignmentGroup that is a combination of multiple principals, permission sets, and targets, and provides a CloudFormation Macro you can deploy that lets you use this resource in your templates.

I am against client-side generation of CloudFormation templates, but if you don't want to trust this 3rd party macro, you can generate the CloudFormation templates directly.

aws-sso-util admin cfn takes one or more input files, and for each input file, generates a CloudFormation template and potentially one or more child templates. These templates can then be packaged and uploaded using aws cloudformation package or the SAM CLI, for example.

The input files can either be templates using the Macro (using the --macro flag), or somewhat simpler configuration files using a different syntax. These configuration files can define permission sets inline, have references that turn into template parameters, and you can provide a base template that the resulting resources are layered on top of.
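To show the combinatorics the section describes, here is an added example (not aws-sso-util's code, and not its configuration syntax): it expands an assignment group of principals, permission sets and accounts into one AWS::SSO::Assignment resource per combination, and splits the result into templates of bounded size, which is the role the tool's child templates play. The group dict, ARNs and principal IDs are constructed placeholders; real values come from aws-sso-util admin lookup.

```python
"""Expand an assignment group into individual AWS::SSO::Assignment resources.

Added example, not aws-sso-util's code or input format. The AWS::SSO::Assignment
property names are the real ones; the group dict shape is an assumption.
"""
import hashlib
import itertools

INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-0000000000000000"

SAMPLE_GROUP = {
    "Principals": [
        ("GROUP", "9a6700a0-0000-0000-0000-000000000001"),
        ("USER", "9a6700a0-0000-0000-0000-000000000002"),
    ],
    "PermissionSets": [
        "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-00000000000000a1",
        "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-00000000000000b2",
    ],
    "Targets": ["123456789012", "210987654321", "333333333333"],
}


def logical_id(*parts):
    """Logical IDs must be alphanumeric and unique; hash the combination so the
    same assignment always maps to the same resource, and reordering the
    input lists does not make CloudFormation delete and recreate assignments."""
    digest = hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]
    return "Assignment" + digest.upper()


def expand_assignments(instance_arn, group):
    """Return {logical_id: resource} with one AWS::SSO::Assignment per
    principal x permission set x account."""
    resources = {}
    for (ptype, pid), ps_arn, account_id in itertools.product(
            group["Principals"], group["PermissionSets"], group["Targets"]):
        resources[logical_id(ptype, pid, ps_arn, account_id)] = {
            "Type": "AWS::SSO::Assignment",
            "Properties": {
                "InstanceArn": instance_arn,
                "PermissionSetArn": ps_arn,
                "PrincipalType": ptype,       # USER or GROUP
                "PrincipalId": pid,           # identity store ID, not a username
                "TargetType": "AWS_ACCOUNT",  # accounts only; OUs are not a target type
                "TargetId": account_id,
            },
        }
    return resources


def split_templates(resources, chunk=500):
    """Pack resources into templates of at most `chunk` resources each.
    500 was the per-template resource quota when this example was written;
    check the current CloudFormation quota before relying on it."""
    if chunk < 1:
        raise ValueError("chunk must be positive")
    items = sorted(resources.items())
    return [
        {"AWSTemplateFormatVersion": "2010-09-09",
         "Resources": dict(items[i:i + chunk])}
        for i in range(0, len(items), chunk)
    ]


if __name__ == "__main__":
    import json
    for template in split_templates(expand_assignments(INSTANCE_ARN, SAMPLE_GROUP), chunk=5):
        print(json.dumps(template, indent=2))
```

Two principals, two permission sets and three accounts already produce twelve resources; the growth is multiplicative, which is why the macro or a generator is needed once groups get large.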
Author: Ben Kehoe (ben@kehoe.io). Homepage: https://github.com/benkehoe/aws-sso-util