yawsso

yawsso

Yet Another AWS SSO - sync up AWS CLI v2 SSO login session to legacy CLI v1 credentials.

See also Release v1.0.0 Notes

Prerequisite

• Required Python >= 3.7
• Required AWS CLI v2
• Assume you have already setup AWS SSO for your organization

Main Use Case

• Install latest from PyPI like so:

pip install yawsso

• Do your per normal SSO login and, have at least one active SSO session cache:

aws sso login --profile dev

• To sync for all named profiles in config (i.e. lazy consensus), then just:

yawsso

• To sync default profile and all named profiles, do:

yawsso --default

• To sync default profile only, do:

yawsso --default-only

• To sync for selected named profile, do:

yawsso -p dev

• To sync for multiple selected named profiles, do:

yawsso -p dev prod

• To sync for default profile as well as multiple selected named profiles, do:

yawsso --default -p dev prod

• To sync for all named profiles start with prefix pattern lab*, do:

(zsh)
yawsso -p 'lab*'

(bash)
yawsso -p lab*

• To sync for all named profiles start with lab* as well as dev and prod, do:

yawsso -p 'lab*' dev prod

• Print help to see other options:

yawsso -h

• Then, continue per normal with your daily tools. i.e.
  • cdk deploy ...
  • terraform apply ...
  • cw ls groups
  • awsbw -L -P dev
  • sqsmover -s main-dlq -d main-queue
  • ecs-cli ps --cluster my-cluster
  • awscurl -H "Accept: application/json" --profile dev --region ap-southeast-2 "https://api..."

Additional Use Cases

Rename Profile on Sync

• Say, you have the following profile in your $HOME/.aws/config:

[profile dev]
sso_start_url = https://myorg.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = ap-southeast-2
output = json
cli_pager =

• You want to populate access token as, say, profile name foo in $HOME/.aws/credentials:

[foo]
region = ap-southeast-2
aws_access_key_id = XXX
aws_secret_access_key = XXX
aws_session_token = XXX
...

• Do like so:

yawsso -p dev:foo

• Then, you can export AWS_PROFILE=foo and use foo profile!

Export Tokens

PLEASE USE THIS FEATURE WITH CARE SINCE ENVIRONMENT VARIABLES USED ON SHARED SYSTEMS CAN GIVE UNAUTHORIZED ACCESS TO PRIVATE RESOURCES.

🤚 START FROM VERSION 1.0.0, yawsso -e EXPORT TOKENS IN ROT13 ENCODED STRING.

• Use -e flag if you want a temporary copy-paste-able time-gated access token for an instance or external machine.

• Please note that, it uses default profile if no additional arguments pass.

yawsso -e | yawsso decrypt
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
export AWS_SESSION_TOKEN=xxx

• This use case is especially tailored for those who use default profile and, who would like to PIPE commands as follows.

aws sso login && yawsso -e | yawsso decrypt | pbcopy

• Otherwise, for a named profile, do:

yawsso -p dev -e | yawsso decrypt

• Or, right away export credentials into the current shell environment variables, do:

yawsso -p dev -e | yawsso decrypt | source /dev/stdin

Note: ☝️ are mutually exclusive with the following 👇 auto copy into your clipboard. Choose one, a must!

• If you have pyperclip package installed, yawsso will copy access tokens to your clipboard instead.

yawsso -e
Credentials copied to your clipboard for profile 'default'

• You may pip install pyperclip or, together with yawsso as follows.

pip install 'yawsso[all]'

Login

• You can also use yawsso subcommand login to SSO login then sync all in one go.

🙋‍♂️ NOTE: It uses default profile or AWS_PROFILE environment variable if optional argument --profile is absent

yawsso login -h
yawsso login

• Otherwise you can pass the login profile as follows:

yawsso login --profile dev

• Due to lazy consensus design, yawsso will sync all named profiles once SSO login has succeeded. If you'd like to sync only upto this login profile then use --this flag to limit as follows.

👉 Login using default profile and sync only upto this default profile

yawsso login --this

👉 Login using named profile dev and sync only upto this dev profile

yawsso login --profile dev --this

👉 Login using named profile dev and sync as foo. See above for more details on renaming, limited to one profile.

yawsso login --profile dev:foo

Login then Export token

• Exporting access token also support with login subcommand as follows:

👉 Login using default profile, sync only upto this default profile and, print access token

yawsso login -e | yawsso decrypt

👉 Login using named profile dev, sync only upto this dev profile and, print access token

yawsso login --profile dev -e | yawsso decrypt

Auto Login then Sync

• Like login, you may use yawsso subcommand auto to SSO login then sync all in one go.
• It will check if SSO session has expired and, if so, yawsso will attempt to auto login again.

yawsso auto -h

(either)
yawsso auto --profile dev

(or)
export AWS_PROFILE=dev
yawsso auto

Set Region

• You can also set region from the config file to the shared credentials file
• Do like so:

yawsso -r -p dev

yawsso -r -p dev:foo

yawsso -r auto --profile dev

Encryption

yawsso can encrypt and decrypt some arbitrary string from stdin using ROT13 (a simple letter substitution cipher) as follows.

echo 'Hello this is a test' | yawsso encrypt
Uryyb guvf vf n grfg

echo 'Uryyb guvf vf n grfg' | yawsso decrypt
Hello this is a test

(or Pipe through some text corpus)
cat test.txt | yawsso encrypt

(or on Windows)
type test.txt | yawsso encrypt

This is the same as using trivial Unix tr command as follows.

echo 'Hello this is a test' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Uryyb guvf vf n grfg

echo 'Uryyb guvf vf n grfg' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Hello this is a test

Hence, you could also decode yawsso exported tokens using tr command, like so.

yawsso -p dev -e | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Develop

• Create virtual environment, activate it and then:

make install
make test
python -m yawsso --trace version

(Windows)

python -m venv venv
.\venv\Scripts\activate
pip install ".[dev,test]" .
pytest
python -m yawsso --trace version

• Create issue or pull request welcome

License

MIT License