refresh-legacy-aws-sso-profile: Backwards-compatible AWS SSO login using new-stile SSO profiles
=================================================
[](https://opensource.org/licenses/MIT)
[](https://github.com/mckelvie-org/py-refresh-legacy-sso-profile/releases)
A simple tool to refresh backwards-compatible AWS profiles using temporary credentials derived from newer SSO profiles.
Table of contents
-----------------
* [Introduction](#introduction)
* [Installation](#installation)
* [Usage](#usage)
* [API](api)
* [Known issues and limitations](#known-issues-and-limitations)
* [Getting help](#getting-help)
* [Contributing](#contributing)
* [License](#license)
* [Authors and history](#authors-and-history)
Introduction
------------
Some time back, AWS added direct support for IAM Identitity Center token provider credentials into its CLI and
various AWS API language providers (e.g., boto3 for Python). This is really nice because it allows users to log into AWS
via single-sign-on (SSO) with the ```aws sso login` command and the assistance of a browser, and appropriate session
credentials are automatically cached and subsequently used by other CLI commands or API clients with automatic
token refresh. See [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html)
for details of how to configure SSO to make this work.
Setting up a profile for SSO involves a new type of profile configuration in `~/.aws/config`. For example:
```ini
[profile my-dev-profile]
sso_session = my-sso
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
output = json
[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
```
All this works great if you have a recent AWS CLI or AWS API language provider; however, if you are using an application that
is bound to an older language provider (e.g., older versions of boto3) that does not support the new SSO profiles, the newer profile (`my-dev-profile` in the example) will be unusable by the application. The workaround for this situation is to run:
```bash
eval `aws configure export-credentials --profile my-dev-profile --format env`
```
This will set environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` to
temporary credentials that will allow older clients to usethe session until the temporary credentials expire.
While this method works, it has several problems:
* It only allows a single profile to be active at a time. Applications that deal with multiple profiles are problemation
* The credentials are only valid for the current process and child processes that inherit environment variables. It is not possible to
refresh SSO credentials in a different shell session and have the refresh apply to all shell sessions.
* Child processes that inherit the environment variables do not get refreshed credentials when the parent process refreshes credentials.
* It is awkward to pass refreshed credentials into a container environment (environment variables within the container must be
updated in all processes, potentially after the container has launched). It's much easier to just bind mount `~/.aws` into
a container.
* Passing sensitive credentials around in environment variables increases the risk of unintentionally leaking credentials.
This package provides a simple function and associated command-line tool that eliminates all of these concerns by eschewing the
use of environment variables and instead updating an old-style credential profile in `~/.aws/credentials` with temporary
session credentials derived from a newer SSO profile. Older applications simply need to be directed to use the derived
profile instead of the newer SSO profile. When temporary credentials expire, simply run this tool again and all
clients using the derived profile will start seeing the refreshed credentials.
Installation
------------
### Prerequisites
**Python**: Python 3.10+ is required. See your OS documentation for instructions.
### From PyPi
The current released version of `refresh-legacy-aws-sso-profile` can be installed with:
```bash
pip3 install refresh-legacy-aws-profile
```
### From GitHub
[PDM](https://pdm-project.org/latest/) is required; it can be installed with:
```bash
curl -sSL https://pdm-project.org/install-pdm.py | python3 -
```
Clone the repository and install refresh-legacy-aws-sso-profile into a private virtualenv with:
```bash
cd <parent-folder>
git clone https://github.com/mckelvie-org/py-refresh-legacy-aws-sso-profile.git
cd py-refresh-legacy-aws-sso-profile
pdm install
```
You can then launch a bash shell with the virtualenv activated using:
```bash
pdm run bash
```
Usage
-----
```text
usage: refresh-legacy-aws-sso-profile [-h] [-p PROFILE] [-o OUTPUT_PROFILE] [-c CONFIG] [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
Update legacy AWS SSO profile with temporary creds from new AWS SSO profile. A simple command-line utility that reads temporary AWS credentials from a profile (which may be a newer SSO-based profile) and writes them to a different AWSprofile that can be used by tools that do not yet support the new SSO model. Since the derived credentials are temporary, they will eventually expire (typically 12 hours SSO refresh). After refreshing SSO credentials, you can run this utility again to update the legacy profile. By default, this utility directly manipulates the ~/.aws/credentials file. An attempt is made to preserve the file's round-trip
integrity.
options:
-h, --help show this help message and exit
-p PROFILE, --profile PROFILE
The input SSO-based AWS profile to use. Defaults to $AWS_PROFILE, or 'default'.
-o OUTPUT_PROFILE, --output-profile OUTPUT_PROFILE
The output AWS profile to update with temporary credentials. Defaults to '<input-profile-name>-legacy-sso'.
-c CONFIG, --config CONFIG
The AWS Configuration file in which to placer the credentials. Defaults to ~/.aws/credentials.
-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
Set the logging level. Default is 'WARNING'.```
```
Known issues and limitations
----------------------------
TBD.
Getting help
------------
Please report any problems/issues [here](https://github.com/mckelvie-org/py-refresh-legacy-aws-sso-profile/issues).
Contributing
------------
Pull requests welcome.
License
-------
refresh-legacy-aws-sso-profile is distributed under the terms of the [MIT License](https://opensource.org/licenses/MIT). The license applies to this file and other files in the [GitHub repository](http://github.com/mckelvie-org/py-refresh-legacy-aws-sso-profile) hosting this file.
Authors and history
---------------------------
The author of refresh-legacy-aws-sso-profile is [Sam McKelvie](https://github.com/sammck).
Raw data
{
"_id": null,
"home_page": "https://github.com/mckelvie-org/py-refresh-legacy-aws-sso-profile",
"name": "refresh-legacy-aws-sso-profile",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.10",
"maintainer_email": "",
"keywords": "AWS credentials SSO login token authentication auth",
"author": "",
"author_email": "Sam McKelvie <dev@mckelvie.org>",
"download_url": "https://files.pythonhosted.org/packages/92/c4/47f70453b612246e46564b5bd73f5c5a0cc642d904eed01a2920f4a89e7b/refresh_legacy_aws_sso_profile-1.0.0.tar.gz",
"platform": null,
"description": "refresh-legacy-aws-sso-profile: Backwards-compatible AWS SSO login using new-stile SSO profiles \n=================================================\n\n[](https://opensource.org/licenses/MIT)\n[](https://github.com/mckelvie-org/py-refresh-legacy-sso-profile/releases)\n\nA simple tool to refresh backwards-compatible AWS profiles using temporary credentials derived from newer SSO profiles.\n\nTable of contents\n-----------------\n\n* [Introduction](#introduction)\n* [Installation](#installation)\n* [Usage](#usage)\n * [API](api)\n* [Known issues and limitations](#known-issues-and-limitations)\n* [Getting help](#getting-help)\n* [Contributing](#contributing)\n* [License](#license)\n* [Authors and history](#authors-and-history)\n\nIntroduction\n------------\n\nSome time back, AWS added direct support for IAM Identitity Center token provider credentials into its CLI and\nvarious AWS API language providers (e.g., boto3 for Python). This is really nice because it allows users to log into AWS\nvia single-sign-on (SSO) with the ```aws sso login` command and the assistance of a browser, and appropriate session\ncredentials are automatically cached and subsequently used by other CLI commands or API clients with automatic\ntoken refresh. See [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html)\nfor details of how to configure SSO to make this work.\n\nSetting up a profile for SSO involves a new type of profile configuration in `~/.aws/config`. For example:\n\n```ini\n[profile my-dev-profile]\nsso_session = my-sso\nsso_account_id = 123456789011\nsso_role_name = readOnly\nregion = us-west-2\noutput = json\n\n[sso-session my-sso]\nsso_region = us-east-1\nsso_start_url = https://my-sso-portal.awsapps.com/start\nsso_registration_scopes = sso:account:access\n```\n\nAll this works great if you have a recent AWS CLI or AWS API language provider; however, if you are using an application that\nis bound to an older language provider (e.g., older versions of boto3) that does not support the new SSO profiles, the newer profile (`my-dev-profile` in the example) will be unusable by the application. The workaround for this situation is to run:\n\n```bash\neval `aws configure export-credentials --profile my-dev-profile --format env`\n```\n\nThis will set environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` to\ntemporary credentials that will allow older clients to usethe session until the temporary credentials expire.\n\nWhile this method works, it has several problems:\n\n* It only allows a single profile to be active at a time. Applications that deal with multiple profiles are problemation\n* The credentials are only valid for the current process and child processes that inherit environment variables. It is not possible to\n refresh SSO credentials in a different shell session and have the refresh apply to all shell sessions.\n* Child processes that inherit the environment variables do not get refreshed credentials when the parent process refreshes credentials.\n* It is awkward to pass refreshed credentials into a container environment (environment variables within the container must be\n updated in all processes, potentially after the container has launched). It's much easier to just bind mount `~/.aws` into\n a container.\n* Passing sensitive credentials around in environment variables increases the risk of unintentionally leaking credentials.\n\nThis package provides a simple function and associated command-line tool that eliminates all of these concerns by eschewing the\nuse of environment variables and instead updating an old-style credential profile in `~/.aws/credentials` with temporary\nsession credentials derived from a newer SSO profile. Older applications simply need to be directed to use the derived\nprofile instead of the newer SSO profile. When temporary credentials expire, simply run this tool again and all\nclients using the derived profile will start seeing the refreshed credentials.\n\nInstallation\n------------\n\n### Prerequisites\n\n**Python**: Python 3.10+ is required. See your OS documentation for instructions.\n\n### From PyPi\n\nThe current released version of `refresh-legacy-aws-sso-profile` can be installed with:\n\n```bash\npip3 install refresh-legacy-aws-profile\n```\n\n### From GitHub\n\n[PDM](https://pdm-project.org/latest/) is required; it can be installed with:\n\n```bash\ncurl -sSL https://pdm-project.org/install-pdm.py | python3 -\n```\n\nClone the repository and install refresh-legacy-aws-sso-profile into a private virtualenv with:\n\n```bash\ncd <parent-folder>\ngit clone https://github.com/mckelvie-org/py-refresh-legacy-aws-sso-profile.git\ncd py-refresh-legacy-aws-sso-profile\npdm install\n```\n\nYou can then launch a bash shell with the virtualenv activated using:\n\n```bash\npdm run bash\n```\n\nUsage\n-----\n\n```text\nusage: refresh-legacy-aws-sso-profile [-h] [-p PROFILE] [-o OUTPUT_PROFILE] [-c CONFIG] [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}]\n\nUpdate legacy AWS SSO profile with temporary creds from new AWS SSO profile. A simple command-line utility that reads temporary AWS credentials from a profile (which may be a newer SSO-based profile) and writes them to a different AWSprofile that can be used by tools that do not yet support the new SSO model. Since the derived credentials are temporary, they will eventually expire (typically 12 hours SSO refresh). After refreshing SSO credentials, you can run this utility again to update the legacy profile. By default, this utility directly manipulates the ~/.aws/credentials file. An attempt is made to preserve the file's round-trip\nintegrity.\n\noptions:\n -h, --help show this help message and exit\n -p PROFILE, --profile PROFILE\n The input SSO-based AWS profile to use. Defaults to $AWS_PROFILE, or 'default'.\n -o OUTPUT_PROFILE, --output-profile OUTPUT_PROFILE\n The output AWS profile to update with temporary credentials. Defaults to '<input-profile-name>-legacy-sso'.\n -c CONFIG, --config CONFIG\n The AWS Configuration file in which to placer the credentials. Defaults to ~/.aws/credentials.\n -l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}\n Set the logging level. Default is 'WARNING'.```\n```\n\nKnown issues and limitations\n----------------------------\n\nTBD.\n\nGetting help\n------------\n\nPlease report any problems/issues [here](https://github.com/mckelvie-org/py-refresh-legacy-aws-sso-profile/issues).\n\nContributing\n------------\n\nPull requests welcome.\n\nLicense\n-------\n\nrefresh-legacy-aws-sso-profile is distributed under the terms of the [MIT License](https://opensource.org/licenses/MIT). The license applies to this file and other files in the [GitHub repository](http://github.com/mckelvie-org/py-refresh-legacy-aws-sso-profile) hosting this file.\n\nAuthors and history\n---------------------------\n\nThe author of refresh-legacy-aws-sso-profile is [Sam McKelvie](https://github.com/sammck).\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "A tool to create/refresh a backwards-compatible AWS profile with temporary credentials from a new-style AWS SSO profile.",
"version": "1.0.0",
"project_urls": {
"Homepage": "https://github.com/mckelvie-org/py-refresh-legacy-aws-sso-profile",
"Repository": "https://github.com/mckelvie-org/py-refresh-legacy-aws-sso-profile.git"
},
"split_keywords": [
"aws",
"credentials",
"sso",
"login",
"token",
"authentication",
"auth"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "8ce870834b941b780bd1ed9337f3fc5cebf3720d66d579cea8996a6a07a57fcd",
"md5": "fc85fc8bb32aa6178064ae6f1cedebcd",
"sha256": "766aba6ca1afdcc1c311ba0d241464b461090c97e01164b98c38da1273b6396f"
},
"downloads": -1,
"filename": "refresh_legacy_aws_sso_profile-1.0.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "fc85fc8bb32aa6178064ae6f1cedebcd",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.10",
"size": 9916,
"upload_time": "2024-03-15T01:35:52",
"upload_time_iso_8601": "2024-03-15T01:35:52.203243Z",
"url": "https://files.pythonhosted.org/packages/8c/e8/70834b941b780bd1ed9337f3fc5cebf3720d66d579cea8996a6a07a57fcd/refresh_legacy_aws_sso_profile-1.0.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "92c447f70453b612246e46564b5bd73f5c5a0cc642d904eed01a2920f4a89e7b",
"md5": "d5d8c3c8c3eb8cfbdbeee3f0d2f5442b",
"sha256": "2a57f62ef9dbb1c9807dd329883a3a0200ada28511eb06094303657eca372197"
},
"downloads": -1,
"filename": "refresh_legacy_aws_sso_profile-1.0.0.tar.gz",
"has_sig": false,
"md5_digest": "d5d8c3c8c3eb8cfbdbeee3f0d2f5442b",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 8765,
"upload_time": "2024-03-15T01:35:54",
"upload_time_iso_8601": "2024-03-15T01:35:54.168362Z",
"url": "https://files.pythonhosted.org/packages/92/c4/47f70453b612246e46564b5bd73f5c5a0cc642d904eed01a2920f4a89e7b/refresh_legacy_aws_sso_profile-1.0.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-03-15 01:35:54",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "mckelvie-org",
"github_project": "py-refresh-legacy-aws-sso-profile",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "refresh-legacy-aws-sso-profile"
}
JSON
