# aws2-wrap
[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=linaro-its_aws2-wrap&metric=alert_status)](https://sonarcloud.io/dashboard?id=linaro-its_aws2-wrap)
This is a simple script to make it easier to use AWS Single Sign On credentials with tools that don't understand the `sso` entries in an AWS profile.
The script provides the following capabilities:
* Run a command using AWS SSO credentials
* Generate a temporary profile in the $AWS_CONFIG_FILE and $AWS_SHARED_CREDENTIALS_FILE files
* Export the AWS SSO credentials
* Use the credentials via .aws/config
* Assume a role via AWS SSO
* Supports automatic authentication refresh via AWS IAM Identity Center (https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html)
Please note that the script is called `aws2-wrap` to show that it works with AWS CLI v2, even though the CLI tool is no longer called `aws2`.
## Install
### Using `pip`
<https://pypi.org/project/aws2-wrap>
```
pip3 install aws2-wrap
```
### Using `brew`
```
brew install aws2-wrap
```
## Run a command using AWS SSO credentials
`aws2-wrap [--profile <awsprofilename>] [--exec] <command>`
Note that if you are using `--exec` and `<command>` contains spaces, it must be surrounded with double-quotation marks.
You can also specify the profile to be used via the `AWS_PROFILE` environment variable, which then allows the same profile to be used by subsequent tools and commands.
Examples:
`aws2-wrap --profile MySSOProfile terraform plan`
`aws2-wrap --profile MySSOProfile --exec "terraform plan"`
`AWS_PROFILE=MySSOProfile aws2-wrap terraform plan`
If you are having problems with the use of quotes in the command, you may find one of the other methods works better for you.
## Generate a temporary profile in the $AWS_CONFIG_FILE and $AWS_SHARED_CREDENTIALS_FILE files
Some utilities work better with the configuration files than with the environment variables, for example if you need to access more than one profile at a time.
`aws2-wrap --generate --profile $AWS_PROFILE --credentialsfile $AWS_SHARED_CREDENTIALS_FILE --configfile $AWS_CONFIG_FILE --outprofile $DESTINATION_PROFILE`
Optionally, you can specify `--generatestdout` instead of `--generate`. `--outprofile` is still required in order to name the section but `--credentialsfile` and `--configfile` are ignored. With this command option, the generated credentials will then be output to the console.
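As an added example (not part of aws2-wrap), this Python sketch audits the file that `--generate` wrote to: it checks that the credentials file is accessible only by its owner and that the `--outprofile` section holds session credentials. The function name is hypothetical, and it assumes the section uses the standard `aws_access_key_id`, `aws_secret_access_key` and `aws_session_token` keys.

```python
import configparser
import os
import stat
import tempfile


def audit_credentials_file(path, outprofile):
    """Return a list of findings for the section named by --outprofile."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is mode {mode:04o}; group/other can access it, expected 0600")

    # interpolation=None: secret values may legitimately contain '%'
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    if not parser.has_section(outprofile):
        findings.append(f"no [{outprofile}] section found")
        return findings

    section = parser[outprofile]
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        if not section.get(key):
            findings.append(f"[{outprofile}] has no {key}")
    # Assumption: temporary SSO-derived credentials always carry a session token.
    if not section.get("aws_session_token"):
        findings.append(f"[{outprofile}] has no aws_session_token, so it does not hold temporary credentials")
    return findings


if __name__ == "__main__":
    # Constructed sample file, not real credentials.
    sample = ("[Tmp]\naws_access_key_id = ASIACONSTRUCTED0000\n"
              "aws_secret_access_key = constructed%secret\n"
              "aws_session_token = constructed-token\n")
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "credentials")
        with open(target, "w", encoding="utf-8") as handle:
            handle.write(sample)
        os.chmod(target, 0o644)
        print(audit_credentials_file(target, "Tmp"))
```

The findings name files, sections and keys only, so the output can be logged without exposing the secrets.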
## Export the AWS SSO credentials
There may be circumstances when it is easier/better to set the appropriate environment variables so that they can be re-used by any `aws` command.
Since the script cannot directly set the environment variables in the calling shell process, it is necessary to use the following syntax:
`eval "$(aws2-wrap [--profile <awsprofilename>] --export)"`
For example:
`eval "$(aws2-wrap --profile MySSOProfile --export)"`
If you are using PowerShell, the equivalent command is:
`aws2-wrap --profile MySSOProfile --export | invoke-expression`
## Use the credentials via .aws/config
If you are using a tool that works with normal AWS credentials but doesn't understand the new AWS SSO credentials, another option is to add a profile to `.aws/config` that calls the `aws2-wrap` script.
For example, add the following block to `.aws/config`:
```text
[profile Wrapped]
credential_process = aws2-wrap --process --profile <awsprofilename>
```
then, after authentication, you can run any command that uses AWS credentials by specifying the "Wrapped" profile:
```text
aws sso login --profile <awsprofilename>
export AWS_PROFILE=Wrapped
export AWS_SDK_LOAD_CONFIG=1
terraform plan
```
Note that because the profile is being specified via `AWS_PROFILE`, it is sometimes necessary (as shown above) to set `AWS_SDK_LOAD_CONFIG` in order to get tools like `terraform` to successfully retrieve the credentials.
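An added example, not code from aws2-wrap: a Python check for the JSON that a `credential_process` helper such as `aws2-wrap --process` prints, following the AWS-documented contract (`Version`, `AccessKeyId`, `SecretAccessKey`, `SessionToken`, `Expiration`). The function name and the five-minute threshold are assumptions, and the report it returns never contains the secret values.

```python
import json
from datetime import datetime, timezone

# Constructed sample, not real credentials.
SAMPLE = ('{"Version": 1, "AccessKeyId": "ASIACONSTRUCTED0000", "SecretAccessKey": "constructed-secret",'
          ' "SessionToken": "constructed-token", "Expiration": "2023-12-09T16:00:00Z"}')


def check_credential_process_output(raw, now=None, min_seconds_left=300):
    """Validate one credential_process document; return (problems, redacted_view)."""
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        # Typical cause: the helper printed a prompt or warning on stdout.
        return [f"not valid JSON: {exc.msg}"], {}
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"], {}

    problems = []
    if type(doc.get("Version")) is not int or doc["Version"] != 1:
        problems.append("Version must be the integer 1")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not isinstance(doc.get(key), str) or not doc[key]:
            problems.append(f"missing or empty {key}")
    if not doc.get("SessionToken"):
        problems.append("no SessionToken: not temporary session credentials")

    expiration = doc.get("Expiration")
    if expiration is None:
        problems.append("no Expiration: credentials would be treated as non-expiring")
    else:
        try:
            # fromisoformat() before Python 3.11 rejects a trailing "Z"
            expires = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
            left = (expires - now).total_seconds()
            if left <= 0:
                problems.append("credentials have already expired")
            elif left < min_seconds_left:  # assumed threshold for this example
                problems.append(f"credentials expire in {int(left)}s")
        except (AttributeError, TypeError, ValueError):
            problems.append("Expiration is not an ISO 8601 timestamp with a UTC offset")

    key_id = doc.get("AccessKeyId")
    view = {"AccessKeyId": "..." + key_id[-4:] if isinstance(key_id, str) else None,
            "SecretAccessKey": "<redacted>" if doc.get("SecretAccessKey") else None,
            "SessionToken": "<redacted>" if doc.get("SessionToken") else None,
            "Expiration": expiration}
    return problems, view
```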
## Assume a role via AWS SSO
Your `.aws/config` file can look like this:
```text
[default]
sso_start_url = xxxxxxxxxxxx
sso_region = us-west-2
sso_account_id = xxxxxxxxxxxx
sso_role_name = SSORoleName
[profile account1]
role_arn = arn:aws:iam::xxxxxxxxxxxx:role/role-to-be-assumed
source_profile = default
region = ap-northeast-1
```
allowing you to then run:
`aws2-wrap --profile account1 <command>`
and `<command>` will be run under `role-to-be-assumed`.
## Contributing
Contributions are more than welcome, particularly if you are able to expand on the test code. Please ensure, though, that before you submit a Pull Request, you run `make test` to ensure that your changes don't break any of the existing tests and `make pylint` to ensure that the linter is happy. Please note that the CI/CD pylint test *may* use different pylint rules from your own local setup.
Please also note that `make pylint` will only report errors. You *may* want to explicitly run `python3 -m pylint setup.py aws2wrap`.
## Credits
Thanks to @matan129, @nitrocode, @chenrui333, @l1n, @sodul, @damian-bisignano, @flyinprogrammer, @abeluck, @topu, @bigwheel, @krabbit, @jscook2345, @hieki, @blazdivjak, @fukushun1994, @johann8384, @ppezoldt, @atwoodjw, @lummish, @life36-vinny, @lukemassa and @axelri for their contributions.
Raw data
{
"_id": null,
"home_page": "https://github.com/linaro-its/aws2-wrap",
"name": "aws2-wrap",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": "",
"keywords": "aws profile sso assume role",
"author": "Philip Colmer",
"author_email": "it-support@linaro.org",
"download_url": "https://files.pythonhosted.org/packages/6d/c7/8afdf4d0c7c6e2072c73a0150f9789445af33381a611d33333f4c9bf1ef6/aws2-wrap-1.4.0.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "GPL-3.0-or-later",
"summary": "A wrapper for executing a command with AWS CLI v2 and SSO",
"version": "1.4.0",
"project_urls": {
"Homepage": "https://github.com/linaro-its/aws2-wrap"
},
"split_keywords": [
"aws",
"profile",
"sso",
"assume",
"role"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "42bd323faf593629df069a08221a3c7cf099c56a7a0a150ebfce03c2c8b45275",
"md5": "ba2e32187ee70cb7d0c6de0e1712081d",
"sha256": "824b9d9527a0b3fb6359429d9b1db12cb6b2de815fa72aff41fd35dad4a6daba"
},
"downloads": -1,
"filename": "aws2_wrap-1.4.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "ba2e32187ee70cb7d0c6de0e1712081d",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 22670,
"upload_time": "2023-12-09T15:51:15",
"upload_time_iso_8601": "2023-12-09T15:51:15.244152Z",
"url": "https://files.pythonhosted.org/packages/42/bd/323faf593629df069a08221a3c7cf099c56a7a0a150ebfce03c2c8b45275/aws2_wrap-1.4.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "6dc78afdf4d0c7c6e2072c73a0150f9789445af33381a611d33333f4c9bf1ef6",
"md5": "37c4fa24affbe29939d59dcce38c4ed3",
"sha256": "77613ae13423a6407e79760bdd35843ddd128612672a0ad3a934ecade76aa7fc"
},
"downloads": -1,
"filename": "aws2-wrap-1.4.0.tar.gz",
"has_sig": false,
"md5_digest": "37c4fa24affbe29939d59dcce38c4ed3",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 22417,
"upload_time": "2023-12-09T15:51:17",
"upload_time_iso_8601": "2023-12-09T15:51:17.175204Z",
"url": "https://files.pythonhosted.org/packages/6d/c7/8afdf4d0c7c6e2072c73a0150f9789445af33381a611d33333f4c9bf1ef6/aws2-wrap-1.4.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-12-09 15:51:17",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "linaro-its",
"github_project": "aws2-wrap",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "aws2-wrap"
}