CLI SSO auth w/o a web browser #353

Open
synfinatic opened this issue May 2, 2022 · 8 comments
Labels
help-wanted Extra attention is needed idea Things to think about

Comments

@synfinatic
Owner

Would be great to not have to rely on opening a URL in a GUI web browser and have the user log in to AWS SSO. Would be preferred to perform the auth workflow via the CLI. I tried using Lynx, but that doesn't work because AWS SSO requires JS.

Can we integrate a JS-enabled web scraper and somehow interact with the rendered pages? Lots of possible libraries listed here: https://github.com/lorien/awesome-web-scraping/blob/master/golang.md

@synfinatic synfinatic added help-wanted Extra attention is needed idea Things to think about labels May 2, 2022
@synfinatic synfinatic changed the title CLI SSO auth CLI SSO auth w/o a web browser May 11, 2022
@fggrtech

fggrtech commented Dec 7, 2022

Interesting. I ran across the option of leveraging a containerized environment which cannot invoke the host's web browser, and wouldn't mind this feature.

@synfinatic
Owner Author

synfinatic commented Dec 7, 2022

@fggrtech Can you give more info about your containerized ENV / workflow? What is the use case? How long are these containers running? Do they run locally? Can they talk to services on your local laptop/PC?

@fggrtech

fggrtech commented Dec 7, 2022

I was experimenting with providing a containerized linux IDE (vim, emacs) that had built-in support for AWS via this tooling. The hosting environment may differ (x86, arm, win, osx, linux), thus making communication for the external browser challenging.

This approach interests me, as the path for providing a container having the tooling pre-configured and allowing for different environments (node, jdk, all differing version combinations) is appealing.

I was able to experiment with an alpine linux container image, a locally built (make + go) binary on the image, and execute the resulting aws-sso. However, integration with the browser (js) auth mode isn't workable.

@synfinatic
Owner Author

For this use case you might just try using --url-action=print and let the user copy & paste the URL into their local browser.

@fggrtech

fggrtech commented Dec 9, 2022

I'll give that a try.

I've also experimented with invoking aws-sso on the host system to completion, followed by a env | grep -E "AWS_" > ~/.aws-current-env && docker exec -it --env-file ~/.aws-current-env bash.

That propagates the results of the aws-sso-cli login process, but I'm unsure if there is more that needs to occur to utilize it.

@synfinatic
Owner Author

You can indeed export the AWS_* environment variables and pass that in via the environment or mount it as ~/.aws/credentials, but you won't be able to refresh the IAM credentials that way, which will cause issues for long-running containers since the creds are limited to X hours (defined by the admin).

The advantage of using --url-action=print is that you get a local SSO Access Token which is typically good for a longer period of time (potentially days) and can be used to not just refresh your IAM creds, but switch between roles in your container.

@synfinatic
Owner Author

Also, I should mention, if you want to do the environmental variable route, aws-sso eval would likely be easier than doing the env | grep trick.
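
An allowlist version of the env-file hand-off discussed in the comments above, as an added example that is not part of the thread or of aws-sso-cli: it writes only the standard temporary-credential variables to a mode-0600 file, instead of every environment line that matches AWS_. The function name and the container name "dev" are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the project): hand temporary IAM
# credentials to a container through a private env file.

# Exact variable names the AWS SDKs/CLI read; anything else is left out, so an
# unrelated variable that merely contains "AWS_" is never copied.
AWS_CRED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_DEFAULT_REGION"

# write_aws_env_file PATH
# Writes NAME=value lines (the format docker --env-file expects) to PATH.
# Returns non-zero and leaves no file behind if the credentials are incomplete.
write_aws_env_file() {
    out=$1
    # A missing session token means these are not temporary credentials:
    # refuse rather than copy long-lived keys into a container.
    for required in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        eval "val=\${$required-}"
        if [ -z "$val" ]; then
            echo "refusing to export: $required is not set" >&2
            return 1
        fi
    done
    (
        umask 077          # new file is created readable by the owner only
        rm -f "$out"       # a pre-existing file would keep its old mode
        for name in $AWS_CRED_VARS; do
            eval "val=\${$name-}"
            [ -n "$val" ] || continue   # optional variables (region) may be unset
            printf '%s=%s\n' "$name" "$val"
        done > "$out"
    ) || { rc=$?; rm -f "$out"; return "$rc"; }
}

# Usage, once aws-sso has populated the environment on the host
# ("dev" is a placeholder container name):
#   write_aws_env_file "$HOME/.aws-current-env" &&
#     docker exec -it --env-file "$HOME/.aws-current-env" dev bash
#   rm -f "$HOME/.aws-current-env"
```

The file still holds live credentials until they expire, so remove it once the container session has started.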

@fggrtech

> For this use case you might just try using --url-action=print and let the user copy & paste the URL into their local browser.

This works as expected. Thanks.
