Home

Awesome

AWS SSO CLI

Tests Go Report Card License Badge Codecov Badge Publish Docs Build Release Binaries Last Release

Documentation | Demos | ChangeLog

About

AWS SSO CLI is a secure replacement for using the aws configure sso wizard with a focus on security and ease of use for organizations with many AWS Accounts and/or users with many IAM Roles to assume. It shares a lot in common with aws-vault, but is more focused on the AWS IAM Identity Center use case instead of static API credentials.

AWS SSO CLI requires your AWS account(s) to be setup with AWS IAM Identity Center, which was previously known as AWS Single Sign-On. If your organization is using the older SAML integration (typically you will have multiple tiles in OneLogin/Okta) then this won't work for you.

AWS SSO CLI focuses on making it easy to select a role via CLI arguments or via an interactive auto-complete experience with both automatic and user-defined metadata (tags) and exports the necessary AWS STS Token credentials to your shell environment in a variety of ways. It even supports sharing credentials via the AWS ECS Task IAM Role.

As part of the goal of improving the end-user experience with AWS SSO, it also supports using multiple AWS Web Console sessions and many other quality of life improvements!

Key Features

Security

Unlike the official AWS cli tooling, all authentication tokens and credentials used for accessing AWS and your SSO provider are encrypted on disk using your choice of secure storage solution. All encryption is handled by the 99designs/keyring library which is also used by aws-vault.

Credentials encrypted by aws-sso and not via the standard AWS CLI tool:

As you can see, not only does the standard AWS CLI tool expose the temporary AWS access credentials to your IAM roles, but more importantly the SSO AccessToken which can be used to fetch IAM credentials for any role you have been granted access!