aws cli - cirelledo-csa/herd GitHub Wiki

aws cli

AWS provides a command-line interface (the aws cli) that lets you drive nearly every AWS service from a terminal.

MFA considerations

Generally we encourage enforcing MFA for human access to AWS. This complicates programmatic access, because long-lived access keys never see an MFA prompt; the SSO login flow described below gives the cli short-lived credentials obtained through the same interactive (MFA-protected) login.

Install

which brew
# if you don't have brew, install it with:
# /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install awscli

You may have to clobber an aws cli binary installed by other methods with

brew link --overwrite awscli

Check that the aws cli is on your PATH and see which version you have:

which aws
aws --version

SSO and cli

NOTE: you need aws cli version 2 or later for SSO support; the version 1 cli has no `aws sso` subcommands.

aws --version
aws-cli/2.1.30 Python/3.9.2 Darwin/20.2.0 source/x86_64 prompt/off

Configuration

aws configure sso
SSO start URL [None]: https://ucop.awsapps.com/start#/
SSO Region [None]: us-west-2

Pick any account and role for this initial setup; the only purpose of this profile is to hold the SSO start URL and region for `aws sso login`. The autogenerated profile name embeds the account number. HINT: change this initial SSO profile name to "ucop" or something else easy to remember.

Auto gen sso profiles for aws cli

You can create profiles that aws cli can read with a script. First login with your sso profile:

aws sso login --profile youreasytorememberprofile

Note that the login stores a bearer token in ~/.aws/sso/cache as a json object. The directory also holds a client-registration file (clientId/clientSecret, no accessToken); the token file is the one that has an accessToken field. Anyone who can read that file can call the SSO portal API as you until the token expires, so keep the directory private. You can print the expiration time with (random.json stands for the actual file name):

cat ~/.aws/sso/cache/random.json | jq .expiresAt

Now find the latest token file in ~/.aws/sso/cache, again referred to here as random.json, and put the token into a shell variable:

ls -ltar ~/.aws/sso/cache
token=$(cat ~/.aws/sso/cache/random.json | jq -r .accessToken)

Next run the script below with (run it with bash, not sh, so the shebang and the bash-only string handling apply):

bash /tmp/aws-profile-gen.sh "$token"

Note that passing the token as an argument makes it visible in `ps` output to other users on the machine while the script and its `aws sso list-accounts` children run; on a shared host, prefer a method that keeps the token off the command line.

where:

cat /tmp/aws-profile-gen.sh
#!/bin/bash
# Usage: bash /tmp/aws-profile-gen.sh <sso-access-token>; prints one [profile ...] block per account/role pair
token=$1
aws sso list-accounts --access-token "$token" | jq -r '.accountList[] | [.accountName, .accountId] | @tsv' |
while IFS=$'\t' read -r account_name account_id; do
  account_name=${account_name// /-}   # profile names must not contain spaces
  for role in $(aws sso list-account-roles --account-id "$account_id" --access-token "$token" | jq -r '.roleList[].roleName'); do
    printf '[profile its-sso-%s-%s]\noutput = json\nregion = us-west-2\n' "$account_name" "$role"
    printf 'sso_account_id = %s\nsso_region = us-west-2\nsso_role_name = %s\nsso_start_url = https://ucop.awsapps.com/start\n\n' "$account_id" "$role"
  done
done

You can then append the output to an existing ~/.aws/config file (with the shell's `>>` redirection), but in case you mangle it, back it up first with something like:

cp -a ~/.aws/config /tmp/

Now enjoy some happy aws cli with sso:

aws sts get-caller-identity --profile some_auto_gen_profile
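The following is an added example, not code from this wiki or from the aws cli project: it reimplements the profile-generation procedure above in Python with boto3 (the same library the aws cli itself is built on). Doing it this way fixes two things the shell version leaves open: the token is sent in the HTTPS request body instead of appearing on a command line, and only profiles that are not already in ~/.aws/config are appended, so rerunning it never duplicates or clobbers a section you have edited by hand. It picks the newest unexpired token from ~/.aws/sso/cache itself, skipping the client-registration file. Assumptions: boto3 is installed, the cache lives at the default ~/.aws/sso/cache, the start URL, region and "its-sso-" prefix are the ones the page uses, and the "UTC"/"Z" suffixes handled in parse_expiry are the two timestamp spellings I have seen the cli write to expiresAt.

```python
"""Generate aws cli SSO profiles from the cached SSO token (added example, not the wiki's code)."""
import configparser
import json
from datetime import datetime, timezone
from pathlib import Path

SSO_START_URL = "https://ucop.awsapps.com/start"  # value used on the page
SSO_REGION = "us-west-2"
PROFILE_PREFIX = "its-sso-"                        # same prefix as the page's script


def parse_expiry(value):
    """Parse an expiresAt timestamp; tolerates the 'Z' and 'UTC' suffixes (assumption: both occur)."""
    for suffix in ("UTC", "Z"):
        if value.endswith(suffix):
            value = value[: -len(suffix)]
            break
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def pick_token(entries, now=None):
    """Return the accessToken with the latest future expiry among cache entries, else None.

    Entries without an accessToken (the clientId/clientSecret registration
    file) and entries that have already expired are ignored.
    """
    now = now or datetime.now(timezone.utc)
    best_expiry, best_token = None, None
    for data in entries:
        if "accessToken" not in data or "expiresAt" not in data:
            continue  # client-registration file, or something malformed
        expires = parse_expiry(data["expiresAt"])
        if expires <= now:
            continue  # stale token; a fresh `aws sso login` is needed
        if best_expiry is None or expires > best_expiry:
            best_expiry, best_token = expires, data["accessToken"]
    return best_token


def newest_valid_token(cache_dir):
    """Load every *.json in the SSO cache directory and pick the usable token."""
    entries = []
    for path in Path(cache_dir).glob("*.json"):
        try:
            entries.append(json.loads(path.read_text()))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: not a token file
    return pick_token(entries)


def list_account_roles(token, region=SSO_REGION):
    """Yield (accountName, accountId, roleName) from the SSO portal API.

    boto3 is imported here so the pure functions above work without it.
    The portal calls are unsigned; only the bearer token authenticates them.
    """
    import boto3  # assumption: boto3 is installed
    sso = boto3.client("sso", region_name=region)
    for page in sso.get_paginator("list_accounts").paginate(accessToken=token):
        for acct in page["accountList"]:
            roles = sso.get_paginator("list_account_roles").paginate(
                accessToken=token, accountId=acct["accountId"])
            for rpage in roles:
                for role in rpage["roleList"]:
                    yield acct["accountName"], acct["accountId"], role["roleName"]


def profile_name(account_name, role_name):
    """Profile names must not contain spaces; mirror the page's sed 's/ /-/g'."""
    return PROFILE_PREFIX + account_name.replace(" ", "-") + "-" + role_name


def render_new_profiles(existing_config_text, triples):
    """Return INI text for the profiles in triples that existing_config_text lacks.

    The existing file is only parsed, never rewritten, so comments and
    hand-edited sections survive; the caller appends the returned text.
    """
    existing = configparser.ConfigParser(interpolation=None, strict=False)
    existing.read_string(existing_config_text)
    chunks, seen = [], set()
    for account_name, account_id, role in triples:
        section = "profile " + profile_name(account_name, role)
        if existing.has_section(section) or section in seen:
            continue
        seen.add(section)
        chunks.append(
            f"[{section}]\noutput = json\nregion = {SSO_REGION}\n"
            f"sso_account_id = {account_id}\nsso_region = {SSO_REGION}\n"
            f"sso_role_name = {role}\nsso_start_url = {SSO_START_URL}\n"
        )
    return "\n".join(chunks)


if __name__ == "__main__":
    cache = Path.home() / ".aws" / "sso" / "cache"
    config_path = Path.home() / ".aws" / "config"
    token = newest_valid_token(cache)
    if token is None:
        raise SystemExit("no unexpired SSO token; run: aws sso login --profile <your-sso-profile>")
    current = config_path.read_text() if config_path.exists() else ""
    new_text = render_new_profiles(current, list_account_roles(token))
    if new_text:
        with config_path.open("a") as fh:  # append only; existing content is untouched
            fh.write("\n" + new_text)
    print(new_text or "nothing to add")
```

Run it after `aws sso login --profile <your-sso-profile>`; it appends the missing `[profile its-sso-...]` sections directly to ~/.aws/config and prints what it added. Because the file is appended to rather than regenerated, the backup step above is still worth doing once, but a stale or duplicate profile cannot be produced by rerunning.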