Command to get cached access token for SSO session #9430

Closed
@revmischa

Description

Describe the feature

Sometimes I'm authenticated with SSO and need a short-lived access key ID / secret / session token for running some scripts. The token exists in the sso cache dir but I have to dig in that directory to get it.
It would be nice if there was a command to return this info which is already saved by the CLI.

This is the script I came up with to extract my current session credentials from the cache. I am wondering if there is a better way, or the AWS CLI could be enhanced to spit out the tokens it has saved for my SSO session.

#!/usr/bin/env bash
# Exit on unset variables and on any failing command so a missing value
# never silently turns into an empty credential.
set -eu

PROFILE_NAME="my-profile"

ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text --profile "$PROFILE_NAME")
# Read the role name from the profile via the CLI instead of grepping ~/.aws/config by hand
ROLE_NAME=$(aws configure get sso_role_name --profile "$PROFILE_NAME")

START_URL=https://mycompany.awsapps.com/start/

# Retrieve an unexpired access token for this start URL from the AWS CLI cache
ACCESS_TOKEN=$(jq -r 'select(.startUrl=="'"$START_URL"'" and (((.expiresAt | sub("\\.[0-9]+Z$"; "Z")) | strptime("%Y-%m-%dT%H:%M:%SZ") | mktime) > now)) | .accessToken' ~/.aws/sso/cache/*.json | head -n1)
if [ -z "$ACCESS_TOKEN" ]; then
	echo "Error: Access token not found. Please run 'aws sso login --profile $PROFILE_NAME' first." >&2
	exit 1
fi

# Exchange the portal access token for short-lived role credentials
credentials=$(aws sso get-role-credentials --account-id "$ACCOUNT_ID" --role-name "$ROLE_NAME" --profile "$PROFILE_NAME" --access-token "$ACCESS_TOKEN")

# Export the credentials as environment variables
export AWS_ACCESS_KEY_ID=$(jq -r '.roleCredentials.accessKeyId' <<<"$credentials")
export AWS_SECRET_ACCESS_KEY=$(jq -r '.roleCredentials.secretAccessKey' <<<"$credentials")
export AWS_SESSION_TOKEN=$(jq -r '.roleCredentials.sessionToken' <<<"$credentials")

pnpm exec newman run --verbose postman.json \
	--env-var "aws_access_key_id=$AWS_ACCESS_KEY_ID" --env-var "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" --env-var "aws_session_token=$AWS_SESSION_TOKEN"

Use Case

I have a third-party tool (Postman) that has some E2E tests that get run by CI. The E2E tests need to hit a Lambda URL that is authenticated using AWS IAM. So Postman needs to generate an AWS SigV4-signed request to the URL, so it needs an access key ID / secret / session token. In CI, these auth credentials are fetched using aws sts assume-role-with-web-identity. I would also like to be able to run the same tests on my local machine using my AWS IAM Identity Center (formerly AWS SSO) credentials that I obtain with aws sso login --profile my-profile. The problem is that I can see no way to get a temporary key ID / secret / session token using the AWS CLI other than digging in the SSO cache dir.

https://repost.aws/questions/QUL3-pjj6uRdWeJuaAG9B9Xg/awscli-how-to-get-an-access-token-when-authenticated-via-aws-sso-login

Proposed Solution

I'm not sure what an appropriate command-line invocation would look like for this. Would love to hear ideas.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

aws-cli/2.12.1 Python/3.11.3 Linux/6.8.0-57-generic exe/x86_64.ubuntu.24 prompt/off

Environment details (OS name and version, etc.)

mac/linux
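The same cache lookup the script above does with jq, as an added example in Python (not part of the original issue and not AWS CLI code). It assumes the CLI v2 cache layout: JSON files under ~/.aws/sso/cache/ whose token entries carry "startUrl", "region", "accessToken" and "expiresAt" (ISO-8601 UTC). It goes a little further than the script: it tolerates both the plain "Z" and fractional-second timestamp forms, skips client-registration files and tokens for other portals, ignores malformed files, and picks the token with the latest remaining lifetime instead of the first match. The exchange for role credentials uses the sso:GetRoleCredentials API through boto3 and needs network access; the cache scan itself runs offline.

```python
"""Find a non-expired IAM Identity Center (SSO) access token in the AWS CLI cache
and exchange it for short-lived role credentials.

Added example, not AWS CLI code. Assumes the CLI v2 cache layout under
~/.aws/sso/cache/ (token entries with startUrl, region, accessToken, expiresAt).
"""
import json
import shlex
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def parse_expiry(value: str) -> datetime:
    """Parse expiresAt, tolerating a trailing 'Z' and fractional seconds."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def find_sso_token(cache_dir: Path, start_url: str,
                   now: Optional[datetime] = None) -> Optional[dict]:
    """Return the cache entry for start_url with the latest future expiry, or None.

    Client-registration files (no accessToken), tokens for other portals,
    expired tokens and unreadable files are skipped rather than aborting.
    """
    now = now or datetime.now(timezone.utc)
    best = None
    for path in sorted(cache_dir.glob("*.json")):
        try:
            entry = json.loads(path.read_text())
        except (OSError, ValueError):
            continue
        if not isinstance(entry, dict) or "accessToken" not in entry:
            continue
        if entry.get("startUrl") != start_url:
            continue
        try:
            expires = parse_expiry(entry["expiresAt"])
        except (KeyError, TypeError, ValueError):
            continue
        if expires <= now:
            continue  # expired: the user has to run `aws sso login` again
        if best is None or expires > best[0]:
            best = (expires, entry)
    if best is None:
        return None
    return {"accessToken": best[1]["accessToken"],
            "expiresAt": best[0],
            "region": best[1].get("region")}


def role_credentials(access_token: str, account_id: str,
                     role_name: str, region: str) -> dict:
    """Exchange the portal token for role credentials (sso:GetRoleCredentials).

    Needs boto3 and network access, so it is imported lazily: the cache
    lookup above works without boto3 installed.
    """
    import boto3
    client = boto3.client("sso", region_name=region)
    resp = client.get_role_credentials(roleName=role_name, accountId=account_id,
                                       accessToken=access_token)
    return resp["roleCredentials"]


def export_lines(creds: dict) -> str:
    """Render credentials as shell-quoted export statements for eval."""
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={shlex.quote(creds['accessKeyId'])}",
        f"export AWS_SECRET_ACCESS_KEY={shlex.quote(creds['secretAccessKey'])}",
        f"export AWS_SESSION_TOKEN={shlex.quote(creds['sessionToken'])}",
    ])


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: sso_creds.py START_URL ACCOUNT_ID ROLE_NAME")
    start_url, account_id, role_name = sys.argv[1:]
    token = find_sso_token(Path.home() / ".aws" / "sso" / "cache", start_url)
    if token is None:
        sys.exit("no unexpired SSO token cached for that start URL; run 'aws sso login' first")
    creds = role_credentials(token["accessToken"], account_id, role_name,
                             token["region"] or "us-east-1")
    print(export_lines(creds))
```

Usage is `eval "$(python3 sso_creds.py https://mycompany.awsapps.com/start/ 123456789012 MyRole)"` so the credentials land in the current shell rather than a subshell. The expiry check is done against the cached expiresAt before any network call, which is the check the jq one-liner relies on too; a token that scans as valid can still have been revoked portal-side, in which case get_role_credentials raises and nothing is exported.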

Metadata

Assignees

No one assigned

Labels

feature-request (A feature should be added or improved.), needs-triage (This issue or PR still needs to be triaged.)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests