Makes dealing with AWS SSO logins easy

Overview

go-aws-sso

Make working with AWS SSO on local machines easy.

What is it about?

  • Choose and retrieve short-lived role credentials from all of the accounts and roles available to you via SSO
  • No nasty manual copy and pasting of credentials

Getting Started

$ ./go-aws-sso --help
NAME:
go-aws-sso - Retrieve short-living credentials via AWS SSO & SSOOIDC

USAGE:
go-aws-sso [global options] command [command options] [arguments...]

COMMANDS:
help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
--start-url value, -u value  Set the SSO login start-url. (Example: https://my-login.awsapps.com/start#/)
--region value, -r value     Set the AWS region (default: "eu-central-1")
--config value, -c value     Specify the config file to read from. (default: ~/.aws/go-aws-sso-config.yaml)
--help, -h                   show help (default: false)

./go-aws-sso --start-url "https://my-sso-login.awsapps.com"

2021/11/08 19:34:40 Please verify your client request: https://device.sso.eu-central-1.amazonaws.com/?user_code=USR-CDE
2021/11/08 19:34:40 Still waiting for authorization...
Search: 
? Select your account - Hint: fuzzy search supported. To choose one account directly just enter #{Int}: 
  ▸ #0 Awesome API - SDLC YYYYYXXXXXXX
    #1 Team Sandbox XXXXXXXXXXXX
    #2 Awesome API - Production YYYYYYYYYYYY

2021/11/08 19:34:43 Selected account: Team Sandbox - XXXXXXXXXXXX

2021/11/08 19:34:43 Only one role available. Selected role: AWSAdministratorAccess
2021/11/08 19:34:43 Credentials expire at: 2021-11-08 20:34:43 +0100 CET

  • Compile from source or download the appropriate binary.

  • A) Execute go-aws-sso and set your SSO start URL with --start-url "https://my-sso-login.awsapps.com"

  • B) Create a .yaml file, put your start URL in it, and reference the file via go-aws-sso -c my-config-file.yaml

    start-url: https://my-sso-login.awsapps.com
    region: eu-central-1
    
  • C) Create a file ~/.aws/go-aws-sso-config.yaml and put the start-url in there

  • Choose the account whose roles you want displayed

  • Choose a role

    • If only one role is available, it is selected by default

  • Short-lived credentials are written to ~/.aws/credentials

License

This project is licensed under the MIT License - see the LICENSE.md file for details

Issues
  • Add interactive role selection

    Has there been any consideration to making role selection interactive (i.e. type to filter)?

    For example, using a package like https://github.com/AlecAivazis/survey ?

    enhancement question 
    opened by davegallant 4
  • [feature] assume into other account with a role

    When connected to an AWS account, we'd like to be able to assume into another account with a specific role. Use case: we, the security team, have an AWS account which we are using to audit other AWS accounts by using a specific role. Example: Log into the Audit account of the security team and copy & paste the env vars into the shell:

    export AWS_ACCESS_KEY_ID="ASIA3DDUOF..."
    export AWS_SECRET_ACCESS_KEY="9SOKzok..."
    export AWS_SESSION_TOKEN="IQoJb3Jp..."
    
    

    Connect to the account XYZ to be audited by using the role "AccountSecurityAuditRole": go-aws-sso assume -a XYZ -n AccountSecurityAuditRole

    Output:

    2022/05/10 10:36:33 AccessToken expired. Start retrieving a new AccessToken.
    2022/05/10 10:36:33 Please verify your client request: https://device.sso.eu-central-1.amazonaws.com/?user_code=...
    2022/05/10 10:36:33 Still waiting for authorization...
    2022/05/10 10:36:36 Still waiting for authorization...
    2022/05/10 10:36:39 Something went wrong: ": No access\n\tstatus code: 403, request id: 68d16..."
    
    

    As you can see, it's not possible to assume into the other AWS account. However, prowler is able to do so:

    ./prowler -A XYZ -R AccountSecurityAuditRole -c check117
                              _
      _ __  _ __ _____      _| | ___ _ __
     | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
     | |_) | | | (_) \ V  V /| |  __/ |
     | .__/|_|  \___/ \_/\_/ |_|\___|_|v2.9.0-13April2022
     |_| the handy cloud security tool
    
     Date: Mo  9 Mai 2022 18:20:53 CEST
    
    enhancement 
    opened by kagahd 1
  • Add carriage return after profile definition

    Is your feature request related to a problem? Please describe.

    1. Execute login command
    2. Try to print the content of credentials file ( cat ~/.aws/credentials )

    The last line of the file joins with terminal's current line. This breaks the terminal. I have to manually press Enter to fix the terminal.

    Describe the solution you'd like: Add newline character in the end of profile definition.

    Describe alternatives you've considered: cat ~/.aws/credentials && echo

    Additional context

    bug enhancement good first issue 
    opened by bfanyuk 1
  • introduce parameters to select an account

    Currently, we have to manually select an account using arrows.

    We would like to have a command with parameters like the example below.

    aws-cli-slc univention -profile saml -account-id 726795418538 -role-name admin

    Regards, Daniel

    enhancement 
    opened by chaoui 1
  • introduce profiles options

    Using the go-aws-sso tool, the credentials profile is automatically generated as "default", but it would be interesting if we could choose the profile we want.

    Regards, Daniel

    enhancement good first issue 
    opened by chaoui 1
  • `go install` not working

    opened by theurichde 1
  • Refresh Command

    Describe the solution you'd like: I want to have a refresh command that refreshes my short living credentials for the account and role I used in the current "session"

    enhancement 
    opened by theurichde 1
  • Add region override

    Is your feature request related to a problem? Please describe. It's not possible to override the region without changing the source code. See https://github.com/theurichde/go-aws-sso/blob/6d35a950f02ba9b193c3ef2c36075669792ee326/main.go#L28

    Describe the solution you'd like: It'd be nice to be able to specify a region some other way (i.e. flag).

    Describe alternatives you've considered: N/A

    Additional context: When using the incorrect region, authorization returns invalid_grant provided.

    bug enhancement 
    opened by davegallant 1
  • Client Access Token is not saved

    When the folder ~/.aws/sso/cache does not exist, the access-token.json is not persisted. That leads to the behavior that an access token is requested every time the program is executed.

    The desired behavior is, that the access token is saved and when one runs the program and the access token is still valid, this token is used to retrieve the account and role information.

    bug 
    opened by theurichde 0
  • avoid overwriting file credentials

    Using the go-aws-sso tool, the credentials aws file is being overwritten with the new default profile and other attributes. The behavior we expected was to add the new information, keeping the old ones from other profiles.

    Regards, Daniel

    enhancement 
    opened by chaoui 0
  • [feature] Read Start URL and Region via Environment Variables

    Describe the solution you'd like: Read the start URL and region from environment variables

    Additional context: I would like to read the needed variables / flags via environment variables, like

    AWS_DEFAULT_SSO_START_URL="https://my-login.awsapps.com/start#/"
    AWS_DEFAULT_SSO_REGION="eu-central-1"
    

    The chain should be

    1.) Saved Config
    2.) Environment Variables
    3.) CLI Flags

    where the predecessor always gets overridden

    enhancement 
    opened by theurichde 1
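
Several of the issues above concern how credential and token files are written: other profiles being overwritten, a missing trailing newline, and a directory that does not exist yet. The following is an added example, not go-aws-sso's own code, showing one write path that handles all three and keeps the file private; the names upsertProfile and writePrivate and the sample key values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// upsertProfile replaces or appends [profile]; other profiles are kept and the result ends with a newline.
func upsertProfile(existing, profile string, keys [][2]string) string {
	var kept []string
	skip := false
	for _, line := range strings.Split(existing, "\n") {
		t := strings.TrimSpace(line)
		if strings.HasPrefix(t, "[") && strings.HasSuffix(t, "]") {
			skip = strings.TrimSpace(t[1:len(t)-1]) == profile // drop the old copy of this section
		}
		if !skip {
			kept = append(kept, line)
		}
	}
	// Normalise to "kept profiles, blank line" (or nothing when the file was empty).
	body := strings.TrimLeft(strings.TrimRight(strings.Join(kept, "\n"), "\n")+"\n\n", "\n")
	body += "[" + profile + "]\n"
	for _, kv := range keys {
		body += kv[0] + " = " + kv[1] + "\n"
	}
	return body
}

// writePrivate creates a missing parent directory as 0700, writes a 0600 temp file and renames it into place.
func writePrivate(path, content string) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	tmp := path + ".tmp"
	os.Remove(tmp) // discard a stale temp file so the 0600 mode below applies
	if err := os.WriteFile(tmp, []byte(content), 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}

func main() {
	old := "[audit]\naws_access_key_id = EXAMPLE-AUDIT\n\n[default]\naws_access_key_id = EXAMPLE-OLD" // constructed sample
	merged := upsertProfile(old, "default", [][2]string{{"aws_access_key_id", "EXAMPLE-NEW"}})
	err := writePrivate(filepath.Join(os.TempDir(), "go-aws-sso-example", "credentials"), merged)
	fmt.Printf("%q\nwrite error: %v\n", merged, err)
}
```

Because the temp file is renamed over the target, a credentials file that previously had looser permissions ends up as 0600 after the first write.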
Releases(v0.6.0)
Owner
Tim Heurich
Backend Software Engineer @idealo
an SSO and OAuth / OIDC login solution for Nginx using the auth_request module

Vouch Proxy An SSO solution for Nginx using the auth_request module. Vouch Proxy can protect all of your websites at once. Vouch Proxy supports many O

Vouch 1.9k May 18, 2022
Casdoor is a UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC.

A UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC

Casbin 2.9k May 11, 2022
sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services

sso See our launch blog post for more information! Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadma

BuzzFeed 2.9k May 10, 2022
Lightweight SSO Login System

login Lightweight SSO Login System Convention Redirect to login.changkun.de?redirect=origin When login success, login.changkun.de will redirect to ori

Changkun Ou 4 Dec 1, 2021
Home-sso-service - Single-Sign On service with golang

home-sso-service This is Single-Sign On service Dependencies go version go1.15.6

Nguyen Lam 1 May 10, 2022
A distribute SSO system

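single-sign-on-system I: SSO single sign-on system development summary (1): Overall architecture analysis. A front-end-separated SSO single sign-on system built on the go-oauth2/oauth2 library (2): System technical points analysis. The system's current technology stack is as follows: Vue3 and ElementUI for the front-end pages; Nginx to solve cross-origin issues between systems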

yinhuanyi 2 Feb 12, 2022
makes it easy to keep track of user sessions on a Go API.

usersession is a simple way to keep track of user information on a Go API. it assigns a session ID and gives you a place to store the IP and some user

William Dillon 0 Dec 22, 2021
JWT wrapper library which makes it simple to use ECDSA based JWT signing

JWT JWT wrapper library which makes it simple to user ECDSA based JWT signing. Usage package main import ( "context" "github.com/infiniteloopcloud

infinite loop 0 Feb 10, 2022
Small Lambda function which performs a Aws:Sts:AssumeRole based on the presented JWT-Token

About This implements a AWS Lambda handler which takes a JWT-Token, validates it and then performs a Aws:Sts:AssumeRole based on preconfigured rules.

AOE 4 Nov 24, 2021
Scaffold to help building Terraform Providers using AWS IAM authentication.

Terraform Provider Scaffolding This repository is a template for a Terraform provider. It is intended as a starting point for creating Terraform provi

Paul Zietsman 1 Mar 31, 2022
K8s controller to manage the aws-auth configmap

aws-auth-manager A kuberneres controller to manage the aws-auth configmap in EKS using a new AWSAuthItem CRD. The aws-auth configmap is used to give R

Matteo Ruina 11 Apr 20, 2022
CLI tool to update ~/.aws/config with all accounts and permission sets defined in AWS SSO

aws-sso-profiles Generate or update ~/.aws/config with a profile for each SSO account you have access to, by using an existing AWS SSO session. Bootst

SpareBank 1 Utvikling 2 Oct 18, 2021
Provides AWS STS credentials based on Google Apps SAML SSO auth with interactive GUI support

What's this This command-line tool allows you to acquire AWS temporary (STS) credentials using Google Apps as a federated (Single Sign-On, or SSO) pro

Quan Hoang 30 Apr 29, 2022
Opinionated CLI app for AWS SSO made in Golang!

aws-sso-creds AWS SSO Creds Table of Contents About The Project Built With Instalation Static From source Usage Contributing License Contact Acknowled

Jorge Gómez Reus 3 Mar 29, 2022
Go package for dealing with EU VAT. Does VAT number validation & rates retrieval.

Package vat Package for validating VAT numbers & retrieving VAT rates in Go. Installation Use go get. go get github.com/dannyvankooten/vat Then impor

Danny van Kooten 90 May 2, 2022
Go package for dealing with maps, slices, JSON and other data.

Objx Objx - Go package for dealing with maps, slices, JSON and other data. Get started: Install Objx with one line of code, or update it with another

Stretchr, Inc. 514 May 16, 2022
Go package for dealing with Mantis Bug Tracking tool

BlueMantis is a Go package in development that aim to make the process of sending issues and bugs in Go applications to the Open Source Bug Tracking software MantisBT.

Gustavo H. M. Silva 6 Aug 3, 2021
Utilities around dealing with images inside of game dev. Inspired by my hate for TGA.

Image Conversion Utilities around dealing with images inside of game dev. Inspired by my hate for TGA. Install go install ./cmd/imgconv Examples TGA

Recolude 2 Oct 28, 2021
Optional-go - Library for conveniently and safely dealing with optional (nullable) values

Optional Go Library for conveniently and safely dealing with optional (nullable)

Adolfo Martinelli 2 Mar 18, 2022
Go library for dealing with Ademco and Contact-ID messages

Ademco For Go A lightweight golang library for dealing with Contact-ID and Ademco messaging formats. Installation install via go get $ go get github.c

Josh Burns 0 Jan 11, 2022
starenv allows populating environmental variables from variety of sources, such as AWS Parameter Store, GPG encrypted files and more, with extreme ease.

starenv (*env) allows populating environmental variables from variety of sources, such as AWS Parameter Store, GPG encrypted files and more, with extr

Mansour Behabadi 6 Sep 9, 2021
lambda-go-api-proxy makes it easy to port APIs written with Go frameworks such as Gin to AWS Lambda and Amazon API Gateway.

aws-lambda-go-api-proxy makes it easy to run Golang APIs written with frameworks such as Gin with AWS Lambda and Amazon API Gateway.

Amazon Web Services - Labs 648 May 12, 2022
CLI for SendGrid, which helps in managing SSO users, can install and update users from yaml config

Sendgrid API This script is needed to add new users to SendGrid as SSO teammates. Previously, all users were manually added and manually migrating the

ANNA 4 Nov 12, 2021
Web interface for Wireguard. Supports SSO.

A simple, easy to use web interface for Wireguard. It supports SSO authentication (currently Google, Github, Gitlab, Okta are supported) and SCIM2.0 protocol (in development).

Nham Le 7 Apr 6, 2022