@lukeplausin
Last active April 9, 2024 11:50
Automatically configure AWS SSO configuration file for all available accounts and roles
#!/bin/bash -e
# How to use this script:
# 1. Follow these instructions to configure a single AWS account for the initial SSO login:
#    https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
# 2. Export AWS_PROFILE=... and then run "aws sso login" to obtain an SSO access token.
# 3. Once signed in with AWS SSO, run this script to list all the other accounts and roles
#    you have access to and add a profile for each of them to your config file.
# If you want to filter roles / accounts in the process, or validate the config before
# committing it, customise the script accordingly.
: > ~/.aws/config_append   # start with an empty staging file
# Pick the cached SSO token (the botocore client-registration files in the same directory carry no token)
at_filename=$(ls ~/.aws/sso/cache/*.json | grep -v botocore | head -n 1)
at=$(jq -r '.accessToken' "$at_filename")
start_url=$(jq -r '.startUrl' "$at_filename")
region_sso=$(jq -r '.region // "us-east-1"' "$at_filename")
# alter this line if you prefer to work in a specific region
# e.g. assume_role_region=eu-west-2
assume_role_region=$region_sso
if [ -z "$at" ] || [ "$at" = "null" ] ; then
  echo "No access token found. Did you remember to run 'aws sso login' first?"
  exit 1
fi
# Iterate account list
available_accounts=$(aws sso list-accounts --region "$region_sso" --access-token "$at")
n_accounts=$(echo "$available_accounts" | jq '.accountList | length')
echo "Accounts found: $n_accounts"
account_list=$(echo "$available_accounts" | jq -r '.accountList | .[] | .accountId')
while IFS= read -r account_id ; do
  echo "account: $account_id"
  account_data=$(echo "$available_accounts" | jq -r ".accountList | .[] | select( .accountId == \"$account_id\" )")
  # strip whitespace so that account names containing spaces still produce valid profile names
  account_name=$(echo "$account_data" | jq -r '.accountName // .accountId' | xargs | tr -d "[:space:]")
  account_roles=$(aws sso list-account-roles --region "$region_sso" --access-token "$at" --account-id "$account_id")
  role_names=$(echo "$account_roles" | jq -r '.roleList | .[] | .roleName')
  while IFS= read -r role_name ; do
    echo " role: $role_name"
    config_profile_name="$account_name-$role_name"
    # match the whole section header: a plain substring grep would treat "Prod-Admin" as present
    # when only "Prod-AdminReadOnly" exists, and silently skip the new profile
    hit=$(grep -Fx "[profile $config_profile_name]" ~/.aws/config || echo "")
    if [ -z "$hit" ] ; then
      echo " profile: $config_profile_name not found, adding to config..."
      cat << EOF >> ~/.aws/config_append
[profile $config_profile_name]
sso_start_url = $start_url
sso_region = $region_sso
sso_account_id = $account_id
sso_role_name = $role_name
sts_regional_endpoints = regional
region = $assume_role_region
EOF
    else
      echo " profile: $config_profile_name found, doing nothing..."
    fi
  done < <(printf '%s\n' "$role_names")
done < <(printf '%s\n' "$account_list")
echo ""
echo ""
echo "The following config will be appended to your ~/.aws/config file:"
cat ~/.aws/config_append
echo ""
read -r -p "Do you want to proceed? [y/n] " yn
case $yn in
  [Yy]* ) cat ~/.aws/config_append >> ~/.aws/config; echo "committed!" ;;
  * ) echo "cancelled!" ;;
esac
echo "cleaning up..."
rm -f ~/.aws/config_append
echo "Done!"
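The script takes the first non-botocore file in ~/.aws/sso/cache and checks for an existing profile with a grep. The added example below (my code, not the gist's) redoes those two steps in Python: it selects the cache entry whose expiresAt is still in the future, strips unsafe characters from the account name, and matches existing profiles by exact section name. SAMPLE_CACHE, SAMPLE_CONFIG and NOW are constructed stand-ins, not real tokens or config.

```python
"""Pick an unexpired AWS SSO cache token and add profiles without duplicates.

Added example, not the gist's code. SAMPLE_CACHE, SAMPLE_CONFIG and NOW are
constructed stand-ins, not real tokens or config.
"""
import configparser
import json
import re
from datetime import datetime, timezone
from pathlib import Path

SAMPLE_CACHE = [  # constructed stand-ins for ~/.aws/sso/cache/*.json
    {"clientId": "constructed", "expiresAt": "2024-12-31T00:00:00Z"},  # botocore file, no token
    {"accessToken": "EXPIRED", "startUrl": "https://example.awsapps.com/start",
     "region": "eu-west-2", "expiresAt": "2023-04-21T08:00:00Z"},
    {"accessToken": "FRESH", "startUrl": "https://example.awsapps.com/start",
     "region": "eu-west-2", "expiresAt": "2023-04-21T20:00:00Z"},
]
NOW = datetime(2023, 4, 21, 12, 7, 47, tzinfo=timezone.utc)  # constructed clock
SAMPLE_CONFIG = "[profile Prod-AdminReadOnly]\nsso_account_id = 111111111111\n"

def load_cache_entries(cache_dir="~/.aws/sso/cache"):
    """Parse every JSON file in the real SSO cache directory."""
    return [json.loads(p.read_text()) for p in Path(cache_dir).expanduser().glob("*.json")]

def select_access_token(entries, now=None):
    """Return (accessToken, startUrl, region) from the unexpired entry with the
    latest expiry, or None when no usable token exists (run 'aws sso login')."""
    now = now or datetime.now(timezone.utc)
    best = None
    for entry in entries:
        if "accessToken" not in entry:  # botocore client-registration files carry no token
            continue
        expires = datetime.fromisoformat(entry["expiresAt"].replace("Z", "+00:00"))
        if expires > now and (best is None or expires > best[0]):
            best = (expires, entry["accessToken"], entry["startUrl"], entry.get("region", "us-east-1"))
    return None if best is None else best[1:]

def profile_name(account_name, role_name):
    """Keep only characters that are safe inside an INI section header."""
    return f"{re.sub(r'[^A-Za-z0-9_-]', '', account_name)}-{role_name}"

def profile_exists(config_text, name):
    """Exact section match, so 'Prod-Admin' is not mistaken for 'Prod-AdminReadOnly'."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    return cfg.has_section(f"profile {name}")
```

Feed `load_cache_entries()` into `select_access_token()` to replace the `ls | grep -v botocore | head -n 1` lookup; an expired entry is skipped instead of producing a failing API call later.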
@lukeplausin (Author)

24/08/2022: I've added $region so the script works even if AWS_REGION is unset, and added a tr command so that account names with spaces can still be added.

jaanli commented Apr 21, 2023

Thank you so much for this @lukeplausin !

Having some issues getting it working unfortunately:


 me@laptop   /usr/local/bin  wget https://gist.githubusercontent.com/lukeplausin/3cfedc29755e184ef526b504c77ffe70/raw/be06415488d4a60bc379871b992b1d9fb16913e8/auto_configure_aws_cli_sso_roles.sh
--2023-04-21 12:07:47--  https://gist.githubusercontent.com/lukeplausin/3cfedc29755e184ef526b504c77ffe70/raw/be06415488d4a60bc379871b992b1d9fb16913e8/auto_configure_aws_cli_sso_roles.sh
Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2659 (2.6K) [text/plain]
Saving to: 'auto_configure_aws_cli_sso_roles.sh.1'

auto_configure_aws_cli_sso_roles.sh.1  100%[============================================================================>]   2.60K  --.-KB/s    in 0s

2023-04-21 12:07:47 (21.9 MB/s) - 'auto_configure_aws_cli_sso_roles.sh.1' saved [2659/2659]

 me@laptop   /usr/local/bin  chmod a+x auto_configure_aws_cli_sso_roles.sh                                                         3745  12:07:48 
 me@laptop   /usr/local/bin  ./auto_configure_aws_cli_sso_roles.sh                                                                 3746  12:07:52 

Could not connect to the endpoint URL: "https://portal.sso.null.amazonaws.com/assignment/accounts"
 me@laptop   /usr/local/bin 

@migueleliasweb

For the people who stumble across this script and can't get it to work: in my case, I had to slightly change the script so that it passes AWS_PROFILE to the forked aws calls for list-account-roles and list-accounts. Without that, it would fail to perform those calls.

@lukeplausin thanks so much for this. I intend to make a Golang port of this with a couple more options ;)

@lukeplausin (Author)

I've added a default region to handle the case that access tokens don't specify a region, and also added a reminder in case the user didn't run aws sso login before running the script.

@lukeplausin (Author)

I think this should be resolved now with the change that I've made. Let me know if you're still having issues.

fesaab commented Dec 31, 2023

Awesome script! Thanks a lot for sharing it! 👏

chattr commented Apr 9, 2024

Fantastic script! It inspired me to write a derivation here:

https://gist.github.com/chattr/5ab07ebb3b8defc1bb422710eef60a82

Thanks for the inspiration 🙇
