'aws configure get' should support sso-session configurations

Question

'aws configure get' should support sso-session configurations

alexevansigg opened this issue 24 days ago · comments

Describe the feature

The aws configure get subcommand doesn't support reading sso-session configuration items.

Use Case

I work alot with multiple instances of Identity Center and use many AWS Profiles with SSO Sessions configured for each one, I made a library of helper bash functions which wraps around common Operations/Developer CLI commands... These, when creating resources or interacting with services may output console HyperLinks or open console pages.. so one can view the resources in the console quickly without having to click through 5+ weblinks to get there.

To ensure the browser opens the Console in the context of the correct SSO Session I can build a hyperlink in the following format.

http://<sso_start_url>?account_id=<profile_account_it>&region=<profile_region_id>&role=<profile_role_id>&destination=<url_encoded_console_url>

This way the SSO context is correctly set before redirecting to the target destination in the URL.

Real example...

With current shell directory set to a checked out codecommit repository I run a bash command.

open-pipeline-execution

This would then take me to the sso console refresh my session to the respective codepipeline execution for that Repository.

Proposed Solution

Already opened a PR the other week as linked to this Issue with necessary Unit Tests updates... just need to find out how to get it reviewed.
#8690

The underlying boto3 method used by 'aws configure get' to read the local .aws/config is already able to parse the sso-section. The AWS CLI abstraction, however, hardcodes the config section type as 'profile'. This is addressed by the above PR.

Other Information

I work in AWS so reach out to me for more info. @alxev

Acknowledgements

I may be able to implement this feature request
This feature might incur a breaking change

CLI version used

2.16.4

Environment details (OS name and version, etc.)

MacOS

Tim Finnigan · Answer 1 · Wed Jun 12 2024 02:03:15 GMT+0800 (China Standard Time)

Thanks for the feature request. After a quick discussion with the team, we think this probably a reasonable request for the aws configure get command but further review is needed regarding the potential implementation. We would have to account for the config file variations and not introduce any possibly breaking behavior.

Alex Evans · Answer 2 · Wed Jun 12 2024 05:00:11 GMT+0800 (China Standard Time)

No problem, I had added the unit test for the new functionality.. and whilst here the CI Workflow didn't run yet due to review process, All Pytests executed locally successfully (with Py3.9 + Py3.11).

The only things I thought might perhaps make sense but didn't add was support for was get sso_section attributes using Unqualified Names...

e.g If one Specifies aws configure get sso_start_url --profile abc

This could lookup the values in the 'abc' profile section, if there isn't an sso_start_url key in that profile, then check if it has an sso_section key... if it does use that value to get the respective sso_section and return the sso_start_url value set there.

Also probably a documentation sample could be updated.