new command aws-sso set-default PROFILE_NAME #459

Closed
marcosdiez opened this issue Feb 23, 2023 · 6 comments
Labels
enhancement New feature or request waiting-for-customer wontfix This will not be worked on

Comments

@marcosdiez

Is your feature request related to a problem? Please describe.
I usually work on one AWS account/profile at a time, but on multiple terminals.
So just like kubens, I wish I could type aws-sso set-default PROFILE_NAME and that would set my default profile on all my terminals (and applications, machine wide)

Describe the solution you'd like
I would type aws-sso set-default PROFILE_NAME

and all my terminals (and applications) would have the same profile, so everywhere I type
aws sts get-caller-identity would give me the same result

Describe alternatives you've considered
Writing a python script that parses aws-sso eval and overwrites ~/.aws/credentials

@marcosdiez marcosdiez added the enhancement New feature or request label Feb 23, 2023
@synfinatic
Owner

Is there a reason you can't run aws-sso config-profiles and then just set AWS_PROFILE appropriately in your ~/.bashrc or equivalent?

@marcosdiez
Author

That would not change the profile on all the existing shells, only the newly created ones.

I wrote this, https://gist.github.com/marcosdiez/dcb99e0e85d68394c0014c862d459130 which uses aws-sso

Here is how it works:

if I type switch_aws_profiles.py, it authenticates and lists all my accounts (sorted by alias instead of account ID)

if I type switch_aws_profiles.py the_account_alias, it overwrites ~/.aws/credentials, filling [default] with 'aws_access_key_id', 'aws_secret_access_key', 'aws_session_token'.

Yes, I could use the credential_process trick but maybe because I am double VPNed, there is a 300ms difference which bothers me.

So... my problem is solved, but I do believe other people would benefit from it.

something like aws-sso set-default PROFILE_NAME
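
The approach described in the comment above (filling `[default]` in `~/.aws/credentials` from the tool's output), as an added Python example that is not the gist's code and not part of aws-sso. It assumes the credentials arrive as `export NAME="value"` shell lines; `parse_exports`, `write_default_profile` and the sample values are hypothetical.

```python
import configparser
import os
import re
import tempfile
from pathlib import Path

# Constructed sample input; the values are placeholders, not real credentials.
SAMPLE_EXPORTS = '''\
export AWS_ACCESS_KEY_ID="ASIAEXAMPLEKEYID0000"
export AWS_SECRET_ACCESS_KEY="example/secret+with%chars"
export AWS_SESSION_TOKEN="ExampleSessionToken=="
export AWS_DEFAULT_REGION="us-east-1"
'''

FIELDS = {"AWS_ACCESS_KEY_ID": "aws_access_key_id",
          "AWS_SECRET_ACCESS_KEY": "aws_secret_access_key",
          "AWS_SESSION_TOKEN": "aws_session_token"}
EXPORT_RE = re.compile(r'^\s*(?:export\s+)?(AWS_[A-Z_]+)=(["\']?)(.*?)\2\s*;?\s*$')

def parse_exports(text):
    """Extract the three session-credential fields from export-style lines."""
    creds = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if m and m.group(1) in FIELDS:
            creds[FIELDS[m.group(1)]] = m.group(3)
    missing = sorted(set(FIELDS.values()) - set(creds))
    if missing:
        raise ValueError(f"incomplete credentials, missing: {missing}")
    return creds

def write_default_profile(creds, path):
    """Replace [default] in the credentials file, keeping other profiles."""
    path = Path(path)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    cfg = configparser.RawConfigParser()  # Raw: no '%' interpolation of secrets
    cfg.read(path)                        # a missing file is simply skipped
    cfg["default"] = creds                # drops stale keys left in [default]
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".credentials.")
    try:
        with os.fdopen(fd, "w") as fh:    # mkstemp creates the file as 0600
            cfg.write(fh)
        os.replace(tmp, path)             # atomic swap: readers never see half a file
    except BaseException:
        os.unlink(tmp)
        raise
```

The file keeps these temporary session values until the script is run again; nothing refreshes them.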

@synfinatic
Owner

Wait, there is a 300ms delay for credential_helper for each execution? It shouldn't be hitting the SSO API endpoint for every call since the creds are cached locally in the SecureStore. I'm seeing ~60ms to run the credential_helper command as measured with time aws-sso process .... I'd be curious to hear about your OS and which secure store you're using.

Anyways, sounds like you want aws-sso to modify your ~/.aws/credentials file and hard code some API credentials in an AWS_PROFILE such as [default] so that you swap the IAM Role being used across shells via a single command. I assume you realize that these IAM creds are temporary and will not be auto-refreshed unless this is done via a credential_helper which honestly seems less awesome?

@mdiez-modus

So... this is the work computer, in which I need to use two VPNs and they have all kinds of antivirus. That thing is slow. So maybe just running aws-sso by itself takes 300 ms. It's probably not your software's fault, but I am a victim of that issue.

I fiddled with the settings to have my AWS tokens to expire every 8h, which is as long as my work allows my sessions to work. After that I need to call aws-sso again which will trigger the browser anyway.

I am new to the company and to having multiple AWS accounts. Maybe I am odd, but is this use case of "pick an aws account and stick with it for the whole computer until you choose a different one"? I mean, do you type -p profile-name every time you use the awscli? Am I the only lazy one here?

Again, my problem is solved with the python script I wrote, but I do think more people have the same use case (but maybe I am wrong).

@synfinatic
Owner

I have lots of accounts and multiple roles in the accounts and so I'm always switching between them and honestly the desire to have a bunch of terminals always in sync never has crossed my mind. So I generally set my credentials once per terminal and leave it.

Of course, that's how I work and if one profile to rule them all works for you, I'm not going to tell you that you're wrong. :). Basically, don't take my questions/comments as a "no"... more of, making sure we're on the same page before I commit either way.

But I personally would definitely want some easy way to know what account/role I'm in- generally set as an ENV var that is included in my shell prompt so I don't try the wrong thing in the wrong account. And this solution seems to make that hard. I suppose you also write a file which could be sourced to update an ENV var, but this is all getting non-standard custom and part of me says that your python script wrapper is a better way.

FWIW, I wouldn't be inspecting the cache.json file... I make no promises that won't dramatically change. You're probably better off using aws-sso list --csv to query things.

Anyways, I'm gonna think about this a bit....

@synfinatic
Owner

Going to close this ticket as I believe it will be resolved via #398.

@synfinatic synfinatic added the wontfix This will not be worked on label Aug 4, 2023