Command line tool to automatically generate a .aws/config file based on AWS SSO permission sets in your org.
When working in an organization that uses AWS SSO, there are often multiple permission sets (like IAM roles) that can be assumed by people. This tool looks through all permission sets and account assignments and generates a .aws/config file containing the roles that can be assumed.
This tool requires the following read-only permissions in your AWS organization account:

- organizations:ListAccounts
- sso:ListInstances
- sso:ListPermissionSetsProvisionedToAccount
- sso:DescribePermissionSet
Add `-v` or `--verbose` to see more output about which operations are happening.
```
$ aws-config-creator --sso-session acme \
    --sso-region us-east-1 \
    --profile admin
Writing 43 entries to aws.config...done.
```
The resulting file will contain a set of profiles in the format `[profile AWS_ACCOUNT_ID:PERMISSION_SET_NAME]`. For example: `[profile 0123456789012-AdministratorAccess]`
```
$ aws-config-creator --sso-session acme \
    --sso-region us-east-1 \
    --profile admin \
    --mapping "0123456789012=acme,98765432101=acmelite"
Writing 86 entries to aws.config...done.
```
By supplying a `--mapping` flag with a comma-delimited list of key=value pairs, each mapping an AWS Account ID to a nickname, the tool will create the basic .aws/config profiles and then create a separate set of profiles in the format `[profile NICKNAME-PERMISSIONSETNAME]`. For example: `[profile acme-AdministratorAccess]`. This removes the need for your users to remember the 12-digit AWS Account ID, while remaining backward-compatible for those who prefer using the AWS Account ID in the profile name.
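The two-pass generation described above (ID-based profiles first, then the nickname set for mapped accounts), written out as an added example rather than the tool's own code. It assumes the `sso-session` profile syntax of the AWS CLI, invents the `ParseMapping`/`RenderConfig` names, feeds in a constructed assignment list in place of the SSO API calls, and writes a placeholder for `sso_start_url`, which this README does not cover.

```go
package main

import "fmt"
import "strings"

type Assignment struct{ AccountID, PermissionSet string } // one assumable (account, permission set) pair

// ParseMapping parses a --mapping value such as "0123456789012=acme,98765432101=acmelite"
// into account ID -> nickname, rejecting malformed entries instead of silently dropping them.
func ParseMapping(s string) (map[string]string, error) {
	m := map[string]string{}
	for _, pair := range strings.Split(s, ",") {
		kv := strings.SplitN(strings.TrimSpace(pair), "=", 2)
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return nil, fmt.Errorf("bad mapping entry %q: want ACCOUNT_ID=nickname", pair)
		}
		m[kv[0]] = kv[1]
	}
	return m, nil
}

// RenderConfig emits the ID-based profiles first, then a second set named by nickname for mapped
// accounts, returning the text and profile count. sso_start_url is a placeholder to fill in by hand.
func RenderConfig(session, region string, as []Assignment, mapping map[string]string) (string, int) {
	var b strings.Builder
	fmt.Fprintf(&b, "[sso-session %s]\nsso_region = %s\nsso_start_url = <YOUR_START_URL>\n", session, region)
	n := 0
	emit := func(name string, a Assignment) {
		fmt.Fprintf(&b, "\n[profile %s-%s]\nsso_session = %s\nsso_account_id = %s\nsso_role_name = %s\n",
			name, a.PermissionSet, session, a.AccountID, a.PermissionSet)
		n++
	}
	for _, a := range as {
		emit(a.AccountID, a)
	}
	for _, a := range as {
		if nick, ok := mapping[a.AccountID]; ok {
			emit(nick, a)
		}
	}
	return b.String(), n
}

func main() { // constructed sample; the real tool discovers assignments via the SSO APIs
	mapping, err := ParseMapping("0123456789012=acme,98765432101=acmelite")
	if err != nil {
		panic(err)
	}
	fmt.Println(RenderConfig("acme", "us-east-1", []Assignment{{"0123456789012", "AdministratorAccess"}}, mapping))
}
```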
- Fork the repository.
- Make your change.
- Run `task fmt`, `task test` and `task build`.
- Make a Pull Request.
- Create a Lambda function artifact that can be run on a schedule, outputting the latest .aws/config to an S3 bucket so that it is always available, especially to those users without the permissions to run this tool.