I am currently using awscli version 2 to obtain temporary credentials on the command line. This seems to require a browser to be involved. That does not work everywhere, for example on a server. I would like to be able to use AWS SSO to obtain temporary credentials for my user account from the command line. Is this possible? From the SDK documentation here and the awscli version 2 utility, it seems there is no way to do this.
As described here, the "device code" OAuth2 grant type is explicitly intended for browserless authentication, but the AWS SSO SDK does not appear to support it.
Any thoughts/ideas/help on this would be greatly appreciated.
Thank you, Vish
I would say the answer is theoretically yes, but you would have to build a CLI/scripted authentication process for your IdP. AWS SSO looks for and uses an active OIDC token to obtain the profile credentials. If your IdP offers an API, you could script the authentication against the IdP, perform the token exchange with the AWS SSO service, and obtain the credential data you need, which you could then write to the appropriate cache file for the CLI to pick up. This answer depends heavily on which IdP you use, but if you use an http library in your language of choice to do the job your web browser (or perhaps a text browser like Lynx) would do, you should be able to get what you are looking for. You would have to dig into the AWS API docs and work out the required workflow, but as far as I can tell it is pretty much just a SAML interface. What I find interesting is that you can have multiple credential caches, which means you could script across multiple SSO providers (multiple organizations). I have built a Python library myself to help do this better.
Source: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
To manually add AWS SSO support to a named profile, you must add the following keys and values to the profile definition in the file ~/.aws/config (Linux or macOS) or %USERPROFILE%/.aws/config (Windows).
sso_start_url
The URL that points to the organization's AWS SSO user portal.
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region
The AWS Region that contains the AWS SSO portal host. This is separate from, and can be a different region than the default CLI region parameter.
sso_region = us-west-2
sso_account_id
The AWS account ID that contains the IAM role that you want to use with this profile.
sso_account_id = 123456789011
sso_role_name
The name of the IAM role that defines the user's permissions when using this profile.
sso_role_name = ReadAccess
The presence of these keys identifies this profile as one that uses AWS SSO to authenticate the user.
You can also include any other keys and values that are valid in the .aws/config file, such as region, output, or s3. However, you can't include any credential related values, such as role_arn or aws_secret_access_key. If you do, the AWS CLI produces an error.
So a typical AWS SSO profile in .aws/config might look similar to the following example.
```
[profile my-dev-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
output = json
```
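As an added example (not code from the original answer or from AWS), here are the offline pieces of the scripted workflow the answer describes: a loader that reads an SSO profile from `~/.aws/config` text and enforces the rules quoted above (all four `sso_*` keys present, no credential keys such as `role_arn` or `aws_secret_access_key` mixed in), the cache-file name and token document the CLI is assumed to read, and the token-for-credentials exchange via the `sso` API. The cache filename scheme, the token field names and `fetch_role_credentials` (which needs boto3 and network access) are assumptions; the sample config is constructed.

```python
import configparser
import hashlib
from datetime import timezone

REQUIRED = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
# Credential keys the quoted docs say must not coexist with SSO keys.
FORBIDDEN = ("role_arn", "aws_access_key_id", "aws_secret_access_key", "aws_session_token")

# Constructed sample config, modelled on the answer's example profile.
SAMPLE_CONFIG = """\
[profile my-dev-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
output = json
"""

def load_sso_profile(config_text, profile):
    """Return the named profile's keys, enforcing the SSO rules from the docs above."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    values = dict(cp[f"profile {profile}"])  # KeyError if the profile is absent
    missing = [k for k in REQUIRED if k not in values]
    if missing:
        raise ValueError(f"profile {profile} lacks SSO keys: {missing}")
    clash = [k for k in FORBIDDEN if k in values]
    if clash:
        raise ValueError(f"profile {profile} mixes SSO with credential keys: {clash}")
    return values

def sso_cache_filename(start_url):
    # Assumed CLI v2 layout: ~/.aws/sso/cache/<sha1 of the start URL>.json
    return hashlib.sha1(start_url.encode("utf-8")).hexdigest() + ".json"

def build_cache_entry(values, access_token, expires_at):
    # Token document the CLI reads from the cache file (field names assumed).
    return {"startUrl": values["sso_start_url"], "region": values["sso_region"],
            "accessToken": access_token,
            "expiresAt": expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")}

def fetch_role_credentials(values, access_token):
    """Exchange a live SSO access token for temporary role credentials (network call)."""
    import boto3  # imported lazily so the offline helpers above need no boto3
    sso = boto3.client("sso", region_name=values["sso_region"])
    resp = sso.get_role_credentials(roleName=values["sso_role_name"],
                                    accountId=values["sso_account_id"], accessToken=access_token)
    return resp["roleCredentials"]  # accessKeyId, secretAccessKey, sessionToken, expiration
```

The returned role credentials are short-lived; write them under the profile in `~/.aws/credentials` or export them as environment variables rather than persisting them anywhere long-term.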