AWS SSO Named Profiles Support

[vikyol]

AWS CLI v2 supports AWS SSO named profiles.

However, CDK CLI cannot resolve SSO named profiles yet.

$ cdk deploy --profile sso-named-profile

Unable to resolve AWS account to use. It must be either configured when you define your CDK or through the environment

Without this feature, users have to login to SSO user portal and fetch credentials for command line and CLI access, which needs to be repeated every time the credentials expire.

Even though CLI v2 is still in preview, it would be good to have this feature implemented for early adopters.

Use Case

• Simplify deployments to multiple-accounts for AWS SSO users.

Proposed Solution

• Read sso_start_url, sso_role_name and sso_account_id from ~/.aws/config file.
• Fetch the accessToken in ~/.aws/sso/cache/ matching sso_start_url.
• Fetch temporary credentials from STS using SSO.get-role-credentials() with accessToken, sso_account_id and sso_role_name parameters.

---

This is a 🚀 Feature Request

[shivlaks]

@excavador @Douglas-Scott can you please represent your +1 as a reaction to the feature request to capture your interest in this being implemented. It helps make it searchable and doesn't clutter up the thread.

[ReidWeb]

Given the CLI is now GA, and it seems a number of other users are facing this issue would it be possible to at least add a note to the docs indicating the lack of support at this time?

[ibex-dev]

As a temporary workaround, you can use the aws sso login feature to authenticate your CLI and export the retrieved access key ID, secret access key and session token as environment variables (json saved by default under ~/.aws/cli/cache/).
I wrote a quick bash wrapper for aws sso login that takes care of that. I invoke it once a day. If you don't feed a profile to CDK, it will look next for your env variables, so that does the trick.

[brainstorm]

@ibex-dev Would you mind sharing that bash wrapper here? :)

[nspottsie]

The mention from @victorskl above suggests using yawsso as a work around to sync the SSO credentials from ~/.aws/cli/cache to ~/.aws/credentials and it worked for me.

[beuleal]

I know its a bit old, but I'd like to contribute too.

I was facing the following error:
Unable to resolve AWS account to use. It must be either configured when you define your CDK or through the environment

I did a wrap for deploy into multiples account:

...
  console.log(` Setting Profile: ${account.name}`);
  let access_key = execSyncCmd(
    `aws configure get aws_access_key_id --profile ${account.name}`
  );

  let aws_secret_access_key = execSyncCmd(
    `aws configure get aws_secret_access_key --profile ${account.name}`
  );

  console.log(access_key);
  console.log(aws_secret_access_key);

  execSyncCmd(
    `aws configure set aws_access_key_id ${access_key} --profile default`
  );

  execSyncCmd(
    `aws configure set aws_secret_access_key ${aws_secret_access_key} --profile default`
  );

  execSyncCmd(`aws configure set region us-east-1 --profile default`);

  console.log(`[OK] Profile Set!`);

  execSyncCmd(`cdk deploy <stack-name> `);
...

[mateja82]

Not sure if this helps anyone, but in my organization we use AWS SSO, with over 90 AWS Accounts, with MFA, so it was impossible to manage CDK without AWS SSO support. I found a way to solve it, so till its officially relesed, you can use this, it works quite all right: MatsCloud blog - CDK with AWS SSO multi account multi profile