Support SSO Profiles

[naftulikay]

AWS Single-Sign-On uses temporary credentials¹, then uses STS to get temporary role credentials².

naftulikay/aws-sso-env already implements the required logic to generate and export role credentials², provided that the temporary credentials¹ are present and not expired.

Temporary credentials¹ are obtained via aws sso login, which opens a browser window to obtain the credentials. Config for SSO is typically stored in ~/.aws/config either as the default profile, or with INI header names like [profile prod]. Rather than storing the access key id and secret access key, the sections look like this:

[profile prod]
sso_start_url = https://$SOMETHING.awsapps.com/start
sso_region = us-east-1
sso_account_id = $ACCOUNT_ID
sso_role_name = $ROLE_NAME
region = us-east-1

Temporary credentials¹ are stored in ~/.aws/sso/cache/$(shasum $SSO_START_URL).json and look like this:

{
  "accessToken": "...",
  "expiresAt": "2021-12-27T20:30:02+0000",
  "region": "us-east-1",
  "startUrl": "SSO_START_URL"
}

Using these credentials, role credentials² can be obtained, and then access is permitted. What is not clear at the moment is the exact logic that aws sso login uses to do the login with the browser window. If this can be determined, then aws-env can do the full lifecycle login, if not, we can only do work if valid, unexpired cached SSO credentials exist.

• Support role credentials generation from cached SSO credentials.
• Support aws sso login functionality to generate temporary credentials¹.