As more organizations adopt cloud-based services and multi-account strategies, managing access to these resources becomes a complex task. AWS IAM Identity Center simplifies this by enabling administrators to manage SSO access to multiple AWS accounts and business applications. With AWS IAM Identity Center users sign in to a central portal to access all their authorized AWS accounts and applications. However, even with SSO, it is essential to have necessary credentials populated in the AWS credentials file for seamless integration with AWS services and applications.
Today, most organizations work with AWS IAM Identity Center and prefer centralized access to accounts. However, despite having SSO, some applications and services still require access to the AWS account using the access key ID, secret access key, and session token. While SSO provides temporary credentials to users, they have a limited lifespan and must be renewed periodically. It becomes crucial to manage these credentials and ensure continued access to resources.
In this article, I will guide you through setting up the aws-sso-creds utility to retrieve temporary credentials and update the AWS credentials file.
Set up AWS IAM Identity Center and configure it to use the command-line utility to retrieve temporary credentials.
Install the AWS CLI version 2, which is required for AWS SSO.
aws configure ssocommand, which will prompt you for the SSO start URL and region and follow the prompts along with granting access to the client device.
Install aws-sso-creds utility
You can read through the README in the referenced github link. However, below are the steps that you would be more interested in.
wget https://github.com/jaxxstorm/aws-sso-creds/releases/download/v1.4.1/aws-sso-creds-v1.4.1-linux-amd64.tar.gz tar -xvf aws-sso-creds-v1.4.1-linux-amd64.tar.gz chmod +x aws-sso-creds
Note: (Recommended) You can move the
aws-sso-creds binary to your PATH so that it’s accessible from anywhere.
Retrieve Temporary Credentials using aws-sso-creds
aws-sso-creds get [ — profile <profileName>]
Get command will return the temporary credentials on the console.
[ec2-user@ip-172-31-32-71 ~]$ ./aws-sso-creds get Your temporary credentials for account xxxxx are: AWS_ACCESS_KEY_ID ASIAQPBWJUF6TBxxxx AWS_SECRET_ACCESS_KEY Co/HY9xxqEfRDIfZgdAnB34BoCQxxxxx AWS_SESSION_TOKEN IQoJb3JpZ2luX2VxxxMEUCIQC7tLyUegu8ZEqSo16QxxCub92/dBiH8FzDVZ26rwIgXh4PDXjM8SkuE+ks832/65wJYQzY+NT/xMPwVhcn47Iq+wIIGBAAGgwwMzIzMjYxMzIwOTMiDGMI+iq0hOdbm0q7fyrYAteCSkWs+dTK6hl1PFPCCz7XMANTF0Y7x6BhlagAw4WsmsZWGpH3n2Y2IH783Al49VmFJV4/NN0P3oVm3EhiVzsg0ocLgHDEa8kaFFF1rhBDWib9WMoRcbyo+b2bAtXjlSdI3YCxFHFYp4EPLad9MuaOVoOjo9/62ZX13Edz5NRqHj1uNleJROS39CoiXYk14A9LyXTzfdnonTA+wJPBBgWdF5xeyPIn53At1grwFh1DKYM//oDrIKpYQL9VAwm2ycWEeVqcer6WVqEiu34Al7nmEshpmG0eGeUR5YGAmF4UOHpKe1BvCcO8eiF78+01BzWIk0i/MvJQREcHwMRGglhXOAI6nDQJUGvxoKa/QMz6QPq2/AAEa8leowxlj6S8gWcZzghW5qEouuVrEzJDREPNgkjkY+sRnVp4uoS9LPTxgohIRbjOrDEA/BuJEXRrHzJIyIPvInyNMMW41KIGOqcBaryJn1TkeWlflokeHzVK7i4NDL8WC6FUtMOP03hZ1599jHq/cK4rDw2ZUaHO4231+PGbmuYlE//exagVwqwsQqD+U/0BXTp5OTTxpp9yP/aeSCGfXRdXkJCVuKlQngPVxKXwWtJpXzABvm7F/KBy/WUGeeT7/zeZ5AYGbmsFJIjWX+JDFXVnBpWAa6g6tPSPNLOV1H54FwAe7H59HLOTsNaGqHalWWQ= These credentials will expire at: 2023-05-05 16:09:56 +0000 UTC
The returned credentials can be exported using the
aws-sso-creds export command.
At this point, you can use the temporary credentials to access AWS resources, but it’s not a permanent solution. The next step is to update the AWS credentials file with these temporary credentials so that they are readily available for future use. Most of the clients, applications work with above credentials being present in .aws/credentials file.
Let’s build a script that would get the temporary credentials from the utility and then write it to the
generateCredentials.sh with the below content.
The above script ensures that even if you have other profiles within your credentials file, it will only update the section for whom the profile matches the input.
Ensure you provide execute permission to the above script using
You can run the script using
[ec2-user@ip-172-31-32-71 ~]$ ./generateCredentials.sh aws-cb AWS credentials file updated with credentials for profile 'aws-cb'
Finally, we can set up a cron job to renew the credentials periodically.
- Run the following command to open the crontab file in edit mode:
2. Add the following line to the crontab file to run the script every 30 mins:
*/30 * * * * /home/ec2-user/generateCredentials.sh aws-cb
3. Save the changes to the crontab file and exit the editor.
That’s it! The cron job is now set up to renew the credentials periodically and will run your script at the specified interval.
If you liked this article, please consider following, liking, and sharing it with your friends and colleagues. Your support helps me create more valuable content for you.