Credential Process
Granted has a custom SSO credentials process that automatically assumes roles. This is useful for the following:
- You want to use the native AWS CLI (with
--profileflag) but don’t want to be prompted for re-authentication - You don’t want your SSO credentials stored in plaintext (uses Granted’s encrypted credentials store)
Prerequisites
If a profile contains both credential_process and other AWS SSO keys, the AWS CLI skips the credential process and uses the default aws sso login process to fetch the credentials. For this reason, to use Granted to seamlessly authenticate your SSO profiles with the AWS CLI, you will need to update the SSO configuration keys to include the prefix granted* as shown below.
- [profile my-profile]
- sso_account_id = <your-sso-account-id>
- sso_region = <your-sso-region>
- sso_role_name = <your-role-name>
- sso_start_url = <https://example.awsapps.com/start>
+ [profile my-profile]
+ granted_sso_account_id = <your-sso-account-id>
+ granted_sso_region = <your-sso-region>
+ granted_sso_role_name = <your-role-name>
+ granted_sso_start_url = <https://example.awsapps.com/start>
+ credential_process = granted credential-process --profile my-profile
Now when running:
> aws sts get-caller-identity --profile my-profile
You should see something like
{
"UserId": "<UserId>",
"Account": "<Account>",
"Arn": "<Arn>",
}
Auto-login with Credential Process
The --auto-login flag will automatically open a browser window to start an AWS SSO authentication process if your AWS SSO token has expired. For example, if you have
[profile example]
credential_process = granted credential-process --auto-login --profile my-profile
and then run
aws s3 ls --profile example
but you don’t have an AWS SSO token, a browser window will open automatically and the aws command will hang until you’ve finished logging in.
(Credits to Eric Miller for implementing the auto login flag)
Assuming roles with Credential Process
When assuming roles via the credential process, we have improved the process by introducing automatic credential renewal. By default, only the AWS_PROFILE environment variable is exported when you run assume <credential-process-profile>. If you wish to export all variables, you can do so by using the --export-all-env-vars or -x flag when executing the assume command. You can also include the DefaultExportAllEnvVar=true configuration in your ~/.granted/config to export all environment variables by default.
Support for refreshable AWS SSO
You can now add granted_sso_registration_scopes = sso:account:access to your ~/.aws/config, which will cause Granted to respect the session duration in IAM Identity Center. This can be extended to prompt logins less frequently. Supplying the sso:account:access scope will cause IAM Identity Center to return a refreshable access token, with a total allowed session time in accordance with your configured AWS SSO session length. Example set up:
[profile example]
granted_sso_account_id = 123456789012
granted_sso_role_name = AWSAdministratorAccess
granted_sso_registration_scopes = sso:account:access
granted_sso_start_url = https://commonfate.awsapps.com/start
granted_sso_region = ap-southeast-2
credential_process = granted credential-process --profile example