[v2][sso][feedback-wanted] Configure SSO session support

[kyleknap]

This pull request adds support for configuring sso-session sections with the AWS CLI. Specifically, it adds the following new functionality:

• Update configure sso command to support creating and selecting sso-session sections as part of configuring a SSO-enabled profile.
• Add configure sso-session command for creating and updating sso-session sections.
• Add --sso-session argument to sso login command to enable direct SSO login with a configured sso-session

As part of the review for this functionality, we are seeking community feedback on the updates to the configure sso command and the new configure sso-session command. See end of this overview for details on how to give feedback.

Background

⚠️ The below configuration feature may not be currently present in other AWS SDKs and tools. If you plan to try out this branch or manually configure your environment to use sso-session sections, there is no guarantee that the SDK or tool you are using will respect your configured sso-session section.

In the near future, AWS SDKs and tools plan to roll out support for respecting the sso-session section as part of the AWS SSO credential provider. The sso-session section is a named grouping of configuration variables for acquiring SSO access tokens, which can then be used to acquire AWS credentials. Furthermore, when an access token derived from a sso-session configuration is cached, it is done by session name instead of start URL.

Currently in order to configure the AWS CLI and SDKs to use SSO, a profile is configured via the following format with all SSO-related configuration specified in the profile.

[profile sso-profile]
sso_account_id = 012345678901
sso_role_name = SampleRole
sso_region = us-east-1
sso_start_url = https://d-abc123.awsapps.com/start

With the rollout, users will be able to declare a sso-session section that can be associated to a profile:

[profile sso-profile]
sso_session = dev
sso_account_id = 012345678901
sso_role_name = SampleRole

[sso-session dev]
sso_region = us-east-1
sso_start_url = https://d-abc123.awsapps.com/start

This also allows sso-session configurations to be reused across profiles:

[profile sso-profile]
sso_session = dev
sso_account_id = 012345678901
sso_role_name = SampleRole

[profile sso-profile-2]
sso_session = dev
sso_account_id = 012345678901
sso_role_name = SampleRole2

[sso-session dev]
sso_region = us-east-1
sso_start_url = https://d-abc123.awsapps.com/start

Furthermore, registration scopes can be configured as part of a sso-session. These scopes define the permissions associated to the registered OIDC client and access tokens retrieved by the client. For example, the below configuration provides access for listing accounts/roles and acquiring AWS credentials:

[sso-session dev]
sso_region = us-east-1
sso_start_url = https://d-abc123.awsapps.com/start
sso_registration_scopes = sso:account:access

This pull request aims to enable interactive configuration of the sso-session sections and associations to profiles.

Demo

Below shows the new configure sso flow for configuring both profiles and SSO sessions:

sso-demo-pr.mp4

Note: The configure sso-session command uses the same interactive prompts as used in the updated configure sso command

Note on legacy configuration format

Users can still use the configure sso command to configure SSO access using the profile-only format. To opt-into this format, enter no answer for the session name prompt and follow the same prompts as before this change:

$ aws configure sso
SSO session name (Recommended):
WARNING: Configuring using legacy format (e.g. without an SSO session).
Consider re-running "configure sso" command and providing a session name.
SSO start URL [None]: https://cli-reinvent.awsapps.com/start
SSO region [None]: us-west-2
.. [Continues on with previous prompts] ...

How to give feedback

• Watch the video or try out the new functionality directly by checking out the branch for this pull request. React to this PR with a 👍 if you agree with the updates.
• If you have feedback/suggestions on either the configure sso updates or the new configure sso-session command, leave a comment on this pull request.

[codecov-commenter]

Codecov Report

Merging #7364 (3436021) into v2 (3436021) will not change coverage.
The diff coverage is n/a.

❗ Current head 3436021 differs from pull request most recent head cd34669. Consider uploading reports for the commit cd34669 to get more accurate results

@@           Coverage Diff           @@
##               v2    #7364   +/-   ##
=======================================
  Coverage   93.71%   93.71%           
=======================================
  Files         352      352           
  Lines       36355    36355           
  Branches     5227     5227           
=======================================
  Hits        34070    34070           
  Misses       1660     1660           
  Partials      625      625           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[nateprewitt]

A few minor things but overall looks good.

[nateprewitt]

Not sure if the double space was intended. It's not used above at " for the value. When", so we may want to make them consistent.

Suggested change

	'[brackets]. If the config item has no value, it is displayed as '
	'[brackets]. If the config item has no value, it is displayed as '

[kyleknap]

No it was not intended here. I think it was copied from the previous docstrings. I'll fix it.

[nateprewitt]

What is this strip call for? It shouldn't modify value in place, it only returns the stripped value. Did we mean to assign this? If not maybe a comment is needed here as this seems wrong/magic.

[kyleknap]

It's not needed. I think is just an artifact that did not get cleaned up from a refactoring.

[nateprewitt]

nit

Suggested change

	default_profile = '{}-{}'.format(sso_role_name, sso_account_id)
	default_profile = f'{sso_role_name}-{sso_account_id}'

[nateprewitt]

Up to you, but a rare opportunity for a walrus!

Suggested change

	scope = scope.strip()
	if scope:
	if scope := scope.strip():

[kyleknap]

Sure. I think this was just copied from over from a previous definition.

[nateprewitt]

⛵

[ezzatron]

It seems like there's now no way to configure SSO sessions unless you do it interactively. For example you can set profile settings like:

aws configure set profile.profile-name.region eu-west-1 # works fine

But you cannot set SSO session settings in a similar fashion:

aws configure set sso-session.session-name.sso_region eu-west-1 # does not work

Are there any plans to add support for non-interactive configuration?

[fitzoh]

It seems like there's now no way to configure SSO sessions unless you do it interactively. For example you can set profile settings like:

aws configure set profile.profile-name.region eu-west-1 # works fine

But you cannot set SSO session settings in a similar fashion:

aws configure set sso-session.session-name.sso_region eu-west-1 # does not work

Are there any plans to add support for non-interactive configuration?

Ran into this issue as well and created #7835 @ezzatron