```bash
#!/bin/bash -e
# How to use this script:
# 1. Follow these instructions to configure a single AWS account to do initial login with SSO
#    https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
# 2. Export AWS_PROFILE=... and then run "aws sso login" to get an SSO token
# 3. Once signed in with AWS SSO, run this script to automatically list out all the other accounts and roles and add them to your config file
# If you want to filter roles / accounts in the process, or validate config before committing it, you can customise the script to do this.
rm -rf ~/.aws/config_append
# Pick the first SSO cache file that is not a botocore client-registration file
at_filename=$(ls ~/.aws/sso/cache/*.json | grep -v botocore | head -n 1)
at=$(cat "$at_filename" | jq -r '.accessToken')
start_url=$(cat "$at_filename" | jq -r '.startUrl')
region_sso=$(cat "$at_filename" | jq -r '.region // "us-east-1"')
# alter this line if you prefer to work in a specific region
# e.g. assume_role_region=eu-west-2
assume_role_region=$region_sso
if [ -z "$at" ] || [ "$at" = "null" ] ; then
    echo "No access token found. Did you remember to run 'aws sso login' first?"
    # stop here rather than calling the SSO API with a null token
    exit 1
fi
# Iterate account list
available_accounts=$(aws sso list-accounts --region "$region_sso" --access-token "$at")
n_accounts=$(echo "$available_accounts" | jq '.accountList | length')
echo "Accounts found: $n_accounts"
account_list=$(echo "$available_accounts" | jq -r '.accountList | .[] | .accountId')
while IFS= read -r account_id ; do
    echo "account: $account_id"
    account_data=$( echo "$available_accounts" | jq -r ".accountList | .[] | select( .accountId == \"$account_id\" )" )
    account_name=$(echo "$account_data" | jq -r '.accountName // .accountId' | xargs | tr -d "[:space:]")
    account_roles=$(aws sso list-account-roles --region "$region_sso" --access-token "$at" --account-id "$account_id")
    role_names=$(echo "$account_roles" | jq -r '.roleList | .[] | .roleName')
    while read -r role_name ; do
        echo "  role: $role_name"
        config_profile_name="$account_name-$role_name"
        # Match the full section header so "acme-Admin" is not mistaken for "acme-AdminAccess"
        hit=$(grep -F "[profile $config_profile_name]" ~/.aws/config || echo "")
        if [ -z "$hit" ] ; then
            echo "    profile: $config_profile_name not found, adding to config..."
            cat << EOF >> ~/.aws/config_append
[profile $config_profile_name]
sso_start_url = $start_url
sso_region = $region_sso
sso_account_id = $account_id
sso_role_name = $role_name
sts_regional_endpoints = regional
region = $assume_role_region

EOF
        else
            echo "    profile: $config_profile_name found, doing nothing..."
        fi
    done < <(printf '%s\n' "$role_names")
done < <(printf '%s\n' "$account_list")
echo ""
echo ""
echo "The following config will be appended to your ~/.aws/config file:"
cat ~/.aws/config_append
echo ""
read -r -p "Do you want to proceed? [y/n] " yn
case $yn in
    [Yy]* ) cat ~/.aws/config_append >> ~/.aws/config; echo "committed!"; ;;
    * ) echo "cancelled!";;
esac
echo "cleaning up..."
rm ~/.aws/config_append
echo "Done!"
```
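Two steps of the script above are worth a closer look from a robustness standpoint: it takes the first `*.json` file in the SSO cache as the access token (which can be an expired token, or a token for a different start URL), and it decides whether a profile already exists with a plain `grep` of the profile name (which also matches longer names containing it). The following Python is an added example, not the gist's code: it selects a cache entry by start URL and expiry, and deduplicates profiles by exact `[profile name]` section. The function names, the sample config and the cache entries (including the `example.awsapps.com` start URL and the account IDs) are constructed for the demo; the cache field names `accessToken`, `startUrl`, `region` and `expiresAt` are the ones the AWS CLI writes.

```python
"""Pick a live AWS SSO cache token and append only genuinely missing profiles.

Added example; file layout assumed: ~/.aws/sso/cache/*.json with the fields
accessToken, startUrl, region and expiresAt (ISO-8601, UTC) written by the AWS CLI.
"""
import configparser
import glob
import json
import os
import tempfile
from datetime import datetime, timezone


def select_sso_token(cache_dir, start_url, now=None):
    """Return the cache entry for start_url whose token has not expired, else None.

    Skips botocore client-registration files (no accessToken), entries for
    other portals and expired tokens, which `ls *.json | head -n 1` does not.
    """
    now = now or datetime.now(timezone.utc)
    for path in sorted(glob.glob(os.path.join(cache_dir, "*.json"))):
        with open(path, encoding="utf-8") as fh:
            try:
                entry = json.load(fh)
            except json.JSONDecodeError:
                continue
        if "accessToken" not in entry or entry.get("startUrl") != start_url:
            continue
        # Older CLI versions write "...UTC", newer ones "...Z"; normalise both
        stamp = entry["expiresAt"].replace("UTC", "+00:00").replace("Z", "+00:00")
        if datetime.fromisoformat(stamp) > now:
            return entry
    return None


def existing_profiles(config_text):
    """Exact set of profile names from the `[profile x]` sections of an AWS CLI config."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return {s[len("profile "):].strip() for s in parser.sections() if s.startswith("profile ")}


def render_profile(name, start_url, sso_region, account_id, role_name, region):
    """One config stanza in the same shape the gist writes."""
    return (
        f"[profile {name}]\n"
        f"sso_start_url = {start_url}\n"
        f"sso_region = {sso_region}\n"
        f"sso_account_id = {account_id}\n"
        f"sso_role_name = {role_name}\n"
        f"sts_regional_endpoints = regional\n"
        f"region = {region}\n"
    )


def missing_profile_stanzas(config_text, assignments, start_url, sso_region, region):
    """assignments: iterable of (account_name, account_id, role_name).

    Returns the text to append: one stanza per profile not already present,
    judged by exact section name rather than substring.
    """
    present = existing_profiles(config_text)
    out = []
    for account_name, account_id, role_name in assignments:
        name = f"{account_name}-{role_name}"
        if name in present:
            continue
        out.append(render_profile(name, start_url, sso_region, account_id, role_name, region))
        present.add(name)
    return "\n".join(out)


def demo():
    """Constructed sample: a cache dir with a botocore client file, an expired
    token and a live token, plus a config that already has acme-prod-AdminAccess."""
    cache_dir = tempfile.mkdtemp()
    portal = "https://example.awsapps.com/start"  # constructed start URL
    now = datetime(2023, 4, 21, 12, 0, tzinfo=timezone.utc)
    entries = {
        "botocore-client-id-us-east-1.json": {"clientId": "x", "clientSecret": "y"},
        "aaaa.json": {"accessToken": "OLD", "startUrl": portal, "region": "us-east-1",
                      "expiresAt": "2023-04-20T12:00:00UTC"},
        "bbbb.json": {"accessToken": "LIVE", "startUrl": portal, "region": "us-east-1",
                      "expiresAt": "2023-04-21T20:00:00Z"},
    }
    for fname, body in entries.items():
        with open(os.path.join(cache_dir, fname), "w", encoding="utf-8") as fh:
            json.dump(body, fh)
    token = select_sso_token(cache_dir, portal, now)
    config = f"[profile acme-prod-AdminAccess]\nsso_start_url = {portal}\n"
    assignments = [("acme-prod", "111111111111", "AdminAccess"),  # constructed IDs
                   ("acme-prod", "111111111111", "Admin"),
                   ("acme-dev", "222222222222", "ReadOnly")]
    append = missing_profile_stanzas(config, assignments, portal, token["region"], token["region"])
    return token["accessToken"], append


if __name__ == "__main__":
    chosen, text = demo()
    print(f"token selected: {chosen}\n{text}")
```

The `grep`-style check in the script would report `acme-prod-Admin` as already present because `acme-prod-AdminAccess` contains it; the section-based check adds it. Writing the preview file with restrictive permissions (for example `umask 077` before creating it) is also worth doing, since it will contain the account and role inventory of the whole SSO portal.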
For the people who stumble across this script and can't get it to work. In my case, I had to slightly change the script so it passes the AWS_PROFILE to the forked aws calls for list-account-roles and list-accounts. Without that, it would fail to perform those calls.
@lukeplausin thanks so much for this. I intend to make a Golang port of this with a couple more options ;)
I've added a default region to handle the case that access tokens don't specify a region, and also added a reminder in case the user didn't run aws sso login before running the script.
Thank you so much for this @lukeplausin !
Having some issues getting it working unfortunately:
```
me@laptop /usr/local/bin wget https://gist.githubusercontent.com/lukeplausin/3cfedc29755e184ef526b504c77ffe70/raw/be06415488d4a60bc379871b992b1d9fb16913e8/auto_configure_aws_cli_sso_roles.sh
--2023-04-21 12:07:47--  https://gist.githubusercontent.com/lukeplausin/3cfedc29755e184ef526b504c77ffe70/raw/be06415488d4a60bc379871b992b1d9fb16913e8/auto_configure_aws_cli_sso_roles.sh
Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2659 (2.6K) [text/plain]
Saving to: 'auto_configure_aws_cli_sso_roles.sh.1'

auto_configure_aws_cli_sso_roles.sh.1 100%[============================================================================>] 2.60K --.-KB/s in 0s

2023-04-21 12:07:47 (21.9 MB/s) - 'auto_configure_aws_cli_sso_roles.sh.1' saved [2659/2659]

me@laptop /usr/local/bin chmod a+x auto_configure_aws_cli_sso_roles.sh
3745 12:07:48 me@laptop /usr/local/bin ./auto_configure_aws_cli_sso_roles.sh
3746 12:07:52 Could not connect to the endpoint URL: "https://portal.sso.null.amazonaws.com/assignment/accounts"
me@laptop /usr/local/bin
```
I think this should be resolved now with the change that I've made. Let me know if you're still having issues
Awesome script! Thanks a lot for sharing it! 👏
Fantastic script! It inspired me to write a derivation here:
https://gist.github.com/chattr/5ab07ebb3b8defc1bb422710eef60a82
Thanks for the inspiration 🙇
Love it, cheers Luke!