'aws configure get' should support sso-session configurations

[alexevansigg]

Describe the feature

The aws configure get subcommand doesn't support reading sso-session configuration items.

Use Case

I work alot with multiple instances of Identity Center and use many AWS Profiles with SSO Sessions configured for each one, I made a library of helper bash functions which wraps around common Operations/Developer CLI commands... These, when creating resources or interacting with services may output console HyperLinks or open console pages.. so one can view the resources in the console quickly without having to click through 5+ weblinks to get there.

To ensure the browser opens the Console in the context of the correct SSO Session I can build a hyperlink in the following format.

http://<sso_start_url>?account_id=<profile_account_it>&region=<profile_region_id>&role=<profile_role_id>&destination=<url_encoded_console_url>

This way the SSO context is correctly set before redirecting to the target destination in the URL.

Real example...

With current shell directory set to a checked out codecommit repository I run a bash command.

open-pipeline-execution

This would then take me to the sso console refresh my session to the respective codepipeline execution for that Repository.

Proposed Solution

Already opened a PR the other week as linked to this Issue with necessary Unit Tests updates... just need to find out how to get it reviewed.
#8690

The underlying boto3 method used by 'aws configure get' to read the local .aws/config is already able to parse the sso-section. The AWS CLI abstraction, however, hardcodes the config section type as 'profile'. This is addressed by the above PR.

Other Information

I work in AWS so reach out to me for more info. @alxev

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CLI version used

2.16.4

Environment details (OS name and version, etc.)

MacOS

[tim-finnigan]

Thanks for the feature request. After a quick discussion with the team, we think this probably a reasonable request for the aws configure get command but further review is needed regarding the potential implementation. We would have to account for the config file variations and not introduce any possibly breaking behavior.

[alexevansigg]

No problem, I had added the unit test for the new functionality.. and whilst here the CI Workflow didn't run yet due to review process, All Pytests executed locally successfully (with Py3.9 + Py3.11).

The only things I thought might perhaps make sense but didn't add was support for was get sso_section attributes using Unqualified Names...

e.g If one Specifies aws configure get sso_start_url --profile abc

This could lookup the values in the 'abc' profile section, if there isn't an sso_start_url key in that profile, then check if it has an sso_section key... if it does use that value to get the respective sso_section and return the sso_start_url value set there.

Also probably a documentation sample could be updated.

[Farmbuyer]

Just a comment from an interested observer: from skimming the linked PR, it looks like the patch will enable retrieving specific keys from sso-session blocks? So given a config file containing

[sso-session sso-personal]
sso_region = ...
sso_start_url = ...

[sso-session sso-homebusiness]
sso_region = ...
sso_start_url = ...

the patch would permit things like aws configure get sso-personal.sso_start_url?

My comment/question is whether it could be extended a little bit to also support some variation on the theme of aws configure list-sso-sessions? Or perhaps a --sso-sessions option flag to the existing configure list-profiles?

I ask because there is no way at present that I can find to extract the "sso-personal" and "sso-homebusiness" labels from the configuration file. (I was hoping to script some management utilities around generating these sections, or at least testing whether a previous aws configure sso-session call had done so, etc.)