====== Automating SSO ======
AWS SSO has changed, so if you are running this on a headless system (over SSH, for example), use ''aws configure sso --use-device-code''. This will produce an option to open a browser and approve access there.
<code>
SSO session name (Recommended): test123
SSO start URL [None]: https://d-1a2345ab23.awsapps.com/start/#
SSO region [None]: eu-west-1
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://d-1a2345ab23.awsapps.com/start/#/device

Then enter the code:

ABCD-EFGH
</code>
{{:aws:use-device-code.png?200}}
Click Allow Access; you can then close the tab or browser session.
<code>
There are 8 AWS accounts available to you.
Using the account ID 123412341234
There are 3 roles available to you.
Using the role name "AdministratorAccess"
Default client Region [None]: eu-west-1
CLI default output format (json if not specified) [None]: json
Profile name [AdministratorAccess-123412341234]: MyDeploymentRole
To use this profile, specify the profile name using --profile, as shown:

aws sts get-caller-identity --profile MyDeploymentRole
</code>
===== Deriving SSO URL =====
The URL for the SSO sign-in can be derived programmatically. SSO uses a URL of the form:
<code>
https://d-1a2345ab23.awsapps.com/start/#
</code>
The ''d-xxxx'' part is the Identity Store directory ID:
<code>
$ aws sso-admin list-instances | jq -r '.Instances[].IdentityStoreId'
d-1a2345da26
</code>
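
The derivation above as a small shell helper (an added example, not part of the original page): it checks that the ID has the ''d-'' plus ten hex characters shape shown here before building the URL and a matching ''~/.aws/config'' fragment. The function names are hypothetical, the sample values are this page's placeholders, and it assumes the default portal URL rather than a customised alias.

```shell
#!/bin/sh
# Added example: build the access portal URL and an AWS CLI config fragment
# from an Identity Store ID. Function names are hypothetical.

# Succeeds only for IDs shaped like the ones on this page: "d-" + 10 lowercase hex.
# (Assumption: an instance using a customised portal alias has a different URL.)
valid_store_id() {
    id=$1
    [ "${#id}" -eq 12 ] || return 1
    rest=${id#d-}
    [ "$rest" != "$id" ] || return 1            # must start with "d-"
    case $rest in
        *[!0123456789abcdef]*) return 1 ;;      # rejects dots, slashes, spaces, newlines
    esac
}

# Print https://<id>.awsapps.com/start/# or fail without printing a URL.
sso_start_url() {
    valid_store_id "$1" || { echo "unexpected Identity Store ID: $1" >&2; return 1; }
    printf 'https://%s.awsapps.com/start/#\n' "$1"
}

# Print an sso-session + profile fragment for ~/.aws/config.
# Args: store-id session-name sso-region account-id role-name profile-name
sso_config() {
    url=$(sso_start_url "$1") || return 1
    cat <<EOF
[sso-session $2]
sso_start_url = $url
sso_region = $3
sso_registration_scopes = sso:account:access

[profile $6]
sso_session = $2
sso_account_id = $4
sso_role_name = $5
region = $3
output = json
EOF
}

# Typical use (needs AWS credentials, so it is not run here):
#   id=$(aws sso-admin list-instances | jq -r '.Instances[].IdentityStoreId')
#   sso_config "$id" test123 eu-west-1 123412341234 AdministratorAccess MyDeploymentRole >> ~/.aws/config
#   aws sso login --profile MyDeploymentRole --use-device-code
```

Validating the ID before interpolating it keeps a malformed or unexpected value from ending up as the host part of the start URL written to the config file.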