#aws
2024-03-20
jjttjj22:03:28

SSO credentials question: I'm trying to enable a workflow where a non-developer user in my org can use some client program I create that has access to some AWS services that the user is allowed access to, without having to install anything besides my program and without having to use the CLI at all. I have the user set up with the appropriate permissions using IAM Identity Center. I found this AWS SSO credentials provider that can be used with aws-api: https://gist.github.com/lukaszkorecki/120008f7832e23702e94f4205b8e3df5#file-sso-profile-clj but I think this depends on the user having the aws CLI installed and set up using `aws sso configure`, and then `aws login` to cache credentials. It seems like https://github.com/aws/aws-sdk-java-v2/tree/f79332bc92c177e5f8dd4f76a5f866fdb0624bb1/docs/design/core/tokenauth#bearer-token-authorization-and-token-providers offers the same workflow, requiring preparation with the aws CLI (I haven't fully verified that this is strictly required though). Is there a way to get this working without any CLI usage or installation of any external programs, assuming I can provide all the non-sensitive config (such as region/start-url/etc)? Presumably I could just copy whatever the aws CLI is doing when you call `aws login`. But are there any tips/shortcuts or descriptions on what that's actually doing?

lukasz22:03:56

I remember taking a stab at reimplementing `aws login` to see if we could do that without the CLI, but I gave up :-) Since then I think IAM and SSO have much better support on the API side, so you might be able to implement an equivalent of `aws login` yourself. I'd look for the sso-idc and also how the CLI does it itself: https://github.com/aws/aws-cli/blob/8854b38131d2d943ca3c3318dbe8679ff9c60c9d/awscli/customizations/sso/utils.py#L57-L77

lukasz22:03:56

How are you going to distribute your program btw? Just as an uberjar?

jjttjj13:03:42

Good to know, thanks! I haven't fully decided on how to distribute yet. I think I'm more fine with requiring, e.g., the Clojure CLI to be installed, and just having a script clone the project and run it. But an uberjar might be better. I'm mainly daunted by having to devote tons of README text to AWS SSO setup, which I've found somewhat tricky to get working even for myself. If I can hide those details I think it'll give me some more room to work with for other installation requirements.

lukasz13:03:33

I'm asking because if you package the tool as a Docker image (since you require a Clj installation then you also need Java; Docker might be easier to set up), then you can bundle the AWS CLI and everything else into one package.

jjttjj14:03:46

oh yeah that's an option

jjttjj14:03:34

I did just find https://gist.github.com/jeroenvandijk/ace7432be94d083e63729ac313a0b78f which seems to be just what I want: a complete login process with no AWS CLI requirements.

lukasz15:03:39

ah nice, I don't work with AWS anymore, but this is really neat

lukasz15:03:07

You probably want to remove the comment section though; it has the SSO URL that takes me to your company's Okta login screen. Might or might not be an issue, depending on how paranoid you are.

lukasz15:03:25

oh, it's on the original author then ;-)

jjttjj15:03:14

It seemed like it should be that easy. I wonder why it's not really documented and the entire AWS ecosystem requires a CLI with a setup step. Maybe the signin flow is more obvious if you're already familiar with OpenID?

lukasz15:03:23

Agreed! I don't know how much it changed in the last ~2 years, but just based on my experience of working with SSO before that, it seemed to be a hack on top of IAM and Cognito. When it worked, it worked, but it wasn't uncommon for login attempts to just fail several times in a row, or for changes to take a while to propagate (I used Google Workspace and Okta as the IdP). I think at some point they started to make it more solid, and also changed the name. So my guess is that until the v1 proved itself, AWS didn't want to get tied too much into how things work. For example, there was no API for any of this, so I couldn't use Terraform to manage SSO configuration. That changed after the new (renamed) version arrived.

jjttjj15:03:50

It doesn't seem like the situation has improved very much since then, based on the random comments I came across looking into this and the ~10 projects that offer alternatives to the official AWS API for managing creds.

lukasz15:03:01

Bummer, it was really nifty when it worked, and made our security story that much better. I never ran into major issues (except for that credential provider I had to write), because we relied on the AWS CLI being available.