I'm trying to establish a boto3 session with boto3.session.Session(profile_name='foo') but getting an UnauthorizedSSOTokenError error:

botocore.exceptions.UnauthorizedSSOTokenError: The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile.

I tried logging in with subprocess.run("aws sso login --profile foo"), but this opens up my web browser and prompts for manual confirmation.

Is there any way to programmatically establish boto3 sessions if you're using AWS SSO?

In other words, is there any way to avoid manual confirmation?

alex

  • AFAIK, no, not with AWS SSO. You would need to create an IAM user with keys outside of SSO (or run your code on an ec2 instance with an instance profile attached). – jordanm Jul 07 '21 at 13:50

4 Answers

I wanted to handle SSO reauthentication on expiration automatically in my script and can live with a browser window being opened and (possibly) prompting the user to authorize device access.

Ended up with:

import subprocess

import boto3
import botocore.exceptions

AWS_PROFILE = "foo"  # the SSO profile from the question


def establishSession(retry=True):
    session = boto3.Session(profile_name=AWS_PROFILE)
    sts = session.client('sts')
    try:
        # Cheap call that needs no IAM permissions; fails fast when the SSO token is expired
        identity = sts.get_caller_identity()
        print(f"Authorized as {identity['UserId']}")
        return session
    except botocore.exceptions.UnauthorizedSSOTokenError:
        if retry:
            # Opens the browser for the SSO login, then try exactly once more
            subprocess.run(['aws', 'sso', 'login', '--profile', AWS_PROFILE])
            return establishSession(False)
        else:
            raise

The get_caller_identity API call is fast and does not need any special permissions. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts.html#STS.Client.get_caller_identity

aelgn
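
The approach above only learns that the token is expired by making an AWS call and catching the exception. As an added example (not aelgn's code and not part of boto3's public API), the following reads the SSO token cache that botocore keeps under ~/.aws/sso/cache first, so a script can decide up front whether `aws sso login` is needed and will not surprise the user with a browser window halfway through a run. It assumes botocore's cache file naming (the SHA-1 of the profile's sso_session name, or of sso_start_url for legacy profiles) and the expiresAt field in those files; the helper names, the injectable `establish_session` wrapper and the ~/.aws fixture built in `demo()` are constructed for this example.

```python
import configparser
import hashlib
import json
import subprocess
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumption: botocore stores SSO tokens as <sha1(key)>.json under ~/.aws/sso/cache, where
# key is the profile's sso_session name or, for legacy profiles, its sso_start_url value.


def sso_cache_path(profile, config_path=None, cache_dir=None):
    """Path of the SSO token cache file botocore would consult for `profile`."""
    config_path = Path(config_path or Path.home() / ".aws" / "config")
    cache_dir = Path(cache_dir or Path.home() / ".aws" / "sso" / "cache")
    cfg = configparser.ConfigParser()
    cfg.read(config_path)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cfg.has_section(section):
        raise KeyError(f"profile {profile!r} not found in {config_path}")
    key = cfg[section].get("sso_session") or cfg[section].get("sso_start_url")
    if key is None:
        raise KeyError(f"profile {profile!r} is not configured for SSO")
    return cache_dir / (hashlib.sha1(key.encode("utf-8")).hexdigest() + ".json")


def sso_token_expires_at(cache_file):
    """expiresAt of the cached token as an aware UTC datetime, or None if nothing is cached."""
    cache_file = Path(cache_file)
    if not cache_file.exists():
        return None
    raw = json.loads(cache_file.read_text()).get("expiresAt")
    if raw is None:
        return None
    # Cache files carry e.g. "2021-07-07T20:50:52Z" (older CLI builds wrote "...UTC")
    return datetime.strptime(raw.replace("UTC", "Z"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def token_is_fresh(cache_file, margin=timedelta(minutes=5), now=None):
    """True if a cached token exists and stays valid for at least `margin`."""
    expires_at = sso_token_expires_at(cache_file)
    if expires_at is None:
        return False
    return expires_at - (now or datetime.now(timezone.utc)) > margin


def establish_session(profile, config_path=None, cache_dir=None, login=None, make_session=None):
    """Return a boto3 Session for `profile`, running `aws sso login` only when the cached token
    is missing or about to expire. `login`/`make_session` are injectable so the decision logic
    can be exercised without AWS access (see demo())."""
    login = login or (lambda p: subprocess.run(["aws", "sso", "login", "--profile", p], check=True))
    if make_session is None:
        import boto3  # lazy import: the cache checks above work without boto3 installed
        make_session = lambda p: boto3.Session(profile_name=p)
    cache_file = sso_cache_path(profile, config_path, cache_dir)
    if not token_is_fresh(cache_file):
        login(profile)  # opens the browser; the user still has to confirm the device code
        if not token_is_fresh(cache_file):
            raise RuntimeError(f"aws sso login did not leave a valid token in {cache_file}")
    return make_session(profile)


def demo():
    """Run the flow against a constructed ~/.aws layout in a temp dir; no AWS calls are made."""
    root = Path(tempfile.mkdtemp())
    config, cache = root / "config", root / "sso" / "cache"
    cache.mkdir(parents=True)
    start_url = "https://example.awsapps.com/start"  # constructed value
    config.write_text(f"[profile foo]\nsso_start_url = {start_url}\nsso_region = us-east-1\n"
                      "sso_account_id = 123456789012\nsso_role_name = ReadOnly\n")
    path = sso_cache_path("foo", config, cache)

    def write_token(expires_at):  # constructed cache file in botocore's layout
        path.write_text(json.dumps({"startUrl": start_url, "region": "us-east-1",
                                    "accessToken": "constructed-token",
                                    "expiresAt": expires_at.strftime("%Y-%m-%dT%H:%M:%SZ")}))

    write_token(datetime.now(timezone.utc) - timedelta(hours=1))  # start with an expired token
    logins = []

    def fake_login(profile):  # stands in for `aws sso login`: records the call, writes a 12 h token
        logins.append(profile)
        write_token(datetime.now(timezone.utc) + timedelta(hours=12))

    first = establish_session("foo", config, cache, login=fake_login, make_session=lambda p: f"session({p})")
    second = establish_session("foo", config, cache, login=fake_login, make_session=lambda p: f"session({p})")
    return {"cache_name": path.name,
            "expected_name": hashlib.sha1(start_url.encode("utf-8")).hexdigest() + ".json",
            "logins": logins, "sessions": [first, second], "fresh": token_is_fresh(path)}
```

In `demo()` the first call finds the expired token and triggers the (fake) login once; the second call finds a fresh token and never calls login. The 5-minute margin is there so a long-running script does not start work with a token that expires a few seconds later.
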
With just boto3, no. As you discovered already, you'll want to engage the CLI for a solution with AWS SSO.

You can follow the steps here to set up the AWS CLI with AWS SSO. This will open a browser for you to manually confirm. My recommendation is that you increase the SSO session duration to be 12 hours. Effectively you sign in once a day and you're good for the rest of the day. This is the best mix of security and convenience. Other solutions like creating IAM roles, or totally automating the login, are not recommended.

Coin Graham

Here is a link to a Gist I found that will assist you halfway, anyway. Still, it will open a web browser, but depending on the login process of your auth provider you should be able to cram your way through a web browser call using the Python requests lib.

https://gist.github.com/jcalvento/92861eb7ebda3fa064f3fbbb71acba41

Peter Grape

@coin graham's answer is now out of date. Please refer to this example for how to establish an sso session via boto3.

2ps
  • There is still no boto3 solution for this. There are python solutions, but not pure boto3. – Coin Graham Jul 19 '22 at 15:53
  • There is, please see the link. I mean boto3 is written in python, so I don't see how any boto3 solution (let alone a "pure" one) would avoid using python. I guess I don't understand what would be wrong or incorrect about using a series of steps within boto3 to establish an sso session (with a flow that fundamentally requires user interaction) that would make it more or less "pure." But obviously, if you were looking for a one-liner provided by boto3, you're right that no such one-liner exists. – 2ps Jul 20 '22 at 16:49
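
The "series of steps within boto3" that 2ps describes is the OIDC device-authorization flow, and the linked example is not reproduced on this page. What follows is an added example, written for this page and not 2ps's code: it drives the flow with the `sso-oidc` client's RegisterClient, StartDeviceAuthorization and CreateToken operations and exchanges the token with the `sso` client's GetRoleCredentials (all real boto3 operations), then shows how the result becomes a boto3 Session. The fake clients, the start URL, account id, role name and helper names are constructed so the flow can run offline; with real clients the user still has to approve the displayed code in a browser.

```python
import time

# Grant type from RFC 8628, which the SSO OIDC CreateToken operation expects for device flows
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def sso_login_device_flow(oidc, sso, start_url, account_id, role_name, notify=print, sleep=time.sleep):
    """Run the device-authorization flow with an 'sso-oidc' client and exchange the token for
    short-lived role credentials with an 'sso' client. Returns (access_token, ttl_seconds, creds)."""
    reg = oidc.register_client(clientName="device-flow-example", clientType="public")
    auth = oidc.start_device_authorization(
        clientId=reg["clientId"], clientSecret=reg["clientSecret"], startUrl=start_url)
    # The user must approve this request in a browser; the code is displayed, never auto-submitted.
    notify(f"Approve code {auth['userCode']} at {auth['verificationUriComplete']}")
    interval = auth.get("interval", 5)
    deadline = time.monotonic() + auth.get("expiresIn", 600)
    while True:
        try:
            tok = oidc.create_token(clientId=reg["clientId"], clientSecret=reg["clientSecret"],
                                    grantType=DEVICE_GRANT, deviceCode=auth["deviceCode"])
            break
        except oidc.exceptions.AuthorizationPendingException:
            pass  # not approved yet: poll again after `interval`
        except oidc.exceptions.SlowDownException:
            interval += 5  # server asked us to back off
        if time.monotonic() > deadline:
            raise TimeoutError("device authorization was not approved before the code expired")
        sleep(interval)
    creds = sso.get_role_credentials(
        roleName=role_name, accountId=account_id, accessToken=tok["accessToken"])["roleCredentials"]
    return tok["accessToken"], tok["expiresIn"], creds


def boto3_session_from_role_credentials(creds, region):
    """Turn GetRoleCredentials output into a boto3 Session (lazy import; real AWS use only)."""
    import boto3
    return boto3.Session(aws_access_key_id=creds["accessKeyId"],
                         aws_secret_access_key=creds["secretAccessKey"],
                         aws_session_token=creds["sessionToken"], region_name=region)


# --- constructed stand-ins so the flow can be exercised offline ---------------------------

class _FakeOidcExceptions:
    class AuthorizationPendingException(Exception):
        pass

    class SlowDownException(Exception):
        pass


class FakeOidcClient:
    """Mimics the 'sso-oidc' operations used above; approves after N pending polls."""
    exceptions = _FakeOidcExceptions

    def __init__(self, pending_polls=2):
        self.pending_polls = pending_polls
        self.calls = []

    def register_client(self, clientName, clientType):
        self.calls.append("register_client")
        return {"clientId": "constructed-client-id", "clientSecret": "constructed-client-secret"}

    def start_device_authorization(self, clientId, clientSecret, startUrl):
        self.calls.append("start_device_authorization")
        return {"deviceCode": "constructed-device-code", "userCode": "ABCD-EFGH",
                "verificationUriComplete": f"{startUrl}/device?user_code=ABCD-EFGH",
                "expiresIn": 600, "interval": 1}

    def create_token(self, clientId, clientSecret, grantType, deviceCode):
        self.calls.append("create_token")
        if grantType != DEVICE_GRANT:
            raise ValueError("unexpected grant type")
        if self.pending_polls:
            self.pending_polls -= 1
            raise self.exceptions.AuthorizationPendingException()
        return {"accessToken": "constructed-access-token", "expiresIn": 28800}


class FakeSsoClient:
    """Mimics the 'sso' GetRoleCredentials operation."""
    def get_role_credentials(self, roleName, accountId, accessToken):
        return {"roleCredentials": {"accessKeyId": "ASIACONSTRUCTED", "secretAccessKey": "constructed",
                                    "sessionToken": "constructed", "expiration": 0}}


def demo():
    """Run the flow end to end against the fakes; returns the token and the client call log."""
    oidc, messages = FakeOidcClient(pending_polls=2), []
    token, ttl, creds = sso_login_device_flow(
        oidc, FakeSsoClient(), "https://example.awsapps.com/start", "123456789012", "ReadOnly",
        notify=messages.append, sleep=lambda _s: None)
    return {"token": token, "ttl": ttl, "creds": creds, "calls": oidc.calls, "messages": messages}
```

Against real AWS you would pass `boto3.client('sso-oidc', region_name=sso_region)` and `boto3.client('sso', region_name=sso_region)` in place of the fakes and keep the default `notify`/`sleep`; the credentials returned by GetRoleCredentials are as short-lived as the SSO session duration allows, which is why the browser confirmation cannot be removed from this flow.
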