aws-vault configure

[FernandoMiguel]

Now that v6 adds SSO support, it is missing an important security feature:
aws-vault configure

a user to has to aws sso configure to create the profile in ~/.aws/config if they don't want to create it by hand.
by doing so, a long term session json will be left under ~/.aws/sso/

If aws-vault is able to run the configure command and store the keys directly into the keychain, no sensitive files are left on disk

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[christophetd]

Sounds like this is still a great feature proposal!

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[christophetd]

Still an interesting feature request it seems?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[christophetd]

Commenting to avoid closure.

[christophetd]

AWS SSO roles and accounts you have access to frequently change. I find myself having to manually juggle with my .aws/config a lot, and that's why people created tooling like https://github.com/synfinatic/aws-sso-cli

It would be nice to have this feature in aws-vault, but I'm unsure what it would look like:

• Do we want to prompt at exec/login time for the SSO account and role to use, and use it as a one-off?
• Do we want to have an aws-vault sso-configure command that interactively shows the AWS accounts and roles the user has access to, and select the ones they want to have reflected in their .aws/config file?
• Do we consider it out of scope of aws-vault, and consider we should have an external tool handling the generation of .aws/config?

@mtibben feel free to share if you have an opinion

[mtibben]

Hey @christophetd I don't have an opinion as I don't use this feature at this time