
Add AWS SSO integration#136

Merged: robert-chiniquy merged 3 commits into main from feat/aws-sso on Mar 30, 2026

Conversation

@afalahi (Contributor) commented Mar 29, 2026

Summary

  • Adds cone aws setup — configures SSO URL/regions, scans ConductorOne for AWS permission set entitlements, creates ~/.aws/config profiles with credential_process pointing to cone
  • Adds cone aws credentials <profile> — fetches temporary AWS credentials via SSO, auto-submits access requests if no active grant, polls for auto-approval, retries SSO login on expired tokens
  • Adds cone aws setup show — displays current SSO configuration
  • Separates --sso-region (Identity Center) from --region (default AWS CLI region)

Usage

# First-time setup
cone aws setup --sso-url https://myorg.awsapps.com/start --sso-region us-east-1 --region us-west-2

# Creates profiles for all available AWS permission sets
# Then just use AWS CLI normally:
aws s3 ls --profile acme-admin

# If no access, cone auto-submits a request and polls for approval
# If approved, credentials are returned transparently

Test plan

  • cone aws setup --sso-url <url> --sso-region <region> creates profiles in ~/.aws/config
  • cone aws setup show displays saved config
  • cone aws setup (re-run) skips existing profiles
  • cone aws credentials <profile> returns JSON credentials when granted
  • cone aws credentials <profile> auto-submits request when no grant exists
  • Auto-approval polling works for auto-approved entitlements
  • Expired SSO token triggers automatic aws sso login and retry
  • aws <command> --profile <name> works end-to-end via credential_process
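
As an added example (not code from this PR or from the cone project), the two halves of the credential_process contract the description relies on: the ~/.aws/config profile that points the AWS CLI at the helper, and a check of the JSON the helper must print back. The CredentialOutput struct, ProfileBlock and ValidateCredentialOutput names are assumptions for this illustration; the JSON field names and the Version=1 requirement are AWS's documented credential_process schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// CredentialOutput is the JSON the AWS CLI expects from credential_process (Version 1, RFC 3339 Expiration).
type CredentialOutput struct {
	Version         int    `json:"Version"`
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken,omitempty"`
	Expiration      string `json:"Expiration,omitempty"`
}

// SampleOutput is a constructed stand-in for `cone aws credentials` output; placeholder values, not real credentials.
const SampleOutput = `{"Version":1,"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"example-secret","SessionToken":"example-token","Expiration":"2026-03-30T18:00:00Z"}`

// ProfileBlock renders one ~/.aws/config section; conePath is absolute so a stray `cone` on PATH is never run.
func ProfileBlock(profile, region, conePath string) string {
	return fmt.Sprintf("[profile %s]\nregion = %s\ncredential_process = %s aws credentials %s\n",
		profile, region, conePath, profile)
}

// ValidateCredentialOutput rejects what the AWS CLI would reject, plus credentials already past Expiration.
func ValidateCredentialOutput(raw []byte, now time.Time) (CredentialOutput, error) {
	var out CredentialOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return out, err
	}
	if out.Version != 1 || out.AccessKeyId == "" || out.SecretAccessKey == "" {
		return out, fmt.Errorf("not a valid Version 1 credential document")
	}
	if out.Expiration != "" {
		exp, err := time.Parse(time.RFC3339, out.Expiration)
		if err != nil {
			return out, fmt.Errorf("bad Expiration: %w", err)
		}
		if !exp.After(now) {
			return out, fmt.Errorf("credentials expired at %s", out.Expiration)
		}
	}
	return out, nil
}

func main() {
	fmt.Print(ProfileBlock("acme-admin", "us-west-2", "/usr/local/bin/cone"))
}
```

When Expiration is omitted the AWS CLI treats the credentials as long-term and never re-invokes the process, so a helper that returns SSO-derived session credentials should always include it so the SSO lifetime, not the shell session, bounds how long they stay usable.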

@robert-chiniquy robert-chiniquy enabled auto-merge (squash) March 29, 2026 17:07
@afalahi (Contributor, Author) left a comment

LGTM. Tested locally and everything works.

afalahi and others added 3 commits March 30, 2026 09:03
Fix GetResource interface parameter order to match implementation.
Add UpdateEntitlement method to C1Client interface.
Add IsAWSPermissionSet detection in task.go.
Add output.JSON constant for format checks.

Add `cone aws setup` — configures SSO URL and regions, scans ConductorOne
for AWS permission set entitlements, and creates ~/.aws/config profiles
with credential_process pointing to cone.

Add `cone aws credentials` — fetches temporary AWS credentials via SSO.
Automatically submits a ConductorOne access request if no active grant
exists, polls for auto-approval, and retries SSO login on expired tokens.

Add `cone aws setup show` — displays current SSO configuration.

checkC1Access was building a fake cobra.Command with hardcoded flags
just to call cmdContext() for a client. Since awsCredentialsRun already
has a client from cmdContext, pass it through instead.

Also add requireAWSCLI() check before shelling out to aws, so users
get a clear error message instead of an exec failure.
@robert-chiniquy robert-chiniquy merged commit c2f4fa2 into main Mar 30, 2026
2 checks passed
@robert-chiniquy robert-chiniquy deleted the feat/aws-sso branch March 30, 2026 15:06