Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Programmatically establish boto3 sessions with AWS SSO

Tags:

python-3.x

amazon-web-services

boto3

boto

I'm trying to establish a boto3 session with boto3.session.Session(profile_name='foo') but getting an UnauthorizedSSOTokenError error:

botocore.exceptions.UnauthorizedSSOTokenError: The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile.

I tried logging in with subprocess.run("aws sso login --profile foo"), but this opens up my web browser and prompts for manual confirmation.

Is there any way to programmatically establish boto3 sessions if you're using AWS SSO?

In other words, is there any way to avoid manual confirmation?

like image 464
alex Avatar asked Mar 10 '26 21:03

alex

2 Answers

I wanted to handle SSO reauthentication on expiration automatically in my script and can live with a browser window being opened and (possibly) prompting the user to authorize device access.

Ended up with:

def establishSession(retry = True):
    session = boto3.Session(profile_name=AWS_PROFILE)
    sts = session.client('sts')
    try:
        identity = sts.get_caller_identity()
        print(f"Authorized as {identity['UserId']}")
        return session
    except botocore.exceptions.UnauthorizedSSOTokenError:
        if retry:
            subprocess.run(['aws','sso', 'login', '--profile', AWS_PROFILE])
            return establishSession(False)
        else:
            raise

The get_caller_identity api call is fast and does not need any special permissions. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts.html#STS.Client.get_caller_identity

like image 167
Elijah Avatar answered Mar 13 '26 09:03

Elijah

With just boto3, no. As you discovered already, you'll want to engaged the CLI for a solution with AWS SSO.

You can follow the steps here to setup the AWS CLI with AWS SSO. This will open a browser for you to manually confirm. My recommendation is that you increase the SSO session duration to be 12 hours. Effectively you sign in once a day and you're good for the rest of the day. This is the best mix of security and convenience. Other solutions like creating IAM roles, or totally automating the login are not recommended.

like image 43
Coin Graham Avatar answered Mar 13 '26 10:03

Coin Graham

Sign in to Comment

Related questions

Removing dictionary from a list
Get Poetry script endpoints

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!