aws-use-sso
npx skills add https://github.com/jordangarrison/aws-use-sso --skill aws-use-sso
Skill documentation
aws-use-sso
A lightweight tool that automates AWS SSO login and exports credentials to environment variables. It bridges the gap between AWS SSO authentication and tools that need AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN in the environment.
Environment Detection
Before doing anything, run the detection script to understand the user’s environment:
```sh
bash <skill-dir>/scripts/detect-env.sh
```
Parse the key=value output. The keys are:
| Key | Values | Meaning |
|---|---|---|
| `AWS_USE_SSO_INSTALLED` | true/false | Whether aws-use-sso is on PATH |
| `AWS_USE_SSO_PATH` | path or empty | Location of the binary |
| `NIX_AVAILABLE` | true/false | Whether nix is available |
| `DEVBOX_AVAILABLE` | true/false | Whether devbox is available |
| `DEVBOX_PROJECT_LOCAL` | true/false | Whether devbox.json exists in the current directory |
| `NIXOS` | true/false | Whether running on NixOS |
| `AWS_CONFIG_EXISTS` | true/false | Whether ~/.aws/config exists |
| `SSO_PROFILES` | comma-separated | SSO-enabled profile names |
| `SSO_PROFILE_COUNT` | number | Count of SSO profiles |
| `CREDS_FILE_EXISTS` | true/false | Whether ~/.aws/sso-creds.sh exists |
| `AWS_PROFILE_SET` | true/false | Whether the AWS_PROFILE env var is set |
| `AWS_PROFILE_VALUE` | string or empty | Value of AWS_PROFILE |
Installation
If AWS_USE_SSO_INSTALLED=false, guide the user through installation based on their environment.
Nix Available (NIX_AVAILABLE=true)
Offer these options:
- Add as flake input (for Nix projects with a `flake.nix`): `inputs.aws-use-sso.url = "github:jordangarrison/aws-use-sso";`
- Install to profile (persistent, user-wide): `nix profile install github:jordangarrison/aws-use-sso`
- One-off run (no install needed): `nix run github:jordangarrison/aws-use-sso -- <profile-name>`
Devbox Available (DEVBOX_AVAILABLE=true)
- Project-local (if `DEVBOX_PROJECT_LOCAL=true` or the user has a `devbox.json`): `devbox add github:jordangarrison/aws-use-sso`
- Global (system-wide via devbox): `devbox global add github:jordangarrison/aws-use-sso`
Neither Available
- If `NIXOS=true`: Nix should already be installed. Suggest running `nix-channel --update` or checking their PATH.
- If `NIXOS=false`: Guide the user to install Nix via the Determinate Systems installer:
  `curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install`
  After Nix is installed, return to the Nix installation options above.
Proactive Login Flow
Use this flow when the user explicitly asks to log in to AWS, set up credentials, or authenticate.
Step 1: Detect Profiles
Run the detection script. Check SSO_PROFILES and SSO_PROFILE_COUNT:
- 0 profiles: Tell the user they need to configure an SSO profile in `~/.aws/config`. Link them to the AWS SSO configuration docs.
- 1 profile: Auto-select it.
- Multiple profiles: If `AWS_PROFILE_SET=true`, suggest `AWS_PROFILE_VALUE` as the default. Present all profiles and let the user choose.
Step 2: Run aws-use-sso
```sh
aws-use-sso <profile-name>
```
This will:
- Open a browser for SSO authentication (the user must complete this)
- Export credentials to `~/.aws/sso-creds.sh`
Step 3: Offer Sourcing Choice
Present the user with two options:
Option A, agent sources credentials: the agent runs `source ~/.aws/sso-creds.sh` in its shell. Credentials are available for subsequent commands in this session.
Option B, user sources manually: tell the user to run the following in their terminal, then resume the conversation:
```sh
source ~/.aws/sso-creds.sh
```
This is useful when the user wants credentials in their own shell (e.g., for IDE integration or other tools outside the agent session).
Mid-Task Auto-Fix Flow
Use this flow when an AWS command fails during normal work. Do NOT prompt the user; fix silently and retry.
Error Patterns
Watch for these patterns in command output:
- `ExpiredTokenException`
- `ExpiredToken`
- `The SSO session associated with this profile has expired`
- `Unable to locate credentials`
- `AuthFailure`
- `InvalidClientTokenId`
- `The security token included in the request is expired`
- `UnauthorizedAccess`
- `NoCredentialProviders`
- `SSOTokenProviderFailure`
Recovery Steps
- Identify the profile: use `AWS_PROFILE_VALUE` if set, otherwise parse `SSO_PROFILES` from the detection script. If only one profile exists, use it. If multiple, use the one most recently used or ask the user.
- Run aws-use-sso: `aws-use-sso <profile-name>`
- Source credentials: `source ~/.aws/sso-creds.sh`
- Retry the failed command.
- If sourcing fails (e.g., the agent shell context doesn't support it), fall back to asking the user:
  > Your AWS credentials have expired. I've re-authenticated, but I can't source the credentials in my current shell. Please run `source ~/.aws/sso-creds.sh` in your terminal, then let me know when you're ready to continue.
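An added example (not part of aws-use-sso or this skill's scripts) that implements the profile selection from Step 1 of the login flow and the detect-then-retry logic of the recovery steps above as bash functions. `SAMPLE_ENV` is a constructed stand-in for the detection script's output, and `REAUTH_CMD` is an assumed override hook so the block can run without a real SSO login.

```bash
#!/usr/bin/env bash
# Added example, not part of aws-use-sso: pick the profile from the detection
# script's key=value output, then wrap an AWS command so that a credential
# error from the "Error Patterns" list triggers one re-auth and one retry.

# Constructed sample of what <skill-dir>/scripts/detect-env.sh prints.
SAMPLE_ENV='AWS_USE_SSO_INSTALLED=true
SSO_PROFILES=dev,prod
SSO_PROFILE_COUNT=2
AWS_PROFILE_SET=true
AWS_PROFILE_VALUE=prod'

# Print the value of key $1 from key=value text $2 (empty if absent).
env_get() { printf '%s\n' "$2" | sed -n "s/^$1=//p"; }

# Step 1 of the login flow: 0 profiles -> status 1; 1 profile -> auto-select;
# several -> AWS_PROFILE if it is an SSO profile, else status 2 (ask the user).
select_profile() {
  local out="$1" profiles count pset pval
  profiles=$(env_get SSO_PROFILES "$out")
  count=$(env_get SSO_PROFILE_COUNT "$out")
  pset=$(env_get AWS_PROFILE_SET "$out")
  pval=$(env_get AWS_PROFILE_VALUE "$out")
  case "$count" in
    0|'') return 1 ;;
    1) printf '%s\n' "$profiles" ;;
    *) if [ "$pset" = true ] && printf ',%s,' "$profiles" | grep -qF ",$pval,"; then
         printf '%s\n' "$pval"
       else
         return 2
       fi ;;
  esac
}

# The page's error patterns as one extended regex.
CRED_ERR_RE='ExpiredTokenException|ExpiredToken|The SSO session associated with this profile has expired|Unable to locate credentials|AuthFailure|InvalidClientTokenId|The security token included in the request is expired|UnauthorizedAccess|NoCredentialProviders|SSOTokenProviderFailure'
# Status 0 when captured command output matches a credential error.
is_cred_error() { printf '%s' "$1" | grep -Eq "$CRED_ERR_RE"; }

# REAUTH_CMD is the real recovery (re-auth, then source); override it to run offline.
REAUTH_CMD=${REAUTH_CMD:-'aws-use-sso "$profile" && . ~/.aws/sso-creds.sh'}

# Run "$@"; on a credential error, re-authenticate for profile $1 and retry once.
run_with_reauth() {
  local profile="$1" out; shift
  if out=$("$@" 2>&1); then printf '%s\n' "$out"; return 0; fi
  is_cred_error "$out" || { printf '%s\n' "$out" >&2; return 1; }
  eval "$REAUTH_CMD" || return 1   # re-auth failed: surface it to the user
  "$@"
}
```

A non-credential failure (e.g. an access-denied error) is passed through unchanged rather than retried, which keeps the silent fix limited to the expired-session case the flow is meant for.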
Troubleshooting
SSO session requires browser authentication
The `aws sso login` command opens a browser window. If running in a headless environment, the user must complete authentication on a machine with a browser. The CLI will display a URL and a code to enter.
No SSO profiles configured
The user needs to add SSO profile configuration to `~/.aws/config`. Example:
```ini
[profile my-sso-profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = MyRole
region = us-east-1

[sso-session my-sso]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
```
aws-use-sso not found after installation
If installed via `nix profile install`, the user may need to restart their shell or run `hash -r` to refresh the PATH cache. If using devbox, ensure they are inside a devbox shell or have run `eval "$(devbox global shellenv)"`.
Credentials expire quickly
AWS SSO session tokens have a limited lifetime (typically 1-12 hours depending on the IdP configuration). Re-run `aws-use-sso <profile>` when they expire. The mid-task auto-fix flow handles this automatically.