A Python CLI tool for generating AWS CLI configuration and directory structures.
In a large organization with multiple AWS accounts, managing access via AWS SSO can become cumbersome. You may have access to many roles across various accounts, and switching between them manually can be error-prone and time-consuming.
sso-config-generator creates a profile for each AWS role you have access to via AWS SSO. After logging in to an SSO session, you can use the profiles in your AWS CLI commands, SDKs, and tools like Terraform.
aws sso login --profile sso-browser
The login command opens a browser window for authentication. After successful login, you can use the generated profiles like this:
aws s3 ls --profile my-profile-name
or set the AWS_PROFILE (or AWS_DEFAULT_PROFILE) environment variable:
export AWS_PROFILE=my-profile-name
aws s3 ls
It also creates a directory structure that mirrors your AWS Organization, making it easy to navigate and manage multiple AWS accounts. Each account directory contains a .envrc file (for use with direnv) that sets the AWS_PROFILE environment variable to the appropriate profile for that account, so that cd-ing into the directory automatically switches to the correct AWS profile.
Profiles are named using the following convention:
<RoleName>@<AccountName>
For example, if you have access to the AdministratorAccess role in the DevAccount, the profile will be named:
AdministratorAccess@DevAccount
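Because cd-ing into an account directory silently selects a role, it is worth checking which role each .envrc picks. The following is an added example, not code from sso-config-generator: it audits a generated tree against the <RoleName>@<AccountName> convention and a role allow-list. The `export AWS_PROFILE=<name>` line format, the keys in the sample config, the allow-list and all function names are assumptions; the sample data is constructed.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Assumption: each generated .envrc holds a line `export AWS_PROFILE=<name>`.
ENVRC_RE = re.compile(r"^\s*export\s+AWS_PROFILE=[\"']?([^\"'\s]+)", re.M)
# Constructed samples; the keys under each role profile are assumed.
SAMPLE_CONFIG = """\
[profile AdministratorAccess@DevAccount]
sso_session = sso
[profile ReadOnlyAccess@ProdAccount]
sso_session = sso
"""
SAMPLE_TREE = {"dev/DevAccount": "AdministratorAccess@DevAccount",
               "prod/ProdAccount": "ReadOnlyAccess@ProdAccount",
               "prod/OldAccount": "AdministratorAccess@OldAccount"}

def load_profiles(config_text):
    """Return the names of all [profile ...] sections in an AWS CLI config."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(config_text)
    return {s[len("profile "):] for s in parser.sections() if s.startswith("profile ")}

def audit_envrc(root, profiles, allowed_roles):
    """List (relative path, profile, problem) for .envrc files needing review."""
    findings = []
    for envrc in sorted(Path(root).rglob(".envrc")):
        match = ENVRC_RE.search(envrc.read_text())
        if not match:
            continue  # this .envrc does not set AWS_PROFILE
        profile = match.group(1)
        role, sep, account = profile.partition("@")  # <RoleName>@<AccountName>
        rel = envrc.relative_to(root).as_posix()
        if profile not in profiles:
            findings.append((rel, profile, "profile not in config"))
        elif not (sep and role and account):
            findings.append((rel, profile, "name is not Role@Account"))
        elif role not in allowed_roles:
            findings.append((rel, profile, "role outside allow-list"))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, profile in SAMPLE_TREE.items():
            Path(tmp, rel).mkdir(parents=True)
            Path(tmp, rel, ".envrc").write_text(f"export AWS_PROFILE={profile}\n")
        return audit_envrc(tmp, load_profiles(SAMPLE_CONFIG), {"ReadOnlyAccess"})
```

Against a real setup, pass the text of ~/.aws/config to load_profiles and the directory where the account directories were created to audit_envrc.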
All commands in this repo assume your ~/.aws/config contains a reusable profile that points at your SSO session. Make sure this exact block exists (adjust the region only if your SSO region differs):
[profile sso-browser]
sso_session = sso
region = eu-west-1
output = json
Run aws sso login --profile sso-browser before invoking sso-config-generator so the CLI can reuse the cached credentials.
SSO Config Generator is a standalone Python tool that simplifies AWS SSO configuration management by:
- Generating properly configured AWS CLI config files
- Creating directory structures that mirror your AWS Organization
- Setting up environment files for easy role switching using direnv
You can install sso-config-generator via pip, or use it directly without installation using uvx.
pip install sso-config-generator
- Python 3.8 or higher
- AWS CLI v2 configured with:
  - Default region set in ~/.aws/config or via AWS_DEFAULT_REGION environment variable
  - AWS SSO configured via aws configure sso
- direnv (optional, for automatic profile switching)
Before using the tool, complete these steps:
- Configure AWS SSO:
  Either run:
  aws configure sso
  # Follow the prompts to enter:
  # - SSO start URL (e.g., https://your-domain.awsapps.com/start)
  # - SSO Region
  # - SSO registration scopes (accept default)
  or manually edit ~/.aws/config to look like this (the [profile sso-browser] block must match the one described in the Required SSO Browser Profile section):
  [sso-session sso]
  sso_region = eu-west-1
  sso_start_url = https://YOUR_DOMAIN.awsapps.com/start
  sso_registration_scopes = sso:account:access

  [profile sso-browser]
  sso_session = sso
  output = json
  region = eu-west-1
- Login to AWS SSO:
  # Login to SSO to create credentials
  aws sso login --profile sso-browser
When running in AWS Cloud9 or CloudX environments, the tool will automatically:
- Detect if you're in your home directory with an "environment" subdirectory
- Change to the "environment" directory
- Skip the SSO name in the directory structure
This ensures seamless operation in AWS-provided development environments.
- "Error: You must specify a region"
  - Use the --region flag: uvx sso-config-generator --region us-east-1
  - Or set AWS_DEFAULT_REGION environment variable
  - Or configure default region in ~/.aws/config
- "Unable to locate credentials"
  - Run aws sso login to refresh your SSO credentials
  - Ensure you've completed AWS SSO configuration with aws configure sso
  - Check if your SSO session has expired (sessions typically last 8 hours)
- "SSO session is expired"
  - Run aws sso login to start a new session
Simply run:
uvx sso-config-generator
This will:
- Update your AWS CLI config file (~/.aws/config)
- Generate a directory structure in the current directory + sso-name
- Create .envrc files in each account directory with AdministratorAccess role
- Use OU structure for directory organization (cached for performance)
The tool caches OU structure information in the same directory as your AWS config file to improve performance. When the cache exists, it will be used automatically with a notification. To rebuild the cache:
uvx sso-config-generator --rebuild-cache
Usage: sso-config-generator [OPTIONS]
Options:
--create-directories/--no-create-directories Create a directory for each account (default: True)
--use-ou-structure/--no-use-ou-structure Create directories for each OU (default: True)
--developer-role-name NAME Role name to use for .envrc files (default: AdministratorAccess)
--rebuild-cache Force rebuild of OU structure cache
--sso-name NAME Use specified SSO name instead of extracting from SSO start URL
--create-repos-md Create repos.md files in each account directory
--skip-sso-name Do not create a directory for the SSO name (default: False)
--unified-root PATH Directory where account directories are created
(default: current directory)
If current directory is named "environment", SSO name is
automatically skipped
--region REGION AWS region to use (default: eu-west-1)
--validate Validate current AWS SSO configuration instead of generating
--help Show this message and exit
--version Show the version and exit
- Basic config generation (uses defaults):
  uvx sso-config-generator
- Disable OU structure (flat account directories):
  uvx sso-config-generator --no-use-ou-structure
- Use different role for .envrc files:
  uvx sso-config-generator --developer-role-name ReadOnlyAccess
- Use specific AWS region:
  uvx sso-config-generator --region us-east-1
- Force rebuild of OU cache:
  uvx sso-config-generator --rebuild-cache
- Specify custom root directory:
  uvx sso-config-generator --unified-root ~/aws-environments
- Skip creating directories (config file only):
  uvx sso-config-generator --no-create-directories
- Working in an "environment" directory (automatic behavior):
  # If your current directory is named 'environment'
  cd environment
  uvx sso-config-generator
  # This will automatically skip creating the SSO name directory
- Validate existing configuration:
  uvx sso-config-generator --validate

- Clone the repository:
  git clone https://github.com/easytocloud/sso-config-generator.git
  cd sso-config-generator
- Create a virtual environment:
  python -m venv venv
  source venv/bin/activate  # On Windows: venv\Scripts\activate
- Install the package in development mode:
  pip install -e .
- Build the package:
  pip install build && python -m build
- Run the tool:
  uvx sso-config-generator
- Test changes:
  ./test_sso_config.sh
This project uses semantic-release for automated versioning and package publishing. The version is stored in a single source of truth:
- src/sso_config_generator/version.py: Contains the __version__ variable
- __init__.py imports this version
- pyproject.toml is updated automatically by the GitHub workflow
When a commit is pushed to the main branch, the GitHub workflow:
- Determines the next version based on commit messages
- Creates a GitHub release and tag
- Updates the version in version.py and pyproject.toml
- Publishes the package to PyPI
To trigger specific version increments, use the following commit message prefixes:
- feat: - Minor version increment (e.g., 1.1.0 -> 1.2.0)
- fix:, docs:, style:, etc. - Patch version increment (e.g., 1.1.0 -> 1.1.1)
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.