aws-sso-util VS glide

This tool allows you to configure all accounts your SSO has access to as well as login to all of them at once: https://github.com/benkehoe/aws-sso-util

I just wanted to give a shout out to the maintainers of https://github.com/benkehoe/aws-sso-util . It fills in so many little gaps with AWS SSO (which itself may be a bit clunky, but is a service I wish more people made use of). If you're using CloudFormation to manage SSO access to various organisation accounts, this project provides a really great CloudFormation Macro to make everything easier.

AWS SSO prevents the need to store credentials on disk. Adding and removing users from a group dynamically changes their permissions, and you can customise the maximum session durations. There are some shortcomings with the service, and if you want to get more involved, it's worth checking out aws-sso-util by Ben Kehoe.

Only in rare cases where I work with tooling that can't support SSO vended credentials do I configure my .config profiles with a credential helper script like Ben's stuff over at https://github.com/benkehoe/aws-sso-util

Especially for occasional access, I recommend implementing a request/approval workflow. It is still an early product, but Common Fate has a tool for this that I’m really excited about. https://github.com/common-fate/common-fate

Take a look at Common Fate

Honestly? I don’t know. On a more granular level, each of the above problems have their own solution. Talk to your coworkers about how you trust them, you just don’t want to take unnecessary risks. Make sure to do good security design before you need to pay KPMG $25 million to fix it for you. Talk to your coworkers about what their jobs actually are. Check out our Github repo, etc. etc.

If you want to check out the code for yourself, here’s a Go Playground link. And if you’re interested in seeing how we’ve implemented this in our own project, you can check out our gconfig package.