@tmclnk
Last active December 11, 2025 18:40
AWS Config File Generator
#!/bin/bash
# Generate AWS config file entries for all SSO profiles
#
# How this works:
# - There is ONE sso-session that corresponds to your IAM Identity Center login
# - Once authenticated, you get MULTIPLE profiles (one for each account+role combination)
# - This script does NOT modify ~/.aws/config - it outputs everything to stdout
# - Copy/paste the output into ~/.aws/config
# - Safe to run multiple times to regenerate your complete config
#
# Requirements: AWS CLI v2 (sso-session support) and jq
#
# Usage Examples:
#   ./list-aws-profiles.sh               # (Dry run) Output to terminal
#   ./list-aws-profiles.sh > config.txt  # (Recommended) Save to file
#
# Configure these variables for your organization (or override them via the environment)
SSO_START_URL="${SSO_START_URL:-https://d-906781a82a.awsapps.com/start/}"
SSO_REGION="${SSO_REGION:-us-east-1}"
SSO_SESSION="${SSO_SESSION:-dc}"

set -e

for tool in aws jq; do
    command -v "$tool" >/dev/null 2>&1 || { echo "Error: '$tool' is required but not installed." >&2; exit 1; }
done

# Create temporary config file. The sso login below reads the sso-session from it,
# so the real ~/.aws/config is never touched.
TEMP_CONFIG=$(mktemp)
trap 'rm -f "$TEMP_CONFIG"' EXIT
echo "Creating temporary AWS config at: $TEMP_CONFIG" >&2
echo "This file will be automatically deleted when the script finishes." >&2
echo "" >&2

# Write the sso-session block to the temp config and output it
cat <<EOF | tee "$TEMP_CONFIG"
[sso-session ${SSO_SESSION}]
sso_start_url = ${SSO_START_URL}
sso_region = ${SSO_REGION}
sso_registration_scopes = sso:account:access

EOF

export AWS_CONFIG_FILE="$TEMP_CONFIG"
export AWS_DEFAULT_REGION="$SSO_REGION"

echo "" >&2
echo "Logging in to AWS SSO session '$SSO_SESSION'..." >&2
aws sso login --sso-session "$SSO_SESSION" >&2

echo "" >&2
echo "Fetching AWS SSO accounts and roles..." >&2

# Get the access token from the cached credentials.
# The cache directory also holds client-registration files and tokens for other
# start URLs, so select the token by start URL instead of taking the newest file.
SSO_CACHE_DIR="$HOME/.aws/sso/cache"
ACCESS_TOKEN=$(jq -r --arg url "$SSO_START_URL" \
    'select(.accessToken != null and .startUrl == $url) | .accessToken' \
    "$SSO_CACHE_DIR"/*.json 2>/dev/null | head -n 1)
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
    echo "Error: Could not find an access token for $SSO_START_URL. Please ensure you're logged in." >&2
    exit 1
fi

echo "" >&2
echo "Generating AWS config profiles..." >&2
echo "" >&2

# Get all accounts as "accountId<TAB>accountName" lines (the CLI follows pagination for us).
# Note: the bearer token is passed on the command line, so it is visible to other local
# users via ps while each call runs. Fine on a personal workstation, not on a shared host.
accounts=$(aws sso list-accounts --access-token "$ACCESS_TOKEN" \
    --query 'accountList[*].[accountId,accountName]' --output text)

# For each account, get available roles and append profiles to temp config
while IFS=$'\t' read -r account_id account_name; do
    [ -n "$account_id" ] || continue
    roles=$(aws sso list-account-roles --account-id "$account_id" --access-token "$ACCESS_TOKEN" \
        --query 'roleList[*].roleName' --output text)
    # Role names contain no whitespace, so plain word splitting is safe here
    for role in $roles; do
        profile_name="${account_id}-${role}"
        cat <<EOF | tee -a "$TEMP_CONFIG"
# ${account_name}
[profile ${profile_name}]
sso_session = ${SSO_SESSION}
sso_account_id = ${account_id}
sso_role_name = ${role}
region = ${SSO_REGION}
output = json

EOF
    done
done <<<"$accounts"
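The script above hands you a file to paste into ~/.aws/config by hand, and nothing checks that paste. The following is an added example, not part of tmclnk's gist: a `check_generated_config` function (hypothetical name) that validates a generated file against the conventions the script emits, exactly one `[sso-session]` block, every `[profile]` referencing it, and no section header that already exists in the target config. The sample files it creates are constructed for the demonstration (fake account ids, an example start URL) and are not real data.

```shell
#!/bin/bash
# Added example (not from the original gist): sanity-check a generated config
# before pasting it into ~/.aws/config.
#
# check_generated_config GENERATED_FILE [EXISTING_CONFIG]
#   1. GENERATED_FILE declares exactly one [sso-session NAME] block
#   2. every [profile ...] in it has sso_session = NAME
#   3. no section header in GENERATED_FILE already exists in EXISTING_CONFIG
#      (default ~/.aws/config); collisions must be resolved by hand
# Returns 0 when clean, 1 otherwise, with details on stderr.

check_generated_config() {
    local generated="$1" existing="${2:-$HOME/.aws/config}" problems=0

    # 1. Exactly one sso-session block; its name is what every profile must reference.
    local session n
    session=$(sed -n 's/^[[:space:]]*\[sso-session[[:space:]][[:space:]]*\([^]]*\)\].*/\1/p' "$generated")
    n=$(( $(printf '%s\n' "$session" | sed '/^$/d' | wc -l) ))
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one [sso-session] block in $generated, found $n" >&2
        problems=1
    fi

    # 2. Walk the profile sections; print "name -> session" for every mismatch.
    local bad
    bad=$(awk -v want="$session" '
        function flush() {
            if (name != "" && sess != want)
                print name " -> " (sess == "" ? "<none>" : sess)
        }
        /^[[:space:]]*\[/ {                         # any section header
            flush(); name = ""; sess = ""
            if ($0 ~ /^[[:space:]]*\[profile[[:space:]]/) {
                name = $0
                sub(/^[[:space:]]*\[profile[[:space:]]+/, "", name)
                sub(/\].*$/, "", name)
            }
            next
        }
        name != "" && /^[[:space:]]*sso_session[[:space:]]*=/ {
            sess = $0
            sub(/^[^=]*=[[:space:]]*/, "", sess)
            sub(/[[:space:]]*$/, "", sess)
        }
        END { flush() }' "$generated")
    if [ -n "$bad" ]; then
        echo "profiles whose sso_session does not match '$session':" >&2
        printf '%s\n' "$bad" | sed 's/^/  /' >&2
        problems=1
    fi

    # 3. Section headers present in both files. Each list is de-duplicated
    #    first, so uniq -d only reports headers that occur in both files.
    if [ -f "$existing" ]; then
        local hdr='s/^[[:space:]]*\(\[[^]]*\]\).*/\1/p' dups
        dups=$( { sed -n "$hdr" "$generated" | sort -u; sed -n "$hdr" "$existing" | sort -u; } | sort | uniq -d)
        if [ -n "$dups" ]; then
            echo "sections already present in $existing (resolve before pasting):" >&2
            printf '%s\n' "$dups" | sed 's/^/  /' >&2
            problems=1
        fi
    fi
    return "$problems"
}

# Constructed sample inputs (fake account ids, not real data) so the check runs
# offline; writes generated.txt, config.clean and config.collision into DIR.
make_sample_files() {
    local dir="$1"
    cat > "$dir/generated.txt" <<'EOF'
[sso-session dc]
sso_start_url = https://example.awsapps.com/start/
sso_region = us-east-1

[profile 111111111111-AdministratorAccess]
sso_session = dc
sso_account_id = 111111111111
sso_role_name = AdministratorAccess

[profile 222222222222-ReadOnly]
sso_session = dc
sso_account_id = 222222222222
sso_role_name = ReadOnly
EOF
    printf '[default]\nregion = us-west-2\n' > "$dir/config.clean"
    printf '[default]\nregion = us-west-2\n\n[profile 222222222222-ReadOnly]\nregion = eu-west-1\n' > "$dir/config.collision"
}

if [ "$#" -gt 0 ]; then
    check_generated_config "$@"
else
    # No arguments: run the check against the constructed samples.
    demo_dir=$(mktemp -d)
    make_sample_files "$demo_dir"
    check_generated_config "$demo_dir/generated.txt" "$demo_dir/config.clean" && echo "clean target: OK"
    check_generated_config "$demo_dir/generated.txt" "$demo_dir/config.collision" || echo "collision detected, as expected"
    rm -rf "$demo_dir"
fi
```

Run it as `./check-config.sh config.txt` before pasting (the second argument defaults to ~/.aws/config); with no arguments it exercises the constructed samples. Collisions are reported rather than merged on purpose: a duplicate `[profile]` header in ~/.aws/config is something the CLI should not be left to reconcile silently, so the human pasting the block decides which definition wins.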