From ddc90d33ddadd369d954ec0bb07e98eb4544d0d2 Mon Sep 17 00:00:00 2001 From: Yessergire Mohamed Date: Thu, 26 Jun 2025 13:53:26 +0300 Subject: [PATCH 1/2] feat: Enable using AWS SSO for credentials --- src/lib/aws-sdk/credentials.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/lib/aws-sdk/credentials.ts b/src/lib/aws-sdk/credentials.ts index ab2346e..765d347 100644 --- a/src/lib/aws-sdk/credentials.ts +++ b/src/lib/aws-sdk/credentials.ts @@ -144,6 +144,10 @@ export async function setAWSCredentials(profile?: string, region?: string): Prom sources.push(() => new AWS.SharedIniFileCredentials({ filename: credentialsFileName(), profile, tokenCodeFn })); } + if (await canRead(configFileName())) { + sources.push(() => new AWS.SsoCredentials({ filename: configFileName(), profile })); + } + const credentials = await new AWS.CredentialProviderChain(sources).resolvePromise(); AWS.config.update({ credentials }); } catch (err) { From 1876abeb0eb01e9de237faf3bba876576291feb6 Mon Sep 17 00:00:00 2001 From: Yessergire Mohamed Date: Tue, 12 Aug 2025 18:42:08 +0300 Subject: [PATCH 2/2] feat: Add an yarg option for SSO profile --- README.md | 2 ++ src/cmd/cloudwatch/export.ts | 8 +++++++- src/cmd/log-retention/aws.ts | 7 ++++++- src/cmd/monitoring/init.ts | 7 ++++++- src/cmd/monitoring/update.ts | 5 +++++ src/lib/aws-sdk/credentials.ts | 12 ++++++------ src/lib/log-retention/aws/types.ts | 1 + src/lib/log-retention/aws/update.ts | 2 +- src/lib/monitoring/types.ts | 1 + 9 files changed, 35 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 19d0d89..e9d5773 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,8 @@ In the root project folder run
Optional flags + `--sso`: a boolean flag indicating if the provided AWS profile should be used with SSO credentials. Default value is `false`. + `--service` - a space seperated list of service names to include in the search for resources. By default all resources are included:
    diff --git a/src/cmd/cloudwatch/export.ts b/src/cmd/cloudwatch/export.ts index bc3db9a..395cd7f 100644 --- a/src/cmd/cloudwatch/export.ts +++ b/src/cmd/cloudwatch/export.ts @@ -42,6 +42,11 @@ export const builder = (yargs: Argv<{}>): Argv<{}> => { type: 'string', default: 'alarms.json', }, + sso: { + default: false, + describe: 'Use an AWS profile with SSO credentials', + type: 'boolean', + }, }); }; @@ -52,6 +57,7 @@ interface Args { include: string[]; exclude: string[]; output: string; + sso?: boolean; } interface AlarmExport { @@ -70,7 +76,7 @@ interface AlarmExport { export const handler = async (args: Args): Promise => { setVerbose(args.verbose); - await aws.setAWSCredentials(args.profile, args.region); + await aws.setAWSCredentials(args.profile, args.region, args.sso); const alarms = await aws.getCloudWatchMetricAlarms(args.include, args.exclude); const parsed = alarms.reduce((acc, alarm) => { diff --git a/src/cmd/log-retention/aws.ts b/src/cmd/log-retention/aws.ts index 98706cc..b4466e4 100644 --- a/src/cmd/log-retention/aws.ts +++ b/src/cmd/log-retention/aws.ts @@ -31,10 +31,15 @@ export const builder = (yargs: Argv<{}>): Argv<{}> => { default: false, type: 'boolean', }, + sso: { + default: false, + describe: 'Use an AWS profile with SSO credentials', + type: 'boolean', + }, }); }; export const handler = async (args: types.CmdParams): Promise => { - await setAWSCredentials(args.profile, args.region); + await setAWSCredentials(args.profile, args.region, args.sso); SetRetentions(args); }; diff --git a/src/cmd/monitoring/init.ts b/src/cmd/monitoring/init.ts index 738907d..8dbfcc7 100644 --- a/src/cmd/monitoring/init.ts +++ b/src/cmd/monitoring/init.ts 
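Review bot: In the `log-retention` handler (`src/cmd/log-retention/aws.ts`) credentials are resolved with `args.sso`, and then `SetRetentions(args)` resolves them a second time (see the `src/lib/log-retention/aws/update.ts` hunk); that call is also not awaited. Any rejection from `SetRetentions` therefore surfaces as an unhandled rejection rather than as a failed command, which makes a credential problem during the retention update easy to miss. Suggest `await SetRetentions(args);` and keeping the `setAWSCredentials(args.profile, args.region, args.sso)` call in one place only, so the flag cannot drift between the two call sites.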
@@ -69,12 +69,17 @@ export const builder = (yargs: Argv<{}>): Argv<{}> => { default: false, type: 'boolean', }, + sso: { + default: false, + describe: 'Use an AWS profile with SSO credentials', + type: 'boolean', + }, }); }; export const handler = async (args: monitoring.Args): Promise => { setVerbose(args.verbose); - await aws.setAWSCredentials(args.profile, args.region); + await aws.setAWSCredentials(args.profile, args.region, args.sso); const awsConfig = await monitoring.getAllFromAWS(args); diff --git a/src/cmd/monitoring/update.ts b/src/cmd/monitoring/update.ts index b5988f8..a52bdec 100644 --- a/src/cmd/monitoring/update.ts +++ b/src/cmd/monitoring/update.ts @@ -67,6 +67,11 @@ export const builder = (yargs: Argv<{}>): Argv<{}> => { default: false, type: 'boolean', }, + sso: { + default: false, + describe: 'Use an AWS profile with SSO credentials', + type: 'boolean', + }, }); }; diff --git a/src/lib/aws-sdk/credentials.ts b/src/lib/aws-sdk/credentials.ts index 765d347..2733dbc 100644 --- a/src/lib/aws-sdk/credentials.ts +++ b/src/lib/aws-sdk/credentials.ts 
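Review bot: The `sso` option is registered in the `monitoring update` builder, but this file's diff has only the five added option lines and no handler change, unlike `init.ts`, `export.ts` and `log-retention/aws.ts`, where `args.sso` is forwarded. If the handler (outside the hunk) still calls `aws.setAWSCredentials(args.profile, args.region)`, `--sso` is accepted and then ignored, and the update runs with whatever other credentials happen to resolve. Worth confirming that the handler passes the flag: `await aws.setAWSCredentials(args.profile, args.region, args.sso);`.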
@@ -134,18 +134,18 @@ function environmentCredentials(prefix: string): () => AWS.EnvironmentCredential /** * Set credentials and region to AWS from config and env variables */ -export async function setAWSCredentials(profile?: string, region?: string): Promise { +export async function setAWSCredentials(profile?: string, region?: string, sso?: boolean): Promise { try { const sources: (() => AWS.Credentials)[] = [environmentCredentials('AWS'), environmentCredentials('AMAZON')]; profile = profile || process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || 'default'; - if (await canRead(credentialsFileName())) { + if (!sso && await canRead(credentialsFileName())) { sources.push(() => new AWS.SharedIniFileCredentials({ filename: credentialsFileName(), profile, tokenCodeFn })); - } - - if (await canRead(configFileName())) { - sources.push(() => new AWS.SsoCredentials({ filename: configFileName(), profile })); + } else if (sso && await canRead(configFileName())) { + /* eslint-disable-next-line @typescript-eslint/no-explicit-any */ + const ssoProfile = profile !== (AWS as any).util.defaultProfile ? 'profile ' + profile : profile; + sources.push(() => new AWS.SsoCredentials({ filename: configFileName(), profile: ssoProfile })); } const credentials = await new AWS.CredentialProviderChain(sources).resolvePromise(); diff --git a/src/lib/log-retention/aws/types.ts b/src/lib/log-retention/aws/types.ts index 4fc8740..6b70e74 100644 --- a/src/lib/log-retention/aws/types.ts +++ b/src/lib/log-retention/aws/types.ts @@ -11,4 +11,5 @@ export interface CmdParams { prefix: string; retention: number; region: string; + sso: boolean; } diff --git a/src/lib/log-retention/aws/update.ts b/src/lib/log-retention/aws/update.ts index 6f2bfdd..e25fd4b 100644 --- a/src/lib/log-retention/aws/update.ts +++ b/src/lib/log-retention/aws/update.ts 
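Review bot: With `sso` set, the provider chain in `setAWSCredentials` still begins with `environmentCredentials('AWS')` and `environmentCredentials('AMAZON')`, so a shell with static keys exported resolves those first and `--sso` is silently ignored. The operator can then act as a different principal than the one requested; consider `const sources: (() => AWS.Credentials)[] = sso ? [] : [environmentCredentials('AWS'), environmentCredentials('AMAZON')];` and reporting which provider resolved when verbose is on. Separately, `(AWS as any).util.defaultProfile` reads an SDK internal through an `any` cast: if that property is ever undefined the comparison is always true and `default` becomes `profile default`, so comparing against the literal `'default'` would be more robust. The function body continues past the end of the hunk.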
@@ -6,7 +6,7 @@ export function ValidatePrefix(logGroupName: string, prefix: string): boolean { } export async function SetRetentions(args: CmdParams): Promise { - await setAWSCredentials(args.profile, args.region); + await setAWSCredentials(args.profile, args.region, args.sso); const logGroups = await getLogGroups(); diff --git a/src/lib/monitoring/types.ts b/src/lib/monitoring/types.ts index 04daa7f..ba247ad 100644 --- a/src/lib/monitoring/types.ts +++ b/src/lib/monitoring/types.ts @@ -25,6 +25,7 @@ export interface Args { region?: string; dry: boolean; verbose: boolean; + sso?: boolean; } /**