Add support for deployment with AWS SSO Credentials

README.md

@@ -66,6 +66,8 @@ In the root project folder run
 <details>
   <summary>Optional flags</summary>
 
+  `--sso`: a boolean flag indicating if the provided AWS profile should be used with SSO credentials. Default value is `false`.
+
   `--service` -
   a space seperated list of service names to include in the search for resources. By default all resources are included:
   <ul>

src/cmd/cloudwatch/export.ts

@@ -42,6 +42,11 @@ export const builder = (yargs: Argv<{}>): Argv<{}> => {
       type: 'string',
       default: 'alarms.json',
     },
+    sso: {
+      default: false,
+      describe: 'Use an AWS profile with SSO credentials',
+      type: 'boolean',
+    },
   });
 };
 
@@ -52,6 +57,7 @@ interface Args {
   include: string[];
   exclude: string[];
   output: string;
+  sso?: boolean;
 }
 
 interface AlarmExport {
@@ -70,7 +76,7 @@ interface AlarmExport {
 
 export const handler = async (args: Args): Promise<void> => {
   setVerbose(args.verbose);
-  await aws.setAWSCredentials(args.profile, args.region);
+  await aws.setAWSCredentials(args.profile, args.region, args.sso);
 
   const alarms = await aws.getCloudWatchMetricAlarms(args.include, args.exclude);
   const parsed = alarms.reduce((acc, alarm) => {

src/cmd/log-retention/aws.ts

@@ -31,10 +31,15 @@ export const builder = (yargs: Argv<{}>): Argv<{}> => {
         default: false,
         type: 'boolean',
       },
+      sso: {
+        default: false,
+        describe: 'Use an AWS profile with SSO credentials',
+        type: 'boolean',
+      },
     });
 };
 
 export const handler = async (args: types.CmdParams): Promise<void> => {
-  await setAWSCredentials(args.profile, args.region);
+  await setAWSCredentials(args.profile, args.region, args.sso);
   SetRetentions(args);
 };

src/cmd/monitoring/init.ts

@@ -69,12 +69,17 @@ export const builder = (yargs: Argv<{}>): Argv<{}> => {
       default: false,
       type: 'boolean',
     },
+    sso: {
+      default: false,
+      describe: 'Use an AWS profile with SSO credentials',
+      type: 'boolean',
+    },
   });
 };
 
 export const handler = async (args: monitoring.Args): Promise<void> => {
   setVerbose(args.verbose);
-  await aws.setAWSCredentials(args.profile, args.region);
+  await aws.setAWSCredentials(args.profile, args.region, args.sso);
 
   const awsConfig = await monitoring.getAllFromAWS(args);
 

src/cmd/monitoring/update.ts

@@ -67,6 +67,11 @@ export const builder = (yargs: Argv<{}>): Argv<{}> => {
       default: false,
       type: 'boolean',
     },
+    sso: {
+      default: false,
+      describe: 'Use an AWS profile with SSO credentials',
+      type: 'boolean',
+    },
   });
 };
 

src/lib/aws-sdk/credentials.ts

@@ -134,14 +134,18 @@ function environmentCredentials(prefix: string): () => AWS.EnvironmentCredential
 /**
  * Set credentials and region to AWS from config and env variables
  */
-export async function setAWSCredentials(profile?: string, region?: string): Promise<void> {
+export async function setAWSCredentials(profile?: string, region?: string, sso?: boolean): Promise<void> {
   try {
     const sources: (() => AWS.Credentials)[] = [environmentCredentials('AWS'), environmentCredentials('AMAZON')];
 
     profile = profile || process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || 'default';
 
-    if (await canRead(credentialsFileName())) {
+    if (!sso && await canRead(credentialsFileName())) {
       sources.push(() => new AWS.SharedIniFileCredentials({ filename: credentialsFileName(), profile, tokenCodeFn }));
+    } else if (sso && await canRead(configFileName())) {
+      /* eslint-disable-next-line  @typescript-eslint/no-explicit-any */
+      const ssoProfile = profile !== (AWS as any).util.defaultProfile ? 'profile ' + profile : profile;
+      sources.push(() => new AWS.SsoCredentials({ filename: configFileName(), profile: ssoProfile }));
     }
 
     const credentials = await new AWS.CredentialProviderChain(sources).resolvePromise();

src/lib/log-retention/aws/types.ts

@@ -11,4 +11,5 @@ export interface CmdParams {
   prefix: string;
   retention: number;
   region: string;
+  sso: boolean;
 }

src/lib/log-retention/aws/update.ts

@@ -6,7 +6,7 @@ export function ValidatePrefix(logGroupName: string, prefix: string): boolean {
 }
 
 export async function SetRetentions(args: CmdParams): Promise<void> {
-  await setAWSCredentials(args.profile, args.region);
+  await setAWSCredentials(args.profile, args.region, args.sso);
 
   const logGroups = await getLogGroups();
 

src/lib/monitoring/types.ts

@@ -25,6 +25,7 @@ export interface Args {
   region?: string;
   dry: boolean;
   verbose: boolean;
+  sso?: boolean;
 }
 
 /**