What does HackerNews think of saml2aws?
CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
Language: Go
Depending on your SSO provider, you can list all the roles using saml2aws[0] and then parse the output so you can generate the relevant config. It is a bit tedious, but it works.
In my company everything goes through Active Directory and we use saml2aws [1] to generate credentials with two factor involved. It works quite well for us. We even use this for our artists to create local builds of our games since we keep all important secrets and such in AWS Secrets Manager. We scope access to said secrets with custom roles and tags.
Have you considered saml2aws[0]?
We've been using SAML to log in to AWS for the better part of a year now and it's been pretty good for us.
When logging in, you assume a role (sts:AssumeRoleWithSAML). I'm surprised you did not mention the worst part: logging in to the CLI with this. You have to manually input the returned SAML assertion to the AWS CLI[1], but luckily there is a tool called saml2aws[2] to do this with the majority of identity providers.
saml2aws sadly didn't have proper support for assuming many roles at once, so we even ended up writing our own tool for this.
This is something AWS has completely ignored so far and I am not aware of any progress towards a better CLI experience.
[1]: https://aws.amazon.com/premiumsupport/knowledge-center/aws-c...
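The role-selection step the comment above describes, as an added example that is not code from the thread or from saml2aws: the IdP's SAMLResponse carries a Role attribute whose values pair a role ARN with the SAML provider ARN, and those two ARNs plus the assertion are the inputs to sts:AssumeRoleWithSAML. The XML document, account id, role and provider names are constructed for the example.

```go
package main
import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)
// Constructed sample IdP response; a real one also carries a signature, subject and conditions.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/CorpAD</saml:AttributeValue>
<saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpAD,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration"><saml:AttributeValue>3600</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>`
type AwsRole struct{ RoleARN, PrincipalARN string } // the two ARNs sts:AssumeRoleWithSAML takes along with the assertion
type samlResponse struct { // only the attribute statement is needed; encoding/xml matches local names, ignoring prefixes
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Assertion>AttributeStatement>Attribute"`
}
// ParseAwsRoles decodes the base64 SAMLResponse form value and lists every AWS role it offers.
func ParseAwsRoles(b64 string) ([]AwsRole, error) {
	var resp samlResponse
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err == nil {
		err = xml.Unmarshal(raw, &resp)
	}
	if err != nil {
		return nil, fmt.Errorf("bad SAMLResponse: %w", err)
	}
	var roles []AwsRole
	for _, a := range resp.Attributes {
		if a.Name != "https://aws.amazon.com/SAML/Attributes/Role" {
			continue // e.g. SessionDuration or RoleSessionName
		}
		for _, v := range a.Values {
			role, principal, ok := strings.Cut(strings.TrimSpace(v), ",")
			if !ok {
				return nil, fmt.Errorf("malformed Role value %q", v)
			}
			if strings.Contains(role, ":saml-provider/") { // AWS accepts the pair in either order
				role, principal = principal, role
			}
			roles = append(roles, AwsRole{role, principal})
		}
	}
	return roles, nil
}
func main() { // the menu a tool like saml2aws shows before calling STS
	fmt.Println(ParseAwsRoles(base64.StdEncoding.EncodeToString([]byte(sampleResponse))))
}
```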