feat: add SSO auth support #9

Open
phoenix-ru wants to merge 1 commit into main from feat/add-sso-oidc-auth

@phoenix-ru
Member

Summary

Adds AWS SSO auth mode alongside existing static AWS credentials.

Changes

  • Added ssm-secrets auth --sso-start-url <url> SSO login flow.
  • Uses AWS SSO/OIDC SDKs for:
    • client registration
    • device authorization
    • token polling/refresh
    • account and role discovery
    • temporary role credentials
  • Stores SSO auth state in system keyring.
  • Automatically refreshes cached credentials when possible.
  • Opens browser for device login when deep refresh is needed and user allowed it.
  • Migrates legacy static credentials to new { mode: 'static' } format.
  • Added ssm-secrets wipe-credentials.
  • Updated docs and exports.

Usage

Static credentials still work:

ssm-secrets auth

SSO auth:

ssm-secrets auth --sso-start-url https://d-zzzzzz.awsapps.com/start

Optional account/role hints:

ssm-secrets auth \
  --sso-start-url https://d-zzzzzz.awsapps.com/start \
  --region eu-central-1 \
  --account-id 123456789012 \
  --role-name Developer

Remove stored credentials:

ssm-secrets wipe-credentials
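
The refresh order this pull request describes (use cached credentials, refresh silently when possible, open the browser only when a deep refresh is needed and the user allowed it) can be sketched as a pure decision function. This is an added example, not code from the pull request; the stored state shape, the `'sso'` mode value, the action names and the five-minute skew are assumptions.

```javascript
// Added example: hypothetical state shape and names, not the PR's implementation.
// Anything expiring within this window is treated as already expired, so a
// credential is never handed out that dies in the middle of an SSM call.
const SKEW_MS = 5 * 60 * 1000;

// True when an ISO-8601 expiry is missing, unparsable, or inside the skew window.
function isExpired(expiresAt, now) {
  const t = Date.parse(expiresAt ?? '');
  return Number.isNaN(t) || t - SKEW_MS <= now;
}

/**
 * Pick the cheapest step that yields valid role credentials.
 * Assumed state: { mode, roleCredentials?, accessToken?, refreshToken?,
 * clientRegistration? }, where every part except refreshToken carries expiresAt.
 */
function planRefresh(state, { now = Date.now(), allowBrowser = false } = {}) {
  if (!state) return { action: 'fail', reason: 'no-stored-credentials' };
  if (state.mode === 'static') return { action: 'use-static' };
  if (state.mode !== 'sso') return { action: 'fail', reason: 'unknown-mode' };

  // 1. Temporary role credentials still valid: no network call needed.
  if (state.roleCredentials && !isExpired(state.roleCredentials.expiresAt, now)) {
    return { action: 'use-cached' };
  }
  // 2. SSO access token still valid: only the role credentials are re-fetched.
  if (state.accessToken && !isExpired(state.accessToken.expiresAt, now)) {
    return { action: 'get-role-credentials' };
  }
  // 3. A refresh token is only usable with a client registration that has not expired.
  const clientOk = Boolean(state.clientRegistration) &&
    !isExpired(state.clientRegistration.expiresAt, now);
  if (state.refreshToken && clientOk) return { action: 'refresh-token' };

  // 4. Deep refresh: interactive device login, never without explicit consent.
  if (!allowBrowser) return { action: 'fail', reason: 'interactive-login-required' };
  return { action: clientOk ? 'device-login' : 'register-and-device-login' };
}
```

Failing closed in step 4 keeps non-interactive runs (CI, cron) from blocking on a browser prompt that nobody will answer.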
