Add --so-scope in hint for granted sso login (#619)

When running granted without --auto-login, and if the token is expired or missing, it will print a hint. This hint should include --sso-scopes if the profile has this setting as granted_sso_registration_scopes = ... Example: $ ./bin/dgranted credential-process --profile myprofile/myrole [✘] error when retrieving credentials from custom process. please login using 'granted sso login --sso-start-url https://d-....awsapps.com/start --sso-region us-west-2 --sso-scope sso:account:access'
common-fate · Mar 6, 2024 · 9924d63 · 9924d63
1 parent 63cf3ec
commit 9924d63
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/pkg/cfaws/assumer_aws_sso.go b/pkg/cfaws/assumer_aws_sso.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -194,6 +195,11 @@ func (c *Profile) SSOLogin(ctx context.Context, configOpts ConfigOpts) (aws.Cred
 			cmd += " --sso-region " + region
 		}
 
+		scopes := c.SSOScopes()
+		if len(scopes) > 0 {
+			cmd += " --sso-scope " + strings.Join(scopes, ",")
+		}
+
 		// if the token exists but is invalid, attempt to clear it so that next login works.
 		secureSSOTokenStorage.ClearSSOToken(ssoTokenKey)