Metadata-Version: 2.4
Name: ssof
Version: 0.1.0
Summary: A simple CLI tool to manage AWS SSO sessions
Author-email: Your Name <your.email@example.com>
License: MIT
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: click>=8.3.0
Requires-Dist: boto3>=1.43.0
Requires-Dist: questionary>=2.1.0
Provides-Extra: dev
Requires-Dist: pytest>=9.0.0; extra == "dev"
Requires-Dist: black>=26.0.0; extra == "dev"

# Tori - AWS SSO Session Manager

Ultra-simple CLI tool to manage AWS SSO sessions across multiple organizations. Configure once per org, then just `tori assume <account>` and you're in!

## Installation

Tori uses [uv](https://docs.astral.sh/uv/) for dependency management.

```bash
# Install uv if you don't have it
brew install uv  # or: curl -LsSf https://astral.sh/uv/install.sh | sh

# Sync dependencies and install tori in editable mode
uv sync

# Run tori via uv (no activation needed)
uv run tori --help

# Or activate the venv to use `tori` directly
source .venv/bin/activate
tori --help
```

## Quick Start

1. **Configure Tori with your SSO details**:
```bash
tori configure my-org
```
Enter your SSO start URL and region when prompted. Tori will authenticate and cache all available accounts.

2. **List available accounts**:
```bash
tori list
```
This shows all AWS accounts you have access to via SSO across all configured orgs.

3. **Assume a role**:
```bash
tori assume my-account-name
```
This will:
- Authenticate with AWS SSO (if needed)
- Get temporary credentials
- Back up your current default profile (if one exists) to a named profile
- Configure your default AWS CLI profile automatically
- You're ready to use AWS CLI immediately!

## Commands

### `tori configure <org-name>`
Configure AWS SSO settings for an organization. You can configure multiple orgs.

**Example:**
```bash
tori configure my-company
# Enter SSO start URL: https://my-company.awsapps.com/start
# Enter SSO region: us-east-1
```

The first org you configure becomes the default. All accounts will be cached automatically.

### `tori assume <account> [org-name]`
Assume an AWS SSO role and configure the default AWS profile with credentials.

**Examples:**
```bash
# Assume by account name (uses default org)
tori assume production

# Assume by account ID
tori assume 123456789012

# Assume from specific org
tori assume production my-company

# Assume with specific role (skips interactive selection)
tori assume production my-company --role AdminRole
```

**Profile Backup:** When you assume a new role, Tori automatically backs up your current default profile to `profile_<account_id>_<role_name>` so you can switch back later.

### `tori refresh [org-name]`
Refresh cached accounts for an organization. Use this when new accounts or roles are added.

**Examples:**
```bash
# Refresh default org
tori refresh

# Refresh specific org
tori refresh my-company
```

### `tori list [org-name]`
List all configured orgs and their AWS SSO accounts.

**Examples:**
```bash
# List all orgs and accounts
tori list

# List accounts for specific org
tori list my-company
```

### `tori status`
Check your current AWS credentials status and see all backed up profiles.

### `tori default <org-name>`
Set the default organization to use when no org name is specified.

**Example:**
```bash
tori default my-company
```

## Configuration

Tori stores its configuration in `~/.tori/config.yaml`:

```yaml
default_org: my-company
orgs:
  my-company:
    sso_start_url: https://my-company.awsapps.com/start
    sso_region: us-east-1
    cached_accounts:
      production:
        accountId: '123456789012'
        accountName: production
        email: aws-prod@company.com
        roles:
          - AdminRole
          - ReadOnlyRole
  another-org:
    sso_start_url: https://another-org.awsapps.com/start
    sso_region: us-west-2
    cached_accounts: {}
active_profiles:
  profile_123456789012_AdminRole:
    account_id: '123456789012'
    role_name: AdminRole
    timestamp: '2025-11-21T10:30:00'
```

Credentials are automatically written to `~/.aws/credentials` (default profile).

## Multi-Org Workflow

Tori supports multiple SSO organizations:

1. **Configure multiple orgs**:
```bash
tori configure company-prod
tori configure company-dev
tori configure client-org
```

2. **Set a default org** (optional):
```bash
tori default company-prod
```

3. **Assume roles**:
```bash
# Uses default org
tori assume my-account

# Uses specific org
tori assume my-account company-dev
```

4. **List all orgs**:
```bash
tori list
```

## Profile Management

When you assume a new role, Tori:
1. Backs up your current default profile to a named profile
2. Sets the new credentials as the default profile
3. Tracks all backed up profiles in the config

**Backed up profile naming:** `profile_<account_id>_<role_name>`

**View backed up profiles:**
```bash
tori status
```

**Switch back to a previous profile:**
Simply use `tori assume` with the account and role you want to switch to.
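
Because every `tori assume` leaves the previous credentials behind under a backup profile, it is worth checking what has accumulated on disk. The script below is an added example, not part of Tori: it flags a credentials file readable beyond its owner and lists backup profiles that still hold secrets. It assumes the backups are sections named `profile_<account_id>_<role_name>` in the same credentials file; `audit_credentials` and `constructed_sample` are hypothetical names, and the sample file contents are constructed.

```python
import configparser
import os
import re
import stat
import tempfile

# Naming convention from the README: profile_<account_id>_<role_name>
BACKUP_RE = re.compile(r"^profile_(\d{12})_(.+)$")
SECRET_KEYS = ("aws_secret_access_key", "aws_session_token")


def audit_credentials(path):
    """Return (severity, message) findings for an AWS credentials file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("high", f"{path} has mode {mode:04o}; expected 0600"))

    # RawConfigParser: no % interpolation, so token values are read verbatim.
    parser = configparser.RawConfigParser()
    parser.read(path)
    for section in parser.sections():
        match = BACKUP_RE.match(section)
        if not match:
            continue  # default or unrelated profile, not a backup (assumed layout)
        held = [key for key in SECRET_KEYS if parser.has_option(section, key)]
        if held:
            account_id, role = match.groups()
            findings.append(
                ("info", f"backup for {account_id}/{role} holds {', '.join(held)}")
            )
    return findings


def constructed_sample(mode):
    """Write a constructed credentials file (fake values) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".credentials")
    with os.fdopen(fd, "w") as fh:
        for name in ("default", "profile_123456789012_AdminRole"):
            fh.write(f"[{name}]\naws_access_key_id = ASIACONSTRUCTED\n"
                     "aws_secret_access_key = constructed\n"
                     "aws_session_token = constructed\n\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = constructed_sample(0o644)
    for severity, message in audit_credentials(sample):
        print(f"[{severity}] {message}")
    os.remove(sample)
```

Point `audit_credentials` at `~/.aws/credentials` (expanded with `os.path.expanduser`) to run it against a real file.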

## How it Works

1. **One-time setup per org**: Store your SSO start URL and region
2. **Automatic caching**: Accounts and roles are cached during configuration
3. **Explicit refresh**: Only re-fetch accounts when you run `tori refresh`
4. **Assume roles**: 
   - Authenticate via AWS SSO (browser-based, only when needed)
   - Get temporary credentials for the selected account and role
   - Back up the current default profile
   - Write new credentials to default AWS profile
   - Use AWS CLI normally!

No need to manage multiple profiles manually or remember account details - just use the account name!

## Requirements

- Python 3.8+
- boto3 (AWS SDK)
- click (CLI framework)
- questionary (interactive prompts)
- pyyaml (config management)
- Internet connection for SSO authentication
