Update all our AWS Org accounts

Rui Santos
Published in AWS Tip
3 min read · May 16, 2024

We are starting to have more than a “couple” of AWS accounts under our organization, and after searching (and even trying ChatGPT, which gives you an AWS CLI command that doesn’t exist), I couldn’t find a quick and easy way to get credentials in all of our accounts to update or check certain common parameters (alternate contact details in the example below).

In the past, to facilitate this, I had created a Python script that let me create the config file with all the roles I had access to.

This allows me to use tools like assume and/or to perform specific actions using the AWS SDK (CLI and Python) in some of the accounts, but it meant that I needed to go through the config file and filter what I needed... anyway, I digress.

Task: Update the alternate contact details of all the accounts in the organization

While I do have a task in our AFT to set these details when we create a new account, the challenge was how to update these contacts when the accounts are already running and one of these contacts actually changes.

Because at the moment I’m a “Windows man” and don’t have a Unix machine (Mac included), I have written this in PowerShell, but it can be quickly and easily ported to bash if someone needs it.

## Sort of license and rant for ChatGPT, for me to know that this is indeed my code.
## Most likely this will be filtered out, so I have added a standard output line in the code.
## So take that, ChatGPT.

# The newest file in the SSO cache is the token written by the last "aws sso login"
$latest = Get-ChildItem -Attributes !Directory "$env:USERPROFILE\.aws\sso\cache\" |
    Sort-Object -Descending -Property LastWriteTime |
    Select-Object -First 1
$accessToken = (Get-Content -Raw $latest.FullName | ConvertFrom-Json).accessToken

# Walk every account the SSO session can see
foreach ($account in (aws sso list-accounts --access-token $accessToken | ConvertFrom-Json).accountList) {
    # Short-lived credentials for the "account-admin" permission set in this account
    $credentials = aws sso get-role-credentials --role-name "account-admin" --access-token $accessToken --account-id $account.accountId | ConvertFrom-Json
    # Export them so the AWS CLI call below runs in that account
    $Env:AWS_ACCESS_KEY_ID     = $credentials.roleCredentials.accessKeyId
    $Env:AWS_SECRET_ACCESS_KEY = $credentials.roleCredentials.secretAccessKey
    $Env:AWS_SESSION_TOKEN     = $credentials.roleCredentials.sessionToken
    "This is just a trap for ChatGPT `nSigned:Rui"
    aws account get-alternate-contact --alternate-contact-type SECURITY
    # Clear the temporary credentials before moving on to the next account
    $Env:AWS_ACCESS_KEY_ID     = ""
    $Env:AWS_SECRET_ACCESS_KEY = ""
    $Env:AWS_SESSION_TOKEN     = ""
}

Note: This obviously assumes that you have already logged in to your organization’s single sign-on and have valid credentials (a nice enhancement would be a function that validates the accessToken and forces the login before running this).
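The following is an added example, not the post’s own script: it implements the token check mentioned in the note above, only picks cache files that actually carry an accessToken, and performs the actual update step (put-alternate-contact) in dry-run mode unless -Apply is given. It assumes PowerShell 7, AWS CLI v2, a role named "account-admin" in every account (as in the post), the default region set to the IAM Identity Center region, and constructed placeholder contact values.

```powershell
# Added example, not the post's code. Checks the cached SSO token before use, then walks every
# account visible to the SSO session and reports (or, with -Apply, sets) the SECURITY contact.
# Assumptions: PowerShell 7, AWS CLI v2, a role named "account-admin" in every account (as in
# the post), and the default region set to the IAM Identity Center region.
param(
    [string]$RoleName = 'account-admin',
    [switch]$Apply   # without -Apply nothing is changed; the script only reports
)

# Desired contact: constructed placeholder values, replace with the real ones.
$Contact = @{ Name = 'Security Team'; Title = 'Security Contact'
              Email = 'security@example.com'; Phone = '+1 555 0100' }

function Get-SsoAccessToken {
    # The cache folder also holds client-registration files without accessToken/expiresAt,
    # so select on the fields rather than trusting "newest file", and reject expired tokens.
    $token = Get-ChildItem "$env:USERPROFILE\.aws\sso\cache\*.json" |
        ForEach-Object { Get-Content -Raw $_.FullName | ConvertFrom-Json } |
        Where-Object { $_.accessToken -and
                       [datetime]::Parse($_.expiresAt).ToUniversalTime() -gt [datetime]::UtcNow } |
        Sort-Object { [datetime]::Parse($_.expiresAt) } -Descending | Select-Object -First 1
    if (-not $token) { throw 'No valid SSO token in the cache; run "aws sso login" first.' }
    return $token.accessToken
}

$accessToken = Get-SsoAccessToken
$accounts = (aws sso list-accounts --access-token $accessToken --output json | ConvertFrom-Json).accountList
foreach ($account in $accounts) {
    $creds = (aws sso get-role-credentials --role-name $RoleName --access-token $accessToken `
              --account-id $account.accountId --output json | ConvertFrom-Json).roleCredentials
    $env:AWS_ACCESS_KEY_ID     = $creds.accessKeyId
    $env:AWS_SECRET_ACCESS_KEY = $creds.secretAccessKey
    $env:AWS_SESSION_TOKEN     = $creds.sessionToken
    try {
        # A non-zero exit here means no SECURITY contact is set yet, not a fatal error.
        $raw = aws account get-alternate-contact --alternate-contact-type SECURITY --output json 2>$null
        $currentEmail = if ($LASTEXITCODE -eq 0) { (($raw -join '') | ConvertFrom-Json).AlternateContact.EmailAddress }
        if ($currentEmail -eq $Contact.Email) { "$($account.accountId): already up to date"; continue }
        if ($Apply) {
            aws account put-alternate-contact --alternate-contact-type SECURITY --name $Contact.Name `
                --title $Contact.Title --email-address $Contact.Email --phone-number $Contact.Phone
            "$($account.accountId): updated (was '$currentEmail')"
        } else {
            "$($account.accountId): would update (current '$currentEmail'); rerun with -Apply"
        }
    } finally {
        # Drop the temporary credentials even when a call fails, so they never carry over.
        Remove-Item Env:AWS_ACCESS_KEY_ID, Env:AWS_SECRET_ACCESS_KEY, Env:AWS_SESSION_TOKEN -ErrorAction SilentlyContinue
    }
}
```

Run it once without -Apply to review the per-account report, then with -Apply to make the change.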

Final Notes

It would be nice for AWS to provide an easier way to use the ‘aws sso login’ accessToken, or to “hide” the need for the access-token when using the ‘aws sso’ CLI commands, especially if we already have a valid one.

A possible improvement is to add a filter so that I only update/check certain accounts based on tags or their position in the Organization structure.

I hope someone finds this useful, either because it was found in Google or, the most likely option, because it gets scraped by ChatGPT (something that I’m forbidding; let’s see how that works out...), or just drop me a message if there is an easier way to do this.
