Can I get credentials for an AWS account using SSO on the command line without a browser?



I currently use awscli version 2 to obtain temporary credentials on the command line. This seems to require a browser to be involved. That won't work everywhere, for example on a server. I would like to be able to get temporary credentials for my user account on the command line using AWS SSO. Is this possible? From the SDK documentation here and the awscli version 2 utility, there does not appear to be a way to do this.

As mentioned here, the "device code" OAuth2 grant type is explicitly intended for browser-less authentication, but the AWS SSO SDK does not seem to support it.

Any thoughts/ideas/help on this would be greatly appreciated.

Thanks, Vish

In theory the answer is yes, but you would have to build the CLI/script authentication flow for your IdP yourself. AWS SSO looks up and uses an active OIDC token to obtain the profile's credentials. If your IdP offers an API, you can script the authentication against the IdP, perform the token exchange with the AWS SSO service, obtain the required credential data, and write it into the appropriate cache file for the CLI to pick up. The answer depends heavily on which IdP you use, but if you use an HTTP library in the language of your choice to do the work your web browser (or possibly a text browser like Lynx) would do, you should be able to get what you want. You will have to dig into the AWS API documentation and piece together the required workflow, but as far as I know it is pretty much just a SAML interface. What I find interesting is that you can have multiple credential caches, which means you can script across multiple SSO providers (multiple organizations); I built myself a Python library to help do this better.

Source: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

To manually add AWS SSO support to a named profile, you must add the following keys and values to the profile definition in the file ~/.aws/config (Linux or macOS) or %USERPROFILE%/.aws/config (Windows).

sso_start_url
The URL that points to the organization's AWS SSO user portal.
```
sso_start_url = https://my-sso-portal.awsapps.com/start
```

sso_region
The AWS Region that contains the AWS SSO portal host. This is separate from, and can be a different region than, the default CLI region parameter.
```
sso_region = us-west-2
```

sso_account_id
The AWS account ID that contains the IAM role that you want to use with this profile.
```
sso_account_id = 123456789011
```

sso_role_name
The name of the IAM role that defines the user's permissions when using this profile.
```
sso_role_name = ReadAccess
```

The presence of these keys identifies this profile as one that uses AWS SSO to authenticate the user.

You can also include any other keys and values that are valid in the .aws/config file, such as region, output, or s3. However, you can't include any credential-related values, such as role_arn or aws_secret_access_key. If you do, the AWS CLI produces an error.

So a typical AWS SSO profile in .aws/config might look similar to the following example.
```
[profile my-dev-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
output = json
```
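The answer above ends with "write it into the appropriate cache file for the CLI to pick up", and the doc excerpt lists which keys an SSO profile must and must not contain. The following added example (not code from the original post or from AWS) implements both halves in plain Python: it checks a named profile in an `.aws/config` file against those rules, and it persists an access token, obtained elsewhere by your IdP script and token exchange, in the CLI's SSO token cache. The cache layout (`~/.aws/sso/cache/<sha1 of start URL>.json` with `startUrl`, `region`, `accessToken`, `expiresAt`) and the `expiresAt` timestamp format are assumptions about the CLI's behaviour, not something the post states.

```python
import configparser
import hashlib
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Keys the doc excerpt says identify an SSO profile, and keys it says must
# NOT appear next to them (the CLI errors out if they do).
REQUIRED_SSO_KEYS = {"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"}
FORBIDDEN_KEYS = {"role_arn", "aws_access_key_id", "aws_secret_access_key", "aws_session_token"}
EXPIRES_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumption: UTC timestamp format the CLI writes


def validate_sso_profile(config_path: Path, profile: str):
    """Return (missing_sso_keys, forbidden_keys_present) for [profile <name>]."""
    cp = configparser.ConfigParser()
    cp.read(config_path)
    section = f"profile {profile}"
    if not cp.has_section(section):
        raise ValueError(f"no [{section}] in {config_path}")
    keys = set(cp[section])
    return REQUIRED_SSO_KEYS - keys, FORBIDDEN_KEYS & keys


def sso_cache_path(start_url: str, aws_dir: Path) -> Path:
    # Assumption: the CLI names the cache file after the SHA-1 of the start URL.
    digest = hashlib.sha1(start_url.encode("utf-8")).hexdigest()
    return aws_dir / "sso" / "cache" / f"{digest}.json"


def write_sso_token_cache(start_url, region, access_token, expires_in, aws_dir, now=None):
    """Persist a token obtained from the IdP/AWS SSO exchange where the CLI looks for it."""
    now = now or datetime.now(timezone.utc)
    path = sso_cache_path(start_url, aws_dir)
    path.parent.mkdir(parents=True, exist_ok=True)
    payload = {
        "startUrl": start_url, "region": region, "accessToken": access_token,
        "expiresAt": (now + timedelta(seconds=expires_in)).strftime(EXPIRES_FMT),
    }
    path.write_text(json.dumps(payload))
    path.chmod(0o600)  # the token grants role access: keep it owner-only like the CLI's cache
    return path


def cached_token_is_valid(path: Path, now=None, skew=timedelta(minutes=1)) -> bool:
    """True if the cache file exists and its token has not expired (with a safety skew)."""
    if not path.exists():
        return False
    entry = json.loads(path.read_text())
    expires_at = datetime.strptime(entry["expiresAt"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
    return (now or datetime.now(timezone.utc)) + skew < expires_at
```

Run `validate_sso_profile` before your script writes anything, so a profile that still carries `role_arn` or static keys is caught before the CLI refuses it.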
