AWS STS Credentials and Google Apps Federated User

Federated Login Helper (aws-google-auth)

$ pip install aws-google-auth
$ git clone https://github.com/cevoaustralia/aws-google-auth \
aws-google-auth
$ cd aws-google-auth
$ docker build --rm -t aws-google-auth .

Locating Google Identity and SAML Provider IDs (IDPID/SPID)

Generate STS Temporary Credentials

$ docker run -it aws-google-auth -h
..
...
-u USERNAME (Google Apps username)
-I IDPID (Google Identity Provider identifier)
-S SPID (SAML Provider identifier )
-R REGION (AWS region endpoint)
-d DURATION (Credential duration in SECONDS)
-p PROFILE (AWS profile - defaults to value of $AWS_PROFILE)
-r ROLE_ARN (The ARN of the role to assume. If not supplied
,a list roles to choose from will be listed)
..
...
username=eg@myexample.com
idpid=X7x0Xxxx
spid=000111000111
region=us-east-1
duration=3600
profile=sts-temp
role_arn=arn:aws:iam::111222333444:role/saml-init
$ docker run -it -v $HOME/.aws:/root/.aws aws-google-auth \
-u eg@myexample.com \
-I X7x0Xxxx \
-S 000111000111 \
-R us-east-1 \
-d 3600 \
-p sts-temp \
-r arn:aws:iam::111222333444:role/saml-init
Google Password: *******
Enter SMS token: G-nnnnnn
Assuming arn:aws:iam::111222333444:role/saml-init
Credentials Expiration: 2020-07-12 00:41:15+00:00
[profile sts-temp]
region = us-east-1
google_config.ask_role = False
google_config.keyring = False
google_config.duration = 3600
google_config.google_idp_id = X7x0Xxxx
google_config.role_arn = arn:aws:iam::111222333444:role/saml-init
google_config.google_sp_id = 000111000111
google_config.u2f_disabled = False
google_config.google_username = eg@myexample.com
google_config.bg_response = None
[sts-temp]
aws_access_key_id = exampleAAAAAAAAAAAAAAAAAAAAAA
aws_secret_access_key = exampleBBBBBBBBBBBBBBBBBBBBB
aws_security_token = exampleCCCCCCCCCCCCCCCCCC
aws_session_expiration = exampleDDDDDDDDDDDDDDDDDDDDDD
aws_session_token = exampleEEEEEEEEEEEEEEEEEEEE

Switch to/Assume Secondary Role using STS Credentials

[profile dev-env]
region = us-east-1
source_profile = sts-temp
role_arn = arn:aws:iam::888777666555:role/assumed-dev
$ aws configure set profile.dev-env.region us-east-1
$ aws configure set profile.dev-env.source_profile sts-temp
$ aws configure set profile.dev-env.role_arn \
arn:aws:iam::888777666555:role/assumed-dev
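The profile chain above (dev-env → source_profile sts-temp → static STS keys) is what the AWS CLI and boto3 resolve before assuming the secondary role, and the STS keys it bottoms out on expire after the requested duration. The following script is an added example, not part of the original post or of aws-google-auth: it parses constructed copies of ~/.aws/config and ~/.aws/credentials, walks the chain, refuses cycles, and reports how long the underlying STS credentials have left so a wrapper can re-run aws-google-auth before a boto3 call fails. It assumes aws_session_expiration is stored as an ISO-8601 timestamp with a UTC offset (the page shows a placeholder value, so that format is an assumption).

```python
import configparser
from datetime import datetime, timezone

# Constructed sample files mirroring the layout aws-google-auth and `aws configure`
# write to ~/.aws/config and ~/.aws/credentials. All values are placeholders.
SAMPLE_CONFIG = """
[profile sts-temp]
region = us-east-1
google_config.duration = 3600
google_config.role_arn = arn:aws:iam::111222333444:role/saml-init

[profile dev-env]
region = us-east-1
source_profile = sts-temp
role_arn = arn:aws:iam::888777666555:role/assumed-dev
"""

SAMPLE_CREDENTIALS = """
[sts-temp]
aws_access_key_id = exampleAAAAAAAAAAAAAAAAAAAAAA
aws_secret_access_key = exampleBBBBBBBBBBBBBBBBBBBBB
aws_session_token = exampleEEEEEEEEEEEEEEEEEEEE
aws_session_expiration = 2020-07-12T00:41:15+00:00
"""


def load_ini(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def config_section(profile):
    # ~/.aws/config names non-default profiles "[profile NAME]"; ~/.aws/credentials uses "[NAME]".
    return "default" if profile == "default" else f"profile {profile}"


def resolve_chain(cfg, creds, profile, max_depth=5):
    """Follow source_profile links from `profile` down to the profile holding static keys.

    Returns (role_arns, credentials_section): the roles to assume, outermost first,
    and the credentials section they ultimately rely on. Raises ValueError on a
    missing profile, a missing role_arn, a cycle, or an over-long chain.
    """
    roles = []
    seen = set()
    current = profile
    while True:
        if current in seen:
            raise ValueError(f"source_profile cycle at {current!r}")
        seen.add(current)
        if len(seen) > max_depth:
            raise ValueError("profile chain too deep")
        section = config_section(current)
        if cfg.has_section(section) and cfg.has_option(section, "source_profile"):
            if not cfg.has_option(section, "role_arn"):
                raise ValueError(f"profile {current!r} has source_profile but no role_arn")
            roles.append(cfg.get(section, "role_arn"))
            current = cfg.get(section, "source_profile")
            continue
        if not creds.has_section(current):
            raise ValueError(f"no credentials for profile {current!r}")
        return roles, creds[current]


def seconds_until_expiry(cred_section, now=None):
    """Seconds left on the STS credentials, or None when no expiration is recorded.

    Assumes (see lead-in) an ISO-8601 aws_session_expiration with a UTC offset.
    """
    raw = cred_section.get("aws_session_expiration")
    if raw is None:
        return None
    expires = datetime.fromisoformat(raw)
    if expires.tzinfo is None:
        raise ValueError("aws_session_expiration must carry a UTC offset")
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds()


def check_profile(config_text, creds_text, profile, now=None, min_remaining=300):
    """Resolve `profile` and flag it for refresh when fewer than min_remaining seconds remain."""
    cfg = load_ini(config_text)
    creds = load_ini(creds_text)
    roles, section = resolve_chain(cfg, creds, profile)
    remaining = seconds_until_expiry(section, now)
    needs_refresh = remaining is not None and remaining < min_remaining
    return {"roles": roles, "remaining": remaining, "needs_refresh": needs_refresh}


if __name__ == "__main__":
    print(check_profile(SAMPLE_CONFIG, SAMPLE_CREDENTIALS, "dev-env"))
```

Run against the real files by reading ~/.aws/config and ~/.aws/credentials into the two text arguments; when needs_refresh is true, re-run the aws-google-auth command from the previous section before starting the boto3 session.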

Putting it all Together

$ docker run -it -v $HOME/.aws:/root/.aws aws-google-auth \
-u eg@myexample.com \
-I X7x0Xxxx \
-S 000111000111 \
-R us-east-1 \
-d 3600 \
-p sts-temp \
-r arn:aws:iam::111222333444:role/saml-init
[profile dev-env]
region = us-east-1
source_profile = sts-temp
role_arn = arn:aws:iam::888777666555:role/assumed-dev
$ aws configure set profile.dev-env.region us-east-1
$ aws configure set profile.dev-env.source_profile sts-temp
$ aws configure set profile.dev-env.role_arn \
arn:aws:iam::888777666555:role/assumed-dev
$ aws s3 ls s3://mybucket/mydir --profile dev-env
$ aws ecr get-login --registry-ids xxxxxxxxxxxx --no-include-email --profile dev-env
$ docker run -it -v $HOME/.aws:/root/.aws aws-google-auth \
-u eg@myexample.com \
-I X7x0Xxxx \
-S 000111000111 \
-R us-east-1 \
-d 3600 \
-p sts-temp \
-r arn:aws:iam::111222333444:role/saml-init

Programmatic Access with Python & boto

import boto3

# The dev-env profile chains to sts-temp, so boto3 assumes the secondary role
# using the STS credentials aws-google-auth wrote.
session = boto3.Session(profile_name='dev-env')
dev_s3_client = session.client('s3')

# 'Contents' is absent from the response when the bucket is empty.
for key in dev_s3_client.list_objects(Bucket='mybucket').get('Contents', []):
    print(key['Key'])

Final Comments

**UPDATE May 2022 - aws-google-auth Trace ERROR:root:'NoneType' object has no attribute 'get'**

~ $ aws-google-auth -V
aws-google-auth 0.0.37
~ $ aws-google-auth -u xxxx@example.com -I xxxxxxxxx -S 123456789654 -R us-east-1 -d 3600 -p testing
Google Password:
ERROR:root:'NoneType' object has no attribute 'get'
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/aws_google_auth/__init__.py", line 79, in cli
    process_auth(args, config)
  File "/usr/local/lib/python3.8/site-packages/aws_google_auth/__init__.py", line 243, in process_auth
    google_client.do_login()
  File "/usr/local/lib/python3.8/site-packages/aws_google_auth/google.py", line 256, in do_login
    passwd_challenge_url = 'https://accounts.google.com' + form.get('action')
AttributeError: 'NoneType' object has no attribute 'get'
~ $ pip show aws-google-auth
Name: aws-google-auth
Version: 0.0.37
Summary: Acquire AWS STS (temporary) credentials via Google Apps SAML Single Sign On
Home-page: https://github.com/cevoaustralia/aws-google-auth
Author: Colin Panisset
Author-email: colin.panisset@cevo.com.au
License: MIT
Location: /usr/local/lib/python3.8/site-packages
Requires: beautifulsoup4, boto3, configparser, filelock, keyring, keyrings.alt, lxml, Pillow, requests, six, tabulate, tzlocal
Required-by:

/usr/local/lib/python3.8/site-packages/aws_google_auth/google.py
        # Set bg_response in request payload to passwd challenge
        if self.config.bg_response:
            payload['bgresponse'] = self.config.bg_response
