AWS STS Credentials and Google Apps Federated User

  • You are a developer working with the aws cli for the purposes of testing your Dev stack.
  • Your organisation has enabled SSO via SAML, with Google as the Identity Provider.
  • Your Google account (eg@myexample.com) has been provisioned for access to AWS.
  • Access to AWS resources requires that you authenticate with your federated user and request temporary credentials from the AWS Security Token Service (STS). You are advised that the role you need to “assume” to request the credentials is arn:aws:iam::111222333444:role/saml-init.
  • Once you have your STS temporary credentials, you will be permitted to “assume” a secondary development role, which has been provisioned to allow access to AWS resources such as S3 and Elastic Container Registry (ECR). The ARN of the secondary role is arn:aws:iam::888777666555:role/assumed-dev.

Federated Login Helper (aws-google-auth)

Option 1: Local Python Installation

$ pip install aws-google-auth

Option 2: Docker Installation

$ git clone https://github.com/cevoaustralia/aws-google-auth \
aws-google-auth
$ cd aws-google-auth
$ docker build --rm -t aws-google-auth .

Locating Google Identity and SAML Provider IDs (IDPID/SPID)

  • Google Identity Provider ID (idpid)
  • SAML Service Provider ID assigned by Google (spid)

Generate STS Temporary Credentials

Mount your local .aws directory into the container so that the profile and credentials the tool writes land on the host:
  • Linux-based hosts: -v $HOME/.aws:/root/.aws
  • Windows hosts: -v c:/Users/<username>/.aws:/root/.aws

Run the Docker Image

$ docker run -it aws-google-auth -h
..
...
-u USERNAME (Google Apps username)
-I IDPID (Google Identity Provider identifier)
-S SPID (SAML Provider identifier )
-R REGION (AWS region endpoint)
-d DURATION (Credential duration in SECONDS)
-p PROFILE (AWS profile - defaults to value of $AWS_PROFILE)
-r ROLE_ARN (The ARN of the role to assume. If not supplied, a list roles to choose from will be listed)
..
...
username=eg@myexample.com
idpid=X7x0Xxxx
spid=000111000111
region=us-east-1
duration=3600
profile=sts-temp
role_arn=arn:aws:iam::111222333444:role/saml-init
$ docker run -it -v $HOME/.aws:/root/.aws aws-google-auth \
-u eg@myexample.com \
-I X7x0Xxxx \
-S 000111000111 \
-R us-east-1 \
-d 3600 \
-p sts-temp \
-r arn:aws:iam::111222333444:role/saml-init
Google Password: *******
Enter SMS token: G-nnnnnn
Assuming arn:aws:iam::111222333444:role/saml-init
Credentials Expiration: 2020-07-12 00:41:15+00:00

Verify AWS Config & Credentials

[profile sts-temp]
region = us-east-1
google_config.ask_role = False
google_config.keyring = False
google_config.duration = 3600
google_config.google_idp_id = X7x0Xxxx
google_config.role_arn = arn:aws:iam::111222333444:role/saml-init
google_config.google_sp_id = 000111000111
google_config.u2f_disabled = False
google_config.google_username = eg@myexample.com
google_config.bg_response = None
[sts-temp]
aws_access_key_id = exampleAAAAAAAAAAAAAAAAAAAAAA
aws_secret_access_key = exampleBBBBBBBBBBBBBBBBBBBBB
aws_security_token = exampleCCCCCCCCCCCCCCCCCC
aws_session_expiration = exampleDDDDDDDDDDDDDDDDDDDDDD
aws_session_token = exampleEEEEEEEEEEEEEEEEEEEE

Refreshing AWS STS Credentials

Switch to/Assume Secondary Role using STS Credentials

[profile dev-env]
region = us-east-1
source_profile = sts-temp
role_arn = arn:aws:iam::888777666555:role/assumed-dev
$ aws configure set profile.dev-env.region us-east-1
$ aws configure set profile.dev-env.source_profile sts-temp
$ aws configure set profile.dev-env.role_arn arn:aws:iam::888777666555:role/assumed-dev

Putting it all Together

1. Authenticate with Federated User and Retrieve STS Credentials

  • Authenticate with Federated Google account using aws-google-auth and obtain STS temporary credentials for profile sts-temp.
$ docker run -it -v $HOME/.aws:/root/.aws aws-google-auth \
-u eg@myexample.com \
-I X7x0Xxxx \
-S 000111000111 \
-R us-east-1 \
-d 3600 \
-p sts-temp \
-r arn:aws:iam::111222333444:role/saml-init

2. Configure New AWS Profile for Secondary Role to use STS

  • Create new AWS profile for the secondary role
[profile dev-env]
region = us-east-1
source_profile = sts-temp
role_arn = arn:aws:iam::888777666555:role/assumed-dev
$ aws configure set profile.dev-env.region us-east-1
$ aws configure set profile.dev-env.source_profile sts-temp
$ aws configure set profile.dev-env.role_arn arn:aws:iam::888777666555:role/assumed-dev

3. Start Using CLI Commands

  • S3 list bucket subdir/key
$ aws s3 ls s3://mybucket/mydir --profile dev-env
  • ECR get docker registry login, get-login
$ aws ecr get-login --registry-ids xxxxxxxxxxxx --no-include-email --profile dev-env

4. Update/Refresh Expired STS credentials

$ docker run -it -v $HOME/.aws:/root/.aws aws-google-auth \
-u eg@myexample.com \
-I X7x0Xxxx \
-S 000111000111 \
-R us-east-1 \
-d 3600 \
-p sts-temp \
-r arn:aws:iam::111222333444:role/saml-init
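To tell when step 4 is actually due, the following added example (not code from the post or from the aws-google-auth project) parses the sts-temp credentials and the dev-env role-chaining profile shown above, reports the time left on the STS session, and rebuilds the step 1/step 4 refresh command from its values. The profile names and ARNs come from the post; the constructed file contents and the assumption that the expiry is stored in the format the tool prints on the console are the example's own.

```python
import configparser
import os
from datetime import datetime, timezone

# Constructed samples of ~/.aws/credentials (as aws-google-auth writes sts-temp) and
# ~/.aws/config (the dev-env role-chaining profile). Key values are placeholders, and
# storing the expiry as the tool prints it ("2020-07-12 00:41:15+00:00") is assumed.
CREDENTIALS = """
[sts-temp]
aws_access_key_id = exampleAAAAAAAAAAAAAAAAAAAAAA
aws_secret_access_key = exampleBBBBBBBBBBBBBBBBBBBBB
aws_session_token = exampleEEEEEEEEEEEEEEEEEEEE
aws_session_expiration = 2020-07-12 00:41:15+00:00
"""
CONFIG = """
[profile dev-env]
region = us-east-1
source_profile = sts-temp
role_arn = arn:aws:iam::888777666555:role/assumed-dev
"""

def _load(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp

def seconds_remaining(credentials_text, profile, now=None):
    """Seconds until the STS session of `profile` expires (negative once expired);
    None if the profile carries no aws_session_expiration, i.e. is not an STS profile."""
    cp = _load(credentials_text)
    if not cp.has_option(profile, "aws_session_expiration"):
        return None
    expiry = datetime.fromisoformat(cp.get(profile, "aws_session_expiration"))
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    return (expiry - (now or datetime.now(timezone.utc))).total_seconds()

def source_profile_for(config_text, profile):
    """The source_profile a role-chaining profile such as dev-env draws its STS creds from."""
    return _load(config_text).get("profile " + profile, "source_profile", fallback=None)

def needs_refresh(config_text, credentials_text, profile, now=None, margin=300):
    """True when the STS creds behind `profile` are absent, expired or within `margin` s of expiry."""
    source = source_profile_for(config_text, profile) or profile
    left = seconds_remaining(credentials_text, source, now)
    return left is None or left < margin

def refresh_command(username, idpid, spid, region, duration, profile, role_arn):
    """argv of the step-4 refresh: the post's docker invocation rebuilt from its values."""
    mount = os.path.expanduser("~/.aws") + ":/root/.aws"  # the -v bind mount from the post
    return ["docker", "run", "-it", "-v", mount, "aws-google-auth", "-u", username, "-I", idpid,
            "-S", spid, "-R", region, "-d", str(duration), "-p", profile, "-r", role_arn]
```

Pointing the two constants at the real ~/.aws files and calling needs_refresh(CONFIG, CREDENTIALS, "dev-env") before a CLI session tells you whether to re-run aws-google-auth first.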

Programmatic Access with Python & boto

import boto3

# The dev-env profile chains through sts-temp: boto3 reads source_profile and
# role_arn from ~/.aws/config and performs the STS AssumeRole for you.
session = boto3.Session(profile_name='dev-env')
dev_s3_client = session.client('s3')

# 'Contents' is absent from the response when the bucket is empty.
for obj in dev_s3_client.list_objects(Bucket='mybucket').get('Contents', []):
    print(obj['Key'])

Final Comments

  • Removing the user’s account from the linked Identity Provider/Organisation (eg. Google GSuite) ensures the user no longer has access to the AWS account.
  • The use of temporary credentials with a short expiration period (as opposed to issuing non-expiring keys) enforces the concept of key rotation.
  • Managing compromised temporary credentials is likely to be simpler than managing compromised permanent keys.

UPDATE May 2022 - aws-google-auth Trace ERROR:root:'NoneType' object has no attribute 'get'

~ $ aws-google-auth -V
aws-google-auth 0.0.37
~ $ aws-google-auth -u xxxx@example.com -I xxxxxxxxx -S 123456789654 -R us-east-1 -d 3600 -p testing
Google Password:
ERROR:root:'NoneType' object has no attribute 'get'
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/aws_google_auth/__init__.py", line 79, in cli
    process_auth(args, config)
  File "/usr/local/lib/python3.8/site-packages/aws_google_auth/__init__.py", line 243, in process_auth
    google_client.do_login()
  File "/usr/local/lib/python3.8/site-packages/aws_google_auth/google.py", line 256, in do_login
    passwd_challenge_url = 'https://accounts.google.com' + form.get('action')
AttributeError: 'NoneType' object has no attribute 'get'
  • Find install location of aws-google-auth:
~ $ pip show aws-google-auth
Name: aws-google-auth
Version: 0.0.37
Summary: Acquire AWS STS (temporary) credentials via Google Apps SAML Single Sign On
Home-page: https://github.com/cevoaustralia/aws-google-auth
Author: Colin Panisset
Author-email: colin.panisset@cevo.com.au
License: MIT
Location: /usr/local/lib/python3.8/site-packages
Requires: beautifulsoup4, boto3, configparser, filelock, keyring, keyrings.alt, lxml, Pillow, requests, six, tabulate, tzlocal
Required-by:
  • Edit the following file:
/usr/local/lib/python3.8/site-packages/aws_google_auth/google.py
        # Set bg_response in request payload to passwd challenge
        if self.config.bg_response:
            payload['bgresponse'] = self.config.bg_response

Tony Tannous