This command-line tool allows you to acquire AWS temporary (STS) credentials using Google Apps as a federated (Single Sign-On, or SSO) provider.
You'll first have to set up Google Apps as a SAML identity provider (IdP) for AWS. There are tasks to be performed on both the Google Apps and the Amazon sides; these references should help you with those configurations:
If you need a fairly simple way to assign users to roles in AWS accounts, we have another tool called Google AWS Federator that might help you.
You will need to know Google's assigned Identity Provider ID, and the ID that they assign to the SAML service provider.

Once you've set up the SAML SSO relationship between Google and AWS, you can find the SP ID by drilling into the Google Apps console, under Apps > SAML Apps > Settings for AWS SSO. The URL will include a component that looks like `...#AppDetails:service=123456789012...`; that number is `GOOGLE_SP_ID`.

You can find the `GOOGLE_IDP_ID`, again from the admin console, via Security > Set up single sign-on (SSO). The SSO URL includes a string like `https://accounts.google.com/o/saml2/idp?idpid=aBcD01AbC`, where the last bit (after the `=`) is the IDP ID.
You can install quite easily via `pip`, if you want to have it on your local system:

```
# For basic installation
localhost$ sudo pip install aws-google-auth

# For installation with U2F support
localhost$ sudo pip install aws-google-auth[u2f]
```

Note: If using ZSH you will need to quote the install, as below:

```
localhost$ sudo pip install "aws-google-auth[u2f]"
```
If you don't want to have the tool installed on your local system, or if you prefer to isolate changes, there is a Dockerfile provided, which you can build with:

```
# Perform local build
localhost$ cd ..../aws-google-auth && docker build -t aws-google-auth .

# Use the Docker Hub version
localhost$ docker pull cevoaustralia/aws-google-auth
```
If you want to develop the AWS-Google-Auth tool itself, we thank you! In order to help you get rolling, you'll want to install locally with pip. Of course, you can use your own regular workflow, with tools like virtualenv.

```
# Install (without U2F support)
pip install -e .

# Install (with U2F support)
pip install -e .[u2f]
```
We welcome you to review our code of conduct and contributing documents.
```
$ aws-google-auth -h
usage: aws-google-auth [-h] [-u USERNAME] [-I IDP_ID] [-S SP_ID] [-R REGION]
                       [-d DURATION] [-p PROFILE] [-D] [-q]
                       [--bg-response BG_RESPONSE]
                       [--saml-assertion SAML_ASSERTION] [--no-cache]
                       [--print-creds] [--resolve-aliases]
                       [--save-failure-html] [--save-saml-flow] [-a | -r ROLE_ARN] [-k]
                       [-l {debug,info,warn}] [-V]

Acquire temporary AWS credentials via Google SSO

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        Google Apps username ($GOOGLE_USERNAME)
  -I IDP_ID, --idp-id IDP_ID
                        Google SSO IDP identifier ($GOOGLE_IDP_ID)
  -S SP_ID, --sp-id SP_ID
                        Google SSO SP identifier ($GOOGLE_SP_ID)
  -R REGION, --region REGION
                        AWS region endpoint ($AWS_DEFAULT_REGION)
  -d DURATION, --duration DURATION
                        Credential duration (defaults to value of $DURATION, then
                        falls back to 43200)
  -p PROFILE, --profile PROFILE
                        AWS profile (defaults to value of $AWS_PROFILE, then
                        falls back to 'sts')
  -D, --disable-u2f     Disable U2F functionality.
  -q, --quiet           Quiet output
  --bg-response BG_RESPONSE
                        Override default bgresponse challenge token ($GOOGLE_BG_RESPONSE).
  --saml-assertion SAML_ASSERTION
                        Base64 encoded SAML assertion to use.
  --no-cache            Do not cache the SAML Assertion.
  --print-creds         Print Credentials.
  --resolve-aliases     Resolve AWS account aliases.
  --save-failure-html   Write HTML failure responses to file for
                        troubleshooting.
  --save-saml-flow      Write all GET and PUT requests and HTML responses to/from
                        Google to files for troubleshooting.
  -a, --ask-role        Set true to always pick the role
  -r ROLE_ARN, --role-arn ROLE_ARN
                        The ARN of the role to assume ($AWS_ROLE_ARN)
  -k, --keyring         Use keyring for storing the password.
  -l {debug,info,warn}, --log {debug,info,warn}
                        Select log level (default: warn)
  -V, --version         show program's version number and exit
```
Note: If you want a longer session than the AWS default 3600 seconds (1 hour) duration, you must also modify the IAM Role to permit this. See the AWS documentation for more information.
```
aws-google-auth
```
Note: You can skip prompts by either passing parameters to the command, or setting the specified environment variables.

Set environment variables for anything listed in Usage with `($VARIABLE)` after the command line option:

- `GOOGLE_USERNAME`, `GOOGLE_IDP_ID`, and `GOOGLE_SP_ID` (see above under "Important Data" for how to find the last two; the first one is usually your email address)
- `AWS_PROFILE`: Optional profile name you want the credentials set for (default is 'sts')
- `ROLE_ARN`: Optional ARN of the role to assume

For Docker:

```
docker run -it -e GOOGLE_USERNAME -e GOOGLE_IDP_ID -e GOOGLE_SP_ID -e AWS_PROFILE -e ROLE_ARN -v ~/.aws:/root/.aws cevoaustralia/aws-google-auth
```
You'll be prompted for your password. If you've set up an MFA token for your Google account, you'll also be prompted for the current token value.

If you have a U2F security key added to your Google account, you won't be able to use this via Docker; the Docker container will not be able to access any devices connected to the host ports. You will likely see the following error during runtime: "RuntimeWarning: U2F Device Not Found".

If you have more than one role available to you (and you haven't set up `ROLE_ARN`), you'll be prompted to choose the role from a list.
To enhance usability when using third party tools for managing passwords (aka password managers) you can feed data into `aws-google-auth` from stdin. When receiving data from stdin, `aws-google-auth` disables the interactive prompt and uses the stdin data. Before #82, all interactive prompts could already be fed from stdin apart from the `Google Password:` prompt.

Example usage:

```
$ password-manager show password | aws-google-auth
Google Password: MFA token:
Assuming arn:aws:iam::123456789012:role/admin
Credentials Expiration: ...
```

Note: this feature is intended for password manager integration, not for passing passwords from the command line. Please use the interactive prompt if you need to enter the password manually, as this provides enhanced security by avoiding password leakage to shell history.
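As an added example (not aws-google-auth's own code), this Python prompt helper shows the mechanism the feature relies on: when stdin is not a terminal, each prompt consumes one line from the pipe instead of asking interactively, and a pipe that runs dry is reported rather than silently treated as an empty answer. The `Prompter` class and `collect_login_inputs` are names chosen here.

```python
# Added example (not aws-google-auth's own code): a prompt helper that takes its
# answers from stdin when stdin is a pipe and prompts interactively on a TTY.
import getpass
import io
import sys
from typing import TextIO


class Prompter:
    """Reads one answer per prompt from a piped stream; otherwise asks the user."""

    def __init__(self, stream: TextIO = sys.stdin):
        self.stream = stream
        self.piped = not stream.isatty()

    @classmethod
    def from_text(cls, text: str) -> "Prompter":
        """Build a piped prompter from constructed input (handy for tests)."""
        return cls(io.StringIO(text))

    def ask(self, prompt: str, secret: bool = False) -> str:
        if self.piped:
            line = self.stream.readline()
            if line == "":  # EOF: the caller did not pipe enough values
                raise EOFError(f"no stdin data left for prompt {prompt!r}")
            return line.rstrip("\r\n")
        # Interactive: secrets go through getpass so they are never echoed.
        return getpass.getpass(prompt) if secret else input(prompt)


def collect_login_inputs(prompter: Prompter, mfa_enabled: bool) -> dict:
    """Gather the values the login flow above asks for, in prompt order."""
    answers = {"password": prompter.ask("Google Password: ", secret=True)}
    if not answers["password"]:
        raise ValueError("empty password")
    if mfa_enabled:
        answers["mfa_token"] = prompter.ask("MFA token: ")
    return answers


if __name__ == "__main__":
    # e.g.  password-manager show password | python3 prompter.py
    got = collect_login_inputs(Prompter(), mfa_enabled=True)
    print("read a password of length", len(got["password"]))
```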
Through the use of AWS profiles, using the `-p` or `--profile` flag, the `aws-google-auth` utility will store the supplied username, IDP and SP details in your `~/.aws/config` file.

When re-authenticating using the same profile, the values will be remembered to speed up the re-authentication process. This lets you enter your username, IDP and SP values once, and thereafter only re-enter your password (and MFA token, if enabled).
Creating an alias as below can be a quick and easy way to re-authenticate with a simple command shortcut.

```
alias aws-development='unset AWS_PROFILE; aws-google-auth -I $GOOGLE_IDP_ID -S $GOOGLE_SP_ID -u $USERNAME -p aws-dev ; export AWS_PROFILE=aws-dev'
```

Or, if you've already established a profile with valid cached values:

```
alias aws-development='unset AWS_PROFILE; aws-google-auth -p aws-dev ; export AWS_PROFILE=aws-dev'
```
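As an added example (not the tool's own implementation), the following Python shows how per-profile values can be remembered in `~/.aws/config` so that only the password and MFA token are asked for again; the key names `google_username`, `google_idp_id` and `google_sp_id` are assumptions, while the `[profile <name>]` section naming is the standard AWS config convention.

```python
# Added example (not aws-google-auth's own code): persist the non-secret login
# parameters per AWS profile and report which ones a user must still enter.
import configparser
import os

KEYS = ("google_username", "google_idp_id", "google_sp_id")  # assumed key names


def section_name(profile: str) -> str:
    # ~/.aws/config names the default profile "[default]" and every other
    # profile "[profile <name>]"; getting this wrong silently creates a new section.
    return "default" if profile == "default" else f"profile {profile}"


def load_config(path: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read(path)  # a missing file simply yields an empty config
    return cfg


def remember(path: str, profile: str, username: str, idp_id: str, sp_id: str) -> None:
    """Store username, IDP ID and SP ID under the profile's section."""
    cfg = load_config(path)
    name = section_name(profile)
    if not cfg.has_section(name):
        cfg.add_section(name)
    for key, value in zip(KEYS, (username, idp_id, sp_id)):
        cfg.set(name, key, value)
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # the file sits beside credentials; keep it private


def recall(path: str, profile: str) -> dict:
    """Return stored values; missing ones map to None so the caller prompts."""
    cfg = load_config(path)
    name = section_name(profile)
    return {key: cfg.get(name, key, fallback=None) for key in KEYS}


def still_needed(path: str, profile: str) -> list:
    """Which of the three values the user must still type for this profile."""
    return [key for key, value in recall(path, profile).items() if not value]
```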
Google supports a number of 2-factor authentication schemes. Each of these results in a slightly different "next" URL, if they're enabled, during `do_login`. Google controls the preference ordering of these schemes in the case that you have multiple ones defined.

The varying 2-factor schemes and their representative URL fragments handled by this tool are:
| Method | URL Fragment |
|---|---|
| No second factor | (none) |
| | `.../signin/challenge/totp/...` |
| | `.../signin/challenge/ipp/...` |
| | `.../signin/challenge/iap/...` |
| | `.../signin/challenge/az/...` |
| | `.../signin/challenge/sk/...` |
| | `.../signin/challenge/dp/...` |
| | ... (unknown yet) ... |
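As an added example (not the tool's own code), this Python classifier shows how the "next" URL can be sorted by the `/signin/challenge/<kind>/` fragments listed in the table, including the no-second-factor case and the last row's not-yet-known case; the handler names are placeholders chosen here.

```python
# Added example (not aws-google-auth's own code): classify Google's post-password
# "next" URL by the /signin/challenge/<kind>/ fragment from the table above.
from urllib.parse import urlsplit

# Fragments from the table; the handler names are placeholders, not real functions.
KNOWN_CHALLENGES = {
    "totp": "handle_totp",
    "ipp": "handle_ipp",
    "iap": "handle_iap",
    "az": "handle_az",
    "sk": "handle_sk",
    "dp": "handle_dp",
}
MARKER = "/signin/challenge/"


def challenge_kind(next_url: str) -> str:
    """Return 'none', one of the known kinds, or 'unknown' for this URL."""
    path = urlsplit(next_url).path  # ignore query string and fragment
    start = path.find(MARKER)
    if start < 0:
        return "none"  # no second factor: Google went straight on
    rest = path[start + len(MARKER):]
    kind = rest.split("/", 1)[0]
    return kind if kind in KNOWN_CHALLENGES else "unknown"


def dispatch(next_url: str) -> str:
    """Name of the handler for this URL; fail loudly for an unsupported scheme."""
    kind = challenge_kind(next_url)
    if kind == "none":
        return "handle_no_second_factor"
    if kind == "unknown":
        raise NotImplementedError(f"unsupported Google challenge in {next_url}")
    return KNOWN_CHALLENGES[kind]
```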
This work is inspired by keyme; their digging into the guts of how Google SAML auth works is what's enabled it.

The attribute management and credential injection into AWS configuration files was heavily borrowed from aws-adfs <https://github.com/venth/aws-adfs>.